Data Processing Errors
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.
The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when...
The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserti...
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.
The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.
The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the as...
The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.
The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.
The product does not handle or incorrectly handles inputs that are related to complex structures.
The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).
The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive...
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product ...
A regular expression is overly restrictive, which prevents dangerous values from being detected.
The product uses a regular expression that does not sufficiently restrict the set of allowed values.
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...