CWE™

logo

Summary

Common Weakness Enumeration is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation and prevention efforts.

Version used: CWE™ List 4.11
Last official version: CWE™ List 4.11

Definitions

Definition	Requirements
5. Data transmission without encryption	336. Disable insecure TLS versions
6. Misconfiguration - Insufficient session-ID length	030. Avoid object reutilization 032. Avoid session ID leakages
11. Creating debug binary	078. Disable debugging events
13. Misconfiguration - Password in configuration file	026. Encrypt client-side session information 185. Encrypt sensitive information
15. External control of system or configuration setting	062. Define standard configurations 320. Avoid client-side control enforcement
20. Improper input validation	173. Discard unsafe inputs
22. Improper limitation of a pathname to a restricted directory ("path traversal")	037. Parameters without sensitive data 173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
23. Relative path traversal	037. Parameters without sensitive data
36. Absolute path traversal	037. Parameters without sensitive data 173. Discard unsafe inputs 320. Avoid client-side control enforcement 343. Respect the Do Not Track header
73. External control of file name or path	037. Parameters without sensitive data 320. Avoid client-side control enforcement 381. Use of absolute paths
74. Improper neutralization of special elements in output used by a downstream component ("injection")	158. Use a secure programming language 173. Discard unsafe inputs
78. Improper neutralization of special elements used in an OS command ("OS command injection")	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
79. Improper neutralization of input during web page generation ("cross-site scripting")	029. Cookies with security attributes 173. Discard unsafe inputs
80. Improper neutralization of script-related HTML tags in a web page (basic XSS)	117. Do not interpret HTML code 173. Discard unsafe inputs
89. Improper neutralization of special elements used in an SQL command ("SQL injection")	169. Use parameterized queries 173. Discard unsafe inputs
90. Improper neutralization of special elements used in an LDAP query ('LDAP Injection')	173. Discard unsafe inputs
91. XML injection	173. Discard unsafe inputs
94. Improper control of generation of code ("code injection")	173. Discard unsafe inputs
95. Improper neutralization of directives in dynamically evaluated code ("eval injection")	173. Discard unsafe inputs 321. Avoid deserializing untrusted data 344. Avoid dynamic code execution
98. Improper control of filename for include/require statement in PHP program ("PHP remote file inclusion")	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
112. Missing XML validation	173. Discard unsafe inputs
114. Process control	266. Disable insecure functionalities
116. Improper encoding or escaping of output	160. Encode system outputs 173. Discard unsafe inputs 348. Use consistent encoding 349. Include HTTP security headers
117. Improper output neutralization for logs	160. Encode system outputs
120. Buffer copy without checking size of input ("classic buffer overflow")	345. Establish protections against overflows
130. Buffer copy without checking size of input ("classic buffer overflow")	169. Use parameterized queries 342. Validate request parameters
134. Use of externally-controlled format string	345. Establish protections against overflows
138. Improper neutralization of special elements	173. Discard unsafe inputs 340. Use octet stream downloads
147. Improper neutralization of input terminators	173. Discard unsafe inputs
150. Improper neutralization of escape, meta, or control sequences	173. Discard unsafe inputs
170. Improper null termination	345. Establish protections against overflows
173. Improper handling of alternate encoding	044. Define an explicit charset 160. Encode system outputs
190. Integer overflow or wraparound	345. Establish protections against overflows
200. Exposure of sensitive information to an unauthorized actor	032. Avoid session ID leakages 119. Hide recipients 181. Transmit data using secure protocols 261. Avoid exposing sensitive information 375. Remove sensitive data from client-side applications
203. Observable discrepancy	225. Proper authentication responses
208. Observable timing discrepancy	368. Use of indistinguishable response time
209. Generation of error message containing sensitive information	077. Avoid disclosing technical information
210. Self-generated error message containing sensitive information	077. Avoid disclosing technical information 078. Disable debugging events
212. Improper removal of sensitive information before storage or transfer	183. Delete sensitive data securely 360. Remove unnecessary sensitive information
219. Storage of file with sensitive data under web root	339. Avoid storing sensitive files in the web root
221. Information loss or omission	075. Record exceptional events in logs 376. Register severity level
223. Omission of security-relevant information	376. Register severity level
226. Sensitive information in resource not removed before reuse	183. Delete sensitive data securely 360. Remove unnecessary sensitive information
233. Improper handling of parameters	342. Validate request parameters
235. Improper handling of extra parameters	342. Validate request parameters
250. Execution with unnecessary privileges	095. Define users with privileges 096. Set user's required privileges 186. Use the principle of least privilege
256. Plaintext storage of a password	127. Store hashed passwords 380. Define a password management tool
257. Storing passwords in a recoverable format	238. Establish safe recovery
259. Use of hard-coded password	156. Source code without sensitive information 172. Encrypt connection strings
263. Password aging with long expiration	130. Limit password lifespan 138. Define lifespan for temporary passwords 367. Proper generation of temporary passwords
266. Incorrect privilege assignment	095. Define users with privileges
267. Privilege defined with unsafe actions	035. Manage privilege modifications
269. Improper privilege management	035. Manage privilege modifications 186. Use the principle of least privilege
272. Least privilege violation	186. Use the principle of least privilege
