Data Processing Errors
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
The software filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.
The software performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results whe...
The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserti...
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
The software receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.
The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
The software does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.
The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the a...
The software receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.
The software does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.
The software does not handle or incorrectly handles inputs that are related to complex structures.
The software does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).
The software does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursiv...
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product...
The software does not properly protect an assumed-immutable element from being modified by an attacker.
A regular expression is overly restrictive, which prevents dangerous values from being detected.
The product uses a regular expression that does not sufficiently restrict the set of allowed values.
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...