Weaknesses for Simplified Mapping of Published Vulnerabilities
A view in the Common Weakness Enumeration published by The MITRE Corporation.
Objective
Views in the Common Weakness Enumeration (CWE) represent one perspective with which to consider a set of weaknesses.
CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
Weaknesses
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is n...
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a ...
The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the so...
The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or ex...
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a r...
The software does not handle or incorrectly handles an exceptional condition.
The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process th...
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or...
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
The program does not release or incorrectly releases a resource before it is made available for re-use.
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
The software utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not...
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows...
The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides ...
The software does not correctly convert an object, resource, or structure from one type to a different type.
The software stores sensitive information without properly limiting read or write access by unauthorized actors.
The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
The software does not encrypt sensitive or critical information before storage or transmission.
The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, e...
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website is subject to the Terms of Use as specified by The MITRE Corporation.