SFP Secondary Cluster: Design
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
This category identifies Software Fault Patterns (SFPs) within the Design cluster.
The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
The accidental addition of a data-structure sentinel can cause serious programming logic problems.
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is n...
Software that does not appropriately monitor or control resource consumption can lead to adverse system performance.
The program compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.
The accidental deletion of a data-structure sentinel can cause serious programming logic problems.
The wrong "handler" is assigned to process an object.
Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.
The web application sends a redirect to another location, but instead of exiting, it executes additional code.
An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. t...
The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.
The software allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.
The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.
The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
The application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing t...
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typ...
The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
The software does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the software to transmit more traffic than should ...
The software's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) ...
The software misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.
The software does not maintain equal hashcodes for equal objects.
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
The software performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weak...
The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.
CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).