diff --git a/csaf_2_1/mandatoryTests.js b/csaf_2_1/mandatoryTests.js
index 9b5b19a..e749408 100644
--- a/csaf_2_1/mandatoryTests.js
+++ b/csaf_2_1/mandatoryTests.js
@@ -9,7 +9,6 @@ export {
   mandatoryTest_6_1_8,
   mandatoryTest_6_1_9,
   mandatoryTest_6_1_10,
-  mandatoryTest_6_1_11,
   mandatoryTest_6_1_12,
   mandatoryTest_6_1_13,
   mandatoryTest_6_1_14,
@@ -43,4 +42,5 @@ export {
   mandatoryTest_6_1_32,
   mandatoryTest_6_1_33,
 } from '../mandatoryTests.js'
+export { mandatoryTest_6_1_11 } from './mandatoryTests/mandatoryTest_6_1_11.js'
 export { mandatoryTest_6_1_34 } from './mandatoryTests/mandatoryTest_6_1_34.js'
diff --git a/csaf_2_1/mandatoryTests/mandatoryTest_6_1_11.js b/csaf_2_1/mandatoryTests/mandatoryTest_6_1_11.js
new file mode 100644
index 0000000..1dcd7be
--- /dev/null
+++ b/csaf_2_1/mandatoryTests/mandatoryTest_6_1_11.js
@@ -0,0 +1,96 @@
+import Ajv from 'ajv/dist/jtd.js'
+import { cwecMap } from '../../lib/cwec.js'
+
+const ajv = new Ajv()
+
+/*
+  This is the jtd schema that needs to match the input document so that the
+  test is activated. If this schema doesn't match it normally means that the input
+  document does not validate against the csaf json schema or optional fields that
+  the test checks are not present.
+ */
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    vulnerabilities: {
+      elements: {
+        additionalProperties: true,
+        properties: {
+          cwes: {
+            elements: {
+              additionalProperties: true,
+              properties: {},
+            },
+          },
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+const cweSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    id: { type: 'string' },
+    version: { type: 'string' },
+    name: { type: 'string' },
+  },
+})
+
+const validateCWE = ajv.compile(cweSchema)
+
+/**
+ * This implements the mandatory test 6.1.11 of the CSAF 2.1 standard.
+ *
+ * @param {any} doc
+ */
+export async function mandatoryTest_6_1_11(doc) {
+  /** @type {Array<{ message: string; instancePath: string }>} */
+  const errors = []
+  let isValid = true
+
+  if (!validateInput(doc)) {
+    return { errors, isValid }
+  }
+
+  for (let i = 0; i < doc.vulnerabilities.length; ++i) {
+    const vulnerability = doc.vulnerabilities[i]
+    for (let j = 0; j < vulnerability.cwes.length; ++j) {
+      const cwe = vulnerability.cwes.at(i)
+      if (validateCWE(cwe)) {
+        const cwec = cwecMap.get(cwe.version)
+        if (!cwec) {
+          isValid = false
+          errors.push({
+            instancePath: `/vulnerabilities/${i}/cwes/${j}/version`,
+            message: 'no such cwe version is recognized',
+          })
+          continue
+        }
+        const entry = (await cwec()).default.weaknesses.find(
+          (w) => w.id === cwe.id
+        )
+        if (!entry) {
+          isValid = false
+          errors.push({
+            instancePath: `/vulnerabilities/${i}/cwes/${j}/id`,
+            message: 'no weakness with this id is recognized',
+          })
+          continue
+        }
+        if (entry.name !== cwe.name) {
+          isValid = false
+          errors.push({
+            instancePath: `/vulnerabilities/${i}/cwes/${j}/name`,
+            message: 'the name does not match the weakness with the given id',
+          })
+          continue
+        }
+      }
+    }
+  }
+
+  return { isValid, errors }
+}
diff --git a/lib/cwec.js b/lib/cwec.js
new file mode 100644
index 0000000..31d9c0c
--- /dev/null
+++ b/lib/cwec.js
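Review bot: `const cwe = vulnerability.cwes.at(i)` reads the cwes array with the outer vulnerability index instead of the inner `j`, so the loop never inspects the element whose path it reports. With a single vulnerability every iteration re-checks `cwes[0]` while the errors point at `/cwes/${j}`; once `i` reaches `cwes.length`, `.at(i)` yields undefined, which either fails `validateCWE` and silently skips the entry or throws on `cwe.version` — in the first case a document carrying an unrecognized id or a wrong weakness name passes the test. The fix is the one line `const cwe = vulnerability.cwes[j]`. A minor style point: the early exit returns `{ errors, isValid }` while the final one returns `{ isValid, errors }`; the shape is the same, but one key order would make the two exits easier to compare.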
@@ -0,0 +1,53 @@
+export const cwecMap = new Map([
+  ['4.15', () => import('./cwec/4.15.js')],
+  ['4.14', () => import('./cwec/4.14.js')],
+  ['4.13', () => import('./cwec/4.13.js')],
+  ['4.12', () => import('./cwec/4.12.js')],
+  ['4.11', () => import('./cwec/4.11.js')],
+  ['4.10', () => import('./cwec/4.10.js')],
+  ['4.9', () => import('./cwec/4.9.js')],
+  ['4.8', () => import('./cwec/4.8.js')],
+  ['4.7', () => import('./cwec/4.7.js')],
+  ['4.6', () => import('./cwec/4.6.js')],
+  ['4.5', () => import('./cwec/4.5.js')],
+  ['4.4', () => import('./cwec/4.4.js')],
+  ['4.3', () => import('./cwec/4.3.js')],
+  ['4.2', () => import('./cwec/4.2.js')],
+  ['4.1', () => import('./cwec/4.1.js')],
+  ['4.0', () => import('./cwec/4.0.js')],
+  ['3.4.1', () => import('./cwec/3.4.1.js')],
+  ['3.4', () => import('./cwec/3.4.js')],
+  ['3.3', () => import('./cwec/3.3.js')],
+  ['3.2', () => import('./cwec/3.2.js')],
+  ['3.1', () => import('./cwec/3.1.js')],
+  ['3.0', () => import('./cwec/3.0.js')],
+  ['2.12', () => import('./cwec/2.12.js')],
+  ['2.11', () => import('./cwec/2.11.js')],
+  ['2.10', () => import('./cwec/2.10.js')],
+  ['2.9', () => import('./cwec/2.9.js')],
+  ['2.8', () => import('./cwec/2.8.js')],
+  ['2.7', () => import('./cwec/2.7.js')],
+  ['2.6', () => import('./cwec/2.6.js')],
+  ['2.5', () => import('./cwec/2.5.js')],
+  ['2.4', () => import('./cwec/2.4.js')],
+  ['2.3', () => import('./cwec/2.3.js')],
+  ['2.2', () => import('./cwec/2.2.js')],
+  ['2.1', () => import('./cwec/2.1.js')],
+  ['2.0', () => import('./cwec/2.0.js')],
+  ['1.13', () => import('./cwec/1.13.js')],
+  ['1.12', () => import('./cwec/1.12.js')],
+  ['1.11', () => import('./cwec/1.11.js')],
+  ['1.10', () => import('./cwec/1.10.js')],
+  ['1.9', () => import('./cwec/1.9.js')],
+  ['1.8.1', () => import('./cwec/1.8.1.js')],
+  ['1.8', () => import('./cwec/1.8.js')],
+  ['1.7', () => import('./cwec/1.7.js')],
+  ['1.6', () => import('./cwec/1.6.js')],
+  ['1.5', () => import('./cwec/1.5.js')],
+  ['1.4', () => import('./cwec/1.4.js')],
+  ['1.3', () => import('./cwec/1.3.js')],
+  ['1.2', () => import('./cwec/1.2.js')],
+  ['1.1', () => import('./cwec/1.1.js')],
+  ['1.0.1', () => import('./cwec/1.0.1.js')],
+  ['1.0', () => import('./cwec/1.0.js')],
+])
diff --git a/lib/cwec/1.0.1.js b/lib/cwec/1.0.1.js
new file mode 100644
index 0000000..07f038b
--- /dev/null
+++ b/lib/cwec/1.0.1.js
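Review bot: The exported `cwecMap` has no documentation of its contract, so a reader of `mandatoryTest_6_1_11` has to open one of the `./cwec/*.js` modules to learn that each loader resolves to a module whose `default.weaknesses` is an array of `{ id, name }` records. A JSDoc block on the `export const` line would make that explicit, for example `/** CWE catalogue version string -> lazy loader for that version's module; the module's default export has a `weaknesses` array of `{ id, name }` entries. */`. It would also be worth stating that a version absent from this map is what makes `cwecMap.get(cwe.version)` return undefined, which the test reports as an unrecognized version; the newest-first key order appears to be cosmetic, since nothing visible iterates the map.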
@@ -0,0 +1,1064 @@ +export default { + weaknesses: [ + { id: 'CWE-100', name: 'Technology-Specific Input Validation Problems' }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Insufficient Output Sanitization' }, + { id: 'CWE-117', name: 'Incorrect Output Sanitization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource (aka 'Range Error')", + }, + { + id: 'CWE-119', + name: 'Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Handling', + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-124', + name: "Boundary Beginning Violation ('Buffer Underwrite')", + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 
'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Unchecked Array Indexing' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { id: 'CWE-130', name: 'Failure to Handle Length Parameter Inconsistency' }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Failure to Sanitize Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Failure to Sanitize Delimiters' }, + { + id: 'CWE-141', + name: 'Failure to Sanitize Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Failure to Sanitize Value Delimiters' }, + { id: 'CWE-143', name: 'Failure to Sanitize Record Delimiters' }, + { id: 'CWE-144', name: 'Failure to Sanitize Line Delimiters' }, + { id: 'CWE-145', name: 'Failure to Sanitize Section Delimiters' }, + { + id: 'CWE-146', + name: 'Failure to Sanitize Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Failure to Sanitize Input Terminators' }, + { id: 'CWE-148', name: 'Failure to Sanitize Input Leaders' }, + { id: 'CWE-149', name: 'Failure to Sanitize Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Failure to Sanitize Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Failure to Sanitize Comment Element' }, + { id: 'CWE-152', name: 'Failure to Sanitize Macro Symbol' }, + { id: 'CWE-153', name: 'Failure to Sanitize Substitution Character' }, + { id: 'CWE-154', name: 'Failure to Sanitize Variable Name Delimiter' }, + { id: 'CWE-155', name: 'Failure to Sanitize Wildcard or Matching Symbol' }, + { id: 'CWE-156', name: 'Failure to Sanitize 
Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { id: 'CWE-158', name: 'Failure to Sanitize Null Byte or NUL Character' }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { id: 'CWE-160', name: 'Failure to Sanitize Leading Special Element' }, + { + id: 'CWE-161', + name: 'Failure to Sanitize Multiple Leading Special Elements', + }, + { id: 'CWE-162', name: 'Failure to Sanitize Trailing Special Element' }, + { + id: 'CWE-163', + name: 'Failure to Sanitize Multiple Trailing Special Elements', + }, + { id: 'CWE-164', name: 'Failure to Sanitize Internal Special Element' }, + { + id: 'CWE-165', + name: 'Failure to Sanitize Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Failure to Handle Missing Special Element' }, + { id: 'CWE-167', name: 'Failure to Handle Additional Special Element' }, + { id: 'CWE-168', name: 'Failure to Resolve Inconsistent Special Elements' }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Failure to Handle Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Failure to Handle Mixed Encoding' }, + { id: 'CWE-176', name: 'Failure to Handle Unicode Encoding' }, + { id: 'CWE-177', name: 'Failure to Handle URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Failure to Resolve Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data Into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 
'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow (Wrap or Wraparound)' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Incorrect Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Insufficient Input Validation' }, + { id: 'CWE-200', name: 'Information Leak (Information Disclosure)' }, + { id: 'CWE-201', name: 'Information Leak Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Discrepancy Information Leaks' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Leak' }, + { id: 'CWE-205', name: 'Behavioral Discrepancy Information Leak' }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'External Behavioral Inconsistency Information Leak', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Error Message Information Leaks' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { id: 'CWE-212', name: 'Cross-boundary Cleansing Information Leak' }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', name: 'Process Environment Information Leak' }, + { id: 'CWE-215', name: 'Information Leak Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { id: 'CWE-217', name: 'Failure to Protect Stored Data from Modification' }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide 
confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { id: 'CWE-22', name: 'Path Traversal' }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Failure to Fulfill API Contract (aka 'API Abuse')", + }, + { + id: 'CWE-228', + name: 'Failure to Handle Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Failure to Handle Missing Value' }, + { id: 'CWE-231', name: 'Failure to Handle Extra Value' }, + { id: 'CWE-232', name: 'Failure to Handle Undefined Value' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Failure to Handle Extra Parameter' }, + { id: 'CWE-236', name: 'Failure to Handle Undefined Parameter' }, + { id: 'CWE-237', name: 'Element Problems' }, + { id: 'CWE-238', name: 'Failure to Handle Missing Element' }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { id: 'CWE-240', name: 'Failure to Resolve Inconsistent Elements' }, + { id: 'CWE-241', name: 'Failure to Handle Wrong Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Failure to Change Working Directory in chroot Jail', + }, + { + id: 'CWE-244', + name: "Failure to Clear Heap Memory Before Release 
(aka 'Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { + id: 'CWE-250', + name: 'Design Principle Violation: Failure to Use Least Privilege', + }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Misinterpreted Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Hard-Coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Insecure Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { + id: 'CWE-273', + name: 'Failure to Check Whether Privileges Were Dropped Successfully', + }, + { id: 'CWE-274', name: 'Failure to Handle Insufficient Privileges' }, + { id: 'CWE-276', name: 'Insecure Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + 
{ id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Insecure Execution-assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Failure to Handle Insufficient Permissions or Privileges', + }, + { id: 'CWE-281', name: 'Permission Preservation Failure' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Missing or Inconsistent Access Control' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Insufficient Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Failure to Follow Chain of Trust in Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Failure to Validate Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Failure to Validate Certificate Expiration' }, + { id: 'CWE-299', name: 'Failure to Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Improper Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in 
Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'No Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Failure to Restrict Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Failure to Encrypt Sensitive Data' }, + { id: 'CWE-312', name: 'Plaintext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Plaintext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Weak Encryption' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { id: 'CWE-333', name: 'Failure to Handle Insufficient Entropy in TRNG' }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improperly Verified Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Failure to Add Integrity Check Value' }, + { id: 'CWE-354', name: 'Failure to Check Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute 
Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { id: 'CWE-362', name: 'Race Condition' }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Race Condition in Checking for Certificate Revocation', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'State Synchronization Error' }, + { id: 'CWE-374', name: 'Mutable Objects Passed by Reference' }, + { id: 'CWE-375', name: 'Passing Mutable Objects to an Untrusted Method' }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Failure to Report Error in Status Code' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use 
of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption (aka 'Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere (aka 'Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Failure to Handle Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Failure to Resolve Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Lock on Critical Resource' }, + { id: 'CWE-413', name: 'Insufficient Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' 
(Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Failure to Protect Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests (aka 'HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI 
Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { id: 'CWE-454', name: 'External Initialization of Trusted Variables' }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Failure to Use Default Case in Switch' }, + { id: 'CWE-479', name: 'Unsafe Function Call from a Signal Handler' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file 
name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final (aka 'Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { + id: 'CWE-494', + name: 'Download of Untrusted Mobile Code Without Integrity Check', + }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { id: 'CWE-497', name: 'Information Leak of System Data' }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, 
+ { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { id: 'CWE-527', name: 'Information Leak Through CVS Repository' }, + { id: 'CWE-528', name: 'Information Leak Through Core Dump Files' }, + { + id: 'CWE-529', + name: 'Information Leak Through Access Control List Files', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { id: 'CWE-530', name: 'Information Leak Through Backup (.~bk) Files' }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Leaks' }, + { id: 'CWE-539', name: 'Information Leak Through Persistent Cookies' }, + { + id: 
'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern in a Non-thread-safe Manner', + }, + { id: 'CWE-544', name: 'Missing Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { id: 'CWE-565', name: 'Use of Cookies in Security Decision' }, + { + id: 'CWE-566', 
+ name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { id: 'CWE-567', name: 'Unsynchronized Access to Shared Data' }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Failure to Resolve Links Before File Access (aka 'Link Following')", + }, + { id: 'CWE-590', name: 'Free of Invalid Pointer Not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked 
Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { id: 'CWE-595', name: 'Incorrect Syntactic Object Comparison' }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { + id: 'CWE-600', + name: 'Failure to Catch All Exceptions (Missing Catch Block)', + }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site (aka 'Open Redirect')", + }, + { + id: 'CWE-602', + name: 'Design Principle Violation: Client-Side Enforcement of Server-Side Security', + }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: 'Sensitive Cookie in HTTPS Session Without "Secure" Attribute', + }, + { id: 'CWE-615', name: 'Information Leak Through Comments' }, + { + id: 'CWE-616', + name: 
'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { + id: 'CWE-619', + name: "Dangling Database Cursor (aka 'Cursor Injection')", + }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { + id: 'CWE-636', + name: "Design Principle Violation: Not Failing Securely (aka 'Failing Open')", + }, + { + id: 'CWE-637', + name: 'Design Principle Violation: Not Using Economy of Mechanism', + }, + { + id: 'CWE-638', + name: 'Design Principle Violation: Not Using Complete Mediation', + }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Insufficient Filtering of File and Other Resource Names for Executable Content', + }, + { id: 'CWE-642', name: 'External Control of User State Data' }, + { + id: 'CWE-643', + name: "Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')", + }, + { + id: 'CWE-644', + name: 'Insufficient Sanitization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of 
Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Improper Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Leak through WSDL File' }, + { + id: 'CWE-652', + name: "Failure to Sanitize Data within XQuery Expressions (aka 'XQuery Injection')", + }, + { + id: 'CWE-653', + name: 'Design Principle Violation: Insufficient Compartmentalization', + }, + { + id: 'CWE-654', + name: 'Design Principle Violation: Reliance on a Single Factor in a Security Decision', + }, + { + id: 'CWE-655', + name: 'Design Principle Violation: Failure to Satisfy Psychological Acceptability', + }, + { + id: 'CWE-656', + name: 'Design Principle Violation: Reliance on Security through Obscurity', + }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Failure to Handle File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Insufficient Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in an Unsynchronized Context', + }, + { + id: 'CWE-664', + name: 'Insufficient Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Incorrect or Incomplete Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Insufficient Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Failure to Handle Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { + id: 'CWE-671', + name: 'Design 
Principle Violation: Lack of Administrator Control over Security', + }, + { id: 'CWE-672', name: 'Use of a Resource after Expiration or Release' }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Failure to Provide Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Failure to Handle Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Error Handling' }, + { id: 'CWE-703', name: 'Failure to Handle Exceptional Conditions' }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Failure to Enforce that Messages or Data are Well-Formed', + }, + { id: 
'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { id: 'CWE-72', name: 'Apple HFS+ Alternate Data Stream' }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { id: 'CWE-732', name: 'Insecure Permission Assignment for Resource' }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Failure to Sanitize Data into a Different Plane (aka 'Injection')", + }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-76', + name: 'Failure to Resolve Equivalent Special Elements into a Different Plane', + }, + { + id: 'CWE-77', + name: "Failure to Sanitize Data into a Control Plane (aka 'Command Injection')", + }, + { + id: 'CWE-78', + name: "Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')", + }, + { + id: 'CWE-79', + name: "Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))", + }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { + id: 'CWE-81', + name: 'Failure to Sanitize Directives in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Failure to Sanitize Script in Attributes of IMG Tags in a Web Page', + }, + { + id: 'CWE-83', + name: 'Failure to Sanitize Script in Attributes in a Web Page', + }, + { + id: 'CWE-84', + name: 'Failure to Resolve Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Failure to Sanitize Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Failure to Sanitize Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' 
}, + { + id: 'CWE-89', + name: "Failure to Sanitize Data within SQL Queries (aka 'SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'Insufficient Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: "Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')", + }, + { id: 'CWE-94', name: 'Code Injection' }, + { + id: 'CWE-95', + name: "Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection')", + }, + { + id: 'CWE-96', + name: 'Insufficient Control of Directives in Statically Saved Code (Static Code Injection)', + }, + { + id: 'CWE-97', + name: 'Failure to Sanitize Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-99', + name: "Insufficient Control of Resource Identifiers (aka 'Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.0.js b/lib/cwec/1.0.js new file mode 100644 index 0000000..d75bb68 --- /dev/null +++ b/lib/cwec/1.0.js 
@@ -0,0 +1,1045 @@ +export default { + weaknesses: [ + { id: 'CWE-100', name: 'Technology-Specific Input Validation Problems' }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Insufficient Output Sanitization' }, + { id: 'CWE-117', name: 'Incorrect Output Sanitization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource (aka 'Range Error')", + }, + { + id: 'CWE-119', + name: 'Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Handling', + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-124', + name: "Boundary Beginning Violation ('Buffer Underwrite')", + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 
'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Unchecked Array Indexing' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { id: 'CWE-130', name: 'Failure to Handle Length Parameter Inconsistency' }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Failure to Sanitize Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Failure to Sanitize Delimiters' }, + { + id: 'CWE-141', + name: 'Failure to Sanitize Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Failure to Sanitize Value Delimiters' }, + { id: 'CWE-143', name: 'Failure to Sanitize Record Delimiters' }, + { id: 'CWE-144', name: 'Failure to Sanitize Line Delimiters' }, + { id: 'CWE-145', name: 'Failure to Sanitize Section Delimiters' }, + { + id: 'CWE-146', + name: 'Failure to Sanitize Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Failure to Sanitize Input Terminators' }, + { id: 'CWE-148', name: 'Failure to Sanitize Input Leaders' }, + { id: 'CWE-149', name: 'Failure to Sanitize Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Failure to Sanitize Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Failure to Sanitize Comment Element' }, + { id: 'CWE-152', name: 'Failure to Sanitize Macro Symbol' }, + { id: 'CWE-153', name: 'Failure to Sanitize Substitution Character' }, + { id: 'CWE-154', name: 'Failure to Sanitize Variable Name Delimiter' }, + { id: 'CWE-155', name: 'Failure to Sanitize Wildcard or Matching Symbol' }, + { id: 'CWE-156', name: 'Failure to Sanitize 
Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { id: 'CWE-158', name: 'Failure to Sanitize Null Byte or NUL Character' }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { id: 'CWE-160', name: 'Failure to Sanitize Leading Special Element' }, + { + id: 'CWE-161', + name: 'Failure to Sanitize Multiple Leading Special Elements', + }, + { id: 'CWE-162', name: 'Failure to Sanitize Trailing Special Element' }, + { + id: 'CWE-163', + name: 'Failure to Sanitize Multiple Trailing Special Elements', + }, + { id: 'CWE-164', name: 'Failure to Sanitize Internal Special Element' }, + { + id: 'CWE-165', + name: 'Failure to Sanitize Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Failure to Handle Missing Special Element' }, + { id: 'CWE-167', name: 'Failure to Handle Additional Special Element' }, + { id: 'CWE-168', name: 'Failure to Resolve Inconsistent Special Elements' }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Failure to Handle Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Failure to Handle Mixed Encoding' }, + { id: 'CWE-176', name: 'Failure to Handle Unicode Encoding' }, + { id: 'CWE-177', name: 'Failure to Handle URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Failure to Resolve Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data Into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 
'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow (Wrap or Wraparound)' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Incorrect Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Insufficient Input Validation' }, + { id: 'CWE-200', name: 'Information Leak (Information Disclosure)' }, + { id: 'CWE-201', name: 'Information Leak Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Discrepancy Information Leaks' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Leak' }, + { id: 'CWE-205', name: 'Behavioral Discrepancy Information Leak' }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'External Behavioral Inconsistency Information Leak', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Error Message Information Leaks' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { id: 'CWE-212', name: 'Cross-boundary Cleansing Information Leak' }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', name: 'Process Environment Information Leak' }, + { id: 'CWE-215', name: 'Information Leak Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { id: 'CWE-217', name: 'Failure to Protect Stored Data from Modification' }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide 
confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { id: 'CWE-22', name: 'Path Traversal' }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Failure to Fulfill API Contract (aka 'API Abuse')", + }, + { + id: 'CWE-228', + name: 'Failure to Handle Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Failure to Handle Missing Value' }, + { id: 'CWE-231', name: 'Failure to Handle Extra Value' }, + { id: 'CWE-232', name: 'Failure to Handle Undefined Value' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Failure to Handle Extra Parameter' }, + { id: 'CWE-236', name: 'Failure to Handle Undefined Parameter' }, + { id: 'CWE-237', name: 'Element Problems' }, + { id: 'CWE-238', name: 'Failure to Handle Missing Element' }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { id: 'CWE-240', name: 'Failure to Resolve Inconsistent Elements' }, + { id: 'CWE-241', name: 'Failure to Handle Wrong Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Failure to Change Working Directory in chroot Jail', + }, + { + id: 'CWE-244', + name: "Failure to Clear Heap Memory Before Release 
(aka 'Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { + id: 'CWE-250', + name: 'Design Principle Violation: Failure to Use Least Privilege', + }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Misinterpreted Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Hard-Coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Insecure Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { + id: 'CWE-273', + name: 'Failure to Check Whether Privileges Were Dropped Successfully', + }, + { id: 'CWE-274', name: 'Failure to Handle Insufficient Privileges' }, + { id: 'CWE-276', name: 'Insecure Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + 
{ id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Insecure Execution-assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filename'" }, + { + id: 'CWE-280', + name: 'Failure to Handle Insufficient Permissions or Privileges', + }, + { id: 'CWE-281', name: 'Permission Preservation Failure' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Missing or Inconsistent Access Control' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Insufficient Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Failure to Follow Chain of Trust in Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Failure to Validate Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Failure to Validate Certificate Expiration' }, + { id: 'CWE-299', name: 'Failure to Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Improper Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in 
Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'No Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Failure to Restrict Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\filename'" }, + { id: 'CWE-311', name: 'Failure to Encrypt Sensitive Data' }, + { id: 'CWE-312', name: 'Plaintext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Plaintext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Weak Encryption' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { id: 'CWE-333', name: 'Failure to Handle Insufficient Entropy in TRNG' }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improperly Verified Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Failure to Add Integrity Check Value' }, + { id: 'CWE-354', name: 'Failure to Check Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute 
Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { id: 'CWE-362', name: 'Race Condition' }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { id: 'CWE-367', name: 'Time-of-check Time-of-use Race Condition' }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Race Condition in Checking for Certificate Revocation', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'State Synchronization Error' }, + { id: 'CWE-374', name: 'Mutable Objects Passed by Reference' }, + { id: 'CWE-375', name: 'Passing Mutable Objects to an Untrusted Method' }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Failure to Report Error in Status Code' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of 
NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Resource Exhaustion' }, + { + id: 'CWE-401', + name: "Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere (aka 'Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { id: 'CWE-406', name: 'Network Amplification' }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Failure to Handle Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Failure to Resolve Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Lock on Critical Resource' }, + { id: 'CWE-413', name: 'Insufficient Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' 
(Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Failure to Protect Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests (aka 'HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI 
Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { id: 'CWE-454', name: 'External Initialization of Trusted Variables' }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Failure to Use Default Case in Switch' }, + { id: 'CWE-479', name: 'Unsafe Function Call from a Signal Handler' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file 
name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final (aka 'Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { + id: 'CWE-494', + name: 'Download of Untrusted Mobile Code Without Integrity Check', + }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { id: 'CWE-497', name: 'Information Leak of System Data' }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, 
+ { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { id: 'CWE-527', name: 'Information Leak Through CVS Repository' }, + { id: 'CWE-528', name: 'Information Leak Through Core Dump Files' }, + { + id: 'CWE-529', + name: 'Information Leak Through Access Control List Files', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { id: 'CWE-530', name: 'Information Leak Through Backup (.~bk) Files' }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Leaks' }, + { id: 'CWE-539', name: 'Information Leak Through Persistent Cookies' }, + { + id: 
'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern in a Non-thread-safe Manner', + }, + { id: 'CWE-544', name: 'Missing Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { id: 'CWE-565', name: 'Use of Cookies in Security Decision' }, + { + id: 'CWE-566', 
+ name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { id: 'CWE-567', name: 'Unsynchronized Access to Shared Data' }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { + id: 'CWE-57', + name: "Path Equivalence: 'dirname/fakechild/../realchild/filename'", + }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Failure to Resolve Links Before File Access (aka 'Link Following')", + }, + { id: 'CWE-590', name: 'Free of Invalid Pointer Not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage 
in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { id: 'CWE-595', name: 'Incorrect Syntactic Object Comparison' }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { + id: 'CWE-600', + name: 'Failure to Catch All Exceptions (Missing Catch Block)', + }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site (aka 'Open Redirect')", + }, + { + id: 'CWE-602', + name: 'Design Principle Violation: Client-Side Enforcement of Server-Side Security', + }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: 'Sensitive Cookie in HTTPS Session Without "Secure" Attribute', + }, + { id: 'CWE-615', name: 'Information Leak Through Comments' }, + { + id: 
'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { + id: 'CWE-619', + name: "Dangling Database Cursor (aka 'Cursor Injection')", + }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { + id: 'CWE-636', + name: "Design Principle Violation: Not Failing Securely (aka 'Failing Open')", + }, + { + id: 'CWE-637', + name: 'Design Principle Violation: Not Using Economy of Mechanism', + }, + { + id: 'CWE-638', + name: 'Design Principle Violation: Not Using Complete Mediation', + }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Insufficient Filtering of File and Other Resource Names for Executable Content', + }, + { id: 'CWE-642', name: 'External Control of User State Data' }, + { id: 'CWE-643', name: 'Unsafe Treatment of XPath Input' }, + { + id: 'CWE-644', + name: 'Insufficient Filtering of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Taking Actions based on File Name or Extension of a User Supplied File', + }, + 
{ + id: 'CWE-647', + name: 'Using Non-Canonical Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Improper Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Leak through WSDL File' }, + { id: 'CWE-652', name: 'Unsafe Treatment of XQuery Input' }, + { + id: 'CWE-653', + name: 'Design Principle Violation: Insufficient Compartmentalization', + }, + { + id: 'CWE-654', + name: 'Design Principle Violation: Reliance on a Single Factor in a Security Decision', + }, + { + id: 'CWE-655', + name: 'Design Principle Violation: Failure to Satisfy Psychological Acceptability', + }, + { + id: 'CWE-656', + name: 'Design Principle Violation: Reliance on Security through Obscurity', + }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Failure to Handle File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Insufficient Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in an Unsynchronized Context', + }, + { + id: 'CWE-664', + name: 'Insufficient Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Incorrect or Incomplete Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Insufficient Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Failure to Handle Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { + id: 'CWE-671', + name: 'Design Principle Violation: Lack of Administrator Control over Security', + }, + { id: 
'CWE-672', name: 'Use of a Resource after Expiration or Release' }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Failure to Provide Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Failure to Handle Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Error Handling' }, + { id: 'CWE-703', name: 'Failure to Handle Exceptional Conditions' }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Failure to Enforce that Messages or Data are Well-Formed', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: 
"Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { id: 'CWE-72', name: 'Apple HFS+ Alternate Data Stream' }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { id: 'CWE-732', name: 'Insecure Permission Assignment for Resource' }, + { + id: 'CWE-74', + name: "Failure to Sanitize Data into a Different Plane (aka 'Injection')", + }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-76', + name: 'Failure to Resolve Equivalent Special Elements into a Different Plane', + }, + { + id: 'CWE-77', + name: "Failure to Sanitize Data into a Control Plane (aka 'Command Injection')", + }, + { + id: 'CWE-78', + name: "Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')", + }, + { + id: 'CWE-79', + name: "Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))", + }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { + id: 'CWE-81', + name: 'Failure to Sanitize Directives in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Failure to Sanitize Script in Attributes of IMG Tags in a Web Page', + }, + { + id: 'CWE-83', + name: 'Failure to Sanitize Script in Attributes in a Web Page', + }, + { + id: 'CWE-84', + name: 'Failure to Resolve Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Failure to Sanitize Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Failure to Sanitize Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Failure to Sanitize Data within SQL Queries (aka 'SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB 
Methods', + }, + { + id: 'CWE-90', + name: "Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-92', name: 'Custom Special Character Injection' }, + { + id: 'CWE-93', + name: "Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')", + }, + { id: 'CWE-94', name: 'Code Injection' }, + { + id: 'CWE-95', + name: "Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection')", + }, + { + id: 'CWE-96', + name: 'Insufficient Control of Directives in Statically Saved Code (Static Code Injection)', + }, + { + id: 'CWE-97', + name: 'Failure to Sanitize Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-99', + name: "Insufficient Control of Resource Identifiers (aka 'Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.1.js b/lib/cwec/1.1.js new file mode 100644 index 0000000..e4846c0 --- /dev/null +++ b/lib/cwec/1.1.js 
@@ -0,0 +1,1068 @@ +export default { + weaknesses: [ + { id: 'CWE-100', name: 'Technology-Specific Input Validation Problems' }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Insufficient Output Sanitization' }, + { id: 'CWE-117', name: 'Incorrect Output Sanitization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource (aka 'Range Error')", + }, + { + id: 'CWE-119', + name: 'Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Handling', + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-124', + name: "Boundary Beginning Violation ('Buffer Underwrite')", + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 
'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Unchecked Array Indexing' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { id: 'CWE-130', name: 'Failure to Handle Length Parameter Inconsistency' }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Failure to Sanitize Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Failure to Sanitize Delimiters' }, + { + id: 'CWE-141', + name: 'Failure to Sanitize Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Failure to Sanitize Value Delimiters' }, + { id: 'CWE-143', name: 'Failure to Sanitize Record Delimiters' }, + { id: 'CWE-144', name: 'Failure to Sanitize Line Delimiters' }, + { id: 'CWE-145', name: 'Failure to Sanitize Section Delimiters' }, + { + id: 'CWE-146', + name: 'Failure to Sanitize Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Failure to Sanitize Input Terminators' }, + { id: 'CWE-148', name: 'Failure to Sanitize Input Leaders' }, + { id: 'CWE-149', name: 'Failure to Sanitize Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Failure to Sanitize Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Failure to Sanitize Comment Element' }, + { id: 'CWE-152', name: 'Failure to Sanitize Macro Symbol' }, + { id: 'CWE-153', name: 'Failure to Sanitize Substitution Character' }, + { id: 'CWE-154', name: 'Failure to Sanitize Variable Name Delimiter' }, + { id: 'CWE-155', name: 'Failure to Sanitize Wildcard or Matching Symbol' }, + { id: 'CWE-156', name: 'Failure to Sanitize 
Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { id: 'CWE-158', name: 'Failure to Sanitize Null Byte or NUL Character' }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { id: 'CWE-160', name: 'Failure to Sanitize Leading Special Element' }, + { + id: 'CWE-161', + name: 'Failure to Sanitize Multiple Leading Special Elements', + }, + { id: 'CWE-162', name: 'Failure to Sanitize Trailing Special Element' }, + { + id: 'CWE-163', + name: 'Failure to Sanitize Multiple Trailing Special Elements', + }, + { id: 'CWE-164', name: 'Failure to Sanitize Internal Special Element' }, + { + id: 'CWE-165', + name: 'Failure to Sanitize Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Failure to Handle Missing Special Element' }, + { id: 'CWE-167', name: 'Failure to Handle Additional Special Element' }, + { id: 'CWE-168', name: 'Failure to Resolve Inconsistent Special Elements' }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Failure to Handle Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Failure to Handle Mixed Encoding' }, + { id: 'CWE-176', name: 'Failure to Handle Unicode Encoding' }, + { id: 'CWE-177', name: 'Failure to Handle URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Failure to Resolve Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data Into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 
'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow (Wrap or Wraparound)' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Insufficient Input Validation' }, + { id: 'CWE-200', name: 'Information Leak (Information Disclosure)' }, + { id: 'CWE-201', name: 'Information Leak Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Discrepancy Information Leaks' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Leak' }, + { id: 'CWE-205', name: 'Behavioral Discrepancy Information Leak' }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'External Behavioral Inconsistency Information Leak', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Error Message Information Leaks' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { id: 'CWE-212', name: 'Cross-boundary Cleansing Information Leak' }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', name: 'Process Environment Information Leak' }, + { id: 'CWE-215', name: 'Information Leak Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { id: 'CWE-217', name: 'Failure to Protect Stored Data from Modification' }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide 
confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { id: 'CWE-22', name: 'Path Traversal' }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Failure to Fulfill API Contract (aka 'API Abuse')", + }, + { + id: 'CWE-228', + name: 'Failure to Handle Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Failure to Handle Missing Value' }, + { id: 'CWE-231', name: 'Failure to Handle Extra Value' }, + { id: 'CWE-232', name: 'Failure to Handle Undefined Value' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Failure to Handle Extra Parameter' }, + { id: 'CWE-236', name: 'Failure to Handle Undefined Parameter' }, + { id: 'CWE-237', name: 'Element Problems' }, + { id: 'CWE-238', name: 'Failure to Handle Missing Element' }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { id: 'CWE-240', name: 'Failure to Resolve Inconsistent Elements' }, + { id: 'CWE-241', name: 'Failure to Handle Wrong Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Failure to Change Working Directory in chroot Jail', + }, + { + id: 'CWE-244', + name: "Failure to Clear Heap Memory Before Release 
(aka 'Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { + id: 'CWE-250', + name: 'Design Principle Violation: Failure to Use Least Privilege', + }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Misinterpreted Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Hard-Coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Insecure Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { + id: 'CWE-273', + name: 'Failure to Check Whether Privileges Were Dropped Successfully', + }, + { id: 'CWE-274', name: 'Failure to Handle Insufficient Privileges' }, + { id: 'CWE-276', name: 'Insecure Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + 
{ id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Insecure Execution-assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Failure to Handle Insufficient Permissions or Privileges', + }, + { id: 'CWE-281', name: 'Permission Preservation Failure' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Missing or Inconsistent Access Control' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Insufficient Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Failure to Follow Chain of Trust in Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Failure to Validate Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Failure to Validate Certificate Expiration' }, + { id: 'CWE-299', name: 'Failure to Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Improper Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in 
Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'No Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Failure to Restrict Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Failure to Encrypt Sensitive Data' }, + { id: 'CWE-312', name: 'Plaintext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Plaintext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Weak Encryption' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { id: 'CWE-333', name: 'Failure to Handle Insufficient Entropy in TRNG' }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improperly Verified Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Failure to Add Integrity Check Value' }, + { id: 'CWE-354', name: 'Failure to Check Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute 
Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { id: 'CWE-362', name: 'Race Condition' }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Race Condition in Checking for Certificate Revocation', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'State Synchronization Error' }, + { id: 'CWE-374', name: 'Mutable Objects Passed by Reference' }, + { id: 'CWE-375', name: 'Passing Mutable Objects to an Untrusted Method' }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Failure to Report Error in Status Code' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use 
of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption (aka 'Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere (aka 'Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Failure to Handle Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Failure to Resolve Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Lock on Critical Resource' }, + { id: 'CWE-413', name: 'Insufficient Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' 
(Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Failure to Protect Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests (aka 'HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 
'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { id: 'CWE-454', name: 'External Initialization of Trusted Variables' }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Failure to Use Default Case in Switch' }, + { id: 'CWE-479', name: 'Unsafe Function Call from a Signal Handler' }, + { + id: 'CWE-48', + name: 
"Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final (aka 'Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { + id: 'CWE-494', + name: 'Download of Untrusted Mobile Code Without Integrity Check', + }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { id: 'CWE-497', name: 'Information Leak of System Data' }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 
'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { id: 'CWE-527', name: 'Information Leak Through CVS Repository' }, + { id: 'CWE-528', name: 'Information Leak Through Core Dump Files' }, + { + id: 'CWE-529', + name: 'Information Leak Through Access Control List Files', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { id: 'CWE-530', name: 'Information Leak Through Backup (.~bk) Files' }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Leaks' }, + { id: 'CWE-539', name: 
'Information Leak Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern in a Non-thread-safe Manner', + }, + { id: 'CWE-544', name: 'Missing Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { id: 'CWE-565', name: 
'Use of Cookies in Security Decision' }, + { + id: 'CWE-566', + name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { id: 'CWE-567', name: 'Unsynchronized Access to Shared Data' }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Failure to Resolve Links Before File Access (aka 'Link Following')", + }, + { id: 'CWE-590', name: 'Free of Invalid Pointer Not on the Heap' }, + { + id: 
'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { id: 'CWE-595', name: 'Incorrect Syntactic Object Comparison' }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { + id: 'CWE-600', + name: 'Failure to Catch All Exceptions (Missing Catch Block)', + }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site (aka 'Open Redirect')", + }, + { + id: 'CWE-602', + name: 'Design Principle Violation: Client-Side Enforcement of Server-Side Security', + }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: 'Sensitive Cookie in HTTPS Session Without "Secure" Attribute', + }, + { id: 'CWE-615', name: 
'Information Leak Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { + id: 'CWE-619', + name: "Dangling Database Cursor (aka 'Cursor Injection')", + }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { + id: 'CWE-636', + name: "Design Principle Violation: Not Failing Securely (aka 'Failing Open')", + }, + { + id: 'CWE-637', + name: 'Design Principle Violation: Not Using Economy of Mechanism', + }, + { + id: 'CWE-638', + name: 'Design Principle Violation: Not Using Complete Mediation', + }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Insufficient Filtering of File and Other Resource Names for Executable Content', + }, + { id: 'CWE-642', name: 'External Control of User State Data' }, + { + id: 'CWE-643', + name: "Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')", + }, + { + id: 'CWE-644', + name: 'Insufficient Sanitization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + 
id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Improper Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Leak through WSDL File' }, + { + id: 'CWE-652', + name: "Failure to Sanitize Data within XQuery Expressions (aka 'XQuery Injection')", + }, + { + id: 'CWE-653', + name: 'Design Principle Violation: Insufficient Compartmentalization', + }, + { + id: 'CWE-654', + name: 'Design Principle Violation: Reliance on a Single Factor in a Security Decision', + }, + { + id: 'CWE-655', + name: 'Design Principle Violation: Failure to Satisfy Psychological Acceptability', + }, + { + id: 'CWE-656', + name: 'Design Principle Violation: Reliance on Security through Obscurity', + }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Failure to Handle File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Insufficient Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in an Unsynchronized Context', + }, + { + id: 'CWE-664', + name: 'Insufficient Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Incorrect or Incomplete Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Insufficient Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Failure to Handle Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect 
Control Flow Implementation' }, + { + id: 'CWE-671', + name: 'Design Principle Violation: Lack of Administrator Control over Security', + }, + { id: 'CWE-672', name: 'Use of a Resource after Expiration or Release' }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Failure to Provide Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Failure to Handle Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Error Handling' }, + { id: 'CWE-703', name: 'Failure to Handle Exceptional Conditions' }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 
'Failure to Enforce that Messages or Data are Well-Formed', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Failure to Handle Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { id: 'CWE-732', name: 'Insecure Permission Assignment for Resource' }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Failure to Sanitize Data into a Different Plane (aka 'Injection')", + }, + { id: 'CWE-749', name: 'Exposed Insecure Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-76', + name: 'Failure to Resolve Equivalent Special Elements into a Different Plane', + }, + { + id: 'CWE-77', + name: "Failure to Sanitize Data into a Control Plane (aka 'Command Injection')", + }, + { + id: 'CWE-78', + name: "Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')", + }, + { + id: 'CWE-79', + name: "Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))", + }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { + id: 'CWE-81', + name: 'Failure to Sanitize Directives in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Failure to Sanitize Script in Attributes of IMG Tags in a Web Page', + }, + { + id: 'CWE-83', + name: 'Failure to Sanitize Script in Attributes in a Web Page', + }, + { + id: 'CWE-84', + name: 'Failure to Resolve Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Failure to Sanitize Invalid 
Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Failure to Sanitize Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Failure to Sanitize Data within SQL Queries (aka 'SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'Insufficient Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: "Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')", + }, + { id: 'CWE-94', name: 'Code Injection' }, + { + id: 'CWE-95', + name: "Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection')", + }, + { + id: 'CWE-96', + name: 'Insufficient Control of Directives in Statically Saved Code (Static Code Injection)', + }, + { + id: 'CWE-97', + name: 'Failure to Sanitize Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-99', + name: "Insufficient Control of Resource Identifiers (aka 'Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.10.js b/lib/cwec/1.10.js new file mode 100644 index 0000000..6543299 --- /dev/null +++ b/lib/cwec/1.10.js 
@@ -0,0 +1,1228 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Failure to Constrain Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { 
id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable 
Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { id: 'CWE-168', name: 'Failure to Resolve Inconsistent Special Elements' }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Failure to Handle Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Failure to Handle Mixed Encoding' }, + { id: 'CWE-176', name: 'Failure to Handle Unicode Encoding' }, + { id: 'CWE-177', name: 'Failure to Handle URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Failure to Resolve Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into 
Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', name: 'Process Environment Information 
Leak' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { id: 'CWE-227', name: "Failure to Fulfill API Contract ('API Abuse')" }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure 
to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Failure to Change Working Directory in chroot Jail', + }, + { + id: 'CWE-244', + name: "Failure to Clear Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { 
id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Improper Access Control (Authorization)' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' 
}, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance 
of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Failure to Add Integrity Check Value' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { id: 'CWE-362', name: 'Race Condition' }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path 
Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Failure to Report Error in Status Code' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Failure to Release Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper 
Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Failure to Protect Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 
'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Unsafe Function Call from a Signal Handler' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 
'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use 
of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Leak Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + 
}, + { + id: 'CWE-544', + name: 'Failure to Use a Standardized Error Handling Mechanism', + }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { id: 'CWE-567', name: 'Unsynchronized Access to Shared Data' }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', 
name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of 
Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Failure to Catch All Exceptions in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Leak Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { 
id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { id: 'CWE-637', name: 'Failure to Use Economy of Mechanism' }, + { id: 'CWE-638', name: 'Failure to Use Complete Mediation' }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 
'Information Exposure through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Multithreaded Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Insufficient Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Failure to Provide 
Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Failure to Handle Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { id: 'CWE-703', name: 'Failure to Handle Exceptional Conditions' }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, 
+ { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or 
Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only 
Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used 
in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Failure to Control Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.11.js b/lib/cwec/1.11.js new file mode 100644 index 0000000..2abe84c --- /dev/null +++ b/lib/cwec/1.11.js 
@@ -0,0 +1,1259 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, 
+ { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of 
Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 
'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', 
name: 'Process Environment Information Leak' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { id: 'CWE-227', name: "Failure to Fulfill API Contract ('API Abuse')" }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', 
+ }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', 
name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Improper Access Control (Authorization)' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 
'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance 
of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation 
of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of 
Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 
'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 
'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use 
of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Leak Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + 
}, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { 
id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 
'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Leak Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { 
id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the 
Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 
'CWE-684', name: 'Failure to Provide Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in 
Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 
'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a 
Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated 
with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Failure to Control Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.12.js b/lib/cwec/1.12.js new file mode 100644 index 0000000..69e2583 --- /dev/null +++ b/lib/cwec/1.12.js 
@@ -0,0 +1,1288 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, 
+ { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of 
Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 
'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through External Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { 
id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of 
Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', 
name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 
'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance 
of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation 
of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: 'Exposure of File Descriptor to Unintended Control Sphere', + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 
'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 
'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 
'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: 
'.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Exposure Through Cleanup Log Files' }, + { + id: 
'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() 
Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are 
Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Exposure Through XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling 
Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity 
Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 
'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization 
Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + 
}, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete 
Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 
'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 
'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.13.js b/lib/cwec/1.13.js new file mode 100644 index 0000000..29cbbb2 --- /dev/null +++ b/lib/cwec/1.13.js 
@@ -0,0 +1,1294 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, 
+ { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of 
Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 
'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through External Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { 
id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of 
Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', 
name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 
'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance 
of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation 
of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: 'Exposure of File Descriptor to Unintended Control Sphere', + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 
'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 
'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 
'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: 
'.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Exposure Through Cleanup Log Files' }, + { + id: 
'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() 
Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are 
Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Exposure Through XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling 
Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity 
Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 
'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization 
Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + 
}, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete 
Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 
'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', 
+ }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.2.js b/lib/cwec/1.2.js new file mode 100644 index 0000000..7cf468b --- /dev/null +++ b/lib/cwec/1.2.js 
@@ -0,0 +1,1044 @@ +export default { + weaknesses: [ + { id: 'CWE-100', name: 'Technology-Specific Input Validation Problems' }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Incorrect Output Sanitization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource (aka 'Range Error')", + }, + { + id: 'CWE-119', + name: 'Failure to Constrain Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Handling', + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-124', + name: "Boundary Beginning Violation ('Buffer Underwrite')", + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 
'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Unchecked Array Indexing' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { id: 'CWE-130', name: 'Failure to Handle Length Parameter Inconsistency' }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Failure to Sanitize Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Failure to Sanitize Delimiters' }, + { + id: 'CWE-141', + name: 'Failure to Sanitize Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Failure to Sanitize Value Delimiters' }, + { id: 'CWE-143', name: 'Failure to Sanitize Record Delimiters' }, + { id: 'CWE-144', name: 'Failure to Sanitize Line Delimiters' }, + { id: 'CWE-145', name: 'Failure to Sanitize Section Delimiters' }, + { + id: 'CWE-146', + name: 'Failure to Sanitize Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Failure to Sanitize Input Terminators' }, + { id: 'CWE-148', name: 'Failure to Sanitize Input Leaders' }, + { id: 'CWE-149', name: 'Failure to Sanitize Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Failure to Sanitize Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Failure to Sanitize Comment Element' }, + { id: 'CWE-152', name: 'Failure to Sanitize Macro Symbol' }, + { id: 'CWE-153', name: 'Failure to Sanitize Substitution Character' }, + { id: 'CWE-154', name: 'Failure to Sanitize Variable Name Delimiter' }, + { id: 'CWE-155', name: 'Failure to Sanitize Wildcard or Matching Symbol' }, + { id: 'CWE-156', name: 'Failure to Sanitize 
Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { id: 'CWE-158', name: 'Failure to Sanitize Null Byte or NUL Character' }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { id: 'CWE-160', name: 'Failure to Sanitize Leading Special Element' }, + { + id: 'CWE-161', + name: 'Failure to Sanitize Multiple Leading Special Elements', + }, + { id: 'CWE-162', name: 'Failure to Sanitize Trailing Special Element' }, + { + id: 'CWE-163', + name: 'Failure to Sanitize Multiple Trailing Special Elements', + }, + { id: 'CWE-164', name: 'Failure to Sanitize Internal Special Element' }, + { + id: 'CWE-165', + name: 'Failure to Sanitize Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Failure to Handle Missing Special Element' }, + { id: 'CWE-167', name: 'Failure to Handle Additional Special Element' }, + { id: 'CWE-168', name: 'Failure to Resolve Inconsistent Special Elements' }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Failure to Handle Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Failure to Handle Mixed Encoding' }, + { id: 'CWE-176', name: 'Failure to Handle Unicode Encoding' }, + { id: 'CWE-177', name: 'Failure to Handle URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Failure to Resolve Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data Into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 
'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Leak (Information Disclosure)' }, + { id: 'CWE-201', name: 'Information Leak Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Discrepancy Information Leaks' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Leak' }, + { id: 'CWE-205', name: 'Behavioral Discrepancy Information Leak' }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'External Behavioral Inconsistency Information Leak', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Error Message Information Leak' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { id: 'CWE-212', name: 'Cross-boundary Cleansing Information Leak' }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', name: 'Process Environment Information Leak' }, + { id: 'CWE-215', name: 'Information Leak Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { id: 'CWE-217', name: 'Failure to Protect Stored Data from Modification' }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide 
confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { id: 'CWE-22', name: 'Path Traversal' }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Failure to Fulfill API Contract (aka 'API Abuse')", + }, + { + id: 'CWE-228', + name: 'Failure to Handle Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Failure to Handle Missing Value' }, + { id: 'CWE-231', name: 'Failure to Handle Extra Value' }, + { id: 'CWE-232', name: 'Failure to Handle Undefined Value' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Failure to Handle Extra Parameter' }, + { id: 'CWE-236', name: 'Failure to Handle Undefined Parameter' }, + { id: 'CWE-237', name: 'Element Problems' }, + { id: 'CWE-238', name: 'Failure to Handle Missing Element' }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { id: 'CWE-240', name: 'Failure to Resolve Inconsistent Elements' }, + { id: 'CWE-241', name: 'Failure to Handle Wrong Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Failure to Change Working Directory in chroot Jail', + }, + { + id: 'CWE-244', + name: "Failure to Clear Heap Memory Before Release 
(aka 'Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Misinterpreted Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Hard-Coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Insecure Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { + id: 'CWE-273', + name: 'Failure to Check Whether Privileges Were Dropped Successfully', + }, + { id: 'CWE-274', name: 'Failure to Handle Insufficient Privileges' }, + { id: 'CWE-276', name: 'Insecure Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 
'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Insecure Execution-assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Failure to Handle Insufficient Permissions or Privileges', + }, + { id: 'CWE-281', name: 'Permission Preservation Failure' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Improper Access Control (Authorization)' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Failure to Follow Chain of Trust in Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Failure to Validate Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Failure to Validate Certificate Expiration' }, + { id: 'CWE-299', name: 'Failure to Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Improper Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 
'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'No Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Failure to Restrict Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Failure to Encrypt Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Weak Encryption' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { id: 'CWE-333', name: 'Failure to Handle Insufficient Entropy in TRNG' }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improperly Verified Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Failure to Add Integrity Check Value' }, + { id: 'CWE-354', name: 'Failure to Check Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute 
Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { id: 'CWE-362', name: 'Race Condition' }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Race Condition in Checking for Certificate Revocation', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'State Synchronization Error' }, + { id: 'CWE-374', name: 'Mutable Objects Passed by Reference' }, + { id: 'CWE-375', name: 'Passing Mutable Objects to an Untrusted Method' }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Failure to Report Error in Status Code' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use 
of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption (aka 'Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere (aka 'Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Failure to Handle Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Failure to Resolve Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Lock on Critical Resource' }, + { id: 'CWE-413', name: 'Insufficient Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' 
(Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Failure to Protect Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests (aka 'HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 
'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { id: 'CWE-454', name: 'External Initialization of Trusted Variables' }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Failure to Use Default Case in Switch' }, + { id: 'CWE-479', name: 'Unsafe Function Call from a Signal Handler' }, + { + id: 'CWE-48', + name: 
"Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final (aka 'Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { id: 'CWE-497', name: 'Information Leak of System Data' }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code 
(Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { id: 'CWE-527', name: 'Information Leak Through CVS Repository' }, + { id: 'CWE-528', name: 'Information Leak Through Core Dump Files' }, + { + id: 'CWE-529', + name: 'Information Leak Through Access Control List Files', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { id: 'CWE-530', name: 'Information Leak Through Backup (.~bk) Files' }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Leaks' }, + { id: 'CWE-539', name: 'Information Leak Through Persistent 
Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern in a Non-thread-safe Manner', + }, + { id: 'CWE-544', name: 'Missing Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { id: 'CWE-565', name: 'Use of Cookies in Security Decision' }, 
+ { + id: 'CWE-566', + name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { id: 'CWE-567', name: 'Unsynchronized Access to Shared Data' }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Failure to Resolve Links Before File Access (aka 'Link Following')", + }, + { id: 'CWE-590', name: 'Free of Invalid Pointer Not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage 
in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { id: 'CWE-595', name: 'Incorrect Syntactic Object Comparison' }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { + id: 'CWE-600', + name: 'Failure to Catch All Exceptions (Missing Catch Block)', + }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site (aka 'Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: 'Sensitive Cookie in HTTPS Session Without "Secure" Attribute', + }, + { id: 'CWE-615', name: 'Information Leak Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete 
Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { + id: 'CWE-619', + name: "Dangling Database Cursor (aka 'Cursor Injection')", + }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely (aka 'Failing Open')" }, + { id: 'CWE-637', name: 'Failure to Use Economy of Mechanism' }, + { id: 'CWE-638', name: 'Failure to Use Complete Mediation' }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Insufficient Filtering of File and Other Resource Names for Executable Content', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')", + }, + { + id: 'CWE-644', + name: 'Insufficient Sanitization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization 
Decisions', + }, + { id: 'CWE-648', name: 'Improper Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Leak through WSDL File' }, + { + id: 'CWE-652', + name: "Failure to Sanitize Data within XQuery Expressions (aka 'XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Failure to Satisfy Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Failure to Handle File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Insufficient Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in an Unsynchronized Context', + }, + { + id: 'CWE-664', + name: 'Insufficient Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Insufficient Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Failure to Handle Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { id: 'CWE-672', name: 'Use of a Resource after Expiration or Release' }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', 
name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Failure to Provide Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Failure to Handle Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Error Handling' }, + { id: 'CWE-703', name: 'Failure to Handle Exceptional Conditions' }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Failure to Enforce that Messages or Data are Well-Formed', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Failure to Handle Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control 
of File Name or Path' }, + { + id: 'CWE-732', + name: 'Insecure Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Failure to Sanitize Data into a Different Plane (aka 'Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-76', + name: 'Failure to Resolve Equivalent Special Elements into a Different Plane', + }, + { + id: 'CWE-77', + name: "Failure to Sanitize Data into a Control Plane (aka 'Command Injection')", + }, + { + id: 'CWE-78', + name: "Failure to Preserve OS Command Structure (aka 'OS Command Injection')", + }, + { + id: 'CWE-79', + name: "Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')", + }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { + id: 'CWE-81', + name: 'Failure to Sanitize Directives in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Failure to Sanitize Script in Attributes of IMG Tags in a Web Page', + }, + { + id: 'CWE-83', + name: 'Failure to Sanitize Script in Attributes in a Web Page', + }, + { + id: 'CWE-84', + name: 'Failure to Resolve Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Failure to Sanitize Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Failure to Sanitize Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Failure to Preserve SQL Query Structure (aka 'SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', 
+ }, + { + id: 'CWE-90', + name: "Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'Insufficient Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: "Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Failure to Control Generation of Code (aka 'Code Injection')", + }, + { + id: 'CWE-95', + name: "Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection')", + }, + { + id: 'CWE-96', + name: 'Insufficient Control of Directives in Statically Saved Code (Static Code Injection)', + }, + { + id: 'CWE-97', + name: 'Failure to Sanitize Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-99', + name: "Insufficient Control of Resource Identifiers (aka 'Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.3.js b/lib/cwec/1.3.js new file mode 100644 index 0000000..651fc34 --- /dev/null +++ b/lib/cwec/1.3.js 
@@ -0,0 +1,1072 @@ +export default { + weaknesses: [ + { id: 'CWE-100', name: 'Technology-Specific Input Validation Problems' }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Incorrect Output Sanitization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource (aka 'Range Error')", + }, + { + id: 'CWE-119', + name: 'Failure to Constrain Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-124', + name: "Boundary Beginning Violation ('Buffer Underwrite')", + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 
'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Unchecked Array Indexing' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Sanitization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Failure to Sanitize Delimiters' }, + { + id: 'CWE-141', + name: 'Failure to Sanitize Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Failure to Sanitize Value Delimiters' }, + { id: 'CWE-143', name: 'Failure to Sanitize Record Delimiters' }, + { id: 'CWE-144', name: 'Failure to Sanitize Line Delimiters' }, + { id: 'CWE-145', name: 'Failure to Sanitize Section Delimiters' }, + { + id: 'CWE-146', + name: 'Failure to Sanitize Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Sanitization of Input Terminators' }, + { id: 'CWE-148', name: 'Failure to Sanitize Input Leaders' }, + { id: 'CWE-149', name: 'Failure to Sanitize Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Failure to Sanitize Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Sanitization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Sanitization of Macro Symbols' }, + { id: 'CWE-153', name: 'Improper Sanitization of Substitution Characters' }, + { + id: 'CWE-154', + name: 'Improper Sanitization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Sanitization of Wildcards or Matching 
Symbols', + }, + { id: 'CWE-156', name: 'Improper Sanitization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { id: 'CWE-158', name: 'Failure to Sanitize Null Byte or NUL Character' }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { id: 'CWE-160', name: 'Failure to Sanitize Leading Special Element' }, + { + id: 'CWE-161', + name: 'Failure to Sanitize Multiple Leading Special Elements', + }, + { id: 'CWE-162', name: 'Failure to Sanitize Trailing Special Element' }, + { + id: 'CWE-163', + name: 'Failure to Sanitize Multiple Trailing Special Elements', + }, + { id: 'CWE-164', name: 'Failure to Sanitize Internal Special Element' }, + { + id: 'CWE-165', + name: 'Failure to Sanitize Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Failure to Handle Missing Special Element' }, + { id: 'CWE-167', name: 'Failure to Handle Additional Special Element' }, + { id: 'CWE-168', name: 'Failure to Resolve Inconsistent Special Elements' }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Failure to Handle Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Failure to Handle Mixed Encoding' }, + { id: 'CWE-176', name: 'Failure to Handle Unicode Encoding' }, + { id: 'CWE-177', name: 'Failure to Handle URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Failure to Resolve Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data Into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 
'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Leak (Information Disclosure)' }, + { id: 'CWE-201', name: 'Information Leak Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Discrepancy Information Leaks' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Leak' }, + { id: 'CWE-205', name: 'Behavioral Discrepancy Information Leak' }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'External Behavioral Inconsistency Information Leak', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Error Message Information Leak' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { id: 'CWE-212', name: 'Cross-boundary Cleansing Information Leak' }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', name: 'Process Environment Information Leak' }, + { id: 'CWE-215', name: 'Information Leak Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { id: 'CWE-217', name: 'Failure to Protect Stored Data from Modification' }, + { + id: 
'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { id: 'CWE-22', name: 'Path Traversal' }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Failure to Fulfill API Contract (aka 'API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, 
+ { + id: 'CWE-243', + name: 'Failure to Change Working Directory in chroot Jail', + }, + { + id: 'CWE-244', + name: "Failure to Clear Heap Memory Before Release (aka 'Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Hard-Coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Insecure Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { + id: 'CWE-273', + name: 'Improper Check for Successfully Dropped Privileges', + }, + { id: 'CWE-274', name: 'Failure to Handle Insufficient 
Privileges' }, + { id: 'CWE-276', name: 'Insecure Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Insecure Execution-assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Permission Preservation Failure' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Improper Access Control (Authorization)' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable 
Data' }, + { + id: 'CWE-303', + name: 'Improper Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'No Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Failure to Restrict Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Failure to Encrypt Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Weak Encryption' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { id: 'CWE-333', name: 'Failure to Handle Insufficient Entropy in TRNG' }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improperly Verified Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Failure to Add Integrity Check Value' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 
'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { id: 'CWE-362', name: 'Race Condition' }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Race Condition in Checking for Certificate Revocation', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'State Synchronization Error' }, + { id: 'CWE-374', name: 'Mutable Objects Passed by Reference' }, + { id: 'CWE-375', name: 'Passing Mutable Objects to an Untrusted Method' }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Failure to Report Error in Status Code' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + 
name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption (aka 'Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere (aka 'Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Failure to Handle Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Failure to Resolve Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Lock on Critical Resource' }, + { id: 'CWE-413', name: 'Insufficient Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' 
(Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Failure to Protect Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests (aka 'HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 
'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { id: 'CWE-454', name: 'External Initialization of Trusted Variables' }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Failure to Use Default Case in Switch' }, + { id: 'CWE-479', name: 'Unsafe Function Call from a Signal Handler' }, + { + id: 'CWE-48', + name: 
"Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final (aka 'Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { id: 'CWE-497', name: 'Information Leak of System Data' }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code 
(Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { id: 'CWE-527', name: 'Information Leak Through CVS Repository' }, + { id: 'CWE-528', name: 'Information Leak Through Core Dump Files' }, + { + id: 'CWE-529', + name: 'Information Leak Through Access Control List Files', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { id: 'CWE-530', name: 'Information Leak Through Backup (.~bk) Files' }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Leaks' }, + { id: 'CWE-539', name: 'Information Leak Through Persistent 
Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern in a Non-thread-safe Manner', + }, + { + id: 'CWE-544', + name: 'Failure to Use a Standardized Error Handling Mechanism', + }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { id: 'CWE-565', name: 'Use of 
Cookies in Security Decision' }, + { + id: 'CWE-566', + name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { id: 'CWE-567', name: 'Unsynchronized Access to Shared Data' }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Failure to Resolve Links Before File Access (aka 'Link Following')", + }, + { id: 'CWE-590', name: 'Free of Invalid Pointer Not on the Heap' }, + { + id: 
'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { id: 'CWE-595', name: 'Incorrect Syntactic Object Comparison' }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Failure to Catch All Exceptions in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site (aka 'Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Leak Through Comments' }, + { + id: 'CWE-616', + 
name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { + id: 'CWE-619', + name: "Dangling Database Cursor (aka 'Cursor Injection')", + }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely (aka 'Failing Open')" }, + { id: 'CWE-637', name: 'Failure to Use Economy of Mechanism' }, + { id: 'CWE-638', name: 'Failure to Use Complete Mediation' }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Insufficient Filtering of File and Other Resource Names for Executable Content', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')", + }, + { + id: 'CWE-644', + name: 'Insufficient Sanitization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths 
for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Improper Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Leak through WSDL File' }, + { + id: 'CWE-652', + name: "Failure to Sanitize Data within XQuery Expressions (aka 'XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Failure to Satisfy Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Insufficient Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in an Unsynchronized Context', + }, + { + id: 'CWE-664', + name: 'Insufficient Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Insufficient Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { id: 'CWE-672', name: 'Use of a Resource after Expiration or Release' }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' 
}, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Failure to Provide Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Failure to Handle Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { id: 'CWE-703', name: 'Failure to Handle Exceptional Conditions' }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Failure to Enforce that Messages or Data are Well-Formed', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Failure to Handle Apple HFS+ Alternate Data Stream Path', + }, + { id: 
'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Insecure Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Failure to Sanitize Data into a Different Plane (aka 'Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { id: 'CWE-754', name: 'Improper Check for Exceptional Conditions' }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Failure to Resolve Equivalent Special Elements into a Different Plane', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { + id: 'CWE-77', + name: "Failure to Sanitize Data into a Control Plane (aka 'Command Injection')", + }, + { + id: 'CWE-78', + name: "Failure to Preserve OS Command Structure (aka 'OS Command Injection')", + }, + { + id: 'CWE-79', + name: "Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')", + }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { + id: 'CWE-81', + name: 'Failure to Sanitize Directives in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Failure to Sanitize Script in Attributes of IMG Tags in a Web Page', + }, + { + id: 'CWE-83', + name: 'Failure to Sanitize Script in Attributes 
in a Web Page', + }, + { + id: 'CWE-84', + name: 'Failure to Resolve Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Failure to Sanitize Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Failure to Sanitize Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Failure to Preserve SQL Query Structure (aka 'SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'Insufficient Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: "Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Failure to Control Generation of Code (aka 'Code Injection')", + }, + { + id: 'CWE-95', + name: "Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection')", + }, + { + id: 'CWE-96', + name: 'Insufficient Control of Directives in Statically Saved Code (Static Code Injection)', + }, + { + id: 'CWE-97', + name: 'Failure to Sanitize Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-99', + name: "Insufficient Control of Resource Identifiers (aka 'Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.4.js b/lib/cwec/1.4.js new file mode 100644 index 0000000..4049d64 --- /dev/null +++ b/lib/cwec/1.4.js 
@@ -0,0 +1,1113 @@ +export default { + weaknesses: [ + { id: 'CWE-100', name: 'Technology-Specific Input Validation Problems' }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Sanitization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Failure to Constrain Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-124', + name: "Boundary Beginning Violation ('Buffer Underwrite')", + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 
'Wrap-around Error' }, + { id: 'CWE-129', name: 'Unchecked Array Indexing' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Sanitization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Failure to Sanitize Delimiters' }, + { + id: 'CWE-141', + name: 'Failure to Sanitize Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Failure to Sanitize Value Delimiters' }, + { id: 'CWE-143', name: 'Failure to Sanitize Record Delimiters' }, + { id: 'CWE-144', name: 'Failure to Sanitize Line Delimiters' }, + { id: 'CWE-145', name: 'Failure to Sanitize Section Delimiters' }, + { + id: 'CWE-146', + name: 'Failure to Sanitize Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Sanitization of Input Terminators' }, + { id: 'CWE-148', name: 'Failure to Sanitize Input Leaders' }, + { id: 'CWE-149', name: 'Failure to Sanitize Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Failure to Sanitize Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Sanitization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Sanitization of Macro Symbols' }, + { id: 'CWE-153', name: 'Improper Sanitization of Substitution Characters' }, + { + id: 'CWE-154', + name: 'Improper Sanitization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Sanitization of Wildcards or Matching Symbols', + }, + { 
id: 'CWE-156', name: 'Improper Sanitization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { id: 'CWE-158', name: 'Failure to Sanitize Null Byte or NUL Character' }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Sanitization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Sanitization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Sanitization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Sanitization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Sanitization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Sanitization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { id: 'CWE-168', name: 'Failure to Resolve Inconsistent Special Elements' }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Failure to Handle Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Failure to Handle Mixed Encoding' }, + { id: 'CWE-176', name: 'Failure to Handle Unicode Encoding' }, + { id: 'CWE-177', name: 'Failure to Handle URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Failure to Resolve Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data Into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 
'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Leak (Information Disclosure)' }, + { id: 'CWE-201', name: 'Information Leak Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Discrepancy Information Leaks' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Leak' }, + { id: 'CWE-205', name: 'Behavioral Discrepancy Information Leak' }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'External Behavioral Inconsistency Information Leak', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Error Message Information Leak' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { id: 'CWE-212', name: 'Cross-boundary Cleansing Information Leak' }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', name: 'Process Environment Information Leak' }, + { id: 'CWE-215', name: 'Information Leak Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to 
Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { id: 'CWE-22', name: 'Path Traversal' }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { id: 'CWE-227', name: "Failure to Fulfill API Contract ('API Abuse')" }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', 
name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Failure to Change Working Directory in chroot Jail', + }, + { + id: 'CWE-244', + name: "Failure to Clear Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Hard-Coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper 
Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Improper Access Control (Authorization)' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication 
Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'No Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Failure to Restrict Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Failure to Encrypt Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Weak Encryption' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Failure to Add Integrity Check Value' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + 
{ id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { id: 'CWE-362', name: 'Race Condition' }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'State Synchronization Error' }, + { id: 'CWE-374', name: 'Mutable Objects Passed by Reference' }, + { id: 'CWE-375', name: 'Passing Mutable Objects to an Untrusted Method' }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Failure to Report Error in Status Code' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return 
Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Failure to Release Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Lock on Critical Resource' }, + { id: 'CWE-413', name: 'Insufficient Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' 
(Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Failure to Protect Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 
'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { id: 'CWE-454', name: 'External Initialization of Trusted Variables' }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Unsafe Function Call from a Signal Handler' }, + { + id: 'CWE-48', + name: 
"Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { id: 'CWE-497', name: 'Information Leak of System Data' }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code 
(Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { id: 'CWE-527', name: 'Information Leak Through CVS Repository' }, + { id: 'CWE-528', name: 'Information Leak Through Core Dump Files' }, + { + id: 'CWE-529', + name: 'Information Leak Through Access Control List Files', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { id: 'CWE-530', name: 'Information Leak Through Backup (.~bk) Files' }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Leaks' }, + { id: 'CWE-539', name: 'Information Leak Through Persistent 
Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern in a Non-thread-safe Manner', + }, + { + id: 'CWE-544', + name: 'Failure to Use a Standardized Error Handling Mechanism', + }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { id: 'CWE-565', name: 'Use of 
Cookies in Security Decision' }, + { + id: 'CWE-566', + name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { id: 'CWE-567', name: 'Unsynchronized Access to Shared Data' }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 
'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Failure to Catch All Exceptions in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Leak Through Comments' }, + { + id: 
'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { id: 'CWE-637', name: 'Failure to Use Economy of Mechanism' }, + { id: 'CWE-638', name: 'Failure to Use Complete Mediation' }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Insufficient Filtering of File and Other Resource Names for Executable Content', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Failure to Sanitize Data within XPath Expressions ('XPath injection')", + }, + { + id: 'CWE-644', + name: 'Improper Sanitization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for 
Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Leak through WSDL File' }, + { + id: 'CWE-652', + name: "Failure to Sanitize Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Insufficient Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in an Unsynchronized Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Insufficient Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { id: 'CWE-672', name: 'Use of a Resource after Expiration or Release' }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 
'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Failure to Provide Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Failure to Handle Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { id: 'CWE-703', name: 'Failure to Handle Exceptional Conditions' }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 
'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Failure to Sanitize Data into a Different Plane ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { id: 'CWE-754', name: 'Improper Check for Exceptional Conditions' }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Failure to Resolve Equivalent Special Elements into a Different Plane', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Failure to Sanitize Data into a Control Plane ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing 
Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-78', + name: "Failure to Preserve OS Command Structure ('OS Command Injection')", + }, + { + id: 'CWE-79', + name: "Failure to Preserve Web Page Structure ('Cross-site Scripting')", + }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { + id: 'CWE-81', + name: 'Improper Sanitization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Sanitization of Script in Attributes of IMG Tags in a Web Page', + }, + { + id: 'CWE-83', + name: 'Failure to Sanitize Script in Attributes in a Web Page', + }, + { + id: 'CWE-84', + name: 'Failure to Resolve Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Failure to Sanitize Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Failure to Sanitize Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Failure to Preserve SQL Query Structure ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Failure to Sanitize Data into LDAP Queries ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'Improper Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: 
"Failure to Sanitize CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Failure to Control Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Failure to Sanitize Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.5.js b/lib/cwec/1.5.js new file mode 100644 index 0000000..7884fa3 --- /dev/null +++ b/lib/cwec/1.5.js 
@@ -0,0 +1,1138 @@ +export default { + weaknesses: [ + { id: 'CWE-100', name: 'Technology-Specific Input Validation Problems' }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Sanitization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Failure to Constrain Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-124', + name: "Boundary Beginning Violation ('Buffer Underwrite')", + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 
'Wrap-around Error' }, + { id: 'CWE-129', name: 'Unchecked Array Indexing' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Sanitization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Failure to Sanitize Delimiters' }, + { + id: 'CWE-141', + name: 'Failure to Sanitize Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Failure to Sanitize Value Delimiters' }, + { id: 'CWE-143', name: 'Failure to Sanitize Record Delimiters' }, + { id: 'CWE-144', name: 'Failure to Sanitize Line Delimiters' }, + { id: 'CWE-145', name: 'Failure to Sanitize Section Delimiters' }, + { + id: 'CWE-146', + name: 'Failure to Sanitize Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Sanitization of Input Terminators' }, + { id: 'CWE-148', name: 'Failure to Sanitize Input Leaders' }, + { id: 'CWE-149', name: 'Failure to Sanitize Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Failure to Sanitize Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Sanitization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Sanitization of Macro Symbols' }, + { id: 'CWE-153', name: 'Improper Sanitization of Substitution Characters' }, + { + id: 'CWE-154', + name: 'Improper Sanitization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Sanitization of Wildcards or Matching Symbols', + }, + { 
id: 'CWE-156', name: 'Improper Sanitization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { id: 'CWE-158', name: 'Failure to Sanitize Null Byte or NUL Character' }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Sanitization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Sanitization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Sanitization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Sanitization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Sanitization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Sanitization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { id: 'CWE-168', name: 'Failure to Resolve Inconsistent Special Elements' }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Failure to Handle Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Failure to Handle Mixed Encoding' }, + { id: 'CWE-176', name: 'Failure to Handle Unicode Encoding' }, + { id: 'CWE-177', name: 'Failure to Handle URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Failure to Resolve Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data Into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 
'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Leak (Information Disclosure)' }, + { id: 'CWE-201', name: 'Information Leak Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Discrepancy Information Leaks' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Leak' }, + { id: 'CWE-205', name: 'Behavioral Discrepancy Information Leak' }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'External Behavioral Inconsistency Information Leak', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Error Message Information Leak' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { id: 'CWE-212', name: 'Cross-boundary Cleansing Information Leak' }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', name: 'Process Environment Information Leak' }, + { id: 'CWE-215', name: 'Information Leak Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to 
Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { id: 'CWE-22', name: 'Path Traversal' }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { id: 'CWE-227', name: "Failure to Fulfill API Contract ('API Abuse')" }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', 
name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Failure to Change Working Directory in chroot Jail', + }, + { + id: 'CWE-244', + name: "Failure to Clear Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Hard-Coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 
'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Improper Access Control (Authorization)' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 
'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'No Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Failure to Restrict Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Failure to Encrypt Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Failure to Add Integrity Check Value' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + 
{ id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { id: 'CWE-362', name: 'Race Condition' }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'State Synchronization Error' }, + { id: 'CWE-374', name: 'Mutable Objects Passed by Reference' }, + { id: 'CWE-375', name: 'Passing Mutable Objects to an Untrusted Method' }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Failure to Report Error in Status Code' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return 
Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Failure to Release Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Insufficient Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' 
(Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Failure to Protect Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 
'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { id: 'CWE-454', name: 'External Initialization of Trusted Variables' }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Unsafe Function Call from a Signal Handler' }, + { + id: 'CWE-48', + name: 
"Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { id: 'CWE-497', name: 'Information Leak of System Data' }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code 
(Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { id: 'CWE-527', name: 'Information Leak Through CVS Repository' }, + { id: 'CWE-528', name: 'Information Leak Through Core Dump Files' }, + { + id: 'CWE-529', + name: 'Information Leak Through Access Control List Files', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { id: 'CWE-530', name: 'Information Leak Through Backup (.~bk) Files' }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Leaks' }, + { id: 'CWE-539', name: 'Information Leak Through Persistent 
Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern in a Non-thread-safe Manner', + }, + { + id: 'CWE-544', + name: 'Failure to Use a Standardized Error Handling Mechanism', + }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 
'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { id: 'CWE-567', name: 'Unsynchronized Access to Shared Data' }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the 
Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Failure to Catch All Exceptions in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Leak 
Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { id: 'CWE-637', name: 'Failure to Use Economy of Mechanism' }, + { id: 'CWE-638', name: 'Failure to Use Complete Mediation' }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Insufficient Filtering of File and Other Resource Names for Executable Content', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Failure to Sanitize Data within XPath Expressions ('XPath injection')", + }, + { + id: 'CWE-644', + name: 'Improper Sanitization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of 
Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Leak through WSDL File' }, + { + id: 'CWE-652', + name: "Failure to Sanitize Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Insufficient Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in an Unsynchronized Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Insufficient Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { id: 'CWE-672', name: 'Use of a Resource after Expiration or Release' }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled 
Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Failure to Provide Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Failure to Handle Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { id: 'CWE-703', name: 'Failure to Handle Exceptional Conditions' }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 
'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Failure to Sanitize Data into a Different Plane ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { id: 'CWE-754', name: 'Improper Check for Exceptional Conditions' }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Failure to Resolve Equivalent Special Elements into a Different Plane', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Sanitization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { 
id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { + id: 'CWE-79', + name: "Failure to Preserve Web Page Structure ('Cross-site Scripting')", + }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { + id: 'CWE-81', + name: 'Improper Sanitization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Sanitization of Script in Attributes of IMG Tags in a Web Page', + }, + { + id: 'CWE-83', + name: 'Failure to Sanitize Script in Attributes in a Web Page', + }, + { + id: 
'CWE-84', + name: 'Failure to Resolve Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Failure to Sanitize Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Failure to Sanitize Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Failure to Sanitize Data into LDAP Queries ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: "Failure to Sanitize CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Failure to Control Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Failure to Sanitize Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.6.js b/lib/cwec/1.6.js new file mode 100644 index 0000000..5107ae4 --- /dev/null +++ b/lib/cwec/1.6.js 
@@ -0,0 +1,1138 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Sanitization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Failure to Constrain Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + 
id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Sanitization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Failure to Sanitize Delimiters' }, + { + id: 'CWE-141', + name: 'Failure to Sanitize Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Failure to Sanitize Value Delimiters' }, + { id: 'CWE-143', name: 'Failure to Sanitize Record Delimiters' }, + { id: 'CWE-144', name: 'Failure to Sanitize Line Delimiters' }, + { id: 'CWE-145', name: 'Failure to Sanitize Section Delimiters' }, + { + id: 'CWE-146', + name: 'Failure to Sanitize Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Sanitization of Input Terminators' }, + { id: 'CWE-148', name: 'Failure to Sanitize Input Leaders' }, + { id: 'CWE-149', name: 'Failure to Sanitize Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Failure to Sanitize Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Sanitization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Sanitization of Macro Symbols' }, + { id: 'CWE-153', name: 'Improper Sanitization of Substitution Characters' }, + { + id: 'CWE-154', + name: 'Improper Sanitization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Sanitization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Sanitization of Whitespace' }, + { id: 'CWE-157', 
name: 'Failure to Sanitize Paired Delimiters' }, + { id: 'CWE-158', name: 'Failure to Sanitize Null Byte or NUL Character' }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Sanitization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Sanitization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Sanitization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Sanitization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Sanitization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Sanitization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { id: 'CWE-168', name: 'Failure to Resolve Inconsistent Special Elements' }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Failure to Handle Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Failure to Handle Mixed Encoding' }, + { id: 'CWE-176', name: 'Failure to Handle Unicode Encoding' }, + { id: 'CWE-177', name: 'Failure to Handle URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Failure to Resolve Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data Into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive 
Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Leak (Information Disclosure)' }, + { id: 'CWE-201', name: 'Information Leak Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Discrepancy Information Leaks' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Leak' }, + { id: 'CWE-205', name: 'Behavioral Discrepancy Information Leak' }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'External Behavioral Inconsistency Information Leak', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Error Message Information Leak' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { id: 'CWE-212', name: 'Cross-boundary Cleansing Information Leak' }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', name: 'Process Environment Information Leak' }, + { id: 'CWE-215', name: 'Information Leak Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 
'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { id: 'CWE-22', name: 'Path Traversal' }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { id: 'CWE-227', name: "Failure to Fulfill API Contract ('API Abuse')" }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 
'Failure to Change Working Directory in chroot Jail', + }, + { + id: 'CWE-244', + name: "Failure to Clear Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Hard-Coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 
'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Improper Access Control (Authorization)' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 
'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'No Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Failure to Restrict Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Failure to Encrypt Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Failure to Add Integrity Check Value' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + 
{ id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { id: 'CWE-362', name: 'Race Condition' }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'State Synchronization Error' }, + { id: 'CWE-374', name: 'Mutable Objects Passed by Reference' }, + { id: 'CWE-375', name: 'Passing Mutable Objects to an Untrusted Method' }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Failure to Report Error in Status Code' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return 
Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Failure to Release Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Insufficient Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' 
(Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Failure to Protect Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 
'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { id: 'CWE-454', name: 'External Initialization of Trusted Variables' }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Unsafe Function Call from a Signal Handler' }, + { + id: 'CWE-48', + name: 
"Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { id: 'CWE-497', name: 'Information Leak of System Data' }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code 
(Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { id: 'CWE-527', name: 'Information Leak Through CVS Repository' }, + { id: 'CWE-528', name: 'Information Leak Through Core Dump Files' }, + { + id: 'CWE-529', + name: 'Information Leak Through Access Control List Files', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { id: 'CWE-530', name: 'Information Leak Through Backup (.~bk) Files' }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Leaks' }, + { id: 'CWE-539', name: 'Information Leak Through Persistent 
Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern in a Non-thread-safe Manner', + }, + { + id: 'CWE-544', + name: 'Failure to Use a Standardized Error Handling Mechanism', + }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 
'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { id: 'CWE-567', name: 'Unsynchronized Access to Shared Data' }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the 
Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Failure to Catch All Exceptions in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Leak 
Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { id: 'CWE-637', name: 'Failure to Use Economy of Mechanism' }, + { id: 'CWE-638', name: 'Failure to Use Complete Mediation' }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Insufficient Filtering of File and Other Resource Names for Executable Content', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Failure to Sanitize Data within XPath Expressions ('XPath injection')", + }, + { + id: 'CWE-644', + name: 'Improper Sanitization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of 
Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Leak through WSDL File' }, + { + id: 'CWE-652', + name: "Failure to Sanitize Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Insufficient Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in an Unsynchronized Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Insufficient Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { id: 'CWE-672', name: 'Use of a Resource after Expiration or Release' }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled 
Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Failure to Provide Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Failure to Handle Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { id: 'CWE-703', name: 'Failure to Handle Exceptional Conditions' }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 
'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Failure to Sanitize Data into a Different Plane ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { id: 'CWE-754', name: 'Improper Check for Exceptional Conditions' }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Failure to Resolve Equivalent Special Elements into a Different Plane', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Sanitization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { 
id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Failure to Preserve Web Page Structure ('Cross-site Scripting')", + }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { + id: 'CWE-81', + name: 'Improper 
Sanitization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Sanitization of Script in Attributes of IMG Tags in a Web Page', + }, + { + id: 'CWE-83', + name: 'Failure to Sanitize Script in Attributes in a Web Page', + }, + { + id: 'CWE-84', + name: 'Failure to Resolve Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Failure to Sanitize Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Failure to Sanitize Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Failure to Sanitize Data into LDAP Queries ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: "Failure to Sanitize CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Failure to Control Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Failure to Sanitize Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.7.js b/lib/cwec/1.7.js new file mode 100644 index 0000000..4b30d6c --- /dev/null +++ b/lib/cwec/1.7.js 
@@ -0,0 +1,1176 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Sanitization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Failure to Constrain Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + 
id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Sanitization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Failure to Sanitize Delimiters' }, + { + id: 'CWE-141', + name: 'Failure to Sanitize Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Failure to Sanitize Value Delimiters' }, + { id: 'CWE-143', name: 'Failure to Sanitize Record Delimiters' }, + { id: 'CWE-144', name: 'Failure to Sanitize Line Delimiters' }, + { id: 'CWE-145', name: 'Failure to Sanitize Section Delimiters' }, + { + id: 'CWE-146', + name: 'Failure to Sanitize Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Sanitization of Input Terminators' }, + { id: 'CWE-148', name: 'Failure to Sanitize Input Leaders' }, + { id: 'CWE-149', name: 'Failure to Sanitize Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Failure to Sanitize Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Sanitization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Sanitization of Macro Symbols' }, + { id: 'CWE-153', name: 'Improper Sanitization of Substitution Characters' }, + { + id: 'CWE-154', + name: 'Improper Sanitization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Sanitization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Sanitization of Whitespace' }, + { id: 'CWE-157', 
name: 'Failure to Sanitize Paired Delimiters' }, + { id: 'CWE-158', name: 'Failure to Sanitize Null Byte or NUL Character' }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Sanitization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Sanitization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Sanitization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Sanitization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Sanitization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Sanitization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { id: 'CWE-168', name: 'Failure to Resolve Inconsistent Special Elements' }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Failure to Handle Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Failure to Handle Mixed Encoding' }, + { id: 'CWE-176', name: 'Failure to Handle Unicode Encoding' }, + { id: 'CWE-177', name: 'Failure to Handle URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Failure to Resolve Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data Into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive 
Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Leak Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Leak' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { id: 'CWE-212', name: 'Improper Cross-boundary Cleansing' }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', name: 'Process Environment Information Leak' }, + { id: 'CWE-215', name: 'Information Leak Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + 
id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { id: 'CWE-22', name: 'Path Traversal' }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { id: 'CWE-227', name: "Failure to Fulfill API Contract ('API Abuse')" }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + 
id: 'CWE-243', + name: 'Failure to Change Working Directory in chroot Jail', + }, + { + id: 'CWE-244', + name: "Failure to Clear Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Hard-Coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 
'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Improper Access Control (Authorization)' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 
'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'No Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Failure to Restrict Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Failure to Encrypt Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Failure to Add Integrity Check Value' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + 
{ id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { id: 'CWE-362', name: 'Race Condition' }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'State Synchronization Error' }, + { id: 'CWE-374', name: 'Mutable Objects Passed by Reference' }, + { id: 'CWE-375', name: 'Passing Mutable Objects to an Untrusted Method' }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Failure to Report Error in Status Code' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return 
Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Failure to Release Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Insufficient Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' 
(Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Failure to Protect Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 
'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { id: 'CWE-454', name: 'External Initialization of Trusted Variables' }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Unsafe Function Call from a Signal Handler' }, + { + id: 'CWE-48', + name: 
"Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 
'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { 
id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Leak Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern in a Non-thread-safe Manner', + }, + { + id: 'CWE-544', + name: 'Failure to Use a Standardized Error Handling Mechanism', + }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 
'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { id: 'CWE-567', name: 'Unsynchronized Access to Shared Data' }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: 
"Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Failure to Catch All Exceptions in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 
'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Leak Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { id: 'CWE-637', name: 'Failure to Use Economy of Mechanism' }, + { id: 'CWE-638', name: 'Failure to Use Complete Mediation' }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Insufficient Filtering of File and Other Resource Names for Executable Content', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Failure to Sanitize Data within XPath Expressions ('XPath injection')", + }, + { + id: 'CWE-644', + name: 'Improper Sanitization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 
'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Leak through WSDL File' }, + { + id: 'CWE-652', + name: "Failure to Sanitize Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Insufficient Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in an Unsynchronized Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Insufficient Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { id: 'CWE-672', name: 'Use of a Resource after 
Expiration or Release' }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Failure to Provide Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Failure to Handle Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { id: 'CWE-703', name: 'Failure to Handle Exceptional Conditions' }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 
'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Failure to Sanitize Data into a Different Plane ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { id: 'CWE-754', name: 'Improper Check for Exceptional Conditions' }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Failure to Resolve Equivalent Special Elements into a Different Plane', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Sanitization of Special Elements used 
in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Failure to Preserve Web Page Structure ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 
'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { + id: 'CWE-81', + name: 'Improper Sanitization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Sanitization of Script in Attributes of IMG Tags in a Web Page', + }, + { + id: 'CWE-83', + name: 'Failure to Sanitize Script in Attributes in a Web Page', + }, + { + id: 'CWE-84', + name: 'Failure to Resolve Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Failure to Sanitize Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Failure to Sanitize Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Failure to Sanitize Data into LDAP Queries ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: 
"Failure to Sanitize CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Failure to Control Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Failure to Sanitize Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.8.1.js b/lib/cwec/1.8.1.js new file mode 100644 index 0000000..bd7fed4 --- /dev/null +++ b/lib/cwec/1.8.1.js 
@@ -0,0 +1,1215 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Sanitization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Failure to Constrain Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 
'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Failure to Sanitize Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Failure to Sanitize Input Leaders' }, + { id: 'CWE-149', name: 'Failure to Sanitize Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + 
{ + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { id: 'CWE-168', name: 'Failure to Resolve Inconsistent Special Elements' }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Failure to Handle Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Failure to Handle Mixed Encoding' }, + { id: 'CWE-176', name: 'Failure to Handle Unicode Encoding' }, + { id: 'CWE-177', name: 'Failure to Handle URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Failure to Resolve Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data Into Unsafe Value' }, + { id: 
'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Leak Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Leak' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', name: 'Process Environment Information Leak' }, + { id: 'CWE-215', name: 
'Information Leak Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { id: 'CWE-227', name: "Failure to Fulfill API Contract ('API Abuse')" }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { 
id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Failure to Change Working Directory in chroot Jail', + }, + { + id: 'CWE-244', + name: "Failure to Clear Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege 
Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Improper Access Control (Authorization)' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: 
"Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance 
of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Failure to Add Integrity Check Value' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { id: 'CWE-362', name: 'Race Condition' }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'State Synchronization Error' }, + { id: 'CWE-374', name: 'Mutable Objects Passed by Reference' }, + { id: 'CWE-375', name: 'Passing Mutable Objects to an Untrusted Method' }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: 
'\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Failure to Report Error in Status Code' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Failure to Release Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of 
Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Insufficient Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Failure to Protect Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 
'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Unsafe Function Call from a Signal Handler' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 
'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use 
of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Leak Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern in a Non-thread-safe Manner', + }, + { + id: 
'CWE-544', + name: 'Failure to Use a Standardized Error Handling Mechanism', + }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { id: 'CWE-567', name: 'Unsynchronized Access to Shared Data' }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 
'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object 
References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Failure to Catch All Exceptions in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Leak Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 
'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { id: 'CWE-637', name: 'Failure to Use Economy of Mechanism' }, + { id: 'CWE-638', name: 'Failure to Use Complete Mediation' }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Insufficient Filtering of File and Other Resource Names for Executable Content', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', 
name: 'Information Leak through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Insufficient Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in an Unsynchronized Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Insufficient Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Failure to 
Provide Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Failure to Handle Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { id: 'CWE-703', name: 'Failure to Handle Exceptional Conditions' }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Failure to Sanitize Data into a Different Plane ('Injection')", + }, + { id: 'CWE-749', name: 
'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Failure to Resolve Equivalent Special Elements into a Different Plane', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Sanitization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + 
{ + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Failure to Preserve Web Page Structure ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a 
Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Sanitization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Sanitization of Script in Attributes of IMG Tags in a Web Page', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-84', + name: 'Failure to Resolve Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Failure to Sanitize Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Failure to Sanitize Data into LDAP Queries ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: "Failure to Sanitize CRLF Sequences ('CRLF Injection')", + }, + { + id: 
'CWE-94', + name: "Failure to Control Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Failure to Sanitize Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.8.js b/lib/cwec/1.8.js new file mode 100644 index 0000000..4fca2fa --- /dev/null +++ b/lib/cwec/1.8.js 
@@ -0,0 +1,1209 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Sanitization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Failure to Constrain Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 
'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Sanitization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Failure to Sanitize Delimiters' }, + { + id: 'CWE-141', + name: 'Failure to Sanitize Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Failure to Sanitize Value Delimiters' }, + { id: 'CWE-143', name: 'Failure to Sanitize Record Delimiters' }, + { id: 'CWE-144', name: 'Failure to Sanitize Line Delimiters' }, + { id: 'CWE-145', name: 'Failure to Sanitize Section Delimiters' }, + { + id: 'CWE-146', + name: 'Failure to Sanitize Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Sanitization of Input Terminators' }, + { id: 'CWE-148', name: 'Failure to Sanitize Input Leaders' }, + { id: 'CWE-149', name: 'Failure to Sanitize Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Failure to Sanitize Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Sanitization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Sanitization of Macro Symbols' }, + { id: 'CWE-153', name: 'Improper Sanitization of Substitution Characters' }, + { + id: 'CWE-154', + name: 'Improper Sanitization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Sanitization of Wildcards or 
Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Sanitization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { id: 'CWE-158', name: 'Failure to Sanitize Null Byte or NUL Character' }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Sanitization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Sanitization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Sanitization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Sanitization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Sanitization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Sanitization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { id: 'CWE-168', name: 'Failure to Resolve Inconsistent Special Elements' }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Failure to Handle Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Failure to Handle Mixed Encoding' }, + { id: 'CWE-176', name: 'Failure to Handle Unicode Encoding' }, + { id: 'CWE-177', name: 'Failure to Handle URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Failure to Resolve Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data Into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + 
{ id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Leak Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Leak' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', name: 'Process Environment Information Leak' }, + { id: 'CWE-215', name: 'Information Leak Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors 
(Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { id: 'CWE-227', name: "Failure to Fulfill API Contract ('API Abuse')" }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper 
Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Failure to Change Working Directory in chroot Jail', + }, + { + id: 'CWE-244', + name: "Failure to Clear Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { 
id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Improper Access Control (Authorization)' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by 
Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance 
of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Failure to Add Integrity Check Value' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { id: 'CWE-362', name: 'Race Condition' }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'State Synchronization Error' }, + { id: 'CWE-374', name: 'Mutable Objects Passed by Reference' }, + { id: 'CWE-375', name: 'Passing Mutable Objects to an Untrusted Method' }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: 
'\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Failure to Report Error in Status Code' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Failure to Release Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of 
Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Insufficient Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Failure to Protect Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 
'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Unsafe Function Call from a Signal Handler' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 
'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use 
of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Leak Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern in a Non-thread-safe Manner', + }, + { + id: 
'CWE-544', + name: 'Failure to Use a Standardized Error Handling Mechanism', + }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { id: 'CWE-567', name: 'Unsynchronized Access to Shared Data' }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 
'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object 
References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Failure to Catch All Exceptions in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Leak Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 
'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { id: 'CWE-637', name: 'Failure to Use Economy of Mechanism' }, + { id: 'CWE-638', name: 'Failure to Use Complete Mediation' }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Insufficient Filtering of File and Other Resource Names for Executable Content', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Failure to Sanitize Data within XPath Expressions ('XPath injection')", + }, + { + id: 'CWE-644', + name: 'Improper Sanitization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 
'Information Leak through WSDL File' }, + { + id: 'CWE-652', + name: "Failure to Sanitize Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Insufficient Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in an Unsynchronized Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Insufficient Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Failure to Provide 
Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Failure to Handle Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { id: 'CWE-703', name: 'Failure to Handle Exceptional Conditions' }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Failure to Sanitize Data into a Different Plane ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed 
Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Failure to Resolve Equivalent Special Elements into a Different Plane', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Sanitization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 
'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Failure to Preserve Web Page Structure ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, 
+ { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Sanitization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Sanitization of Script in Attributes of IMG Tags in a Web Page', + }, + { + id: 'CWE-83', + name: 'Failure to Sanitize Script in Attributes in a Web Page', + }, + { + id: 'CWE-84', + name: 'Failure to Resolve Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Failure to Sanitize Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Failure to Sanitize Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Failure to Sanitize Data into LDAP Queries ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: "Failure to Sanitize CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Failure to 
Control Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Failure to Sanitize Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/1.9.js b/lib/cwec/1.9.js new file mode 100644 index 0000000..4eddfe4 --- /dev/null +++ b/lib/cwec/1.9.js 
@@ -0,0 +1,1215 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Failure to Constrain Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { 
id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable 
Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { id: 'CWE-168', name: 'Failure to Resolve Inconsistent Special Elements' }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Failure to Handle Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Failure to Handle Mixed Encoding' }, + { id: 'CWE-176', name: 'Failure to Handle Unicode Encoding' }, + { id: 'CWE-177', name: 'Failure to Handle URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Failure to Resolve Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into 
Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Leak Through Sent Data' }, + { id: 'CWE-202', name: 'Privacy Leak through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Leak' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Internal Behavioral Inconsistency Information Leak', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Timing Discrepancy Information Leak' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { id: 'CWE-210', name: 'Product-Generated Error Message Information Leak' }, + { id: 'CWE-211', name: 'Product-External Error Message Information Leak' }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intended Information Leak' }, + { id: 'CWE-214', name: 'Process Environment Information Leak' }, 
+ { id: 'CWE-215', name: 'Information Leak Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { id: 'CWE-227', name: "Failure to Fulfill API Contract ('API Abuse')" }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle 
Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Failure to Change Working Directory in chroot Jail', + }, + { + id: 'CWE-244', + name: "Failure to Clear Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 
'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Access Control (Authorization) Issues' }, + { id: 'CWE-285', name: 'Improper Access Control (Authorization)' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, 
+ { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance 
of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Failure to Add Integrity Check Value' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { id: 'CWE-362', name: 'Race Condition' }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { id: 'CWE-375', name: 'Passing Mutable Objects to an Untrusted Method' }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: 
'\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Failure to Report Error in Status Code' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Failure to Release Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { id: 'CWE-403', name: 'UNIX File Descriptor Leak' }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of 
Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Insufficient Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Failure to Protect Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 
'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Unsafe Function Call from a Signal Handler' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 
'CWE-488', name: 'Data Leak Between Sessions' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Information Leak through Class Cloning' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use 
of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Leak Through Caching' }, + { id: 'CWE-525', name: 'Information Leak Through Browser Caching' }, + { id: 'CWE-526', name: 'Information Leak Through Environmental Variables' }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Leak Through Test Code' }, + { id: 'CWE-532', name: 'Information Leak Through Log Files' }, + { id: 'CWE-533', name: 'Information Leak Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Leak Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Leak Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Leak Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Leak Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Leak Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Leak Through Source Code' }, + { id: 'CWE-541', name: 'Information Leak Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Leak Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern in a Non-thread-safe Manner', + }, + { + id: 
'CWE-544', + name: 'Failure to Use a Standardized Error Handling Mechanism', + }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Leak Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-550', name: 'Information Leak Through Server Error Message' }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Access Control Bypass Through User-Controlled SQL Primary Key', + }, + { id: 'CWE-567', name: 'Unsynchronized Access to Shared Data' }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 
'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Failure to Follow Specification' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object 
References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Leak Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Failure to Catch All Exceptions in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Leak Through XML External Entity File Disclosure', + }, + { + id: 'CWE-612', + name: 'Information Leak Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Leak Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 
'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { id: 'CWE-637', name: 'Failure to Use Economy of Mechanism' }, + { id: 'CWE-638', name: 'Failure to Use Complete Mediation' }, + { + id: 'CWE-639', + name: 'Access Control Bypass Through User-Controlled Key', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information 
Leak through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Insufficient Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in an Unsynchronized Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Insufficient Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Failure to Provide Specified 
Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Failure to Handle Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { id: 'CWE-703', name: 'Failure to Handle Exceptional Conditions' }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 
'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + 
}, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special 
Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: 
"Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Failure to Control Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/2.0.js b/lib/cwec/2.0.js new file mode 100644 index 0000000..29cbbb2 --- /dev/null +++ b/lib/cwec/2.0.js 
@@ -0,0 +1,1294 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, 
+ { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of 
Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 
'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through External Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { 
id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of 
Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', 
name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 
'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance 
of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation 
of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: 'Exposure of File Descriptor to Unintended Control Sphere', + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 
'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 
'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 
'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: 
'.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Exposure Through Cleanup Log Files' }, + { + id: 
'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() 
Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are 
Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Exposure Through XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling 
Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity 
Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 
'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization 
Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + 
}, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete 
Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 
'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', 
+ }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/2.1.js b/lib/cwec/2.1.js new file mode 100644 index 0000000..29cbbb2 --- /dev/null +++ b/lib/cwec/2.1.js 
@@ -0,0 +1,1294 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, 
+ { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of 
Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 
'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through External Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { 
id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of 
Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', 
name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 
'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance 
of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation 
of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: 'Exposure of File Descriptor to Unintended Control Sphere', + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 
'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 
'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 
'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: 
'.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Exposure Through Cleanup Log Files' }, + { + id: 
'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() 
Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are 
Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Exposure Through XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling 
Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity 
Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 
'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization 
Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + 
}, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete 
Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 
'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', 
+ }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +}
diff --git a/lib/cwec/2.10.js b/lib/cwec/2.10.js
new file mode 100644
index 0000000..c16af89
--- /dev/null
+++ b/lib/cwec/2.10.js
@@ -0,0 +1,1402 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', 
name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of 
Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { 
id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-generated Error 
Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { 
id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { 
id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 
'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in 
Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation 
Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: "Exposure of Private Information ('Privacy Violation')", + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, 
+ { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 
'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', 
name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' 
}, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path 
Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 
'Information Exposure Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { + id: 'CWE-563', + name: "Assignment to Variable without Use ('Unused Variable')", + }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 
'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' 
}, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: "Improper Restriction of XML External Entity Reference ('XXE')", + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable 
Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged 
APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 
'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 
'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 
'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More 
Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from 
Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { 
id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom 
URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/2.11.js b/lib/cwec/2.11.js new file mode 100644 index 0000000..75fc32a --- /dev/null +++ b/lib/cwec/2.11.js 
@@ -0,0 +1,1413 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', 
name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of 
Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { 
id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-generated Error 
Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { 
id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { 
id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 
'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in 
Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation 
Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: "Exposure of Private Information ('Privacy Violation')", + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 
'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File 
Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', 
name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' 
}, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path 
Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 
'Information Exposure Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { + id: 'CWE-563', + name: "Assignment to Variable without Use ('Unused Variable')", + }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', 
+ name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: 
Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: "Improper Restriction of XML External Entity Reference ('XXE')", + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete 
Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths 
for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, 
+ { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Blacklist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 
'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + 
{ + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, 
+ { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 
'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 
'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of 
Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/2.12.js b/lib/cwec/2.12.js new file mode 100644 index 0000000..c4fe496 --- /dev/null +++ b/lib/cwec/2.12.js 
@@ -0,0 +1,1416 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Improper Restriction of Cross-Origin Permission to window.opener.location', + }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 
'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + 
{ + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 
'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral 
Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-Generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + 
{ id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: 
'/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by 
Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a 
Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' 
}, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: "Exposure of Private Information ('Privacy Violation')", + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' 
}, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 
'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Improper Interaction Between Multiple Entities' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in 
UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + 
{ id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not 
Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through 
Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Exposure Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { 
+ id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { 
id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', 
name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: "Improper Restriction of XML External Entity Reference ('XXE')", + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak 
Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 
'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE 
Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', 
name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { id: 'CWE-769', name: 'Uncontrolled File Descriptor Consumption' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 
'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper 
Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 
'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power 
Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} 
diff --git a/lib/cwec/2.2.js b/lib/cwec/2.2.js
new file mode 100644
index 0000000..29cbbb2
--- /dev/null
+++ b/lib/cwec/2.2.js
@@ -0,0 +1,1294 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, 
+ { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of 
Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 
'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through External Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { 
id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of 
Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', 
name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { id: 
'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance 
of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation 
of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: 'Exposure of File Descriptor to Unintended Control Sphere', + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 
'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 
'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 
'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: 
'.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Exposure Through Cleanup Log Files' }, + { + id: 
'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() 
Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are 
Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Exposure Through XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling 
Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Unvalidated Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity 
Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 
'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization 
Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + 
}, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete 
Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 
'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', 
+ }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +}
diff --git a/lib/cwec/2.3.js b/lib/cwec/2.3.js
new file mode 100644
index 0000000..2285176
--- /dev/null
+++ b/lib/cwec/2.3.js
@@ -0,0 +1,1294 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, 
+ { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of 
Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 
'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive 
Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper 
Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 
'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { + id: 'CWE-296', + name: 'Improper Following of Chain of Trust for Certificate Validation', + }, + { + id: 'CWE-297', + name: 'Improper Validation of Host-specific Certificate Data', + }, + { 
id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance 
of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation 
of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: 'Exposure of File Descriptor to Unintended Control Sphere', + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 
'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { id: 'CWE-441', name: 'Unintended Proxy/Intermediary' }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 
'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 
'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: 
'.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 'Information Exposure Through Cleanup Log Files' }, + { + id: 
'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() 
Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are 
Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Trust of OpenSSL Certificate Without Validation' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Information Exposure Through XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling 
Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs 
without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric 
Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Redirect Without Exit' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 
'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after 
Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Unrestricted Recursive Entity References in DTDs ('XML Bomb')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + 
name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 
'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom 
Special Characters', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/2.4.js b/lib/cwec/2.4.js new file mode 100644 index 0000000..80ed520 --- /dev/null +++ b/lib/cwec/2.4.js 
@@ -0,0 +1,1324 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, 
+ { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of 
Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 
'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive 
Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Parameter Problems' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper 
Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { id: 'CWE-247', name: 'Reliance on DNS Lookups in a Security Decision' }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 
'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-292', name: 'Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper 
Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Plaintext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Plaintext Storage in the Registry' }, + { id: 'CWE-315', name: 'Plaintext Storage in a Cookie' }, + { id: 'CWE-316', name: 'Plaintext Storage in Memory' }, + { id: 'CWE-317', name: 'Plaintext Storage in GUI' }, + { id: 'CWE-318', name: 'Plaintext Storage in Executable' }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance 
of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-350', name: 'Improperly Trusted Reverse DNS' }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation 
of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early 
Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' 
}, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 
'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: 
'/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 'Information 
Exposure Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded 
Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: 
OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: "Improper Restriction of XML External Entity Reference ('XXE')", + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX 
Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or 
Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 
'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical 
Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 
'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 
'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper 
Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 
'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/2.5.js b/lib/cwec/2.5.js new file mode 100644 index 0000000..19c493e --- /dev/null +++ b/lib/cwec/2.5.js 
@@ -0,0 +1,1372 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, 
+ { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of 
Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 
'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive 
Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', 
name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 
'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper 
Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive 
Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of 
Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { id: 'CWE-359', name: 'Privacy Violation' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + 
name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 
'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { id: 'CWE-451', name: 'UI Misrepresentation of Critical Information' }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' 
}, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 
'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: 
'/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 'Information 
Exposure Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded 
Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: 
OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: "Improper Restriction of XML External Entity Reference ('XXE')", + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX 
Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or 
Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 
'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical 
Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 
'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 
'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper 
Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 
'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Authentication of Endpoint in a Communication Channel', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Restriction of Content Provider Export to Other Applications', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: 
"Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/2.6.js b/lib/cwec/2.6.js new file mode 100644 index 0000000..251def5 --- /dev/null +++ b/lib/cwec/2.6.js 
@@ -0,0 +1,1390 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, 
+ { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of 
Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 
'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive 
Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', 
name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 
'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper 
Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive 
Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { id: 'CWE-338', name: 'Use of Cryptographically Weak PRNG' }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of 
Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: "Exposure of Private Information ('Privacy Violation')", + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure 
Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume 
(Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', 
name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' 
}, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path 
Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 
'Information Exposure Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Unused Variable' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a 
Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 
'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: "Improper Restriction of XML External Entity Reference ('XXE')", + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 
'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 
'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' 
}, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect 
Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active 
Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special 
Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + 
}, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of 
Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 
'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/2.7.js b/lib/cwec/2.7.js new file mode 100644 index 0000000..2cb7f67 --- /dev/null +++ b/lib/cwec/2.7.js 
@@ -0,0 +1,1401 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, 
+ { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of 
Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 
'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive 
Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', 
name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 
'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper 
Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive 
Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic 
Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: "Exposure of Private Information ('Privacy Violation')", + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted 
Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + 
name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', 
name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' 
}, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path 
Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 
'Information Exposure Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { + id: 'CWE-563', + name: "Assignment to Variable without Use ('Unused Variable')", + }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 
'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' 
}, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: "Improper Restriction of XML External Entity Reference ('XXE')", + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable 
Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged 
APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 
'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 
'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 
'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More 
Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from 
Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { 
id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom 
URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/2.8.js b/lib/cwec/2.8.js new file mode 100644 index 0000000..2cb7f67 --- /dev/null +++ b/lib/cwec/2.8.js 
@@ -0,0 +1,1401 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, 
+ { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Uncontrolled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of 
Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 
'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive 
Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', 
name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 
'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper 
Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive 
Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic 
Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: "Exposure of Private Information ('Privacy Violation')", + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted 
Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + 
name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', 
name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' 
}, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path 
Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 
'Information Exposure Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { + id: 'CWE-563', + name: "Assignment to Variable without Use ('Unused Variable')", + }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 
'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' 
}, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: "Improper Restriction of XML External Entity Reference ('XXE')", + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable 
Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged 
APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 
'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 
'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 
'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More 
Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from 
Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { 
id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom 
URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/2.9.js b/lib/cwec/2.9.js new file mode 100644 index 0000000..0e5e16a --- /dev/null +++ b/lib/cwec/2.9.js 
@@ -0,0 +1,1401 @@ +export default { + weaknesses: [ + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Improper Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, 
+ { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper 
Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' 
}, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of 
Sensitive Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-227', + name: "Improper Fulfillment of API Contract ('API Abuse')", + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 
'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', 
name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper 
Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive 
Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { id: 'CWE-335', name: 'PRNG Seed Error' }, + { id: 'CWE-336', name: 'Same Seed in PRNG' }, + { id: 'CWE-337', name: 'Predictable Seed in PRNG' }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic 
Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: "Exposure of Private Information ('Privacy Violation')", + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted 
Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-398', name: 'Indicator of Poor Code Quality' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + 
name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Interaction Error' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', 
name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Functions' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-485', name: 'Insufficient Encapsulation' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' 
}, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path 
Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 
'Information Exposure Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { + id: 'CWE-563', + name: "Assignment to Variable without Use ('Unused Variable')", + }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 
'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'Authentication Bypass Issues' 
}, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: "Improper Restriction of XML External Entity Reference ('XXE')", + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable 
Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged 
APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 
'Use of Potentially Dangerous Function' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Coding Standards Violation' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 
'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 
'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More 
Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from 
Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { 
id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom 
URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/3.0.js b/lib/cwec/3.0.js new file mode 100644 index 0000000..be03fc4 --- /dev/null +++ b/lib/cwec/3.0.js 
@@ -0,0 +1,1427 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Improper Restriction of Cross-Origin Permission to window.opener.location', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based 
Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control 
Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 
'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 
'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-Generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling 
of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-260', name: 'Password 
in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address 
for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of 
Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: "Exposure of Private Information ('Privacy Violation')", + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 
'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { + id: 'CWE-400', 
+ name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, 
+ { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { id: 'CWE-435', name: 'Improper Interaction Between Multiple Entities' }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 
'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted 
Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-51', name: 
"Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { id: 'CWE-533', name: 'Information Exposure Through Server Log Files' }, + { id: 'CWE-534', name: 'Information Exposure Through Debug Log Files' }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { id: 'CWE-542', name: 
'Information Exposure Through Cleanup Log Files' }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 
'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 
'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: "Improper Restriction of XML External Entity Reference ('XXE')", + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete 
Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL 
Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + 
{ id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Blacklist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Insufficient Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 
'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared 
Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { id: 'CWE-769', name: 'Uncontrolled File Descriptor Consumption' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 
'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { 
id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { + id: 'CWE-86', + name: 'Improper 
Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, 
+ { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + ], +} diff --git a/lib/cwec/3.1.js b/lib/cwec/3.1.js new file mode 100644 index 0000000..67f4f21 --- /dev/null +++ b/lib/cwec/3.1.js 
@@ -0,0 +1,1451 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { id: 'CWE-107', name: 'Struts: Unused Validation Form' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper 
Encoding or Escaping of Output' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper 
Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper 
Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through 
Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-Generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', 
+ }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path 
Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Unprotected Storage of Credentials' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 
'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor 
Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 
'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: "Exposure of Private Information ('Privacy Violation')", + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 
'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { + id: 'CWE-400', + name: "Uncontrolled Resource Consumption ('Resource Exhaustion')", + }, + { + id: 'CWE-401', + name: "Improper Release of Memory Before Removing Last Reference ('Memory Leak')", + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper 
Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent 
Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External 
Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Array-Typed Field Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 
'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control 
Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', 
name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: 
Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', 
name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: "Improper Restriction of XML External Entity Reference ('XXE')", + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 
'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that 
Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate 
Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Blacklist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper 
Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Variable Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { id: 'CWE-769', name: 'Uncontrolled File Descriptor Consumption' }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper 
Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + 
}, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', 
+ name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper 
Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + 
name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/3.2.js b/lib/cwec/3.2.js new file mode 100644 index 0000000..8bcaca9 --- /dev/null +++ b/lib/cwec/3.2.js 
@@ -0,0 +1,1683 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Incomplete Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 'CWE-107', 
name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 'Use of 
Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a 
Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 
'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate 
Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure 
Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-Generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive Information Uncleared Before Release' }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 
'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Unprotected Storage of Credentials' }, + { 
id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication 
Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of 
Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 
'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: "Exposure of Private Information ('Privacy Violation')", + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 
'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Improper Release of Memory Before Removing Last Reference', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 
'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request 
Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { 
id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission 
Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure 
Through Test Code' }, + { id: 'CWE-532', name: 'Information Exposure Through Log Files' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + 
{ + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() 
Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 
'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: "Improper Restriction of XML External Entity Reference ('XXE')", + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in 
Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', 
name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 
'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Blacklist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, 
+ { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity 
References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 
'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with 
Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of 
Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: 
"Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/3.3.js b/lib/cwec/3.3.js new file mode 100644 index 0000000..49a5f2c --- /dev/null +++ b/lib/cwec/3.3.js 
@@ -0,0 +1,1685 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Incomplete Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 'CWE-107', 
name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 'Use of 
Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-1188', name: 
'Insecure Default Initialization of Resource' }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper 
Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', 
name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through 
Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-Generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive 
Information Uncleared Before Release' }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + 
{ id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Unprotected Storage of Credentials' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', 
name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 
'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 
'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: "Exposure of Private Information ('Privacy Violation')", + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 
'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 
'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request 
Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { 
id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission 
Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure 
Through Test Code' }, + { id: 'CWE-532', name: 'Inclusion of Sensitive Information in Log Files' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible 
Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', 
name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + 
{ id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in 
Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', 
name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 
'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Blacklist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, 
+ { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity 
References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 
'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with 
Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { id: 'CWE-88', name: 'Argument Injection or Modification' }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of 
Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: 
"Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/3.4.1.js b/lib/cwec/3.4.1.js new file mode 100644 index 0000000..dba7e3e --- /dev/null +++ b/lib/cwec/3.4.1.js 
@@ -0,0 +1,1688 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Incomplete Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 'CWE-107', 
name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 'Use of 
Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-1188', name: 
'Insecure Default Initialization of Resource' }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper 
Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', 
name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through 
Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-Generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive 
Information Uncleared Before Release' }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + 
{ id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Unprotected Storage of Credentials' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', 
name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 
'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 
'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: "Exposure of Private Information ('Privacy Violation')", + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 
'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 
'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request 
Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { 
id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission 
Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure 
Through Test Code' }, + { id: 'CWE-532', name: 'Inclusion of Sensitive Information in Log Files' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible 
Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', 
name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + 
{ id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in 
Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', 
name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 
'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Blacklist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, 
+ { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity 
References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 
'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with 
Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + 
{ + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query 
Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/3.4.js b/lib/cwec/3.4.js new file mode 100644 index 0000000..8d5eff7 --- /dev/null +++ b/lib/cwec/3.4.js 
@@ -0,0 +1,1688 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Incomplete Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 'CWE-107', 
name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 'Use of 
Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-1188', name: 
'Insecure Default Initialization of Resource' }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency ', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper 
Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { id: 'CWE-159', name: 'Failure to Sanitize Special Element' }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', 
name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive Whitelist' }, + { id: 'CWE-184', name: 'Incomplete Blacklist' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { id: 'CWE-200', name: 'Information Exposure' }, + { id: 'CWE-201', name: 'Information Exposure Through Sent Data' }, + { id: 'CWE-202', name: 'Exposure of Sensitive Data Through Data Queries' }, + { id: 'CWE-203', name: 'Information Exposure Through 
Discrepancy' }, + { id: 'CWE-204', name: 'Response Discrepancy Information Exposure' }, + { + id: 'CWE-205', + name: 'Information Exposure Through Behavioral Discrepancy', + }, + { + id: 'CWE-206', + name: 'Information Exposure of Internal State Through Behavioral Inconsistency', + }, + { + id: 'CWE-207', + name: 'Information Exposure Through an External Behavioral Inconsistency', + }, + { id: 'CWE-208', name: 'Information Exposure Through Timing Discrepancy' }, + { id: 'CWE-209', name: 'Information Exposure Through an Error Message' }, + { + id: 'CWE-210', + name: 'Information Exposure Through Self-generated Error Message', + }, + { + id: 'CWE-211', + name: 'Information Exposure Through Externally-Generated Error Message', + }, + { + id: 'CWE-212', + name: 'Improper Cross-boundary Removal of Sensitive Data', + }, + { id: 'CWE-213', name: 'Intentional Information Exposure' }, + { id: 'CWE-214', name: 'Information Exposure Through Process Environment' }, + { id: 'CWE-215', name: 'Information Exposure Through Debug Information' }, + { id: 'CWE-216', name: 'Containment Errors (Container Errors)' }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { id: 'CWE-219', name: 'Sensitive Data Under Web Root' }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { id: 'CWE-220', name: 'Sensitive Data Under FTP Root' }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { id: 'CWE-226', name: 'Sensitive 
Information Uncleared Before Release' }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + 
{ id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Unprotected Storage of Credentials' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Cryptography for Passwords' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', 
name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { + id: 'CWE-300', + name: "Channel Accessible by Non-Endpoint ('Man-in-the-Middle')", + }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 
'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Predictability Problems' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 
'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: "Exposure of Private Information ('Privacy Violation')", + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Incorrect Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 
'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 
'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request 
Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { 
id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Leftover Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of System Data to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission 
Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Information Exposure Through Caching' }, + { id: 'CWE-525', name: 'Information Exposure Through Browser Caching' }, + { + id: 'CWE-526', + name: 'Information Exposure Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of CVS Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Information Exposure 
Through Test Code' }, + { id: 'CWE-532', name: 'Inclusion of Sensitive Information in Log Files' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { id: 'CWE-535', name: 'Information Exposure Through Shell Error Message' }, + { + id: 'CWE-536', + name: 'Information Exposure Through Servlet Runtime Error Message', + }, + { + id: 'CWE-537', + name: 'Information Exposure Through Java Runtime Error Message', + }, + { id: 'CWE-538', name: 'File and Directory Information Exposure' }, + { id: 'CWE-539', name: 'Information Exposure Through Persistent Cookies' }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { id: 'CWE-540', name: 'Information Exposure Through Source Code' }, + { id: 'CWE-541', name: 'Information Exposure Through Include Source Code' }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { id: 'CWE-548', name: 'Information Exposure Through Directory Listing' }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Information Exposure Through Server Error Message', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible 
Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', 
name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Information Exposure Through Query Strings in GET Request', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + 
{ id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Information Exposure Through Indexing of Private Data', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { id: 'CWE-615', name: 'Information Exposure Through Comments' }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in 
Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { id: 'CWE-651', name: 'Information Exposure Through WSDL File' }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', 
name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 
'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Blacklist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { + id: 'CWE-707', + name: 'Improper Enforcement of Message or Data Structure', + }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, 
+ { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity 
References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 
'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with 
Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Delimitation of Arguments in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 
'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', 
+ }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/4.0.js b/lib/cwec/4.0.js new file mode 100644 index 0000000..fae79f7 --- /dev/null +++ b/lib/cwec/4.0.js 
@@ -0,0 +1,1844 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Incomplete Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 'CWE-107', 
name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 'Use of 
Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { id: 'CWE-1188', 
name: 'Insecure Default Initialization of Resource' }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'Exposed Chip Debug Interface With Insufficient Access Control', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { + id: 'CWE-1231', + name: 'Improper Implementation of Lock Protection Registers', + }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Improper Hardware Lock Protection for Security Sensitive Controls', + }, + { + id: 'CWE-1234', + name: 'Hardware 
Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-1240', name: 'Use of a Risky Cryptographic Primitive' }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Exposure of Security-Sensitive Fuse Values During Debug', + }, + { + id: 'CWE-1244', + name: 'Improper Authorization on Physical Debug and Test Interfaces', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Missing Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET 
Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 
'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' 
}, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Exposure of Sensitive Information Through Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { 
+ id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information Uncleared in Resource Before Release for Reuse', + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 
'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Unprotected Storage of Credentials' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 
'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by 
Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext 
Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 
'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 
'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File 
Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 
'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by 
Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 
'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Exposure of Sensitive Information Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path 
Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + 
{ id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + 
name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive 
Information', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 
'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 
'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Blacklist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: 
Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + 
{ id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic 
Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error 
Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource 
Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper 
Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} 
diff --git a/lib/cwec/4.1.js b/lib/cwec/4.1.js new file mode 100644 index 0000000..2c70c1e --- /dev/null +++ b/lib/cwec/4.1.js 
@@ -0,0 +1,1952 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Incomplete Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 'CWE-107', 
name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 'Use of 
Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { id: 'CWE-1188', 
name: 'Insecure Default Initialization of Resource' }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'Exposed Chip Debug and or Test Interface With Insufficient Access Control', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { + id: 'CWE-1231', + name: 'Improper Implementation of Lock Protection Registers', + }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Improper Hardware Lock Protection for Security Sensitive Controls', + }, + { + id: 'CWE-1234', + name: 
'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-1240', name: 'Use of a Risky Cryptographic Primitive' }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Exposure of Security-Sensitive Fuse Values During Debug', + }, + { + id: 'CWE-1244', + name: 'Improper Authorization on Physical Debug and Test Interfaces', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Missing Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison Logic Granularity' }, + { + id: 'CWE-1256', + name: 'Hardware Features Enable Physical Attacks from Software', + }, + { + id: 
'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Sensitive Information Uncleared During Hardware Debug Flows', + }, + { id: 'CWE-1259', name: 'Improper Protection of Security Identifiers' }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { + id: 'CWE-1262', + name: 'Register Interface Allows Software Access to Sensitive Data or Security Settings', + }, + { id: 'CWE-1263', name: 'Insufficient Physical Protection Mechanism' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Agents Included in Control Policy are not Contained in Less-Privileged Policy', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Identifiers' }, + { + id: 'CWE-1271', + name: 'Missing Known Value on Reset for Registers Holding Security Settings', + }, + { id: 'CWE-1272', name: 'Debug/Power State Transitions Leak Information' }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Insufficient Protections on the Volatile Memory Containing Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie with Improper SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Block Incorrectly Connected to Larger System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 
'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Primitives used without Successful Self-Test', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior (Halt and Catch Fire)', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 
'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + 
id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 
'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Exposure of Sensitive Information Through Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + 
name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information Uncleared in Resource Before Release for Reuse', + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: 
"Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Unprotected Storage of Credentials' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', 
name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable 
Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Required Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 
'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State 
Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' 
}, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 
'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by 
Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 
'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Exposure of Sensitive Information Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path 
Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + 
{ id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + 
name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive 
Information', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 
'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 
'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: 
Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + 
{ id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic 
Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error 
Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource 
Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper 
Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} 
diff --git a/lib/cwec/4.10.js
new file mode 100644
index 0000000..2effac9
--- /dev/null
+++ b/lib/cwec/4.10.js
@@ -0,0 +1,2123 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Insufficient Technical Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 
'CWE-107', name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 
'Use of Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { id: 
'CWE-1188', name: 'Insecure Default Initialization of Resource' }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'On-Chip Debug and Test Interface With Improper Access Control', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1204', name: 'Generation of Weak Initialization Vector (IV)' }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { id: 'CWE-1231', name: 'Improper Prevention of Lock Bit Modification' }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Security-Sensitive Hardware Controls with 
Missing Lock Bit Protection', + }, + { + id: 'CWE-1234', + name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { + id: 'CWE-1240', + name: 'Use of a Cryptographic Primitive with a Risky Implementation', + }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Internal Asset Exposed to Unsafe Debug Access Level or State', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Improper Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison Logic Granularity' }, + { + 
id: 'CWE-1255', + name: 'Comparison Logic is Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Improper Restriction of Software Interfaces to Hardware Features', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { id: 'CWE-1262', name: 'Improper Access Control for Register Interface' }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Uninitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Improper Access Control for Volatile Memory Containing Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie 
with Improper SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 'Debug Messages Revealing Unnecessary Information', + }, + { + id: 'CWE-1296', + name: 
'Incorrect Chaining or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { id: 'CWE-1300', name: 'Improper Protection of Physical Side Channels' }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { id: 'CWE-1302', name: 'Missing Security Identifier' }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { id: 'CWE-1310', name: 'Missing Ability to Patch ROM Code' }, + { + id: 'CWE-1311', + name: 'Improper Translation of Security Attributes by Fabric Bridge', + }, + { + id: 'CWE-1312', + name: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall', + }, + { + id: 'CWE-1313', + name: 'Hardware Allows Activation of Test or Debug Logic at Runtime', + }, + { + id: 'CWE-1314', + name: 'Missing Write Protection for Parametric Data Values', + }, + { + id: 'CWE-1315', + name: 'Improper Setting of Bus Controlling Capability in Fabric End-point', + }, + { + id: 'CWE-1316', + name: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges', + }, + { id: 'CWE-1317', name: 'Improper Access Control in Fabric Bridge' }, + { + id: 'CWE-1318', + name: 'Missing Support for Security Features in On-chip Fabrics or Buses', + }, + { + id: 'CWE-1319', + name: 'Improper Protection 
against Electromagnetic Fault Injection (EM-FI)', + }, + { id: 'CWE-132', name: 'DEPRECATED: Miscalculated Null Termination' }, + { + id: 'CWE-1320', + name: 'Improper Protection for Outbound Error Messages and Alert Signals', + }, + { + id: 'CWE-1321', + name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + }, + { + id: 'CWE-1322', + name: 'Use of Blocking Code in Single-threaded, Non-blocking Context', + }, + { id: 'CWE-1323', name: 'Improper Management of Sensitive Trace Data' }, + { + id: 'CWE-1324', + name: 'DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface', + }, + { + id: 'CWE-1325', + name: 'Improperly Controlled Sequential Memory Allocation', + }, + { id: 'CWE-1326', name: 'Missing Immutable Root of Trust in Hardware' }, + { id: 'CWE-1327', name: 'Binding to an Unrestricted IP Address' }, + { + id: 'CWE-1328', + name: 'Security Version Number Mutable to Older Versions', + }, + { id: 'CWE-1329', name: 'Reliance on Component That is Not Updateable' }, + { id: 'CWE-1330', name: 'Remanent Data Readable after Memory Erase' }, + { + id: 'CWE-1331', + name: 'Improper Isolation of Shared Resources in Network On Chip (NoC)', + }, + { + id: 'CWE-1332', + name: 'Improper Handling of Faults that Lead to Instruction Skips', + }, + { id: 'CWE-1333', name: 'Inefficient Regular Expression Complexity' }, + { + id: 'CWE-1334', + name: 'Unauthorized Error Injection Can Degrade Hardware Redundancy', + }, + { id: 'CWE-1335', name: 'Incorrect Bitwise Shift of Integer' }, + { + id: 'CWE-1336', + name: 'Improper Neutralization of Special Elements Used in a Template Engine', + }, + { + id: 'CWE-1338', + name: 'Improper Protections Against Hardware Overheating', + }, + { + id: 'CWE-1339', + name: 'Insufficient Precision or Accuracy of a Real Number', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { id: 'CWE-1341', name: 'Multiple Releases of Same Resource or Handle' }, + 
{ + id: 'CWE-1342', + name: 'Information Exposure through Microarchitectural State after Transient Execution', + }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { + id: 'CWE-1351', + name: 'Improper Handling of Hardware Behavior in Exceptionally Cold Environments', + }, + { + id: 'CWE-1357', + name: 'Reliance on Insufficiently Trustworthy Component', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { + id: 'CWE-1384', + name: 'Improper Handling of Physical or Environmental Conditions', + }, + { id: 'CWE-1385', name: 'Missing Origin Validation in WebSockets' }, + { + id: 'CWE-1386', + name: 'Insecure Operation on Windows Junction / Mount Point', + }, + { + id: 'CWE-1389', + name: 'Incorrect Parsing of Numbers with Different Radices', + }, + { id: 'CWE-1390', name: 'Weak Authentication' }, + { id: 'CWE-1391', name: 'Use of Weak Credentials' }, + { id: 'CWE-1392', name: 'Use of Default Credentials' }, + { id: 'CWE-1393', name: 'Use of Default Password' }, + { id: 'CWE-1394', name: 'Use of Default Cryptographic Key' }, + { id: 'CWE-1395', name: 'Dependency on Vulnerable Third-Party Component' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper 
Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, 
+ { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral 
Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED: Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED: General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, 
+ { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED: Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function 
Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 
'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { id: 'CWE-292', name: 'DEPRECATED: Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 
'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Use of Weak Hash' }, + { id: 'CWE-329', name: 'Generation of Predictable IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity 
Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'DEPRECATED: Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 
'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper 
Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED: Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED: HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP 
Requests ('HTTP Request/Response Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of 
Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { + id: 'CWE-478', + name: 'Missing Default Case in Multiple Condition Expression', + }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive 
Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED: Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Cleartext Storage of Sensitive Information in an Environment Variable', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 
'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + 
}, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of 
Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 
'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive Information', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction 
Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Improper Isolation or Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', 
+ }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { + id: 'CWE-675', + name: 'Multiple Operations on Resource in Single-Operation Context', + }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 
'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output 
Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing 
Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Memory Allocation with Excessive Size Value' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering 
of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of 
Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, 
+ { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 
'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/4.11.js b/lib/cwec/4.11.js new file mode 100644 index 0000000..2effac9 --- /dev/null +++ b/lib/cwec/4.11.js 
@@ -0,0 +1,2123 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Insufficient Technical Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 
'CWE-107', name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 
'Use of Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { id: 
'CWE-1188', name: 'Insecure Default Initialization of Resource' }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'On-Chip Debug and Test Interface With Improper Access Control', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1204', name: 'Generation of Weak Initialization Vector (IV)' }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { id: 'CWE-1231', name: 'Improper Prevention of Lock Bit Modification' }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Security-Sensitive Hardware Controls with 
Missing Lock Bit Protection', + }, + { + id: 'CWE-1234', + name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { + id: 'CWE-1240', + name: 'Use of a Cryptographic Primitive with a Risky Implementation', + }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Internal Asset Exposed to Unsafe Debug Access Level or State', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Improper Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison Logic Granularity' }, + { + 
id: 'CWE-1255', + name: 'Comparison Logic is Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Improper Restriction of Software Interfaces to Hardware Features', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { id: 'CWE-1262', name: 'Improper Access Control for Register Interface' }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Uninitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Improper Access Control for Volatile Memory Containing Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie 
with Improper SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 'Debug Messages Revealing Unnecessary Information', + }, + { + id: 'CWE-1296', + name: 
'Incorrect Chaining or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { id: 'CWE-1300', name: 'Improper Protection of Physical Side Channels' }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { id: 'CWE-1302', name: 'Missing Security Identifier' }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { id: 'CWE-1310', name: 'Missing Ability to Patch ROM Code' }, + { + id: 'CWE-1311', + name: 'Improper Translation of Security Attributes by Fabric Bridge', + }, + { + id: 'CWE-1312', + name: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall', + }, + { + id: 'CWE-1313', + name: 'Hardware Allows Activation of Test or Debug Logic at Runtime', + }, + { + id: 'CWE-1314', + name: 'Missing Write Protection for Parametric Data Values', + }, + { + id: 'CWE-1315', + name: 'Improper Setting of Bus Controlling Capability in Fabric End-point', + }, + { + id: 'CWE-1316', + name: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges', + }, + { id: 'CWE-1317', name: 'Improper Access Control in Fabric Bridge' }, + { + id: 'CWE-1318', + name: 'Missing Support for Security Features in On-chip Fabrics or Buses', + }, + { + id: 'CWE-1319', + name: 'Improper Protection 
against Electromagnetic Fault Injection (EM-FI)', + }, + { id: 'CWE-132', name: 'DEPRECATED: Miscalculated Null Termination' }, + { + id: 'CWE-1320', + name: 'Improper Protection for Outbound Error Messages and Alert Signals', + }, + { + id: 'CWE-1321', + name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + }, + { + id: 'CWE-1322', + name: 'Use of Blocking Code in Single-threaded, Non-blocking Context', + }, + { id: 'CWE-1323', name: 'Improper Management of Sensitive Trace Data' }, + { + id: 'CWE-1324', + name: 'DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface', + }, + { + id: 'CWE-1325', + name: 'Improperly Controlled Sequential Memory Allocation', + }, + { id: 'CWE-1326', name: 'Missing Immutable Root of Trust in Hardware' }, + { id: 'CWE-1327', name: 'Binding to an Unrestricted IP Address' }, + { + id: 'CWE-1328', + name: 'Security Version Number Mutable to Older Versions', + }, + { id: 'CWE-1329', name: 'Reliance on Component That is Not Updateable' }, + { id: 'CWE-1330', name: 'Remanent Data Readable after Memory Erase' }, + { + id: 'CWE-1331', + name: 'Improper Isolation of Shared Resources in Network On Chip (NoC)', + }, + { + id: 'CWE-1332', + name: 'Improper Handling of Faults that Lead to Instruction Skips', + }, + { id: 'CWE-1333', name: 'Inefficient Regular Expression Complexity' }, + { + id: 'CWE-1334', + name: 'Unauthorized Error Injection Can Degrade Hardware Redundancy', + }, + { id: 'CWE-1335', name: 'Incorrect Bitwise Shift of Integer' }, + { + id: 'CWE-1336', + name: 'Improper Neutralization of Special Elements Used in a Template Engine', + }, + { + id: 'CWE-1338', + name: 'Improper Protections Against Hardware Overheating', + }, + { + id: 'CWE-1339', + name: 'Insufficient Precision or Accuracy of a Real Number', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { id: 'CWE-1341', name: 'Multiple Releases of Same Resource or Handle' }, + 
{ + id: 'CWE-1342', + name: 'Information Exposure through Microarchitectural State after Transient Execution', + }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { + id: 'CWE-1351', + name: 'Improper Handling of Hardware Behavior in Exceptionally Cold Environments', + }, + { + id: 'CWE-1357', + name: 'Reliance on Insufficiently Trustworthy Component', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { + id: 'CWE-1384', + name: 'Improper Handling of Physical or Environmental Conditions', + }, + { id: 'CWE-1385', name: 'Missing Origin Validation in WebSockets' }, + { + id: 'CWE-1386', + name: 'Insecure Operation on Windows Junction / Mount Point', + }, + { + id: 'CWE-1389', + name: 'Incorrect Parsing of Numbers with Different Radices', + }, + { id: 'CWE-1390', name: 'Weak Authentication' }, + { id: 'CWE-1391', name: 'Use of Weak Credentials' }, + { id: 'CWE-1392', name: 'Use of Default Credentials' }, + { id: 'CWE-1393', name: 'Use of Default Password' }, + { id: 'CWE-1394', name: 'Use of Default Cryptographic Key' }, + { id: 'CWE-1395', name: 'Dependency on Vulnerable Third-Party Component' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper 
Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, 
+ { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral 
Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED: Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED: General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, 
+ { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED: Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function 
Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 
'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { id: 'CWE-292', name: 'DEPRECATED: Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 
'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Use of Weak Hash' }, + { id: 'CWE-329', name: 'Generation of Predictable IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity 
Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'DEPRECATED: Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 
'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper 
Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED: Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED: HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP 
Requests ('HTTP Request/Response Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of 
Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { + id: 'CWE-478', + name: 'Missing Default Case in Multiple Condition Expression', + }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive 
Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED: Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Cleartext Storage of Sensitive Information in an Environment Variable', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 
'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + 
}, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of 
Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 
'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive Information', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction 
Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Improper Isolation or Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', 
+ }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { + id: 'CWE-675', + name: 'Multiple Operations on Resource in Single-Operation Context', + }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 
'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output 
Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing 
Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Memory Allocation with Excessive Size Value' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering 
of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of 
Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, 
+ { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 
'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/4.12.js b/lib/cwec/4.12.js new file mode 100644 index 0000000..2effac9 --- /dev/null +++ b/lib/cwec/4.12.js 
@@ -0,0 +1,2123 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Insufficient Technical Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 
'CWE-107', name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 
'Use of Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { id: 
'CWE-1188', name: 'Insecure Default Initialization of Resource' }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'On-Chip Debug and Test Interface With Improper Access Control', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1204', name: 'Generation of Weak Initialization Vector (IV)' }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { id: 'CWE-1231', name: 'Improper Prevention of Lock Bit Modification' }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Security-Sensitive Hardware Controls with 
Missing Lock Bit Protection', + }, + { + id: 'CWE-1234', + name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { + id: 'CWE-1240', + name: 'Use of a Cryptographic Primitive with a Risky Implementation', + }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Internal Asset Exposed to Unsafe Debug Access Level or State', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Improper Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison Logic Granularity' }, + { + 
id: 'CWE-1255', + name: 'Comparison Logic is Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Improper Restriction of Software Interfaces to Hardware Features', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { id: 'CWE-1262', name: 'Improper Access Control for Register Interface' }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Uninitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Improper Access Control for Volatile Memory Containing Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie 
with Improper SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 'Debug Messages Revealing Unnecessary Information', + }, + { + id: 'CWE-1296', + name: 
'Incorrect Chaining or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { id: 'CWE-1300', name: 'Improper Protection of Physical Side Channels' }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { id: 'CWE-1302', name: 'Missing Security Identifier' }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { id: 'CWE-1310', name: 'Missing Ability to Patch ROM Code' }, + { + id: 'CWE-1311', + name: 'Improper Translation of Security Attributes by Fabric Bridge', + }, + { + id: 'CWE-1312', + name: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall', + }, + { + id: 'CWE-1313', + name: 'Hardware Allows Activation of Test or Debug Logic at Runtime', + }, + { + id: 'CWE-1314', + name: 'Missing Write Protection for Parametric Data Values', + }, + { + id: 'CWE-1315', + name: 'Improper Setting of Bus Controlling Capability in Fabric End-point', + }, + { + id: 'CWE-1316', + name: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges', + }, + { id: 'CWE-1317', name: 'Improper Access Control in Fabric Bridge' }, + { + id: 'CWE-1318', + name: 'Missing Support for Security Features in On-chip Fabrics or Buses', + }, + { + id: 'CWE-1319', + name: 'Improper Protection 
against Electromagnetic Fault Injection (EM-FI)', + }, + { id: 'CWE-132', name: 'DEPRECATED: Miscalculated Null Termination' }, + { + id: 'CWE-1320', + name: 'Improper Protection for Outbound Error Messages and Alert Signals', + }, + { + id: 'CWE-1321', + name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + }, + { + id: 'CWE-1322', + name: 'Use of Blocking Code in Single-threaded, Non-blocking Context', + }, + { id: 'CWE-1323', name: 'Improper Management of Sensitive Trace Data' }, + { + id: 'CWE-1324', + name: 'DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface', + }, + { + id: 'CWE-1325', + name: 'Improperly Controlled Sequential Memory Allocation', + }, + { id: 'CWE-1326', name: 'Missing Immutable Root of Trust in Hardware' }, + { id: 'CWE-1327', name: 'Binding to an Unrestricted IP Address' }, + { + id: 'CWE-1328', + name: 'Security Version Number Mutable to Older Versions', + }, + { id: 'CWE-1329', name: 'Reliance on Component That is Not Updateable' }, + { id: 'CWE-1330', name: 'Remanent Data Readable after Memory Erase' }, + { + id: 'CWE-1331', + name: 'Improper Isolation of Shared Resources in Network On Chip (NoC)', + }, + { + id: 'CWE-1332', + name: 'Improper Handling of Faults that Lead to Instruction Skips', + }, + { id: 'CWE-1333', name: 'Inefficient Regular Expression Complexity' }, + { + id: 'CWE-1334', + name: 'Unauthorized Error Injection Can Degrade Hardware Redundancy', + }, + { id: 'CWE-1335', name: 'Incorrect Bitwise Shift of Integer' }, + { + id: 'CWE-1336', + name: 'Improper Neutralization of Special Elements Used in a Template Engine', + }, + { + id: 'CWE-1338', + name: 'Improper Protections Against Hardware Overheating', + }, + { + id: 'CWE-1339', + name: 'Insufficient Precision or Accuracy of a Real Number', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { id: 'CWE-1341', name: 'Multiple Releases of Same Resource or Handle' }, + 
{ + id: 'CWE-1342', + name: 'Information Exposure through Microarchitectural State after Transient Execution', + }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { + id: 'CWE-1351', + name: 'Improper Handling of Hardware Behavior in Exceptionally Cold Environments', + }, + { + id: 'CWE-1357', + name: 'Reliance on Insufficiently Trustworthy Component', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { + id: 'CWE-1384', + name: 'Improper Handling of Physical or Environmental Conditions', + }, + { id: 'CWE-1385', name: 'Missing Origin Validation in WebSockets' }, + { + id: 'CWE-1386', + name: 'Insecure Operation on Windows Junction / Mount Point', + }, + { + id: 'CWE-1389', + name: 'Incorrect Parsing of Numbers with Different Radices', + }, + { id: 'CWE-1390', name: 'Weak Authentication' }, + { id: 'CWE-1391', name: 'Use of Weak Credentials' }, + { id: 'CWE-1392', name: 'Use of Default Credentials' }, + { id: 'CWE-1393', name: 'Use of Default Password' }, + { id: 'CWE-1394', name: 'Use of Default Cryptographic Key' }, + { id: 'CWE-1395', name: 'Dependency on Vulnerable Third-Party Component' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper 
Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, 
+ { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral 
Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED: Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED: General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, 
+ { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED: Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function 
Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 
'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { id: 'CWE-292', name: 'DEPRECATED: Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 
'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Use of Weak Hash' }, + { id: 'CWE-329', name: 'Generation of Predictable IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity 
Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'DEPRECATED: Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 
'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper 
Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED: Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED: HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP 
Requests ('HTTP Request/Response Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of 
Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { + id: 'CWE-478', + name: 'Missing Default Case in Multiple Condition Expression', + }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive 
Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED: Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Cleartext Storage of Sensitive Information in an Environment Variable', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 
'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + 
}, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of 
Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 
'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive Information', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction 
Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Improper Isolation or Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', 
+ }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { + id: 'CWE-675', + name: 'Multiple Operations on Resource in Single-Operation Context', + }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 
'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output 
Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing 
Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Memory Allocation with Excessive Size Value' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering 
of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of 
Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, 
+ { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 
'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/4.13.js b/lib/cwec/4.13.js new file mode 100644 index 0000000..57874f6 --- /dev/null +++ b/lib/cwec/4.13.js 
@@ -0,0 +1,2127 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Insufficient Technical Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 
'CWE-107', name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 
'Use of Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { + id: 
'CWE-1188', + name: 'Initialization of a Resource with an Insecure Default', + }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'On-Chip Debug and Test Interface With Improper Access Control', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1204', name: 'Generation of Weak Initialization Vector (IV)' }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { id: 'CWE-1231', name: 'Improper Prevention of Lock Bit Modification' }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Security-Sensitive Hardware 
Controls with Missing Lock Bit Protection', + }, + { + id: 'CWE-1234', + name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { + id: 'CWE-1240', + name: 'Use of a Cryptographic Primitive with a Risky Implementation', + }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Internal Asset Exposed to Unsafe Debug Access Level or State', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Improper Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison Logic 
Granularity' }, + { + id: 'CWE-1255', + name: 'Comparison Logic is Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Improper Restriction of Software Interfaces to Hardware Features', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { id: 'CWE-1262', name: 'Improper Access Control for Register Interface' }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Uninitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Improper Access Control for Volatile Memory Containing Boot Code', + }, + { + id: 'CWE-1275', + 
name: 'Sensitive Cookie with Improper SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 'Debug Messages Revealing Unnecessary Information', + }, + { + id: 
'CWE-1296', + name: 'Incorrect Chaining or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { id: 'CWE-1300', name: 'Improper Protection of Physical Side Channels' }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { id: 'CWE-1302', name: 'Missing Security Identifier' }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { id: 'CWE-1310', name: 'Missing Ability to Patch ROM Code' }, + { + id: 'CWE-1311', + name: 'Improper Translation of Security Attributes by Fabric Bridge', + }, + { + id: 'CWE-1312', + name: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall', + }, + { + id: 'CWE-1313', + name: 'Hardware Allows Activation of Test or Debug Logic at Runtime', + }, + { + id: 'CWE-1314', + name: 'Missing Write Protection for Parametric Data Values', + }, + { + id: 'CWE-1315', + name: 'Improper Setting of Bus Controlling Capability in Fabric End-point', + }, + { + id: 'CWE-1316', + name: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges', + }, + { id: 'CWE-1317', name: 'Improper Access Control in Fabric Bridge' }, + { + id: 'CWE-1318', + name: 'Missing Support for Security Features in On-chip Fabrics or Buses', + }, + { + id: 'CWE-1319', + name: 
'Improper Protection against Electromagnetic Fault Injection (EM-FI)', + }, + { id: 'CWE-132', name: 'DEPRECATED: Miscalculated Null Termination' }, + { + id: 'CWE-1320', + name: 'Improper Protection for Outbound Error Messages and Alert Signals', + }, + { + id: 'CWE-1321', + name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + }, + { + id: 'CWE-1322', + name: 'Use of Blocking Code in Single-threaded, Non-blocking Context', + }, + { id: 'CWE-1323', name: 'Improper Management of Sensitive Trace Data' }, + { + id: 'CWE-1324', + name: 'DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface', + }, + { + id: 'CWE-1325', + name: 'Improperly Controlled Sequential Memory Allocation', + }, + { id: 'CWE-1326', name: 'Missing Immutable Root of Trust in Hardware' }, + { id: 'CWE-1327', name: 'Binding to an Unrestricted IP Address' }, + { + id: 'CWE-1328', + name: 'Security Version Number Mutable to Older Versions', + }, + { id: 'CWE-1329', name: 'Reliance on Component That is Not Updateable' }, + { id: 'CWE-1330', name: 'Remanent Data Readable after Memory Erase' }, + { + id: 'CWE-1331', + name: 'Improper Isolation of Shared Resources in Network On Chip (NoC)', + }, + { + id: 'CWE-1332', + name: 'Improper Handling of Faults that Lead to Instruction Skips', + }, + { id: 'CWE-1333', name: 'Inefficient Regular Expression Complexity' }, + { + id: 'CWE-1334', + name: 'Unauthorized Error Injection Can Degrade Hardware Redundancy', + }, + { id: 'CWE-1335', name: 'Incorrect Bitwise Shift of Integer' }, + { + id: 'CWE-1336', + name: 'Improper Neutralization of Special Elements Used in a Template Engine', + }, + { + id: 'CWE-1338', + name: 'Improper Protections Against Hardware Overheating', + }, + { + id: 'CWE-1339', + name: 'Insufficient Precision or Accuracy of a Real Number', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { id: 'CWE-1341', name: 'Multiple Releases of Same 
Resource or Handle' }, + { + id: 'CWE-1342', + name: 'Information Exposure through Microarchitectural State after Transient Execution', + }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { + id: 'CWE-1351', + name: 'Improper Handling of Hardware Behavior in Exceptionally Cold Environments', + }, + { + id: 'CWE-1357', + name: 'Reliance on Insufficiently Trustworthy Component', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { + id: 'CWE-1384', + name: 'Improper Handling of Physical or Environmental Conditions', + }, + { id: 'CWE-1385', name: 'Missing Origin Validation in WebSockets' }, + { + id: 'CWE-1386', + name: 'Insecure Operation on Windows Junction / Mount Point', + }, + { + id: 'CWE-1389', + name: 'Incorrect Parsing of Numbers with Different Radices', + }, + { id: 'CWE-1390', name: 'Weak Authentication' }, + { id: 'CWE-1391', name: 'Use of Weak Credentials' }, + { id: 'CWE-1392', name: 'Use of Default Credentials' }, + { id: 'CWE-1393', name: 'Use of Default Password' }, + { id: 'CWE-1394', name: 'Use of Default Cryptographic Key' }, + { id: 'CWE-1395', name: 'Dependency on Vulnerable Third-Party Component' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-1419', name: 'Incorrect Initialization of Resource' }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', 
name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of 
Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 
'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED: Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED: General Information Management Problems', + }, + { + id: 
'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED: Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', 
name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper 
Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { id: 'CWE-292', name: 'DEPRECATED: Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 
'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Use of Weak Hash' }, + { id: 'CWE-329', name: 'Generation of Predictable IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity 
Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'DEPRECATED: Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 
'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper 
Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED: Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED: HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP 
Requests ('HTTP Request/Response Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of 
Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { + id: 'CWE-478', + name: 'Missing Default Case in Multiple Condition Expression', + }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive 
Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED: Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Cleartext Storage of Sensitive Information in an Environment Variable', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 
'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + 
}, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of 
Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 
'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive Information', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction 
Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Improper Isolation or Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', 
+ }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { + id: 'CWE-675', + name: 'Multiple Operations on Resource in Single-Operation Context', + }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 
'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output 
Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing 
Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Memory Allocation with Excessive Size Value' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering 
of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of 
Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, 
+ { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 
'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/4.14.js b/lib/cwec/4.14.js new file mode 100644 index 0000000..6ec2646 --- /dev/null +++ b/lib/cwec/4.14.js 
@@ -0,0 +1,2146 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Insufficient Technical Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 
'CWE-107', name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 
'Use of Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { + id: 
'CWE-1188', + name: 'Initialization of a Resource with an Insecure Default', + }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'On-Chip Debug and Test Interface With Improper Access Control', + }, + { + id: 'CWE-1192', + name: 'Improper Identifier for IP Block used in System-On-Chip (SOC)', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1204', name: 'Generation of Weak Initialization Vector (IV)' }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { id: 'CWE-1231', name: 'Improper Prevention of Lock Bit Modification' }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Security-Sensitive Hardware Controls with 
Missing Lock Bit Protection', + }, + { + id: 'CWE-1234', + name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { + id: 'CWE-1240', + name: 'Use of a Cryptographic Primitive with a Risky Implementation', + }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Internal Asset Exposed to Unsafe Debug Access Level or State', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Improper Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison Logic Granularity' }, + { + 
id: 'CWE-1255', + name: 'Comparison Logic is Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Improper Restriction of Software Interfaces to Hardware Features', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { id: 'CWE-1262', name: 'Improper Access Control for Register Interface' }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Uninitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Improper Access Control for Volatile Memory Containing Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie 
with Improper SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 'Debug Messages Revealing Unnecessary Information', + }, + { + id: 'CWE-1296', + name: 
'Incorrect Chaining or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { id: 'CWE-1300', name: 'Improper Protection of Physical Side Channels' }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { + id: 'CWE-1302', + name: 'Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)', + }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { id: 'CWE-1310', name: 'Missing Ability to Patch ROM Code' }, + { + id: 'CWE-1311', + name: 'Improper Translation of Security Attributes by Fabric Bridge', + }, + { + id: 'CWE-1312', + name: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall', + }, + { + id: 'CWE-1313', + name: 'Hardware Allows Activation of Test or Debug Logic at Runtime', + }, + { + id: 'CWE-1314', + name: 'Missing Write Protection for Parametric Data Values', + }, + { + id: 'CWE-1315', + name: 'Improper Setting of Bus Controlling Capability in Fabric End-point', + }, + { + id: 'CWE-1316', + name: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges', + }, + { id: 'CWE-1317', name: 'Improper Access Control in Fabric Bridge' }, + { + id: 'CWE-1318', + name: 'Missing Support for Security Features in On-chip Fabrics or Buses', + }, 
+ { + id: 'CWE-1319', + name: 'Improper Protection against Electromagnetic Fault Injection (EM-FI)', + }, + { id: 'CWE-132', name: 'DEPRECATED: Miscalculated Null Termination' }, + { + id: 'CWE-1320', + name: 'Improper Protection for Outbound Error Messages and Alert Signals', + }, + { + id: 'CWE-1321', + name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + }, + { + id: 'CWE-1322', + name: 'Use of Blocking Code in Single-threaded, Non-blocking Context', + }, + { id: 'CWE-1323', name: 'Improper Management of Sensitive Trace Data' }, + { + id: 'CWE-1324', + name: 'DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface', + }, + { + id: 'CWE-1325', + name: 'Improperly Controlled Sequential Memory Allocation', + }, + { id: 'CWE-1326', name: 'Missing Immutable Root of Trust in Hardware' }, + { id: 'CWE-1327', name: 'Binding to an Unrestricted IP Address' }, + { + id: 'CWE-1328', + name: 'Security Version Number Mutable to Older Versions', + }, + { id: 'CWE-1329', name: 'Reliance on Component That is Not Updateable' }, + { id: 'CWE-1330', name: 'Remanent Data Readable after Memory Erase' }, + { + id: 'CWE-1331', + name: 'Improper Isolation of Shared Resources in Network On Chip (NoC)', + }, + { + id: 'CWE-1332', + name: 'Improper Handling of Faults that Lead to Instruction Skips', + }, + { id: 'CWE-1333', name: 'Inefficient Regular Expression Complexity' }, + { + id: 'CWE-1334', + name: 'Unauthorized Error Injection Can Degrade Hardware Redundancy', + }, + { id: 'CWE-1335', name: 'Incorrect Bitwise Shift of Integer' }, + { + id: 'CWE-1336', + name: 'Improper Neutralization of Special Elements Used in a Template Engine', + }, + { + id: 'CWE-1338', + name: 'Improper Protections Against Hardware Overheating', + }, + { + id: 'CWE-1339', + name: 'Insufficient Precision or Accuracy of a Real Number', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { id: 'CWE-1341', name: 
'Multiple Releases of Same Resource or Handle' }, + { + id: 'CWE-1342', + name: 'Information Exposure through Microarchitectural State after Transient Execution', + }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { + id: 'CWE-1351', + name: 'Improper Handling of Hardware Behavior in Exceptionally Cold Environments', + }, + { + id: 'CWE-1357', + name: 'Reliance on Insufficiently Trustworthy Component', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { + id: 'CWE-1384', + name: 'Improper Handling of Physical or Environmental Conditions', + }, + { id: 'CWE-1385', name: 'Missing Origin Validation in WebSockets' }, + { + id: 'CWE-1386', + name: 'Insecure Operation on Windows Junction / Mount Point', + }, + { + id: 'CWE-1389', + name: 'Incorrect Parsing of Numbers with Different Radices', + }, + { id: 'CWE-1390', name: 'Weak Authentication' }, + { id: 'CWE-1391', name: 'Use of Weak Credentials' }, + { id: 'CWE-1392', name: 'Use of Default Credentials' }, + { id: 'CWE-1393', name: 'Use of Default Password' }, + { id: 'CWE-1394', name: 'Use of Default Cryptographic Key' }, + { id: 'CWE-1395', name: 'Dependency on Vulnerable Third-Party Component' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-1419', name: 'Incorrect Initialization of Resource' }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { + id: 'CWE-1420', + name: 'Exposure of Sensitive Information during Transient Execution', + }, + { + id: 'CWE-1421', + name: 'Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution', + }, + { + id: 'CWE-1422', + name: 'Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution', + }, + { + id: 
'CWE-1423', + name: 'Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution', + }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 
'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 
'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED: Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: 
"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED: General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory 
Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED: Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 
'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { id: 'CWE-292', name: 'DEPRECATED: Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of 
Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Use of Weak Hash' }, + { id: 'CWE-329', name: 'Generation of Predictable IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity 
Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'DEPRECATED: Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 
'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper 
Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED: Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED: HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP 
Requests ('HTTP Request/Response Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of 
Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { + id: 'CWE-478', + name: 'Missing Default Case in Multiple Condition Expression', + }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive 
Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED: Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Cleartext Storage of Sensitive Information in an Environment Variable', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 
'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + 
}, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of 
Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 
'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive Information', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction 
Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Improper Isolation or Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', 
+ }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { + id: 'CWE-675', + name: 'Multiple Operations on Resource in Single-Operation Context', + }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 
'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output 
Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing 
Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Memory Allocation with Excessive Size Value' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering 
of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of 
Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, 
+ { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 
'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/4.15.js b/lib/cwec/4.15.js new file mode 100644 index 0000000..989f34e --- /dev/null +++ b/lib/cwec/4.15.js 
@@ -0,0 +1,2147 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Insufficient Technical Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 
'CWE-107', name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 
'Use of Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { + id: 
'CWE-1188', + name: 'Initialization of a Resource with an Insecure Default', + }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'On-Chip Debug and Test Interface With Improper Access Control', + }, + { + id: 'CWE-1192', + name: 'Improper Identifier for IP Block used in System-On-Chip (SOC)', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1204', name: 'Generation of Weak Initialization Vector (IV)' }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { id: 'CWE-1231', name: 'Improper Prevention of Lock Bit Modification' }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Security-Sensitive Hardware Controls with 
Missing Lock Bit Protection', + }, + { + id: 'CWE-1234', + name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { + id: 'CWE-1240', + name: 'Use of a Cryptographic Primitive with a Risky Implementation', + }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Internal Asset Exposed to Unsafe Debug Access Level or State', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Improper Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison Logic Granularity' }, + { + 
id: 'CWE-1255', + name: 'Comparison Logic is Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Improper Restriction of Software Interfaces to Hardware Features', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { id: 'CWE-1262', name: 'Improper Access Control for Register Interface' }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Uninitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Improper Access Control for Volatile Memory Containing Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie 
with Improper SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 'Debug Messages Revealing Unnecessary Information', + }, + { + id: 'CWE-1296', + name: 
'Incorrect Chaining or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { id: 'CWE-1300', name: 'Improper Protection of Physical Side Channels' }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { + id: 'CWE-1302', + name: 'Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)', + }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { id: 'CWE-1310', name: 'Missing Ability to Patch ROM Code' }, + { + id: 'CWE-1311', + name: 'Improper Translation of Security Attributes by Fabric Bridge', + }, + { + id: 'CWE-1312', + name: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall', + }, + { + id: 'CWE-1313', + name: 'Hardware Allows Activation of Test or Debug Logic at Runtime', + }, + { + id: 'CWE-1314', + name: 'Missing Write Protection for Parametric Data Values', + }, + { + id: 'CWE-1315', + name: 'Improper Setting of Bus Controlling Capability in Fabric End-point', + }, + { + id: 'CWE-1316', + name: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges', + }, + { id: 'CWE-1317', name: 'Improper Access Control in Fabric Bridge' }, + { + id: 'CWE-1318', + name: 'Missing Support for Security Features in On-chip Fabrics or Buses', + }, 
+ { + id: 'CWE-1319', + name: 'Improper Protection against Electromagnetic Fault Injection (EM-FI)', + }, + { id: 'CWE-132', name: 'DEPRECATED: Miscalculated Null Termination' }, + { + id: 'CWE-1320', + name: 'Improper Protection for Outbound Error Messages and Alert Signals', + }, + { + id: 'CWE-1321', + name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + }, + { + id: 'CWE-1322', + name: 'Use of Blocking Code in Single-threaded, Non-blocking Context', + }, + { id: 'CWE-1323', name: 'Improper Management of Sensitive Trace Data' }, + { + id: 'CWE-1324', + name: 'DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface', + }, + { + id: 'CWE-1325', + name: 'Improperly Controlled Sequential Memory Allocation', + }, + { id: 'CWE-1326', name: 'Missing Immutable Root of Trust in Hardware' }, + { id: 'CWE-1327', name: 'Binding to an Unrestricted IP Address' }, + { + id: 'CWE-1328', + name: 'Security Version Number Mutable to Older Versions', + }, + { id: 'CWE-1329', name: 'Reliance on Component That is Not Updateable' }, + { id: 'CWE-1330', name: 'Remanent Data Readable after Memory Erase' }, + { + id: 'CWE-1331', + name: 'Improper Isolation of Shared Resources in Network On Chip (NoC)', + }, + { + id: 'CWE-1332', + name: 'Improper Handling of Faults that Lead to Instruction Skips', + }, + { id: 'CWE-1333', name: 'Inefficient Regular Expression Complexity' }, + { + id: 'CWE-1334', + name: 'Unauthorized Error Injection Can Degrade Hardware Redundancy', + }, + { id: 'CWE-1335', name: 'Incorrect Bitwise Shift of Integer' }, + { + id: 'CWE-1336', + name: 'Improper Neutralization of Special Elements Used in a Template Engine', + }, + { + id: 'CWE-1338', + name: 'Improper Protections Against Hardware Overheating', + }, + { + id: 'CWE-1339', + name: 'Insufficient Precision or Accuracy of a Real Number', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { id: 'CWE-1341', name: 
'Multiple Releases of Same Resource or Handle' }, + { + id: 'CWE-1342', + name: 'Information Exposure through Microarchitectural State after Transient Execution', + }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { + id: 'CWE-1351', + name: 'Improper Handling of Hardware Behavior in Exceptionally Cold Environments', + }, + { + id: 'CWE-1357', + name: 'Reliance on Insufficiently Trustworthy Component', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { + id: 'CWE-1384', + name: 'Improper Handling of Physical or Environmental Conditions', + }, + { id: 'CWE-1385', name: 'Missing Origin Validation in WebSockets' }, + { + id: 'CWE-1386', + name: 'Insecure Operation on Windows Junction / Mount Point', + }, + { + id: 'CWE-1389', + name: 'Incorrect Parsing of Numbers with Different Radices', + }, + { id: 'CWE-1390', name: 'Weak Authentication' }, + { id: 'CWE-1391', name: 'Use of Weak Credentials' }, + { id: 'CWE-1392', name: 'Use of Default Credentials' }, + { id: 'CWE-1393', name: 'Use of Default Password' }, + { id: 'CWE-1394', name: 'Use of Default Cryptographic Key' }, + { id: 'CWE-1395', name: 'Dependency on Vulnerable Third-Party Component' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-1419', name: 'Incorrect Initialization of Resource' }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { + id: 'CWE-1420', + name: 'Exposure of Sensitive Information during Transient Execution', + }, + { + id: 'CWE-1421', + name: 'Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution', + }, + { + id: 'CWE-1422', + name: 'Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution', + }, + { + id: 
'CWE-1423', + name: 'Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution', + }, + { id: 'CWE-1426', name: 'Improper Validation of Generative AI Output' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper 
Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 
'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED: Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with 
Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED: General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + 
}, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED: Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { 
id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { id: 'CWE-292', name: 'DEPRECATED: Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable 
Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Use of Weak Hash' }, + { id: 'CWE-329', name: 'Generation of Predictable IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin 
Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'DEPRECATED: Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State 
Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' 
}, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED: Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED: HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: 
Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { + id: 'CWE-478', + name: 'Missing Default Case in Multiple Condition Expression', + }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes 
by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED: Covert Timing Channel' }, + { id: 'CWE-52', 
name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Cleartext Storage of Sensitive Information in an Environment Variable', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path Equivalence: 
'filedir\\' (Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 
'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: 
"Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive Information', + }, 
+ { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 
'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Improper Isolation or Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 
'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { + id: 'CWE-675', + name: 'Multiple Operations on Resource in Single-Operation Context', + }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE 
Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at 
Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 
'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Memory Allocation with Excessive Size Value' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 
'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + 
{ + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + 
}, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource 
Injection')", + }, + ], +} diff --git a/lib/cwec/4.2.js b/lib/cwec/4.2.js new file mode 100644 index 0000000..a45938d --- /dev/null +++ b/lib/cwec/4.2.js 
@@ -0,0 +1,2010 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Incomplete Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 'CWE-107', 
name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 'Use of 
Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { id: 'CWE-1188', 
name: 'Insecure Default Initialization of Resource' }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { + id: 'CWE-1231', + name: 'Improper Implementation of Lock Protection Registers', + }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Improper Hardware Lock Protection for Security Sensitive Controls', + }, + { + id: 'CWE-1234', + 
name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-1240', name: 'Use of a Risky Cryptographic Primitive' }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Improper Access to Sensitive Information Using Debug and Test Interfaces', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Missing or Improperly Implemented Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison Logic Granularity' }, + { + id: 'CWE-1255', + name: 'Comparison Logic is 
Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Hardware Features Enable Physical Attacks from Software', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { + id: 'CWE-1262', + name: 'Register Interface Allows Software Access to Sensitive Data or Security Settings', + }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Unitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Insufficient Protections on the Volatile Memory Containing Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie with 
Improper SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior (Halt and Catch Fire)', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 'Debug Messages Revealing Unnecessary Information', + }, + { + id: 
'CWE-1296', + name: 'Incorrect Chaining or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { + id: 'CWE-1300', + name: 'Improper Protection Against Physical Side Channels', + }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { id: 'CWE-1302', name: 'Missing Security Identifier' }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper 
Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + 
}, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + 
name: 'Exposure of Sensitive Information Through Data Queries', + }, + { + id: 'CWE-203', + name: 'Observable Differences in Behavior to Error Inputs', + }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, 
+ { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { 
id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Unprotected Storage of Credentials' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of 
Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive 
Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity 
Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', 
name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource 
Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent 
Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External 
Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { 
+ id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Exposure of Sensitive Information Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + 
name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + }, + { + id: 
'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + 
{ id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception 
in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive Information', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null 
Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', 
name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + 
}, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 
'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 
'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Uncontrolled Memory Allocation' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 
'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 
'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 
'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication 
Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/4.3.js b/lib/cwec/4.3.js new file mode 100644 index 0000000..f326a99 --- /dev/null +++ b/lib/cwec/4.3.js 
@@ -0,0 +1,2086 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Incomplete Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 'CWE-107', 
name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 'Use of 
Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { id: 'CWE-1188', 
name: 'Insecure Default Initialization of Resource' }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { + id: 'CWE-1231', + name: 'Improper Implementation of Lock Protection Registers', + }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Improper Hardware Lock Protection for Security Sensitive Controls', + }, + { + id: 'CWE-1234', + 
name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-1240', name: 'Use of a Risky Cryptographic Primitive' }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Improper Access to Sensitive Information Using Debug and Test Interfaces', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Missing or Improperly Implemented Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison Logic Granularity' }, + { + id: 'CWE-1255', + name: 'Comparison Logic is 
Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Hardware Features Enable Physical Attacks from Software', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { + id: 'CWE-1262', + name: 'Register Interface Allows Software Access to Sensitive Data or Security Settings', + }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Unitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Insufficient Protections on the Volatile Memory Containing Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie with 
Improper SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior (Halt and Catch Fire)', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 'Debug Messages Revealing Unnecessary Information', + }, + { + id: 
'CWE-1296', + name: 'Incorrect Chaining or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { + id: 'CWE-1300', + name: 'Improper Protection Against Physical Side Channels', + }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { id: 'CWE-1302', name: 'Missing Security Identifier' }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { id: 'CWE-1310', name: 'Missing Ability to Patch ROM Code' }, + { + id: 'CWE-1311', + name: 'Improper Translation of Security Attributes by Fabric Bridge', + }, + { + id: 'CWE-1312', + name: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall', + }, + { + id: 'CWE-1313', + name: 'Hardware Allows Activation of Test or Debug Logic at Runtime', + }, + { + id: 'CWE-1314', + name: 'Missing Write Protection for Parametric Data Values', + }, + { + id: 'CWE-1315', + name: 'Improper Setting of Bus Controlling Capability in Fabric End-point', + }, + { + id: 'CWE-1316', + name: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges', + }, + { id: 'CWE-1317', name: 'Missing Security Checks in Fabric Bridge' }, + { + id: 'CWE-1318', + name: 'Missing Support for Security Features in On-chip Fabrics or Buses', + }, + { + id: 'CWE-1319', 
+ name: 'Improper Protection against Electromagnetic Fault Injection (EM-FI)', + }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { + id: 'CWE-1320', + name: 'Improper Protection for Out of Bounds Signal Level Alerts', + }, + { + id: 'CWE-1321', + name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + }, + { + id: 'CWE-1322', + name: 'Use of Blocking Code in Single-threaded, Non-blocking Context', + }, + { id: 'CWE-1323', name: 'Improper Management of Sensitive Trace Data' }, + { + id: 'CWE-1324', + name: 'Sensitive Information Accessible by Physical Probing of JTAG Interface', + }, + { + id: 'CWE-1325', + name: 'Improperly Controlled Sequential Memory Allocation', + }, + { id: 'CWE-1326', name: 'Missing Immutable Root of Trust in Hardware' }, + { id: 'CWE-1327', name: 'Binding to an Unrestricted IP Address' }, + { + id: 'CWE-1328', + name: 'Security Version Number Mutable to Older Versions', + }, + { id: 'CWE-1329', name: 'Reliance on Component That is Not Updateable' }, + { id: 'CWE-1330', name: 'Remanent Data Readable after Memory Erase' }, + { + id: 'CWE-1331', + name: 'Improper Isolation of Shared Resources in Network On Chip', + }, + { + id: 'CWE-1332', + name: 'Insufficient Protection Against Instruction Skipping Via Fault Injection', + }, + { + id: 'CWE-1334', + name: 'Unauthorized Error Injection Can Degrade Hardware Redundancy', + }, + { + id: 'CWE-1338', + name: 'Improper Protections Against Hardware Overheating', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument 
Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special 
Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 
'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory 
('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + 
id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Unprotected Storage of Credentials' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure 
Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of 
Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using a Random IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity 
Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', 
name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource 
Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent 
Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External 
Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { 
+ id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Exposure of Sensitive Information Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + 
name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + }, + { + id: 
'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + 
{ id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception 
in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive Information', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null 
Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', 
name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + 
}, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 
'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 
'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Memory Allocation with Excessive Size Value' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 
'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 
'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath 
Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a 
Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/lib/cwec/4.4.js b/lib/cwec/4.4.js new file mode 100644 index 0000000..2a04153 --- /dev/null +++ b/lib/cwec/4.4.js 
@@ -0,0 +1,2088 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Incomplete Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 'CWE-107', 
name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 'Use of 
Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { id: 'CWE-1188', 
name: 'Insecure Default Initialization of Resource' }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1204', name: 'Generation of Weak Initialization Vector (IV)' }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { + id: 'CWE-1231', + name: 'Improper Implementation of Lock Protection Registers', + }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Improper Hardware 
Lock Protection for Security Sensitive Controls', + }, + { + id: 'CWE-1234', + name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-1240', name: 'Use of a Risky Cryptographic Primitive' }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Improper Access to Sensitive Information Using Debug and Test Interfaces', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Missing or Improperly Implemented Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison 
Logic Granularity' }, + { + id: 'CWE-1255', + name: 'Comparison Logic is Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Hardware Features Enable Physical Attacks from Software', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { + id: 'CWE-1262', + name: 'Register Interface Allows Software Access to Sensitive Data or Security Settings', + }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Uninitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Insufficient Protections on the Volatile Memory Containing 
Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie with Improper SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior (Halt and Catch Fire)', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 
'Debug Messages Revealing Unnecessary Information', + }, + { + id: 'CWE-1296', + name: 'Incorrect Chaining or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { + id: 'CWE-1300', + name: 'Improper Protection Against Physical Side Channels', + }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { id: 'CWE-1302', name: 'Missing Security Identifier' }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { id: 'CWE-1310', name: 'Missing Ability to Patch ROM Code' }, + { + id: 'CWE-1311', + name: 'Improper Translation of Security Attributes by Fabric Bridge', + }, + { + id: 'CWE-1312', + name: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall', + }, + { + id: 'CWE-1313', + name: 'Hardware Allows Activation of Test or Debug Logic at Runtime', + }, + { + id: 'CWE-1314', + name: 'Missing Write Protection for Parametric Data Values', + }, + { + id: 'CWE-1315', + name: 'Improper Setting of Bus Controlling Capability in Fabric End-point', + }, + { + id: 'CWE-1316', + name: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges', + }, + { id: 'CWE-1317', name: 'Missing Security Checks in Fabric Bridge' }, + { + id: 'CWE-1318', + name: 'Missing Support for Security 
Features in On-chip Fabrics or Buses', + }, + { + id: 'CWE-1319', + name: 'Improper Protection against Electromagnetic Fault Injection (EM-FI)', + }, + { + id: 'CWE-132', + name: 'DEPRECATED (Duplicate): Miscalculated Null Termination', + }, + { + id: 'CWE-1320', + name: 'Improper Protection for Out of Bounds Signal Level Alerts', + }, + { + id: 'CWE-1321', + name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + }, + { + id: 'CWE-1322', + name: 'Use of Blocking Code in Single-threaded, Non-blocking Context', + }, + { id: 'CWE-1323', name: 'Improper Management of Sensitive Trace Data' }, + { + id: 'CWE-1324', + name: 'Sensitive Information Accessible by Physical Probing of JTAG Interface', + }, + { + id: 'CWE-1325', + name: 'Improperly Controlled Sequential Memory Allocation', + }, + { id: 'CWE-1326', name: 'Missing Immutable Root of Trust in Hardware' }, + { id: 'CWE-1327', name: 'Binding to an Unrestricted IP Address' }, + { + id: 'CWE-1328', + name: 'Security Version Number Mutable to Older Versions', + }, + { id: 'CWE-1329', name: 'Reliance on Component That is Not Updateable' }, + { id: 'CWE-1330', name: 'Remanent Data Readable after Memory Erase' }, + { + id: 'CWE-1331', + name: 'Improper Isolation of Shared Resources in Network On Chip', + }, + { + id: 'CWE-1332', + name: 'Insufficient Protection Against Instruction Skipping Via Fault Injection', + }, + { id: 'CWE-1333', name: 'Inefficient Regular Expression Complexity' }, + { + id: 'CWE-1334', + name: 'Unauthorized Error Injection Can Degrade Hardware Redundancy', + }, + { + id: 'CWE-1338', + name: 'Improper Protections Against Hardware Overheating', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 
'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 
'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 
'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED (Duplicate): Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 
'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED (Duplicate): General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail 
Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Unprotected Storage of Credentials' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 
'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { + id: 'CWE-292', + name: 'DEPRECATED (Duplicate): Trusting Self-reported DNS Name', + }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' 
}, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Not Using an Unpredictable IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 
'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State 
Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' 
}, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED (Duplicate): Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED (Duplicate): HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 
'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by 
Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED (Duplicate): Covert Timing Channel' }, + { id: 
'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Exposure of Sensitive Information Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path 
Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + 
{ id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + 
name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive 
Information', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 
'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 
'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: 
Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + 
{ id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic 
Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Memory Allocation with Excessive Size Value' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script 
in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access 
of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 
'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} 
diff --git a/lib/cwec/4.5.js b/lib/cwec/4.5.js new file mode 100644 index 0000000..9afc4c3 --- /dev/null +++ b/lib/cwec/4.5.js 
@@ -0,0 +1,2095 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Incomplete Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 'CWE-107', 
name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 'Use of 
Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { id: 'CWE-1188', 
name: 'Insecure Default Initialization of Resource' }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1204', name: 'Generation of Weak Initialization Vector (IV)' }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { + id: 'CWE-1231', + name: 'Improper Implementation of Lock Protection Registers', + }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Improper Hardware 
Lock Protection for Security Sensitive Controls', + }, + { + id: 'CWE-1234', + name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { id: 'CWE-1240', name: 'Use of a Risky Cryptographic Primitive' }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Improper Access to Sensitive Information Using Debug and Test Interfaces', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Missing or Improperly Implemented Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison 
Logic Granularity' }, + { + id: 'CWE-1255', + name: 'Comparison Logic is Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Hardware Features Enable Physical Attacks from Software', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { + id: 'CWE-1262', + name: 'Register Interface Allows Software Access to Sensitive Data or Security Settings', + }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Uninitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Insufficient Protections on the Volatile Memory Containing 
Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie with Improper SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 'Debug Messages Revealing 
Unnecessary Information', + }, + { + id: 'CWE-1296', + name: 'Incorrect Chaining or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { + id: 'CWE-1300', + name: 'Improper Protection Against Physical Side Channels', + }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { id: 'CWE-1302', name: 'Missing Security Identifier' }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { id: 'CWE-1310', name: 'Missing Ability to Patch ROM Code' }, + { + id: 'CWE-1311', + name: 'Improper Translation of Security Attributes by Fabric Bridge', + }, + { + id: 'CWE-1312', + name: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall', + }, + { + id: 'CWE-1313', + name: 'Hardware Allows Activation of Test or Debug Logic at Runtime', + }, + { + id: 'CWE-1314', + name: 'Missing Write Protection for Parametric Data Values', + }, + { + id: 'CWE-1315', + name: 'Improper Setting of Bus Controlling Capability in Fabric End-point', + }, + { + id: 'CWE-1316', + name: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges', + }, + { id: 'CWE-1317', name: 'Missing Security Checks in Fabric Bridge' }, + { + id: 'CWE-1318', + name: 'Missing Support for Security Features in On-chip 
Fabrics or Buses', + }, + { + id: 'CWE-1319', + name: 'Improper Protection against Electromagnetic Fault Injection (EM-FI)', + }, + { id: 'CWE-132', name: 'DEPRECATED: Miscalculated Null Termination' }, + { + id: 'CWE-1320', + name: 'Improper Protection for Out of Bounds Signal Level Alerts', + }, + { + id: 'CWE-1321', + name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + }, + { + id: 'CWE-1322', + name: 'Use of Blocking Code in Single-threaded, Non-blocking Context', + }, + { id: 'CWE-1323', name: 'Improper Management of Sensitive Trace Data' }, + { + id: 'CWE-1324', + name: 'Sensitive Information Accessible by Physical Probing of JTAG Interface', + }, + { + id: 'CWE-1325', + name: 'Improperly Controlled Sequential Memory Allocation', + }, + { id: 'CWE-1326', name: 'Missing Immutable Root of Trust in Hardware' }, + { id: 'CWE-1327', name: 'Binding to an Unrestricted IP Address' }, + { + id: 'CWE-1328', + name: 'Security Version Number Mutable to Older Versions', + }, + { id: 'CWE-1329', name: 'Reliance on Component That is Not Updateable' }, + { id: 'CWE-1330', name: 'Remanent Data Readable after Memory Erase' }, + { + id: 'CWE-1331', + name: 'Improper Isolation of Shared Resources in Network On Chip', + }, + { + id: 'CWE-1332', + name: 'Insufficient Protection Against Instruction Skipping Via Fault Injection', + }, + { id: 'CWE-1333', name: 'Inefficient Regular Expression Complexity' }, + { + id: 'CWE-1334', + name: 'Unauthorized Error Injection Can Degrade Hardware Redundancy', + }, + { id: 'CWE-1335', name: 'Incorrect Bitwise Shift of Integer' }, + { + id: 'CWE-1336', + name: 'Improper Neutralization of Special Elements Used in a Template Engine', + }, + { + id: 'CWE-1338', + name: 'Improper Protections Against Hardware Overheating', + }, + { + id: 'CWE-1339', + name: 'Insufficient Precision or Accuracy of a Real Number', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { + id: 
'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { + id: 'CWE-1351', + name: 'Improper Handling of Hardware Behavior in Exceptionally Cold Environments', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid 
Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 
'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + 
}, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED: Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED: General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: 
'../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED: Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching 
Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { id: 'CWE-292', name: 'DEPRECATED: Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 
'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Reversible One-Way Hash' }, + { id: 'CWE-329', name: 'Generation of Predictable IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 
'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State 
Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' 
}, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED: Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED: HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect 
Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 
'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED: Covert Timing Channel' }, + { id: 'CWE-52', name: "Path 
Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Exposure of Sensitive Information Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' 
(Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 
'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link 
Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive Information', + }, + { id: 
'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper 
Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Insufficient Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect 
Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { id: 'CWE-675', name: 'Duplicate Operations on Resource' }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + 
id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched 
Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 
'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Memory Allocation with Excessive Size Value' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { 
+ id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type 
('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' 
}, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} 
diff --git a/lib/cwec/4.6.js b/lib/cwec/4.6.js
new file mode 100644
index 0000000..1d2cf53
--- /dev/null
+++ b/lib/cwec/4.6.js
@@ -0,0 +1,2097 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Incomplete Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 'CWE-107', 
name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 'Use of 
Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { id: 'CWE-1188', 
name: 'Insecure Default Initialization of Resource' }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'On-Chip Debug and Test Interface With Improper Access Control', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1204', name: 'Generation of Weak Initialization Vector (IV)' }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { id: 'CWE-1231', name: 'Improper Prevention of Lock Bit Modification' }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Security-Sensitive Hardware Controls with Missing Lock 
Bit Protection', + }, + { + id: 'CWE-1234', + name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { + id: 'CWE-1240', + name: 'Use of a Cryptographic Primitive with a Risky Implementation', + }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Internal Asset Exposed to Unsafe Debug Access Level or State', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Improper Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison Logic Granularity' }, + { + id: 'CWE-1255', 
+ name: 'Comparison Logic is Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Improper Restriction of Software Interfaces to Hardware Features', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { id: 'CWE-1262', name: 'Improper Access Control for Register Interface' }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Uninitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Improper Access Control for Volatile Memory Containing Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie with Improper 
SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 'Debug Messages Revealing Unnecessary Information', + }, + { + id: 'CWE-1296', + name: 'Incorrect Chaining 
or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { id: 'CWE-1300', name: 'Improper Protection of Physical Side Channels' }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { id: 'CWE-1302', name: 'Missing Security Identifier' }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { id: 'CWE-1310', name: 'Missing Ability to Patch ROM Code' }, + { + id: 'CWE-1311', + name: 'Improper Translation of Security Attributes by Fabric Bridge', + }, + { + id: 'CWE-1312', + name: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall', + }, + { + id: 'CWE-1313', + name: 'Hardware Allows Activation of Test or Debug Logic at Runtime', + }, + { + id: 'CWE-1314', + name: 'Missing Write Protection for Parametric Data Values', + }, + { + id: 'CWE-1315', + name: 'Improper Setting of Bus Controlling Capability in Fabric End-point', + }, + { + id: 'CWE-1316', + name: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges', + }, + { id: 'CWE-1317', name: 'Missing Security Checks in Fabric Bridge' }, + { + id: 'CWE-1318', + name: 'Missing Support for Security Features in On-chip Fabrics or Buses', + }, + { + id: 'CWE-1319', + name: 'Improper Protection against Electromagnetic 
Fault Injection (EM-FI)', + }, + { id: 'CWE-132', name: 'DEPRECATED: Miscalculated Null Termination' }, + { + id: 'CWE-1320', + name: 'Improper Protection for Out of Bounds Signal Level Alerts', + }, + { + id: 'CWE-1321', + name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + }, + { + id: 'CWE-1322', + name: 'Use of Blocking Code in Single-threaded, Non-blocking Context', + }, + { id: 'CWE-1323', name: 'Improper Management of Sensitive Trace Data' }, + { + id: 'CWE-1324', + name: 'Sensitive Information Accessible by Physical Probing of JTAG Interface', + }, + { + id: 'CWE-1325', + name: 'Improperly Controlled Sequential Memory Allocation', + }, + { id: 'CWE-1326', name: 'Missing Immutable Root of Trust in Hardware' }, + { id: 'CWE-1327', name: 'Binding to an Unrestricted IP Address' }, + { + id: 'CWE-1328', + name: 'Security Version Number Mutable to Older Versions', + }, + { id: 'CWE-1329', name: 'Reliance on Component That is Not Updateable' }, + { id: 'CWE-1330', name: 'Remanent Data Readable after Memory Erase' }, + { + id: 'CWE-1331', + name: 'Improper Isolation of Shared Resources in Network On Chip (NoC)', + }, + { + id: 'CWE-1332', + name: 'Improper Handling of Faults that Lead to Instruction Skips', + }, + { id: 'CWE-1333', name: 'Inefficient Regular Expression Complexity' }, + { + id: 'CWE-1334', + name: 'Unauthorized Error Injection Can Degrade Hardware Redundancy', + }, + { id: 'CWE-1335', name: 'Incorrect Bitwise Shift of Integer' }, + { + id: 'CWE-1336', + name: 'Improper Neutralization of Special Elements Used in a Template Engine', + }, + { + id: 'CWE-1338', + name: 'Improper Protections Against Hardware Overheating', + }, + { + id: 'CWE-1339', + name: 'Insufficient Precision or Accuracy of a Real Number', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { id: 'CWE-1341', name: 'Multiple Releases of Same Resource or Handle' }, + { + id: 'CWE-1342', + name: 'Information 
Exposure through Microarchitectural State after Transient Execution', + }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { + id: 'CWE-1351', + name: 'Improper Handling of Hardware Behavior in Exceptionally Cold Environments', + }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte 
or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' 
}, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { 
+ id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED: Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED: General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 
'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED: Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path 
Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { id: 'CWE-292', name: 'DEPRECATED: Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, 
+ { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' 
(Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Use of Weak Hash' }, + { id: 'CWE-329', name: 'Generation of Predictable IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin 
Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization 
Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 
'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED: Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED: HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect 
Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 
'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED: Covert Timing Channel' }, + { id: 'CWE-52', name: "Path 
Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Exposure of Sensitive Information Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' 
(Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 
'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link 
Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive Information', + }, + { id: 
'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper 
Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Improper Isolation or Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 
'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { + id: 'CWE-675', + name: 'Multiple Operations on Resource in Single-Operation Context', + }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE 
Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at 
Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 
'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Memory Allocation with Excessive Size Value' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 
'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + 
{ + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + 
}, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource 
Injection')", + }, + ], +}
diff --git a/lib/cwec/4.7.js b/lib/cwec/4.7.js
new file mode 100644
index 0000000..e205e92
--- /dev/null
+++ b/lib/cwec/4.7.js
@@ -0,0 +1,2103 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Insufficient Technical Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 
'CWE-107', name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 
'Use of Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { id: 'CWE-1188', 
name: 'Insecure Default Initialization of Resource' }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'On-Chip Debug and Test Interface With Improper Access Control', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1204', name: 'Generation of Weak Initialization Vector (IV)' }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { id: 'CWE-1231', name: 'Improper Prevention of Lock Bit Modification' }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Security-Sensitive Hardware Controls with Missing Lock 
Bit Protection', + }, + { + id: 'CWE-1234', + name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { + id: 'CWE-1240', + name: 'Use of a Cryptographic Primitive with a Risky Implementation', + }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Internal Asset Exposed to Unsafe Debug Access Level or State', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Improper Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison Logic Granularity' }, + { + id: 'CWE-1255', 
+ name: 'Comparison Logic is Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Improper Restriction of Software Interfaces to Hardware Features', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { id: 'CWE-1262', name: 'Improper Access Control for Register Interface' }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Uninitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Improper Access Control for Volatile Memory Containing Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie with Improper 
SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 'Debug Messages Revealing Unnecessary Information', + }, + { + id: 'CWE-1296', + name: 'Incorrect Chaining 
or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { id: 'CWE-1300', name: 'Improper Protection of Physical Side Channels' }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { id: 'CWE-1302', name: 'Missing Security Identifier' }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { id: 'CWE-1310', name: 'Missing Ability to Patch ROM Code' }, + { + id: 'CWE-1311', + name: 'Improper Translation of Security Attributes by Fabric Bridge', + }, + { + id: 'CWE-1312', + name: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall', + }, + { + id: 'CWE-1313', + name: 'Hardware Allows Activation of Test or Debug Logic at Runtime', + }, + { + id: 'CWE-1314', + name: 'Missing Write Protection for Parametric Data Values', + }, + { + id: 'CWE-1315', + name: 'Improper Setting of Bus Controlling Capability in Fabric End-point', + }, + { + id: 'CWE-1316', + name: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges', + }, + { id: 'CWE-1317', name: 'Missing Security Checks in Fabric Bridge' }, + { + id: 'CWE-1318', + name: 'Missing Support for Security Features in On-chip Fabrics or Buses', + }, + { + id: 'CWE-1319', + name: 'Improper Protection against Electromagnetic 
Fault Injection (EM-FI)', + }, + { id: 'CWE-132', name: 'DEPRECATED: Miscalculated Null Termination' }, + { + id: 'CWE-1320', + name: 'Improper Protection for Out of Bounds Signal Level Alerts', + }, + { + id: 'CWE-1321', + name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + }, + { + id: 'CWE-1322', + name: 'Use of Blocking Code in Single-threaded, Non-blocking Context', + }, + { id: 'CWE-1323', name: 'Improper Management of Sensitive Trace Data' }, + { + id: 'CWE-1324', + name: 'Sensitive Information Accessible by Physical Probing of JTAG Interface', + }, + { + id: 'CWE-1325', + name: 'Improperly Controlled Sequential Memory Allocation', + }, + { id: 'CWE-1326', name: 'Missing Immutable Root of Trust in Hardware' }, + { id: 'CWE-1327', name: 'Binding to an Unrestricted IP Address' }, + { + id: 'CWE-1328', + name: 'Security Version Number Mutable to Older Versions', + }, + { id: 'CWE-1329', name: 'Reliance on Component That is Not Updateable' }, + { id: 'CWE-1330', name: 'Remanent Data Readable after Memory Erase' }, + { + id: 'CWE-1331', + name: 'Improper Isolation of Shared Resources in Network On Chip (NoC)', + }, + { + id: 'CWE-1332', + name: 'Improper Handling of Faults that Lead to Instruction Skips', + }, + { id: 'CWE-1333', name: 'Inefficient Regular Expression Complexity' }, + { + id: 'CWE-1334', + name: 'Unauthorized Error Injection Can Degrade Hardware Redundancy', + }, + { id: 'CWE-1335', name: 'Incorrect Bitwise Shift of Integer' }, + { + id: 'CWE-1336', + name: 'Improper Neutralization of Special Elements Used in a Template Engine', + }, + { + id: 'CWE-1338', + name: 'Improper Protections Against Hardware Overheating', + }, + { + id: 'CWE-1339', + name: 'Insufficient Precision or Accuracy of a Real Number', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { id: 'CWE-1341', name: 'Multiple Releases of Same Resource or Handle' }, + { + id: 'CWE-1342', + name: 'Information 
Exposure through Microarchitectural State after Transient Execution', + }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { + id: 'CWE-1351', + name: 'Improper Handling of Hardware Behavior in Exceptionally Cold Environments', + }, + { id: 'CWE-1357', name: 'Reliance on Uncontrolled Component' }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { + id: 'CWE-1384', + name: 'Improper Handling of Extreme Physical Environment Conditions', + }, + { id: 'CWE-1385', name: 'Missing Origin Validation in WebSockets' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of 
Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 
'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of 
Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED: Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED: General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + 
{ id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED: Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', 
name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { id: 'CWE-292', name: 'DEPRECATED: Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by 
Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext 
Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Use of Weak Hash' }, + { id: 'CWE-329', name: 'Generation of Predictable IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 
'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'DEPRECATED: Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 
'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File 
Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED: Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED: HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect 
Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 
'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED: Covert Timing Channel' }, + { id: 'CWE-52', name: "Path 
Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Exposure of Sensitive Information Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' 
(Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 
'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link 
Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive Information', + }, + { id: 
'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper 
Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Improper Isolation or Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 
'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { + id: 'CWE-675', + name: 'Multiple Operations on Resource in Single-Operation Context', + }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE 
Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at 
Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 
'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Memory Allocation with Excessive Size Value' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 
'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + 
{ + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + 
}, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource 
+ Injection')",
+ },
+ ],
+}
diff --git a/lib/cwec/4.8.js b/lib/cwec/4.8.js
new file mode 100644
index 0000000..5bd338f
--- /dev/null
+++ b/lib/cwec/4.8.js
@@ -0,0 +1,2107 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Insufficient Technical Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 
'CWE-107', name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 
'Use of Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { id: 
'CWE-1188', name: 'Insecure Default Initialization of Resource' }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'On-Chip Debug and Test Interface With Improper Access Control', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1204', name: 'Generation of Weak Initialization Vector (IV)' }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { id: 'CWE-1231', name: 'Improper Prevention of Lock Bit Modification' }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Security-Sensitive Hardware Controls with 
Missing Lock Bit Protection', + }, + { + id: 'CWE-1234', + name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { + id: 'CWE-1240', + name: 'Use of a Cryptographic Primitive with a Risky Implementation', + }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Internal Asset Exposed to Unsafe Debug Access Level or State', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Improper Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison Logic Granularity' }, + { + 
id: 'CWE-1255', + name: 'Comparison Logic is Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Improper Restriction of Software Interfaces to Hardware Features', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { id: 'CWE-1262', name: 'Improper Access Control for Register Interface' }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Uninitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Improper Access Control for Volatile Memory Containing Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie 
with Improper SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 'Debug Messages Revealing Unnecessary Information', + }, + { + id: 'CWE-1296', + name: 
'Incorrect Chaining or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { id: 'CWE-1300', name: 'Improper Protection of Physical Side Channels' }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { id: 'CWE-1302', name: 'Missing Security Identifier' }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { id: 'CWE-1310', name: 'Missing Ability to Patch ROM Code' }, + { + id: 'CWE-1311', + name: 'Improper Translation of Security Attributes by Fabric Bridge', + }, + { + id: 'CWE-1312', + name: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall', + }, + { + id: 'CWE-1313', + name: 'Hardware Allows Activation of Test or Debug Logic at Runtime', + }, + { + id: 'CWE-1314', + name: 'Missing Write Protection for Parametric Data Values', + }, + { + id: 'CWE-1315', + name: 'Improper Setting of Bus Controlling Capability in Fabric End-point', + }, + { + id: 'CWE-1316', + name: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges', + }, + { id: 'CWE-1317', name: 'Missing Security Checks in Fabric Bridge' }, + { + id: 'CWE-1318', + name: 'Missing Support for Security Features in On-chip Fabrics or Buses', + }, + { + id: 'CWE-1319', + name: 'Improper Protection 
against Electromagnetic Fault Injection (EM-FI)', + }, + { id: 'CWE-132', name: 'DEPRECATED: Miscalculated Null Termination' }, + { + id: 'CWE-1320', + name: 'Improper Protection for Out of Bounds Signal Level Alerts', + }, + { + id: 'CWE-1321', + name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + }, + { + id: 'CWE-1322', + name: 'Use of Blocking Code in Single-threaded, Non-blocking Context', + }, + { id: 'CWE-1323', name: 'Improper Management of Sensitive Trace Data' }, + { + id: 'CWE-1324', + name: 'Sensitive Information Accessible by Physical Probing of JTAG Interface', + }, + { + id: 'CWE-1325', + name: 'Improperly Controlled Sequential Memory Allocation', + }, + { id: 'CWE-1326', name: 'Missing Immutable Root of Trust in Hardware' }, + { id: 'CWE-1327', name: 'Binding to an Unrestricted IP Address' }, + { + id: 'CWE-1328', + name: 'Security Version Number Mutable to Older Versions', + }, + { id: 'CWE-1329', name: 'Reliance on Component That is Not Updateable' }, + { id: 'CWE-1330', name: 'Remanent Data Readable after Memory Erase' }, + { + id: 'CWE-1331', + name: 'Improper Isolation of Shared Resources in Network On Chip (NoC)', + }, + { + id: 'CWE-1332', + name: 'Improper Handling of Faults that Lead to Instruction Skips', + }, + { id: 'CWE-1333', name: 'Inefficient Regular Expression Complexity' }, + { + id: 'CWE-1334', + name: 'Unauthorized Error Injection Can Degrade Hardware Redundancy', + }, + { id: 'CWE-1335', name: 'Incorrect Bitwise Shift of Integer' }, + { + id: 'CWE-1336', + name: 'Improper Neutralization of Special Elements Used in a Template Engine', + }, + { + id: 'CWE-1338', + name: 'Improper Protections Against Hardware Overheating', + }, + { + id: 'CWE-1339', + name: 'Insufficient Precision or Accuracy of a Real Number', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { id: 'CWE-1341', name: 'Multiple Releases of Same Resource or Handle' }, + { + id: 'CWE-1342', 
+ name: 'Information Exposure through Microarchitectural State after Transient Execution', + }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { + id: 'CWE-1351', + name: 'Improper Handling of Hardware Behavior in Exceptionally Cold Environments', + }, + { id: 'CWE-1357', name: 'Reliance on Uncontrolled Component' }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { + id: 'CWE-1384', + name: 'Improper Handling of Physical or Environmental Conditions', + }, + { id: 'CWE-1385', name: 'Missing Origin Validation in WebSockets' }, + { + id: 'CWE-1386', + name: 'Insecure Operation on Windows Junction / Mount Point', + }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper 
Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: 
Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error 
Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED: Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED: General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to 
Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED: Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using 
Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { id: 'CWE-292', name: 'DEPRECATED: Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 
'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext 
Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Use of Weak Hash' }, + { id: 'CWE-329', name: 'Generation of Predictable IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' (Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + 
name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'DEPRECATED: Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 
'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { 
+ id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED: Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' 
(Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED: HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: 
Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { id: 'CWE-478', name: 'Missing Default Case in Switch Statement' }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 
'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED: Covert Timing Channel' }, + { id: 'CWE-52', name: "Path 
Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Exposure of Sensitive Information Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' 
(Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 
'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + { id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link 
Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive Information', + }, + { id: 
'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper 
Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Improper Isolation or Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 
'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { + id: 'CWE-675', + name: 'Multiple Operations on Resource in Single-Operation Context', + }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE 
Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at 
Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 
'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Memory Allocation with Excessive Size Value' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 
'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + 
{ + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + 
}, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource 
Injection')", + }, + ], +} diff --git a/lib/cwec/4.9.js b/lib/cwec/4.9.js new file mode 100644 index 0000000..7a7972d --- /dev/null +++ b/lib/cwec/4.9.js 
@@ -0,0 +1,2119 @@ +export default { + weaknesses: [ + { id: 'CWE-1004', name: "Sensitive Cookie Without 'HttpOnly' Flag" }, + { + id: 'CWE-1007', + name: 'Insufficient Visual Distinction of Homoglyphs Presented to User', + }, + { id: 'CWE-102', name: 'Struts: Duplicate Validation Forms' }, + { + id: 'CWE-1021', + name: 'Improper Restriction of Rendered UI Layers or Frames', + }, + { + id: 'CWE-1022', + name: 'Use of Web Link to Untrusted Target with window.opener Access', + }, + { id: 'CWE-1023', name: 'Incomplete Comparison with Missing Factors' }, + { id: 'CWE-1024', name: 'Comparison of Incompatible Types' }, + { id: 'CWE-1025', name: 'Comparison Using Wrong Factors' }, + { id: 'CWE-103', name: 'Struts: Incomplete validate() Method Definition' }, + { + id: 'CWE-1037', + name: 'Processor Optimization Removal or Modification of Security-critical Code', + }, + { id: 'CWE-1038', name: 'Insecure Automated Optimizations' }, + { + id: 'CWE-1039', + name: 'Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations', + }, + { + id: 'CWE-104', + name: 'Struts: Form Bean Does Not Extend Validation Class', + }, + { id: 'CWE-1041', name: 'Use of Redundant Code' }, + { + id: 'CWE-1042', + name: 'Static Member Data Element outside of a Singleton Class Element', + }, + { + id: 'CWE-1043', + name: 'Data Element Aggregating an Excessively Large Number of Non-Primitive Elements', + }, + { + id: 'CWE-1044', + name: 'Architecture with Number of Horizontal Layers Outside of Expected Range', + }, + { + id: 'CWE-1045', + name: 'Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor', + }, + { + id: 'CWE-1046', + name: 'Creation of Immutable Text Using String Concatenation', + }, + { id: 'CWE-1047', name: 'Modules with Circular Dependencies' }, + { + id: 'CWE-1048', + name: 'Invokable Control Element with Large Number of Outward Calls', + }, + { + id: 'CWE-1049', + name: 'Excessive Data Query Operations in a 
Large Data Table', + }, + { id: 'CWE-105', name: 'Struts: Form Field Without Validator' }, + { + id: 'CWE-1050', + name: 'Excessive Platform Resource Consumption within a Loop', + }, + { + id: 'CWE-1051', + name: 'Initialization with Hard-Coded Network Resource Configuration Data', + }, + { + id: 'CWE-1052', + name: 'Excessive Use of Hard-Coded Literals in Initialization', + }, + { id: 'CWE-1053', name: 'Missing Documentation for Design' }, + { + id: 'CWE-1054', + name: 'Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer', + }, + { id: 'CWE-1055', name: 'Multiple Inheritance from Concrete Classes' }, + { + id: 'CWE-1056', + name: 'Invokable Control Element with Variadic Parameters', + }, + { + id: 'CWE-1057', + name: 'Data Access Operations Outside of Expected Data Manager Component', + }, + { + id: 'CWE-1058', + name: 'Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element', + }, + { id: 'CWE-1059', name: 'Insufficient Technical Documentation' }, + { id: 'CWE-106', name: 'Struts: Plug-in Framework not in Use' }, + { + id: 'CWE-1060', + name: 'Excessive Number of Inefficient Server-Side Data Accesses', + }, + { id: 'CWE-1061', name: 'Insufficient Encapsulation' }, + { id: 'CWE-1062', name: 'Parent Class with References to Child Class' }, + { + id: 'CWE-1063', + name: 'Creation of Class Instance within a Static Code Block', + }, + { + id: 'CWE-1064', + name: 'Invokable Control Element with Signature Containing an Excessive Number of Parameters', + }, + { + id: 'CWE-1065', + name: 'Runtime Resource Management Control Element in a Component Built to Run on Application Servers', + }, + { id: 'CWE-1066', name: 'Missing Serialization Control Element' }, + { + id: 'CWE-1067', + name: 'Excessive Execution of Sequential Searches of Data Resource', + }, + { + id: 'CWE-1068', + name: 'Inconsistency Between Implementation and Documented Design', + }, + { id: 'CWE-1069', name: 'Empty Exception Block' }, + { id: 
'CWE-107', name: 'Struts: Unused Validation Form' }, + { + id: 'CWE-1070', + name: 'Serializable Data Element Containing non-Serializable Item Elements', + }, + { id: 'CWE-1071', name: 'Empty Code Block' }, + { + id: 'CWE-1072', + name: 'Data Resource Access without Use of Connection Pooling', + }, + { + id: 'CWE-1073', + name: 'Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses', + }, + { id: 'CWE-1074', name: 'Class with Excessively Deep Inheritance' }, + { + id: 'CWE-1075', + name: 'Unconditional Control Flow Transfer outside of Switch Block', + }, + { id: 'CWE-1076', name: 'Insufficient Adherence to Expected Conventions' }, + { + id: 'CWE-1077', + name: 'Floating Point Comparison with Incorrect Operator', + }, + { id: 'CWE-1078', name: 'Inappropriate Source Code Style or Formatting' }, + { id: 'CWE-1079', name: 'Parent Class without Virtual Destructor Method' }, + { id: 'CWE-108', name: 'Struts: Unvalidated Action Form' }, + { + id: 'CWE-1080', + name: 'Source Code File with Excessive Number of Lines of Code', + }, + { id: 'CWE-1082', name: 'Class Instance Self Destruction Control Element' }, + { + id: 'CWE-1083', + name: 'Data Access from Outside Expected Data Manager Component', + }, + { + id: 'CWE-1084', + name: 'Invokable Control Element with Excessive File or Data Access Operations', + }, + { + id: 'CWE-1085', + name: 'Invokable Control Element with Excessive Volume of Commented-out Code', + }, + { id: 'CWE-1086', name: 'Class with Excessive Number of Child Classes' }, + { + id: 'CWE-1087', + name: 'Class with Virtual Method without a Virtual Destructor', + }, + { + id: 'CWE-1088', + name: 'Synchronous Access of Remote Resource without Timeout', + }, + { + id: 'CWE-1089', + name: 'Large Data Table with Excessive Number of Indices', + }, + { id: 'CWE-109', name: 'Struts: Validator Turned Off' }, + { + id: 'CWE-1090', + name: 'Method Containing Access of a Member Element from Another Class', + }, + { + id: 'CWE-1091', + name: 
'Use of Object without Invoking Destructor Method', + }, + { + id: 'CWE-1092', + name: 'Use of Same Invokable Control Element in Multiple Architectural Layers', + }, + { id: 'CWE-1093', name: 'Excessively Complex Data Representation' }, + { id: 'CWE-1094', name: 'Excessive Index Range Scan for a Data Resource' }, + { id: 'CWE-1095', name: 'Loop Condition Value Update within the Loop' }, + { + id: 'CWE-1096', + name: 'Singleton Class Instance Creation without Proper Locking or Synchronization', + }, + { + id: 'CWE-1097', + name: 'Persistent Storable Data Element without Associated Comparison Control Element', + }, + { + id: 'CWE-1098', + name: 'Data Element containing Pointer Item without Proper Copy Control Element', + }, + { id: 'CWE-1099', name: 'Inconsistent Naming Conventions for Identifiers' }, + { id: 'CWE-11', name: 'ASP.NET Misconfiguration: Creating Debug Binary' }, + { id: 'CWE-110', name: 'Struts: Validator Without Form Field' }, + { + id: 'CWE-1100', + name: 'Insufficient Isolation of System-Dependent Functions', + }, + { id: 'CWE-1101', name: 'Reliance on Runtime Component in Generated Code' }, + { + id: 'CWE-1102', + name: 'Reliance on Machine-Dependent Data Representation', + }, + { + id: 'CWE-1103', + name: 'Use of Platform-Dependent Third Party Components', + }, + { id: 'CWE-1104', name: 'Use of Unmaintained Third Party Components' }, + { + id: 'CWE-1105', + name: 'Insufficient Encapsulation of Machine-Dependent Functionality', + }, + { id: 'CWE-1106', name: 'Insufficient Use of Symbolic Constants' }, + { + id: 'CWE-1107', + name: 'Insufficient Isolation of Symbolic Constant Definitions', + }, + { id: 'CWE-1108', name: 'Excessive Reliance on Global Variables' }, + { id: 'CWE-1109', name: 'Use of Same Variable for Multiple Purposes' }, + { id: 'CWE-111', name: 'Direct Use of Unsafe JNI' }, + { id: 'CWE-1110', name: 'Incomplete Design Documentation' }, + { id: 'CWE-1111', name: 'Incomplete I/O Documentation' }, + { id: 'CWE-1112', name: 'Incomplete 
Documentation of Program Execution' }, + { id: 'CWE-1113', name: 'Inappropriate Comment Style' }, + { id: 'CWE-1114', name: 'Inappropriate Whitespace Style' }, + { id: 'CWE-1115', name: 'Source Code Element without Standard Prologue' }, + { id: 'CWE-1116', name: 'Inaccurate Comments' }, + { id: 'CWE-1117', name: 'Callable with Insufficient Behavioral Summary' }, + { + id: 'CWE-1118', + name: 'Insufficient Documentation of Error Handling Techniques', + }, + { id: 'CWE-1119', name: 'Excessive Use of Unconditional Branching' }, + { id: 'CWE-112', name: 'Missing XML Validation' }, + { id: 'CWE-1120', name: 'Excessive Code Complexity' }, + { id: 'CWE-1121', name: 'Excessive McCabe Cyclomatic Complexity' }, + { id: 'CWE-1122', name: 'Excessive Halstead Complexity' }, + { id: 'CWE-1123', name: 'Excessive Use of Self-Modifying Code' }, + { id: 'CWE-1124', name: 'Excessively Deep Nesting' }, + { id: 'CWE-1125', name: 'Excessive Attack Surface' }, + { + id: 'CWE-1126', + name: 'Declaration of Variable with Unnecessarily Wide Scope', + }, + { + id: 'CWE-1127', + name: 'Compilation with Insufficient Warnings or Errors', + }, + { + id: 'CWE-113', + name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", + }, + { id: 'CWE-114', name: 'Process Control' }, + { id: 'CWE-115', name: 'Misinterpretation of Input' }, + { id: 'CWE-116', name: 'Improper Encoding or Escaping of Output' }, + { id: 'CWE-1164', name: 'Irrelevant Code' }, + { id: 'CWE-117', name: 'Improper Output Neutralization for Logs' }, + { id: 'CWE-1173', name: 'Improper Use of Validation Framework' }, + { + id: 'CWE-1174', + name: 'ASP.NET Misconfiguration: Improper Model Validation', + }, + { id: 'CWE-1176', name: 'Inefficient CPU Computation' }, + { id: 'CWE-1177', name: 'Use of Prohibited Code' }, + { + id: 'CWE-118', + name: "Incorrect Access of Indexable Resource ('Range Error')", + }, + { id: 'CWE-1187', name: 'DEPRECATED: Use of Uninitialized Resource' }, + { id: 
'CWE-1188', name: 'Insecure Default Initialization of Resource' }, + { + id: 'CWE-1189', + name: 'Improper Isolation of Shared Resources on System-on-a-Chip (SoC)', + }, + { + id: 'CWE-119', + name: 'Improper Restriction of Operations within the Bounds of a Memory Buffer', + }, + { id: 'CWE-1190', name: 'DMA Device Enabled Too Early in Boot Phase' }, + { + id: 'CWE-1191', + name: 'On-Chip Debug and Test Interface With Improper Access Control', + }, + { + id: 'CWE-1192', + name: 'System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers', + }, + { + id: 'CWE-1193', + name: 'Power-On of Untrusted Execution Core Before Enabling Fabric Access Control', + }, + { + id: 'CWE-12', + name: 'ASP.NET Misconfiguration: Missing Custom Error Page', + }, + { + id: 'CWE-120', + name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + }, + { id: 'CWE-1204', name: 'Generation of Weak Initialization Vector (IV)' }, + { id: 'CWE-1209', name: 'Failure to Disable Reserved Bits' }, + { id: 'CWE-121', name: 'Stack-based Buffer Overflow' }, + { id: 'CWE-122', name: 'Heap-based Buffer Overflow' }, + { id: 'CWE-1220', name: 'Insufficient Granularity of Access Control' }, + { + id: 'CWE-1221', + name: 'Incorrect Register Defaults or Module Parameters', + }, + { + id: 'CWE-1222', + name: 'Insufficient Granularity of Address Regions Protected by Register Locks', + }, + { id: 'CWE-1223', name: 'Race Condition for Write-Once Attributes' }, + { id: 'CWE-1224', name: 'Improper Restriction of Write-Once Bit Fields' }, + { id: 'CWE-1229', name: 'Creation of Emergent Resource' }, + { id: 'CWE-123', name: 'Write-what-where Condition' }, + { + id: 'CWE-1230', + name: 'Exposure of Sensitive Information Through Metadata', + }, + { id: 'CWE-1231', name: 'Improper Prevention of Lock Bit Modification' }, + { + id: 'CWE-1232', + name: 'Improper Lock Behavior After Power State Transition', + }, + { + id: 'CWE-1233', + name: 'Security-Sensitive Hardware Controls with 
Missing Lock Bit Protection', + }, + { + id: 'CWE-1234', + name: 'Hardware Internal or Debug Modes Allow Override of Locks', + }, + { + id: 'CWE-1235', + name: 'Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations', + }, + { + id: 'CWE-1236', + name: 'Improper Neutralization of Formula Elements in a CSV File', + }, + { id: 'CWE-1239', name: 'Improper Zeroization of Hardware Register' }, + { id: 'CWE-124', name: "Buffer Underwrite ('Buffer Underflow')" }, + { + id: 'CWE-1240', + name: 'Use of a Cryptographic Primitive with a Risky Implementation', + }, + { + id: 'CWE-1241', + name: 'Use of Predictable Algorithm in Random Number Generator', + }, + { + id: 'CWE-1242', + name: 'Inclusion of Undocumented Features or Chicken Bits', + }, + { + id: 'CWE-1243', + name: 'Sensitive Non-Volatile Information Not Protected During Debug', + }, + { + id: 'CWE-1244', + name: 'Internal Asset Exposed to Unsafe Debug Access Level or State', + }, + { + id: 'CWE-1245', + name: 'Improper Finite State Machines (FSMs) in Hardware Logic', + }, + { + id: 'CWE-1246', + name: 'Improper Write Handling in Limited-write Non-Volatile Memories', + }, + { + id: 'CWE-1247', + name: 'Improper Protection Against Voltage and Clock Glitches', + }, + { + id: 'CWE-1248', + name: 'Semiconductor Defects in Hardware Logic with Security-Sensitive Implications', + }, + { + id: 'CWE-1249', + name: 'Application-Level Admin Tool with Inconsistent View of Underlying Operating System', + }, + { id: 'CWE-125', name: 'Out-of-bounds Read' }, + { + id: 'CWE-1250', + name: 'Improper Preservation of Consistency Between Independent Representations of Shared State', + }, + { id: 'CWE-1251', name: 'Mirrored Regions with Different Values' }, + { + id: 'CWE-1252', + name: 'CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations', + }, + { id: 'CWE-1253', name: 'Incorrect Selection of Fuse Values' }, + { id: 'CWE-1254', name: 'Incorrect Comparison Logic Granularity' }, + { + 
id: 'CWE-1255', + name: 'Comparison Logic is Vulnerable to Power Side-Channel Attacks', + }, + { + id: 'CWE-1256', + name: 'Improper Restriction of Software Interfaces to Hardware Features', + }, + { + id: 'CWE-1257', + name: 'Improper Access Control Applied to Mirrored or Aliased Memory Regions', + }, + { + id: 'CWE-1258', + name: 'Exposure of Sensitive System Information Due to Uncleared Debug Information', + }, + { + id: 'CWE-1259', + name: 'Improper Restriction of Security Token Assignment', + }, + { id: 'CWE-126', name: 'Buffer Over-read' }, + { + id: 'CWE-1260', + name: 'Improper Handling of Overlap Between Protected Memory Ranges', + }, + { id: 'CWE-1261', name: 'Improper Handling of Single Event Upsets' }, + { id: 'CWE-1262', name: 'Improper Access Control for Register Interface' }, + { id: 'CWE-1263', name: 'Improper Physical Access Control' }, + { + id: 'CWE-1264', + name: 'Hardware Logic with Insecure De-Synchronization between Control and Data Channels', + }, + { + id: 'CWE-1265', + name: 'Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls', + }, + { + id: 'CWE-1266', + name: 'Improper Scrubbing of Sensitive Data from Decommissioned Device', + }, + { id: 'CWE-1267', name: 'Policy Uses Obsolete Encoding' }, + { + id: 'CWE-1268', + name: 'Policy Privileges are not Assigned Consistently Between Control and Data Agents', + }, + { id: 'CWE-1269', name: 'Product Released in Non-Release Configuration' }, + { id: 'CWE-127', name: 'Buffer Under-read' }, + { id: 'CWE-1270', name: 'Generation of Incorrect Security Tokens' }, + { + id: 'CWE-1271', + name: 'Uninitialized Value on Reset for Registers Holding Security Settings', + }, + { + id: 'CWE-1272', + name: 'Sensitive Information Uncleared Before Debug/Power State Transition', + }, + { id: 'CWE-1273', name: 'Device Unlock Credential Sharing' }, + { + id: 'CWE-1274', + name: 'Improper Access Control for Volatile Memory Containing Boot Code', + }, + { + id: 'CWE-1275', + name: 'Sensitive Cookie 
with Improper SameSite Attribute', + }, + { + id: 'CWE-1276', + name: 'Hardware Child Block Incorrectly Connected to Parent System', + }, + { id: 'CWE-1277', name: 'Firmware Not Updateable' }, + { + id: 'CWE-1278', + name: 'Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques', + }, + { + id: 'CWE-1279', + name: 'Cryptographic Operations are run Before Supporting Units are Ready', + }, + { id: 'CWE-128', name: 'Wrap-around Error' }, + { + id: 'CWE-1280', + name: 'Access Control Check Implemented After Asset is Accessed', + }, + { + id: 'CWE-1281', + name: 'Sequence of Processor Instructions Leads to Unexpected Behavior', + }, + { + id: 'CWE-1282', + name: 'Assumed-Immutable Data is Stored in Writable Memory', + }, + { + id: 'CWE-1283', + name: 'Mutable Attestation or Measurement Reporting Data', + }, + { + id: 'CWE-1284', + name: 'Improper Validation of Specified Quantity in Input', + }, + { + id: 'CWE-1285', + name: 'Improper Validation of Specified Index, Position, or Offset in Input', + }, + { + id: 'CWE-1286', + name: 'Improper Validation of Syntactic Correctness of Input', + }, + { id: 'CWE-1287', name: 'Improper Validation of Specified Type of Input' }, + { id: 'CWE-1288', name: 'Improper Validation of Consistency within Input' }, + { + id: 'CWE-1289', + name: 'Improper Validation of Unsafe Equivalence in Input', + }, + { id: 'CWE-129', name: 'Improper Validation of Array Index' }, + { id: 'CWE-1290', name: 'Incorrect Decoding of Security Identifiers ' }, + { + id: 'CWE-1291', + name: 'Public Key Re-Use for Signing both Debug and Production Code', + }, + { id: 'CWE-1292', name: 'Incorrect Conversion of Security Identifiers' }, + { + id: 'CWE-1293', + name: 'Missing Source Correlation of Multiple Independent Data', + }, + { id: 'CWE-1294', name: 'Insecure Security Identifier Mechanism' }, + { + id: 'CWE-1295', + name: 'Debug Messages Revealing Unnecessary Information', + }, + { + id: 'CWE-1296', + name: 
'Incorrect Chaining or Granularity of Debug Components', + }, + { + id: 'CWE-1297', + name: 'Unprotected Confidential Information on Device is Accessible by OSAT Vendors', + }, + { id: 'CWE-1298', name: 'Hardware Logic Contains Race Conditions' }, + { + id: 'CWE-1299', + name: 'Missing Protection Mechanism for Alternate Hardware Interface', + }, + { + id: 'CWE-13', + name: 'ASP.NET Misconfiguration: Password in Configuration File', + }, + { + id: 'CWE-130', + name: 'Improper Handling of Length Parameter Inconsistency', + }, + { id: 'CWE-1300', name: 'Improper Protection of Physical Side Channels' }, + { + id: 'CWE-1301', + name: 'Insufficient or Incomplete Data Removal within Hardware Component', + }, + { id: 'CWE-1302', name: 'Missing Security Identifier' }, + { + id: 'CWE-1303', + name: 'Non-Transparent Sharing of Microarchitectural Resources', + }, + { + id: 'CWE-1304', + name: 'Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation', + }, + { id: 'CWE-131', name: 'Incorrect Calculation of Buffer Size' }, + { id: 'CWE-1310', name: 'Missing Ability to Patch ROM Code' }, + { + id: 'CWE-1311', + name: 'Improper Translation of Security Attributes by Fabric Bridge', + }, + { + id: 'CWE-1312', + name: 'Missing Protection for Mirrored Regions in On-Chip Fabric Firewall', + }, + { + id: 'CWE-1313', + name: 'Hardware Allows Activation of Test or Debug Logic at Runtime', + }, + { + id: 'CWE-1314', + name: 'Missing Write Protection for Parametric Data Values', + }, + { + id: 'CWE-1315', + name: 'Improper Setting of Bus Controlling Capability in Fabric End-point', + }, + { + id: 'CWE-1316', + name: 'Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges', + }, + { id: 'CWE-1317', name: 'Improper Access Control in Fabric Bridge' }, + { + id: 'CWE-1318', + name: 'Missing Support for Security Features in On-chip Fabrics or Buses', + }, + { + id: 'CWE-1319', + name: 'Improper Protection 
against Electromagnetic Fault Injection (EM-FI)', + }, + { id: 'CWE-132', name: 'DEPRECATED: Miscalculated Null Termination' }, + { + id: 'CWE-1320', + name: 'Improper Protection for Outbound Error Messages and Alert Signals', + }, + { + id: 'CWE-1321', + name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + }, + { + id: 'CWE-1322', + name: 'Use of Blocking Code in Single-threaded, Non-blocking Context', + }, + { id: 'CWE-1323', name: 'Improper Management of Sensitive Trace Data' }, + { + id: 'CWE-1324', + name: 'Sensitive Information Accessible by Physical Probing of JTAG Interface', + }, + { + id: 'CWE-1325', + name: 'Improperly Controlled Sequential Memory Allocation', + }, + { id: 'CWE-1326', name: 'Missing Immutable Root of Trust in Hardware' }, + { id: 'CWE-1327', name: 'Binding to an Unrestricted IP Address' }, + { + id: 'CWE-1328', + name: 'Security Version Number Mutable to Older Versions', + }, + { id: 'CWE-1329', name: 'Reliance on Component That is Not Updateable' }, + { id: 'CWE-1330', name: 'Remanent Data Readable after Memory Erase' }, + { + id: 'CWE-1331', + name: 'Improper Isolation of Shared Resources in Network On Chip (NoC)', + }, + { + id: 'CWE-1332', + name: 'Improper Handling of Faults that Lead to Instruction Skips', + }, + { id: 'CWE-1333', name: 'Inefficient Regular Expression Complexity' }, + { + id: 'CWE-1334', + name: 'Unauthorized Error Injection Can Degrade Hardware Redundancy', + }, + { id: 'CWE-1335', name: 'Incorrect Bitwise Shift of Integer' }, + { + id: 'CWE-1336', + name: 'Improper Neutralization of Special Elements Used in a Template Engine', + }, + { + id: 'CWE-1338', + name: 'Improper Protections Against Hardware Overheating', + }, + { + id: 'CWE-1339', + name: 'Insufficient Precision or Accuracy of a Real Number', + }, + { id: 'CWE-134', name: 'Use of Externally-Controlled Format String' }, + { id: 'CWE-1341', name: 'Multiple Releases of Same Resource or Handle' }, + { + id: 
'CWE-1342', + name: 'Information Exposure through Microarchitectural State after Transient Execution', + }, + { + id: 'CWE-135', + name: 'Incorrect Calculation of Multi-Byte String Length', + }, + { + id: 'CWE-1351', + name: 'Improper Handling of Hardware Behavior in Exceptionally Cold Environments', + }, + { id: 'CWE-1357', name: 'Reliance on Uncontrolled Component' }, + { id: 'CWE-138', name: 'Improper Neutralization of Special Elements' }, + { + id: 'CWE-1384', + name: 'Improper Handling of Physical or Environmental Conditions', + }, + { id: 'CWE-1385', name: 'Missing Origin Validation in WebSockets' }, + { + id: 'CWE-1386', + name: 'Insecure Operation on Windows Junction / Mount Point', + }, + { + id: 'CWE-1389', + name: 'Incorrect Parsing of Numbers with Different Radices', + }, + { id: 'CWE-1390', name: 'Weak Authentication' }, + { id: 'CWE-1391', name: 'Use of Weak Credentials' }, + { id: 'CWE-1392', name: 'Use of Default Credentials' }, + { id: 'CWE-1393', name: 'Use of Default Password' }, + { id: 'CWE-1394', name: 'Use of Default Cryptographic Key' }, + { id: 'CWE-14', name: 'Compiler Removal of Code to Clear Buffers' }, + { id: 'CWE-140', name: 'Improper Neutralization of Delimiters' }, + { + id: 'CWE-141', + name: 'Improper Neutralization of Parameter/Argument Delimiters', + }, + { id: 'CWE-142', name: 'Improper Neutralization of Value Delimiters' }, + { id: 'CWE-143', name: 'Improper Neutralization of Record Delimiters' }, + { id: 'CWE-144', name: 'Improper Neutralization of Line Delimiters' }, + { id: 'CWE-145', name: 'Improper Neutralization of Section Delimiters' }, + { + id: 'CWE-146', + name: 'Improper Neutralization of Expression/Command Delimiters', + }, + { id: 'CWE-147', name: 'Improper Neutralization of Input Terminators' }, + { id: 'CWE-148', name: 'Improper Neutralization of Input Leaders' }, + { id: 'CWE-149', name: 'Improper Neutralization of Quoting Syntax' }, + { + id: 'CWE-15', + name: 'External Control of System or Configuration 
Setting', + }, + { + id: 'CWE-150', + name: 'Improper Neutralization of Escape, Meta, or Control Sequences', + }, + { id: 'CWE-151', name: 'Improper Neutralization of Comment Delimiters' }, + { id: 'CWE-152', name: 'Improper Neutralization of Macro Symbols' }, + { + id: 'CWE-153', + name: 'Improper Neutralization of Substitution Characters', + }, + { + id: 'CWE-154', + name: 'Improper Neutralization of Variable Name Delimiters', + }, + { + id: 'CWE-155', + name: 'Improper Neutralization of Wildcards or Matching Symbols', + }, + { id: 'CWE-156', name: 'Improper Neutralization of Whitespace' }, + { id: 'CWE-157', name: 'Failure to Sanitize Paired Delimiters' }, + { + id: 'CWE-158', + name: 'Improper Neutralization of Null Byte or NUL Character', + }, + { + id: 'CWE-159', + name: 'Improper Handling of Invalid Use of Special Elements', + }, + { + id: 'CWE-160', + name: 'Improper Neutralization of Leading Special Elements', + }, + { + id: 'CWE-161', + name: 'Improper Neutralization of Multiple Leading Special Elements', + }, + { + id: 'CWE-162', + name: 'Improper Neutralization of Trailing Special Elements', + }, + { + id: 'CWE-163', + name: 'Improper Neutralization of Multiple Trailing Special Elements', + }, + { + id: 'CWE-164', + name: 'Improper Neutralization of Internal Special Elements', + }, + { + id: 'CWE-165', + name: 'Improper Neutralization of Multiple Internal Special Elements', + }, + { id: 'CWE-166', name: 'Improper Handling of Missing Special Element' }, + { id: 'CWE-167', name: 'Improper Handling of Additional Special Element' }, + { + id: 'CWE-168', + name: 'Improper Handling of Inconsistent Special Elements', + }, + { id: 'CWE-170', name: 'Improper Null Termination' }, + { id: 'CWE-172', name: 'Encoding Error' }, + { id: 'CWE-173', name: 'Improper Handling of Alternate Encoding' }, + { id: 'CWE-174', name: 'Double Decoding of the Same Data' }, + { id: 'CWE-175', name: 'Improper Handling of Mixed Encoding' }, + { id: 'CWE-176', name: 'Improper Handling 
of Unicode Encoding' }, + { id: 'CWE-177', name: 'Improper Handling of URL Encoding (Hex Encoding)' }, + { id: 'CWE-178', name: 'Improper Handling of Case Sensitivity' }, + { id: 'CWE-179', name: 'Incorrect Behavior Order: Early Validation' }, + { + id: 'CWE-180', + name: 'Incorrect Behavior Order: Validate Before Canonicalize', + }, + { id: 'CWE-181', name: 'Incorrect Behavior Order: Validate Before Filter' }, + { id: 'CWE-182', name: 'Collapse of Data into Unsafe Value' }, + { id: 'CWE-183', name: 'Permissive List of Allowed Inputs' }, + { id: 'CWE-184', name: 'Incomplete List of Disallowed Inputs' }, + { id: 'CWE-185', name: 'Incorrect Regular Expression' }, + { id: 'CWE-186', name: 'Overly Restrictive Regular Expression' }, + { id: 'CWE-187', name: 'Partial String Comparison' }, + { id: 'CWE-188', name: 'Reliance on Data/Memory Layout' }, + { id: 'CWE-190', name: 'Integer Overflow or Wraparound' }, + { id: 'CWE-191', name: 'Integer Underflow (Wrap or Wraparound)' }, + { id: 'CWE-192', name: 'Integer Coercion Error' }, + { id: 'CWE-193', name: 'Off-by-one Error' }, + { id: 'CWE-194', name: 'Unexpected Sign Extension' }, + { id: 'CWE-195', name: 'Signed to Unsigned Conversion Error' }, + { id: 'CWE-196', name: 'Unsigned to Signed Conversion Error' }, + { id: 'CWE-197', name: 'Numeric Truncation Error' }, + { id: 'CWE-198', name: 'Use of Incorrect Byte Ordering' }, + { id: 'CWE-20', name: 'Improper Input Validation' }, + { + id: 'CWE-200', + name: 'Exposure of Sensitive Information to an Unauthorized Actor', + }, + { + id: 'CWE-201', + name: 'Insertion of Sensitive Information Into Sent Data', + }, + { + id: 'CWE-202', + name: 'Exposure of Sensitive Information Through Data Queries', + }, + { id: 'CWE-203', name: 'Observable Discrepancy' }, + { id: 'CWE-204', name: 'Observable Response Discrepancy' }, + { id: 'CWE-205', name: 'Observable Behavioral Discrepancy' }, + { id: 'CWE-206', name: 'Observable Internal Behavioral Discrepancy' }, + { + id: 'CWE-207', + name: 
'Observable Behavioral Discrepancy With Equivalent Products', + }, + { id: 'CWE-208', name: 'Observable Timing Discrepancy' }, + { + id: 'CWE-209', + name: 'Generation of Error Message Containing Sensitive Information', + }, + { + id: 'CWE-210', + name: 'Self-generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-211', + name: 'Externally-Generated Error Message Containing Sensitive Information', + }, + { + id: 'CWE-212', + name: 'Improper Removal of Sensitive Information Before Storage or Transfer', + }, + { + id: 'CWE-213', + name: 'Exposure of Sensitive Information Due to Incompatible Policies', + }, + { + id: 'CWE-214', + name: 'Invocation of Process Using Visible Sensitive Information', + }, + { + id: 'CWE-215', + name: 'Insertion of Sensitive Information Into Debugging Code', + }, + { + id: 'CWE-216', + name: 'DEPRECATED: Containment Errors (Container Errors)', + }, + { + id: 'CWE-217', + name: 'DEPRECATED: Failure to Protect Stored Data from Modification', + }, + { + id: 'CWE-218', + name: 'DEPRECATED: Failure to provide confidentiality for stored data', + }, + { + id: 'CWE-219', + name: 'Storage of File with Sensitive Data Under Web Root', + }, + { + id: 'CWE-22', + name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + }, + { + id: 'CWE-220', + name: 'Storage of File With Sensitive Data Under FTP Root', + }, + { id: 'CWE-221', name: 'Information Loss or Omission' }, + { id: 'CWE-222', name: 'Truncation of Security-relevant Information' }, + { id: 'CWE-223', name: 'Omission of Security-relevant Information' }, + { + id: 'CWE-224', + name: 'Obscured Security-relevant Information by Alternate Name', + }, + { + id: 'CWE-225', + name: 'DEPRECATED: General Information Management Problems', + }, + { + id: 'CWE-226', + name: 'Sensitive Information in Resource Not Removed Before Reuse', + }, + { + id: 'CWE-228', + name: 'Improper Handling of Syntactically Invalid Structure', + }, + { id: 'CWE-229', name: 
'Improper Handling of Values' }, + { id: 'CWE-23', name: 'Relative Path Traversal' }, + { id: 'CWE-230', name: 'Improper Handling of Missing Values' }, + { id: 'CWE-231', name: 'Improper Handling of Extra Values' }, + { id: 'CWE-232', name: 'Improper Handling of Undefined Values' }, + { id: 'CWE-233', name: 'Improper Handling of Parameters' }, + { id: 'CWE-234', name: 'Failure to Handle Missing Parameter' }, + { id: 'CWE-235', name: 'Improper Handling of Extra Parameters' }, + { id: 'CWE-236', name: 'Improper Handling of Undefined Parameters' }, + { id: 'CWE-237', name: 'Improper Handling of Structural Elements' }, + { + id: 'CWE-238', + name: 'Improper Handling of Incomplete Structural Elements', + }, + { id: 'CWE-239', name: 'Failure to Handle Incomplete Element' }, + { id: 'CWE-24', name: "Path Traversal: '../filedir'" }, + { + id: 'CWE-240', + name: 'Improper Handling of Inconsistent Structural Elements', + }, + { id: 'CWE-241', name: 'Improper Handling of Unexpected Data Type' }, + { id: 'CWE-242', name: 'Use of Inherently Dangerous Function' }, + { + id: 'CWE-243', + name: 'Creation of chroot Jail Without Changing Working Directory', + }, + { + id: 'CWE-244', + name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')", + }, + { + id: 'CWE-245', + name: 'J2EE Bad Practices: Direct Management of Connections', + }, + { id: 'CWE-246', name: 'J2EE Bad Practices: Direct Use of Sockets' }, + { + id: 'CWE-247', + name: 'DEPRECATED: Reliance on DNS Lookups in a Security Decision', + }, + { id: 'CWE-248', name: 'Uncaught Exception' }, + { id: 'CWE-249', name: 'DEPRECATED: Often Misused: Path Manipulation' }, + { id: 'CWE-25', name: "Path Traversal: '/../filedir'" }, + { id: 'CWE-250', name: 'Execution with Unnecessary Privileges' }, + { id: 'CWE-252', name: 'Unchecked Return Value' }, + { id: 'CWE-253', name: 'Incorrect Check of Function Return Value' }, + { id: 'CWE-256', name: 'Plaintext Storage of a Password' }, + { id: 'CWE-257', name: 'Storing 
Passwords in a Recoverable Format' }, + { id: 'CWE-258', name: 'Empty Password in Configuration File' }, + { id: 'CWE-259', name: 'Use of Hard-coded Password' }, + { id: 'CWE-26', name: "Path Traversal: '/dir/../filename'" }, + { id: 'CWE-260', name: 'Password in Configuration File' }, + { id: 'CWE-261', name: 'Weak Encoding for Password' }, + { id: 'CWE-262', name: 'Not Using Password Aging' }, + { id: 'CWE-263', name: 'Password Aging with Long Expiration' }, + { id: 'CWE-266', name: 'Incorrect Privilege Assignment' }, + { id: 'CWE-267', name: 'Privilege Defined With Unsafe Actions' }, + { id: 'CWE-268', name: 'Privilege Chaining' }, + { id: 'CWE-269', name: 'Improper Privilege Management' }, + { id: 'CWE-27', name: "Path Traversal: 'dir/../../filename'" }, + { id: 'CWE-270', name: 'Privilege Context Switching Error' }, + { id: 'CWE-271', name: 'Privilege Dropping / Lowering Errors' }, + { id: 'CWE-272', name: 'Least Privilege Violation' }, + { id: 'CWE-273', name: 'Improper Check for Dropped Privileges' }, + { id: 'CWE-274', name: 'Improper Handling of Insufficient Privileges' }, + { id: 'CWE-276', name: 'Incorrect Default Permissions' }, + { id: 'CWE-277', name: 'Insecure Inherited Permissions' }, + { id: 'CWE-278', name: 'Insecure Preserved Inherited Permissions' }, + { id: 'CWE-279', name: 'Incorrect Execution-Assigned Permissions' }, + { id: 'CWE-28', name: "Path Traversal: '..\\filedir'" }, + { + id: 'CWE-280', + name: 'Improper Handling of Insufficient Permissions or Privileges ', + }, + { id: 'CWE-281', name: 'Improper Preservation of Permissions' }, + { id: 'CWE-282', name: 'Improper Ownership Management' }, + { id: 'CWE-283', name: 'Unverified Ownership' }, + { id: 'CWE-284', name: 'Improper Access Control' }, + { id: 'CWE-285', name: 'Improper Authorization' }, + { id: 'CWE-286', name: 'Incorrect User Management' }, + { id: 'CWE-287', name: 'Improper Authentication' }, + { + id: 'CWE-288', + name: 'Authentication Bypass Using an Alternate Path or 
Channel', + }, + { id: 'CWE-289', name: 'Authentication Bypass by Alternate Name' }, + { id: 'CWE-29', name: "Path Traversal: '\\..\\filename'" }, + { id: 'CWE-290', name: 'Authentication Bypass by Spoofing' }, + { id: 'CWE-291', name: 'Reliance on IP Address for Authentication' }, + { id: 'CWE-292', name: 'DEPRECATED: Trusting Self-reported DNS Name' }, + { id: 'CWE-293', name: 'Using Referer Field for Authentication' }, + { id: 'CWE-294', name: 'Authentication Bypass by Capture-replay' }, + { id: 'CWE-295', name: 'Improper Certificate Validation' }, + { + id: 'CWE-296', + name: "Improper Following of a Certificate's Chain of Trust", + }, + { + id: 'CWE-297', + name: 'Improper Validation of Certificate with Host Mismatch', + }, + { id: 'CWE-298', name: 'Improper Validation of Certificate Expiration' }, + { id: 'CWE-299', name: 'Improper Check for Certificate Revocation' }, + { id: 'CWE-30', name: "Path Traversal: '\\dir\\..\\filename'" }, + { id: 'CWE-300', name: 'Channel Accessible by Non-Endpoint' }, + { id: 'CWE-301', name: 'Reflection Attack in an Authentication Protocol' }, + { id: 'CWE-302', name: 'Authentication Bypass by Assumed-Immutable Data' }, + { + id: 'CWE-303', + name: 'Incorrect Implementation of Authentication Algorithm', + }, + { id: 'CWE-304', name: 'Missing Critical Step in Authentication' }, + { id: 'CWE-305', name: 'Authentication Bypass by Primary Weakness' }, + { id: 'CWE-306', name: 'Missing Authentication for Critical Function' }, + { + id: 'CWE-307', + name: 'Improper Restriction of Excessive Authentication Attempts', + }, + { id: 'CWE-308', name: 'Use of Single-factor Authentication' }, + { + id: 'CWE-309', + name: 'Use of Password System for Primary Authentication', + }, + { id: 'CWE-31', name: "Path Traversal: 'dir\\..\\..\\filename'" }, + { id: 'CWE-311', name: 'Missing Encryption of Sensitive Data' }, + { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' }, + { id: 'CWE-313', name: 'Cleartext Storage in a File or on 
Disk' }, + { id: 'CWE-314', name: 'Cleartext Storage in the Registry' }, + { + id: 'CWE-315', + name: 'Cleartext Storage of Sensitive Information in a Cookie', + }, + { + id: 'CWE-316', + name: 'Cleartext Storage of Sensitive Information in Memory', + }, + { + id: 'CWE-317', + name: 'Cleartext Storage of Sensitive Information in GUI', + }, + { + id: 'CWE-318', + name: 'Cleartext Storage of Sensitive Information in Executable', + }, + { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' }, + { id: 'CWE-32', name: "Path Traversal: '...' (Triple Dot)" }, + { id: 'CWE-321', name: 'Use of Hard-coded Cryptographic Key' }, + { id: 'CWE-322', name: 'Key Exchange without Entity Authentication' }, + { id: 'CWE-323', name: 'Reusing a Nonce, Key Pair in Encryption' }, + { id: 'CWE-324', name: 'Use of a Key Past its Expiration Date' }, + { id: 'CWE-325', name: 'Missing Cryptographic Step' }, + { id: 'CWE-326', name: 'Inadequate Encryption Strength' }, + { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' }, + { id: 'CWE-328', name: 'Use of Weak Hash' }, + { id: 'CWE-329', name: 'Generation of Predictable IV with CBC Mode' }, + { id: 'CWE-33', name: "Path Traversal: '....' 
(Multiple Dot)" }, + { id: 'CWE-330', name: 'Use of Insufficiently Random Values' }, + { id: 'CWE-331', name: 'Insufficient Entropy' }, + { id: 'CWE-332', name: 'Insufficient Entropy in PRNG' }, + { + id: 'CWE-333', + name: 'Improper Handling of Insufficient Entropy in TRNG', + }, + { id: 'CWE-334', name: 'Small Space of Random Values' }, + { + id: 'CWE-335', + name: 'Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-336', + name: 'Same Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-337', + name: 'Predictable Seed in Pseudo-Random Number Generator (PRNG)', + }, + { + id: 'CWE-338', + name: 'Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)', + }, + { id: 'CWE-339', name: 'Small Seed Space in PRNG' }, + { id: 'CWE-34', name: "Path Traversal: '....//'" }, + { id: 'CWE-340', name: 'Generation of Predictable Numbers or Identifiers' }, + { id: 'CWE-341', name: 'Predictable from Observable State' }, + { id: 'CWE-342', name: 'Predictable Exact Value from Previous Values' }, + { id: 'CWE-343', name: 'Predictable Value Range from Previous Values' }, + { + id: 'CWE-344', + name: 'Use of Invariant Value in Dynamically Changing Context', + }, + { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity' }, + { id: 'CWE-346', name: 'Origin Validation Error' }, + { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' }, + { id: 'CWE-348', name: 'Use of Less Trusted Source' }, + { + id: 'CWE-349', + name: 'Acceptance of Extraneous Untrusted Data With Trusted Data', + }, + { id: 'CWE-35', name: "Path Traversal: '.../...//'" }, + { + id: 'CWE-350', + name: 'Reliance on Reverse DNS Resolution for a Security-Critical Action', + }, + { id: 'CWE-351', name: 'Insufficient Type Distinction' }, + { id: 'CWE-352', name: 'Cross-Site Request Forgery (CSRF)' }, + { id: 'CWE-353', name: 'Missing Support for Integrity Check' }, + { id: 'CWE-354', name: 'Improper Validation of Integrity 
Check Value' }, + { id: 'CWE-356', name: 'Product UI does not Warn User of Unsafe Actions' }, + { id: 'CWE-357', name: 'Insufficient UI Warning of Dangerous Operations' }, + { + id: 'CWE-358', + name: 'Improperly Implemented Security Check for Standard', + }, + { + id: 'CWE-359', + name: 'Exposure of Private Personal Information to an Unauthorized Actor', + }, + { id: 'CWE-36', name: 'Absolute Path Traversal' }, + { id: 'CWE-360', name: 'Trust of System Event Data' }, + { + id: 'CWE-362', + name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", + }, + { id: 'CWE-363', name: 'Race Condition Enabling Link Following' }, + { id: 'CWE-364', name: 'Signal Handler Race Condition' }, + { id: 'CWE-365', name: 'DEPRECATED: Race Condition in Switch' }, + { id: 'CWE-366', name: 'Race Condition within a Thread' }, + { + id: 'CWE-367', + name: 'Time-of-check Time-of-use (TOCTOU) Race Condition', + }, + { id: 'CWE-368', name: 'Context Switching Race Condition' }, + { id: 'CWE-369', name: 'Divide By Zero' }, + { id: 'CWE-37', name: "Path Traversal: '/absolute/pathname/here'" }, + { + id: 'CWE-370', + name: 'Missing Check for Certificate Revocation after Initial Check', + }, + { id: 'CWE-372', name: 'Incomplete Internal State Distinction' }, + { id: 'CWE-373', name: 'DEPRECATED: State Synchronization Error' }, + { id: 'CWE-374', name: 'Passing Mutable Objects to an Untrusted Method' }, + { + id: 'CWE-375', + name: 'Returning a Mutable Object to an Untrusted Caller', + }, + { id: 'CWE-377', name: 'Insecure Temporary File' }, + { + id: 'CWE-378', + name: 'Creation of Temporary File With Insecure Permissions', + }, + { + id: 'CWE-379', + name: 'Creation of Temporary File in Directory with Insecure Permissions', + }, + { id: 'CWE-38', name: "Path Traversal: '\\absolute\\pathname\\here'" }, + { id: 'CWE-382', name: 'J2EE Bad Practices: Use of System.exit()' }, + { id: 'CWE-383', name: 'J2EE Bad Practices: Direct Use of Threads' }, + { id: 
'CWE-384', name: 'Session Fixation' }, + { id: 'CWE-385', name: 'Covert Timing Channel' }, + { id: 'CWE-386', name: 'Symbolic Name not Mapping to Correct Object' }, + { id: 'CWE-39', name: "Path Traversal: 'C:dirname'" }, + { id: 'CWE-390', name: 'Detection of Error Condition Without Action' }, + { id: 'CWE-391', name: 'Unchecked Error Condition' }, + { id: 'CWE-392', name: 'Missing Report of Error Condition' }, + { id: 'CWE-393', name: 'Return of Wrong Status Code' }, + { id: 'CWE-394', name: 'Unexpected Status Code or Return Value' }, + { + id: 'CWE-395', + name: 'Use of NullPointerException Catch to Detect NULL Pointer Dereference', + }, + { id: 'CWE-396', name: 'Declaration of Catch for Generic Exception' }, + { id: 'CWE-397', name: 'Declaration of Throws for Generic Exception' }, + { + id: 'CWE-40', + name: "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", + }, + { id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }, + { + id: 'CWE-401', + name: 'Missing Release of Memory after Effective Lifetime', + }, + { + id: 'CWE-402', + name: "Transmission of Private Resources into a New Sphere ('Resource Leak')", + }, + { + id: 'CWE-403', + name: "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", + }, + { id: 'CWE-404', name: 'Improper Resource Shutdown or Release' }, + { id: 'CWE-405', name: 'Asymmetric Resource Consumption (Amplification)' }, + { + id: 'CWE-406', + name: 'Insufficient Control of Network Message Volume (Network Amplification)', + }, + { id: 'CWE-407', name: 'Inefficient Algorithmic Complexity' }, + { id: 'CWE-408', name: 'Incorrect Behavior Order: Early Amplification' }, + { + id: 'CWE-409', + name: 'Improper Handling of Highly Compressed Data (Data Amplification)', + }, + { id: 'CWE-41', name: 'Improper Resolution of Path Equivalence' }, + { id: 'CWE-410', name: 'Insufficient Resource Pool' }, + { id: 'CWE-412', name: 'Unrestricted Externally Accessible Lock' }, + { id: 'CWE-413', name: 'Improper 
Resource Locking' }, + { id: 'CWE-414', name: 'Missing Lock Check' }, + { id: 'CWE-415', name: 'Double Free' }, + { id: 'CWE-416', name: 'Use After Free' }, + { id: 'CWE-419', name: 'Unprotected Primary Channel' }, + { id: 'CWE-42', name: "Path Equivalence: 'filename.' (Trailing Dot)" }, + { id: 'CWE-420', name: 'Unprotected Alternate Channel' }, + { + id: 'CWE-421', + name: 'Race Condition During Access to Alternate Channel', + }, + { + id: 'CWE-422', + name: "Unprotected Windows Messaging Channel ('Shatter')", + }, + { id: 'CWE-423', name: 'DEPRECATED: Proxied Trusted Channel' }, + { id: 'CWE-424', name: 'Improper Protection of Alternate Path' }, + { id: 'CWE-425', name: "Direct Request ('Forced Browsing')" }, + { id: 'CWE-426', name: 'Untrusted Search Path' }, + { id: 'CWE-427', name: 'Uncontrolled Search Path Element' }, + { id: 'CWE-428', name: 'Unquoted Search Path or Element' }, + { + id: 'CWE-43', + name: "Path Equivalence: 'filename....' (Multiple Trailing Dot)", + }, + { id: 'CWE-430', name: 'Deployment of Wrong Handler' }, + { id: 'CWE-431', name: 'Missing Handler' }, + { + id: 'CWE-432', + name: 'Dangerous Signal Handler not Disabled During Sensitive Operations', + }, + { id: 'CWE-433', name: 'Unparsed Raw Web Content Delivery' }, + { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' }, + { + id: 'CWE-435', + name: 'Improper Interaction Between Multiple Correctly-Behaving Entities', + }, + { id: 'CWE-436', name: 'Interpretation Conflict' }, + { id: 'CWE-437', name: 'Incomplete Model of Endpoint Features' }, + { id: 'CWE-439', name: 'Behavioral Change in New Version or Environment' }, + { id: 'CWE-44', name: "Path Equivalence: 'file.name' (Internal Dot)" }, + { id: 'CWE-440', name: 'Expected Behavior Violation' }, + { + id: 'CWE-441', + name: "Unintended Proxy or Intermediary ('Confused Deputy')", + }, + { id: 'CWE-443', name: 'DEPRECATED: HTTP response splitting' }, + { + id: 'CWE-444', + name: "Inconsistent Interpretation of HTTP 
Requests ('HTTP Request/Response Smuggling')", + }, + { id: 'CWE-446', name: 'UI Discrepancy for Security Feature' }, + { id: 'CWE-447', name: 'Unimplemented or Unsupported Feature in UI' }, + { id: 'CWE-448', name: 'Obsolete Feature in UI' }, + { id: 'CWE-449', name: 'The UI Performs the Wrong Action' }, + { + id: 'CWE-45', + name: "Path Equivalence: 'file...name' (Multiple Internal Dot)", + }, + { id: 'CWE-450', name: 'Multiple Interpretations of UI Input' }, + { + id: 'CWE-451', + name: 'User Interface (UI) Misrepresentation of Critical Information', + }, + { id: 'CWE-453', name: 'Insecure Default Variable Initialization' }, + { + id: 'CWE-454', + name: 'External Initialization of Trusted Variables or Data Stores', + }, + { id: 'CWE-455', name: 'Non-exit on Failed Initialization' }, + { id: 'CWE-456', name: 'Missing Initialization of a Variable' }, + { id: 'CWE-457', name: 'Use of Uninitialized Variable' }, + { id: 'CWE-458', name: 'DEPRECATED: Incorrect Initialization' }, + { id: 'CWE-459', name: 'Incomplete Cleanup' }, + { id: 'CWE-46', name: "Path Equivalence: 'filename ' (Trailing Space)" }, + { id: 'CWE-460', name: 'Improper Cleanup on Thrown Exception' }, + { id: 'CWE-462', name: 'Duplicate Key in Associative List (Alist)' }, + { id: 'CWE-463', name: 'Deletion of Data Structure Sentinel' }, + { id: 'CWE-464', name: 'Addition of Data Structure Sentinel' }, + { + id: 'CWE-466', + name: 'Return of Pointer Value Outside of Expected Range', + }, + { id: 'CWE-467', name: 'Use of sizeof() on a Pointer Type' }, + { id: 'CWE-468', name: 'Incorrect Pointer Scaling' }, + { id: 'CWE-469', name: 'Use of Pointer Subtraction to Determine Size' }, + { id: 'CWE-47', name: "Path Equivalence: ' filename' (Leading Space)" }, + { + id: 'CWE-470', + name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", + }, + { id: 'CWE-471', name: 'Modification of Assumed-Immutable Data (MAID)' }, + { + id: 'CWE-472', + name: 'External Control of 
Assumed-Immutable Web Parameter', + }, + { id: 'CWE-473', name: 'PHP External Variable Modification' }, + { + id: 'CWE-474', + name: 'Use of Function with Inconsistent Implementations', + }, + { id: 'CWE-475', name: 'Undefined Behavior for Input to API' }, + { id: 'CWE-476', name: 'NULL Pointer Dereference' }, + { id: 'CWE-477', name: 'Use of Obsolete Function' }, + { + id: 'CWE-478', + name: 'Missing Default Case in Multiple Condition Expression', + }, + { id: 'CWE-479', name: 'Signal Handler Use of a Non-reentrant Function' }, + { + id: 'CWE-48', + name: "Path Equivalence: 'file name' (Internal Whitespace)", + }, + { id: 'CWE-480', name: 'Use of Incorrect Operator' }, + { id: 'CWE-481', name: 'Assigning instead of Comparing' }, + { id: 'CWE-482', name: 'Comparing instead of Assigning' }, + { id: 'CWE-483', name: 'Incorrect Block Delimitation' }, + { id: 'CWE-484', name: 'Omitted Break Statement in Switch' }, + { id: 'CWE-486', name: 'Comparison of Classes by Name' }, + { id: 'CWE-487', name: 'Reliance on Package-level Scope' }, + { id: 'CWE-488', name: 'Exposure of Data Element to Wrong Session' }, + { id: 'CWE-489', name: 'Active Debug Code' }, + { id: 'CWE-49', name: "Path Equivalence: 'filename/' (Trailing Slash)" }, + { + id: 'CWE-491', + name: "Public cloneable() Method Without Final ('Object Hijack')", + }, + { id: 'CWE-492', name: 'Use of Inner Class Containing Sensitive Data' }, + { id: 'CWE-493', name: 'Critical Public Variable Without Final Modifier' }, + { id: 'CWE-494', name: 'Download of Code Without Integrity Check' }, + { + id: 'CWE-495', + name: 'Private Data Structure Returned From A Public Method', + }, + { + id: 'CWE-496', + name: 'Public Data Assigned to Private Array-Typed Field', + }, + { + id: 'CWE-497', + name: 'Exposure of Sensitive System Information to an Unauthorized Control Sphere', + }, + { id: 'CWE-498', name: 'Cloneable Class Containing Sensitive Information' }, + { id: 'CWE-499', name: 'Serializable Class Containing Sensitive 
Data' }, + { + id: 'CWE-5', + name: 'J2EE Misconfiguration: Data Transmission Without Encryption', + }, + { id: 'CWE-50', name: "Path Equivalence: '//multiple/leading/slash'" }, + { id: 'CWE-500', name: 'Public Static Field Not Marked Final' }, + { id: 'CWE-501', name: 'Trust Boundary Violation' }, + { id: 'CWE-502', name: 'Deserialization of Untrusted Data' }, + { id: 'CWE-506', name: 'Embedded Malicious Code' }, + { id: 'CWE-507', name: 'Trojan Horse' }, + { id: 'CWE-508', name: 'Non-Replicating Malicious Code' }, + { id: 'CWE-509', name: 'Replicating Malicious Code (Virus or Worm)' }, + { id: 'CWE-51', name: "Path Equivalence: '/multiple//internal/slash'" }, + { id: 'CWE-510', name: 'Trapdoor' }, + { id: 'CWE-511', name: 'Logic/Time Bomb' }, + { id: 'CWE-512', name: 'Spyware' }, + { id: 'CWE-514', name: 'Covert Channel' }, + { id: 'CWE-515', name: 'Covert Storage Channel' }, + { id: 'CWE-516', name: 'DEPRECATED: Covert Timing Channel' }, + { id: 'CWE-52', name: "Path Equivalence: '/multiple/trailing/slash//'" }, + { id: 'CWE-520', name: '.NET Misconfiguration: Use of Impersonation' }, + { id: 'CWE-521', name: 'Weak Password Requirements' }, + { id: 'CWE-522', name: 'Insufficiently Protected Credentials' }, + { id: 'CWE-523', name: 'Unprotected Transport of Credentials' }, + { id: 'CWE-524', name: 'Use of Cache Containing Sensitive Information' }, + { + id: 'CWE-525', + name: 'Use of Web Browser Cache Containing Sensitive Information', + }, + { + id: 'CWE-526', + name: 'Exposure of Sensitive Information Through Environmental Variables', + }, + { + id: 'CWE-527', + name: 'Exposure of Version-Control Repository to an Unauthorized Control Sphere', + }, + { + id: 'CWE-528', + name: 'Exposure of Core Dump File to an Unauthorized Control Sphere', + }, + { + id: 'CWE-529', + name: 'Exposure of Access Control List Files to an Unauthorized Control Sphere', + }, + { + id: 'CWE-53', + name: "Path Equivalence: '\\multiple\\\\internal\\backslash'", + }, + { + id: 'CWE-530', + 
name: 'Exposure of Backup File to an Unauthorized Control Sphere', + }, + { id: 'CWE-531', name: 'Inclusion of Sensitive Information in Test Code' }, + { id: 'CWE-532', name: 'Insertion of Sensitive Information into Log File' }, + { + id: 'CWE-533', + name: 'DEPRECATED: Information Exposure Through Server Log Files', + }, + { + id: 'CWE-534', + name: 'DEPRECATED: Information Exposure Through Debug Log Files', + }, + { + id: 'CWE-535', + name: 'Exposure of Information Through Shell Error Message', + }, + { + id: 'CWE-536', + name: 'Servlet Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-537', + name: 'Java Runtime Error Message Containing Sensitive Information', + }, + { + id: 'CWE-538', + name: 'Insertion of Sensitive Information into Externally-Accessible File or Directory', + }, + { + id: 'CWE-539', + name: 'Use of Persistent Cookies Containing Sensitive Information', + }, + { + id: 'CWE-54', + name: "Path Equivalence: 'filedir\\' (Trailing Backslash)", + }, + { + id: 'CWE-540', + name: 'Inclusion of Sensitive Information in Source Code', + }, + { + id: 'CWE-541', + name: 'Inclusion of Sensitive Information in an Include File', + }, + { + id: 'CWE-542', + name: 'DEPRECATED: Information Exposure Through Cleanup Log Files', + }, + { + id: 'CWE-543', + name: 'Use of Singleton Pattern Without Synchronization in a Multithreaded Context', + }, + { id: 'CWE-544', name: 'Missing Standardized Error Handling Mechanism' }, + { id: 'CWE-545', name: 'DEPRECATED: Use of Dynamic Class Loading' }, + { id: 'CWE-546', name: 'Suspicious Comment' }, + { id: 'CWE-547', name: 'Use of Hard-coded, Security-relevant Constants' }, + { + id: 'CWE-548', + name: 'Exposure of Information Through Directory Listing', + }, + { id: 'CWE-549', name: 'Missing Password Field Masking' }, + { id: 'CWE-55', name: "Path Equivalence: '/./' (Single Dot Directory)" }, + { + id: 'CWE-550', + name: 'Server-generated Error Message Containing Sensitive Information', + }, + { + id: 
'CWE-551', + name: 'Incorrect Behavior Order: Authorization Before Parsing and Canonicalization', + }, + { + id: 'CWE-552', + name: 'Files or Directories Accessible to External Parties', + }, + { id: 'CWE-553', name: 'Command Shell in Externally Accessible Directory' }, + { + id: 'CWE-554', + name: 'ASP.NET Misconfiguration: Not Using Input Validation Framework', + }, + { + id: 'CWE-555', + name: 'J2EE Misconfiguration: Plaintext Password in Configuration File', + }, + { + id: 'CWE-556', + name: 'ASP.NET Misconfiguration: Use of Identity Impersonation', + }, + { id: 'CWE-558', name: 'Use of getlogin() in Multithreaded Application' }, + { id: 'CWE-56', name: "Path Equivalence: 'filedir*' (Wildcard)" }, + { id: 'CWE-560', name: 'Use of umask() with chmod-style Argument' }, + { id: 'CWE-561', name: 'Dead Code' }, + { id: 'CWE-562', name: 'Return of Stack Variable Address' }, + { id: 'CWE-563', name: 'Assignment to Variable without Use' }, + { id: 'CWE-564', name: 'SQL Injection: Hibernate' }, + { + id: 'CWE-565', + name: 'Reliance on Cookies without Validation and Integrity Checking', + }, + { + id: 'CWE-566', + name: 'Authorization Bypass Through User-Controlled SQL Primary Key', + }, + { + id: 'CWE-567', + name: 'Unsynchronized Access to Shared Data in a Multithreaded Context', + }, + { id: 'CWE-568', name: 'finalize() Method Without super.finalize()' }, + { id: 'CWE-57', name: "Path Equivalence: 'fakedir/../realdir/filename'" }, + { id: 'CWE-570', name: 'Expression is Always False' }, + { id: 'CWE-571', name: 'Expression is Always True' }, + { id: 'CWE-572', name: 'Call to Thread run() instead of start()' }, + { id: 'CWE-573', name: 'Improper Following of Specification by Caller' }, + { + id: 'CWE-574', + name: 'EJB Bad Practices: Use of Synchronization Primitives', + }, + { id: 'CWE-575', name: 'EJB Bad Practices: Use of AWT Swing' }, + { id: 'CWE-576', name: 'EJB Bad Practices: Use of Java I/O' }, + { id: 'CWE-577', name: 'EJB Bad Practices: Use of Sockets' }, + 
{ id: 'CWE-578', name: 'EJB Bad Practices: Use of Class Loader' }, + { + id: 'CWE-579', + name: 'J2EE Bad Practices: Non-serializable Object Stored in Session', + }, + { id: 'CWE-58', name: 'Path Equivalence: Windows 8.3 Filename' }, + { id: 'CWE-580', name: 'clone() Method Without super.clone()' }, + { + id: 'CWE-581', + name: 'Object Model Violation: Just One of Equals and Hashcode Defined', + }, + { id: 'CWE-582', name: 'Array Declared Public, Final, and Static' }, + { id: 'CWE-583', name: 'finalize() Method Declared Public' }, + { id: 'CWE-584', name: 'Return Inside Finally Block' }, + { id: 'CWE-585', name: 'Empty Synchronized Block' }, + { id: 'CWE-586', name: 'Explicit Call to Finalize()' }, + { id: 'CWE-587', name: 'Assignment of a Fixed Address to a Pointer' }, + { + id: 'CWE-588', + name: 'Attempt to Access Child of a Non-structure Pointer', + }, + { id: 'CWE-589', name: 'Call to Non-ubiquitous API' }, + { + id: 'CWE-59', + name: "Improper Link Resolution Before File Access ('Link Following')", + }, + { id: 'CWE-590', name: 'Free of Memory not on the Heap' }, + { + id: 'CWE-591', + name: 'Sensitive Data Storage in Improperly Locked Memory', + }, + { id: 'CWE-592', name: 'DEPRECATED: Authentication Bypass Issues' }, + { + id: 'CWE-593', + name: 'Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created', + }, + { + id: 'CWE-594', + name: 'J2EE Framework: Saving Unserializable Objects to Disk', + }, + { + id: 'CWE-595', + name: 'Comparison of Object References Instead of Object Contents', + }, + { id: 'CWE-596', name: 'DEPRECATED: Incorrect Semantic Object Comparison' }, + { id: 'CWE-597', name: 'Use of Wrong Operator in String Comparison' }, + { + id: 'CWE-598', + name: 'Use of GET Request Method With Sensitive Query Strings', + }, + { id: 'CWE-599', name: 'Missing Validation of OpenSSL Certificate' }, + { + id: 'CWE-6', + name: 'J2EE Misconfiguration: Insufficient Session-ID Length', + }, + { id: 'CWE-600', name: 'Uncaught Exception 
in Servlet ' }, + { + id: 'CWE-601', + name: "URL Redirection to Untrusted Site ('Open Redirect')", + }, + { id: 'CWE-602', name: 'Client-Side Enforcement of Server-Side Security' }, + { id: 'CWE-603', name: 'Use of Client-Side Authentication' }, + { id: 'CWE-605', name: 'Multiple Binds to the Same Port' }, + { id: 'CWE-606', name: 'Unchecked Input for Loop Condition' }, + { + id: 'CWE-607', + name: 'Public Static Final Field References Mutable Object', + }, + { id: 'CWE-608', name: 'Struts: Non-private Field in ActionForm Class' }, + { id: 'CWE-609', name: 'Double-Checked Locking' }, + { id: 'CWE-61', name: 'UNIX Symbolic Link (Symlink) Following' }, + { + id: 'CWE-610', + name: 'Externally Controlled Reference to a Resource in Another Sphere', + }, + { + id: 'CWE-611', + name: 'Improper Restriction of XML External Entity Reference', + }, + { + id: 'CWE-612', + name: 'Improper Authorization of Index Containing Sensitive Information', + }, + { id: 'CWE-613', name: 'Insufficient Session Expiration' }, + { + id: 'CWE-614', + name: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", + }, + { + id: 'CWE-615', + name: 'Inclusion of Sensitive Information in Source Code Comments', + }, + { + id: 'CWE-616', + name: 'Incomplete Identification of Uploaded File Variables (PHP)', + }, + { id: 'CWE-617', name: 'Reachable Assertion' }, + { id: 'CWE-618', name: 'Exposed Unsafe ActiveX Method' }, + { id: 'CWE-619', name: "Dangling Database Cursor ('Cursor Injection')" }, + { id: 'CWE-62', name: 'UNIX Hard Link' }, + { id: 'CWE-620', name: 'Unverified Password Change' }, + { id: 'CWE-621', name: 'Variable Extraction Error' }, + { id: 'CWE-622', name: 'Improper Validation of Function Hook Arguments' }, + { id: 'CWE-623', name: 'Unsafe ActiveX Control Marked Safe For Scripting' }, + { id: 'CWE-624', name: 'Executable Regular Expression Error' }, + { id: 'CWE-625', name: 'Permissive Regular Expression' }, + { id: 'CWE-626', name: 'Null Byte Interaction Error (Poison Null 
Byte)' }, + { id: 'CWE-627', name: 'Dynamic Variable Evaluation' }, + { + id: 'CWE-628', + name: 'Function Call with Incorrectly Specified Arguments', + }, + { id: 'CWE-636', name: "Not Failing Securely ('Failing Open')" }, + { + id: 'CWE-637', + name: "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')", + }, + { id: 'CWE-638', name: 'Not Using Complete Mediation' }, + { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' }, + { id: 'CWE-64', name: 'Windows Shortcut Following (.LNK)' }, + { + id: 'CWE-640', + name: 'Weak Password Recovery Mechanism for Forgotten Password', + }, + { + id: 'CWE-641', + name: 'Improper Restriction of Names for Files and Other Resources', + }, + { id: 'CWE-642', name: 'External Control of Critical State Data' }, + { + id: 'CWE-643', + name: "Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + }, + { + id: 'CWE-644', + name: 'Improper Neutralization of HTTP Headers for Scripting Syntax', + }, + { id: 'CWE-645', name: 'Overly Restrictive Account Lockout Mechanism' }, + { + id: 'CWE-646', + name: 'Reliance on File Name or Extension of Externally-Supplied File', + }, + { + id: 'CWE-647', + name: 'Use of Non-Canonical URL Paths for Authorization Decisions', + }, + { id: 'CWE-648', name: 'Incorrect Use of Privileged APIs' }, + { + id: 'CWE-649', + name: 'Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking', + }, + { id: 'CWE-65', name: 'Windows Hard Link' }, + { + id: 'CWE-650', + name: 'Trusting HTTP Permission Methods on the Server Side', + }, + { + id: 'CWE-651', + name: 'Exposure of WSDL File Containing Sensitive Information', + }, + { + id: 'CWE-652', + name: "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')", + }, + { id: 'CWE-653', name: 'Improper Isolation or Compartmentalization' }, + { + id: 'CWE-654', + name: 'Reliance on a Single Factor in a Security Decision', + }, + { id: 
'CWE-655', name: 'Insufficient Psychological Acceptability' }, + { id: 'CWE-656', name: 'Reliance on Security Through Obscurity' }, + { id: 'CWE-657', name: 'Violation of Secure Design Principles' }, + { + id: 'CWE-66', + name: 'Improper Handling of File Names that Identify Virtual Resources', + }, + { id: 'CWE-662', name: 'Improper Synchronization' }, + { + id: 'CWE-663', + name: 'Use of a Non-reentrant Function in a Concurrent Context', + }, + { + id: 'CWE-664', + name: 'Improper Control of a Resource Through its Lifetime', + }, + { id: 'CWE-665', name: 'Improper Initialization' }, + { id: 'CWE-666', name: 'Operation on Resource in Wrong Phase of Lifetime' }, + { id: 'CWE-667', name: 'Improper Locking' }, + { id: 'CWE-668', name: 'Exposure of Resource to Wrong Sphere' }, + { id: 'CWE-669', name: 'Incorrect Resource Transfer Between Spheres' }, + { id: 'CWE-67', name: 'Improper Handling of Windows Device Names' }, + { id: 'CWE-670', name: 'Always-Incorrect Control Flow Implementation' }, + { id: 'CWE-671', name: 'Lack of Administrator Control over Security' }, + { + id: 'CWE-672', + name: 'Operation on a Resource after Expiration or Release', + }, + { id: 'CWE-673', name: 'External Influence of Sphere Definition' }, + { id: 'CWE-674', name: 'Uncontrolled Recursion' }, + { + id: 'CWE-675', + name: 'Multiple Operations on Resource in Single-Operation Context', + }, + { id: 'CWE-676', name: 'Use of Potentially Dangerous Function' }, + { id: 'CWE-680', name: 'Integer Overflow to Buffer Overflow' }, + { id: 'CWE-681', name: 'Incorrect Conversion between Numeric Types' }, + { id: 'CWE-682', name: 'Incorrect Calculation' }, + { id: 'CWE-683', name: 'Function Call With Incorrect Order of Arguments' }, + { id: 'CWE-684', name: 'Incorrect Provision of Specified Functionality' }, + { id: 'CWE-685', name: 'Function Call With Incorrect Number of Arguments' }, + { id: 'CWE-686', name: 'Function Call With Incorrect Argument Type' }, + { + id: 'CWE-687', + name: 'Function Call 
With Incorrectly Specified Argument Value', + }, + { + id: 'CWE-688', + name: 'Function Call With Incorrect Variable or Reference as Argument', + }, + { id: 'CWE-689', name: 'Permission Race Condition During Resource Copy' }, + { + id: 'CWE-69', + name: 'Improper Handling of Windows ::DATA Alternate Data Stream', + }, + { + id: 'CWE-690', + name: 'Unchecked Return Value to NULL Pointer Dereference', + }, + { id: 'CWE-691', name: 'Insufficient Control Flow Management' }, + { id: 'CWE-692', name: 'Incomplete Denylist to Cross-Site Scripting' }, + { id: 'CWE-693', name: 'Protection Mechanism Failure' }, + { + id: 'CWE-694', + name: 'Use of Multiple Resources with Duplicate Identifier', + }, + { id: 'CWE-695', name: 'Use of Low-Level Functionality' }, + { id: 'CWE-696', name: 'Incorrect Behavior Order' }, + { id: 'CWE-697', name: 'Incorrect Comparison' }, + { id: 'CWE-698', name: 'Execution After Redirect (EAR)' }, + { id: 'CWE-7', name: 'J2EE Misconfiguration: Missing Custom Error Page' }, + { + id: 'CWE-703', + name: 'Improper Check or Handling of Exceptional Conditions', + }, + { id: 'CWE-704', name: 'Incorrect Type Conversion or Cast' }, + { id: 'CWE-705', name: 'Incorrect Control Flow Scoping' }, + { id: 'CWE-706', name: 'Use of Incorrectly-Resolved Name or Reference' }, + { id: 'CWE-707', name: 'Improper Neutralization' }, + { id: 'CWE-708', name: 'Incorrect Ownership Assignment' }, + { id: 'CWE-71', name: "DEPRECATED: Apple '.DS_Store'" }, + { id: 'CWE-710', name: 'Improper Adherence to Coding Standards' }, + { + id: 'CWE-72', + name: 'Improper Handling of Apple HFS+ Alternate Data Stream Path', + }, + { id: 'CWE-73', name: 'External Control of File Name or Path' }, + { + id: 'CWE-732', + name: 'Incorrect Permission Assignment for Critical Resource', + }, + { + id: 'CWE-733', + name: 'Compiler Optimization Removal or Modification of Security-critical Code', + }, + { + id: 'CWE-74', + name: "Improper Neutralization of Special Elements in Output Used by a 
Downstream Component ('Injection')", + }, + { id: 'CWE-749', name: 'Exposed Dangerous Method or Function' }, + { + id: 'CWE-75', + name: 'Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)', + }, + { + id: 'CWE-754', + name: 'Improper Check for Unusual or Exceptional Conditions', + }, + { id: 'CWE-755', name: 'Improper Handling of Exceptional Conditions' }, + { id: 'CWE-756', name: 'Missing Custom Error Page' }, + { + id: 'CWE-757', + name: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + }, + { + id: 'CWE-758', + name: 'Reliance on Undefined, Unspecified, or Implementation-Defined Behavior', + }, + { id: 'CWE-759', name: 'Use of a One-Way Hash without a Salt' }, + { + id: 'CWE-76', + name: 'Improper Neutralization of Equivalent Special Elements', + }, + { id: 'CWE-760', name: 'Use of a One-Way Hash with a Predictable Salt' }, + { id: 'CWE-761', name: 'Free of Pointer not at Start of Buffer' }, + { id: 'CWE-762', name: 'Mismatched Memory Management Routines' }, + { id: 'CWE-763', name: 'Release of Invalid Pointer or Reference' }, + { id: 'CWE-764', name: 'Multiple Locks of a Critical Resource' }, + { id: 'CWE-765', name: 'Multiple Unlocks of a Critical Resource' }, + { id: 'CWE-766', name: 'Critical Data Element Declared Public' }, + { + id: 'CWE-767', + name: 'Access to Critical Private Variable via Public Method', + }, + { id: 'CWE-768', name: 'Incorrect Short Circuit Evaluation' }, + { + id: 'CWE-769', + name: 'DEPRECATED: Uncontrolled File Descriptor Consumption', + }, + { + id: 'CWE-77', + name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", + }, + { + id: 'CWE-770', + name: 'Allocation of Resources Without Limits or Throttling', + }, + { id: 'CWE-771', name: 'Missing Reference to Active Allocated Resource' }, + { + id: 'CWE-772', + name: 'Missing Release of Resource after Effective Lifetime', + }, + { + id: 'CWE-773', + name: 'Missing Reference to 
Active File Descriptor or Handle', + }, + { + id: 'CWE-774', + name: 'Allocation of File Descriptors or Handles Without Limits or Throttling', + }, + { + id: 'CWE-775', + name: 'Missing Release of File Descriptor or Handle after Effective Lifetime', + }, + { + id: 'CWE-776', + name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", + }, + { id: 'CWE-777', name: 'Regular Expression without Anchors' }, + { id: 'CWE-778', name: 'Insufficient Logging' }, + { id: 'CWE-779', name: 'Logging of Excessive Data' }, + { + id: 'CWE-78', + name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + }, + { id: 'CWE-780', name: 'Use of RSA Algorithm without OAEP' }, + { + id: 'CWE-781', + name: 'Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code', + }, + { id: 'CWE-782', name: 'Exposed IOCTL with Insufficient Access Control' }, + { id: 'CWE-783', name: 'Operator Precedence Logic Error' }, + { + id: 'CWE-784', + name: 'Reliance on Cookies without Validation and Integrity Checking in a Security Decision', + }, + { + id: 'CWE-785', + name: 'Use of Path Manipulation Function without Maximum-sized Buffer', + }, + { id: 'CWE-786', name: 'Access of Memory Location Before Start of Buffer' }, + { id: 'CWE-787', name: 'Out-of-bounds Write' }, + { id: 'CWE-788', name: 'Access of Memory Location After End of Buffer' }, + { id: 'CWE-789', name: 'Memory Allocation with Excessive Size Value' }, + { + id: 'CWE-79', + name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + }, + { id: 'CWE-790', name: 'Improper Filtering of Special Elements' }, + { id: 'CWE-791', name: 'Incomplete Filtering of Special Elements' }, + { + id: 'CWE-792', + name: 'Incomplete Filtering of One or More Instances of Special Elements', + }, + { id: 'CWE-793', name: 'Only Filtering One Instance of a Special Element' }, + { + id: 'CWE-794', + name: 'Incomplete Filtering of Multiple 
Instances of Special Elements', + }, + { + id: 'CWE-795', + name: 'Only Filtering Special Elements at a Specified Location', + }, + { + id: 'CWE-796', + name: 'Only Filtering Special Elements Relative to a Marker', + }, + { + id: 'CWE-797', + name: 'Only Filtering Special Elements at an Absolute Position', + }, + { id: 'CWE-798', name: 'Use of Hard-coded Credentials' }, + { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' }, + { id: 'CWE-8', name: 'J2EE Misconfiguration: Entity Bean Declared Remote' }, + { + id: 'CWE-80', + name: 'Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)', + }, + { id: 'CWE-804', name: 'Guessable CAPTCHA' }, + { id: 'CWE-805', name: 'Buffer Access with Incorrect Length Value' }, + { id: 'CWE-806', name: 'Buffer Access Using Size of Source Buffer' }, + { + id: 'CWE-807', + name: 'Reliance on Untrusted Inputs in a Security Decision', + }, + { + id: 'CWE-81', + name: 'Improper Neutralization of Script in an Error Message Web Page', + }, + { + id: 'CWE-82', + name: 'Improper Neutralization of Script in Attributes of IMG Tags in a Web Page', + }, + { id: 'CWE-820', name: 'Missing Synchronization' }, + { id: 'CWE-821', name: 'Incorrect Synchronization' }, + { id: 'CWE-822', name: 'Untrusted Pointer Dereference' }, + { id: 'CWE-823', name: 'Use of Out-of-range Pointer Offset' }, + { id: 'CWE-824', name: 'Access of Uninitialized Pointer' }, + { id: 'CWE-825', name: 'Expired Pointer Dereference' }, + { + id: 'CWE-826', + name: 'Premature Release of Resource During Expected Lifetime', + }, + { id: 'CWE-827', name: 'Improper Control of Document Type Definition' }, + { + id: 'CWE-828', + name: 'Signal Handler with Functionality that is not Asynchronous-Safe', + }, + { + id: 'CWE-829', + name: 'Inclusion of Functionality from Untrusted Control Sphere', + }, + { + id: 'CWE-83', + name: 'Improper Neutralization of Script in Attributes in a Web Page', + }, + { + id: 'CWE-830', + name: 'Inclusion of Web 
Functionality from an Untrusted Source', + }, + { + id: 'CWE-831', + name: 'Signal Handler Function Associated with Multiple Signals', + }, + { id: 'CWE-832', name: 'Unlock of a Resource that is not Locked' }, + { id: 'CWE-833', name: 'Deadlock' }, + { id: 'CWE-834', name: 'Excessive Iteration' }, + { + id: 'CWE-835', + name: "Loop with Unreachable Exit Condition ('Infinite Loop')", + }, + { + id: 'CWE-836', + name: 'Use of Password Hash Instead of Password for Authentication', + }, + { id: 'CWE-837', name: 'Improper Enforcement of a Single, Unique Action' }, + { id: 'CWE-838', name: 'Inappropriate Encoding for Output Context' }, + { id: 'CWE-839', name: 'Numeric Range Comparison Without Minimum Check' }, + { + id: 'CWE-84', + name: 'Improper Neutralization of Encoded URI Schemes in a Web Page', + }, + { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' }, + { id: 'CWE-842', name: 'Placement of User into Incorrect Group' }, + { + id: 'CWE-843', + name: "Access of Resource Using Incompatible Type ('Type Confusion')", + }, + { id: 'CWE-85', name: 'Doubled Character XSS Manipulations' }, + { + id: 'CWE-86', + name: 'Improper Neutralization of Invalid Characters in Identifiers in Web Pages', + }, + { id: 'CWE-862', name: 'Missing Authorization' }, + { id: 'CWE-863', name: 'Incorrect Authorization' }, + { id: 'CWE-87', name: 'Improper Neutralization of Alternate XSS Syntax' }, + { + id: 'CWE-88', + name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", + }, + { + id: 'CWE-89', + name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + }, + { + id: 'CWE-9', + name: 'J2EE Misconfiguration: Weak Access Permissions for EJB Methods', + }, + { + id: 'CWE-90', + name: "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + }, + { id: 'CWE-908', name: 'Use of Uninitialized Resource' }, + { id: 'CWE-909', name: 'Missing Initialization of Resource' }, + { 
id: 'CWE-91', name: 'XML Injection (aka Blind XPath Injection)' }, + { id: 'CWE-910', name: 'Use of Expired File Descriptor' }, + { id: 'CWE-911', name: 'Improper Update of Reference Count' }, + { id: 'CWE-912', name: 'Hidden Functionality' }, + { + id: 'CWE-913', + name: 'Improper Control of Dynamically-Managed Code Resources', + }, + { + id: 'CWE-914', + name: 'Improper Control of Dynamically-Identified Variables', + }, + { + id: 'CWE-915', + name: 'Improperly Controlled Modification of Dynamically-Determined Object Attributes', + }, + { + id: 'CWE-916', + name: 'Use of Password Hash With Insufficient Computational Effort', + }, + { + id: 'CWE-917', + name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + }, + { id: 'CWE-918', name: 'Server-Side Request Forgery (SSRF)' }, + { + id: 'CWE-92', + name: 'DEPRECATED: Improper Sanitization of Custom Special Characters', + }, + { id: 'CWE-920', name: 'Improper Restriction of Power Consumption' }, + { + id: 'CWE-921', + name: 'Storage of Sensitive Data in a Mechanism without Access Control', + }, + { id: 'CWE-922', name: 'Insecure Storage of Sensitive Information' }, + { + id: 'CWE-923', + name: 'Improper Restriction of Communication Channel to Intended Endpoints', + }, + { + id: 'CWE-924', + name: 'Improper Enforcement of Message Integrity During Transmission in a Communication Channel', + }, + { + id: 'CWE-925', + name: 'Improper Verification of Intent by Broadcast Receiver', + }, + { + id: 'CWE-926', + name: 'Improper Export of Android Application Components', + }, + { + id: 'CWE-927', + name: 'Use of Implicit Intent for Sensitive Communication', + }, + { + id: 'CWE-93', + name: "Improper Neutralization of CRLF Sequences ('CRLF Injection')", + }, + { + id: 'CWE-939', + name: 'Improper Authorization in Handler for Custom URL Scheme', + }, + { + id: 'CWE-94', + name: "Improper Control of Generation of Code ('Code Injection')", + }, + { + id: 
'CWE-940', + name: 'Improper Verification of Source of a Communication Channel', + }, + { + id: 'CWE-941', + name: 'Incorrectly Specified Destination in a Communication Channel', + }, + { + id: 'CWE-942', + name: 'Permissive Cross-domain Policy with Untrusted Domains', + }, + { + id: 'CWE-943', + name: 'Improper Neutralization of Special Elements in Data Query Logic', + }, + { + id: 'CWE-95', + name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + }, + { + id: 'CWE-96', + name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", + }, + { + id: 'CWE-97', + name: 'Improper Neutralization of Server-Side Includes (SSI) Within a Web Page', + }, + { + id: 'CWE-98', + name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + }, + { + id: 'CWE-99', + name: "Improper Control of Resource Identifiers ('Resource Injection')", + }, + ], +} diff --git a/scripts/cwe-importCatalogue.js b/scripts/cwe-importCatalogue.js index 66954cd..3eb6c71 100755 --- a/scripts/cwe-importCatalogue.js +++ b/scripts/cwe-importCatalogue.js @@ -6,8 +6,13 @@ import xml2js from 'xml2js' // The registry file can be downloaded from https://cwe.mitre.org/data/xml/cwec_latest.xml.zip +const fileNameRegex = /^cwec_v(?.+)\.xml/ + const [, , REGISTRY_FILE] = process.argv -const OUTPUT_FILE = 'lib/shared/cwec.js' +const fileNameMatch = fileNameRegex.exec(REGISTRY_FILE) +if (!fileNameMatch) throw new Error('Failed to parse filename') +const version = fileNameMatch.groups?.version +const OUTPUT_FILE = `lib/cwec/${version}.js` /** * @typedef {{ ID: string; Name: string }} Weakness 
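Review bot: The version capture in `const fileNameRegex = /^cwec_v(?.+)\.xml/` is what names the output file, yet it is unbounded: anything between `cwec_v` and the first `.xml` is accepted, and the pattern has no end anchor, so a name such as `cwec_v4.13.xml.zip` also matches. As rendered here the group reads `(?.+)`, which is not a valid group; if the `<version>` name was lost in rendering this is fine, otherwise `fileNameMatch.groups?.version` is always `undefined` and the catalogue is written to `lib/cwec/undefined.js`. I would tighten it to `const fileNameRegex = /^cwec_v(?<version>[\w.-]+)\.xml$/` so the captured text can only ever be a single path segment in the `OUTPUT_FILE` template, and match it against `path.basename(REGISTRY_FILE)`, since the `^` anchor otherwise rejects any invocation that passes a directory path. The `node:path` import, if not already present, belongs in the import block above this hunk.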
@@ -34,11 +39,8 @@ const json = { await writeFile( OUTPUT_FILE, - prettier.format( - `export default /** @type {const} */ (${JSON.stringify(json)})`, - { - ...(await prettier.resolveConfig(OUTPUT_FILE)), - filepath: OUTPUT_FILE, - } - ) + prettier.format(`export default (${JSON.stringify(json)})`, { + ...(await prettier.resolveConfig(OUTPUT_FILE)), + filepath: OUTPUT_FILE, + }) ) diff --git a/tests/csaf_2_1/oasis.js b/tests/csaf_2_1/oasis.js index e3bb154..88a3fc7 100644 --- a/tests/csaf_2_1/oasis.js +++ b/tests/csaf_2_1/oasis.js @@ -14,7 +14,6 @@ const excluded = [ '6.1.8', '6.1.9', '6.1.10', - '6.1.11', '6.1.13', '6.1.14', '6.1.16',