Data Neutralization Issues

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

Weaknesses

Addition of Data Structure Sentinel

The accidental addition of a data-structure sentinel can cause serious programming logic problems.

Deletion of Data Structure Sentinel

The accidental deletion of a data-structure sentinel can cause serious programming logic problems.

Duplicate Key in Associative List (Alist)

Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, o...

Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF ...

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neut...

Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neu...

Improper Neutralization of Delimiters

The product does not neutralize or incorrectly neutralizes delimiters.

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable ...

Improper Neutralization of Equivalent Special Elements

The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.

Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could ...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an u...

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes...

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes...

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...

Improper Null Termination

The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

Improper Output Neutralization for Logs

The product does not neutralize or incorrectly neutralizes output that is written to logs.

Improper Restriction of Names for Files and Other Resources

The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

Inappropriate Encoding for Output Context

The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected...

Incomplete Filtering of Special Elements

The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.

Only Filtering Special Elements at a Specified Location

The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that m...

Reliance on Data/Memory Layout

The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.

XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is p...

Concepts

Software Development

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.