276. Incorrect default permissions	095. Define users with privileges 096. Set user's required privileges 186. Use the principle of least privilege 341. Use the principle of deny by default
284. Improper access control	176. Restrict system objects 229. Request access credentials 266. Disable insecure functionalities 320. Avoid client-side control enforcement
285. Improper authorization	095. Define users with privileges 177. Avoid caching and temporary files 320. Avoid client-side control enforcement 341. Use the principle of deny by default
287. Improper authentication	122. Validate credential ownership 228. Authenticate using standard protocols 236. Establish authentication time 264. Request authentication 319. Make authentication options equally secure 334. Avoid knowledge-based authentication 362. Assign MFA mechanisms to a single account
290. Authentication bypass by spoofing	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
294. Authentication bypass by capture-replay	030. Avoid object reutilization 335. Define out of band token lifespan
295. Improper certificate validation	089. Limit validity of certificates 091. Use internally signed certificates 093. Use consistent certificates 364. Provide extended validation (EV) certificates
297. Improper validation of certificate with host mismatch	093. Use consistent certificates 373. Use certificate pinning
298. Improper validation of certificate expiration	089. Limit validity of certificates 090. Use valid certificates 364. Provide extended validation (EV) certificates
299. Improper check for certificate revocation	088. Request client certificates 089. Limit validity of certificates 090. Use valid certificates
306. Missing authentication for critical function	229. Request access credentials 264. Request authentication 265. Restrict access to critical processes 319. Make authentication options equally secure
307. Improper restriction of excessive authentication attempts	210. Delete information from mobile devices 237. Ascertain human interaction 327. Set a rate limit
308. Use of single-factor authentication	030. Avoid object reutilization 231. Implement a biometric verification component
311. Missing encryption of sensitive data	172. Encrypt connection strings 181. Transmit data using secure protocols 185. Encrypt sensitive information
319. Cleartext transmission of sensitive information	181. Transmit data using secure protocols 338. Implement perfect forward secrecy
321. Use of hard-coded cryptographic key	145. Protect system cryptographic keys 224. Use secure cryptographic mechanisms
322. Key exchange without entity authentication	145. Protect system cryptographic keys
323. Reusing a nonce, key Pair in encryption	145. Protect system cryptographic keys
324. Use of a key past its expiration date	361. Replace cryptographic keys
326. Inadequate encryption strength	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms 346. Use initialization vectors once
327. Use of a broken or risky cryptographic algorithm	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms
328. Use of weak hash	150. Set minimum size for hash functions
330. Use of insufficiently random values	223. Uniform distribution in random numbers
331. Insufficient entropy	223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms
334. Small space of random values	223. Uniform distribution in random numbers
340. Generation of predictable numbers or identifiers	223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms
345. Insufficient verification of data authenticity	030. Avoid object reutilization 178. Use digital signatures 238. Establish safe recovery
346. Origin validation error	128. Define unique data source
347. Improper verification of cryptographic signature	178. Use digital signatures
350. Reliance on reverse DNS resolution for a security-critical action	062. Define standard configurations 356. Verify sub-domain names
352. Cross-site request forgery (CSRF)	029. Cookies with security attributes 174. Transactions without a distinguishable pattern
353. Missing support for integrity check	178. Use digital signatures 262. Verify third-party components 330. Verify Subresource Integrity
359. Exposure of private personal information to an unauthorized actor	180. Use mock data 184. Obfuscate application data 261. Avoid exposing sensitive information 300. Mask sensitive data
362. Concurrent execution using shared resource with improper synchronization ("race condition")	337. Make critical logic flows thread safe
367. Time-of-check time-of-use (TOCTOU) race condition	337. Make critical logic flows thread safe 353. Schedule firmware updates
377. Insecure temporary file	036. Do not deploy temporary files 177. Avoid caching and temporary files
384. Session fixation	030. Avoid object reutilization
390. Detection of error condition without action	075. Record exceptional events in logs
396. Declaration of catch for generic exception	359. Avoid using generic exceptions
397. Declaration of throws for generic exception	359. Avoid using generic exceptions
400. Uncontrolled resource consumption	072. Set maximum response time 158. Use a secure programming language 164. Use optimized structures 173. Discard unsafe inputs
404. Improper resource shutdown or release	023. Terminate inactive user sessions 167. Close unused resources
409. Improper handling of highly compressed data (data amplification)	039. Define maximum file size
419. Unprotected primary channel	033. Restrict administrative access
434. Unrestricted upload of file with dangerous type	040. Compare file format and extension
444. Inconsistent interpretation of HTTP requests ("HTTP request smuggling")	062. Define standard configurations 173. Discard unsafe inputs 266. Disable insecure functionalities
453. Insecure default variable initialization	161. Define secure default options
456. Missing initialization of a variable	168. Initialize variables explicitly
457. Use of uninitialized variable	168. Initialize variables explicitly
459. Incomplete cleanup	183. Delete sensitive data securely 210. Delete information from mobile devices
474. Use of function with inconsistent implementations	162. Avoid duplicate code
494. Download of code without integrity check	330. Verify Subresource Integrity
497. Exposure of sensitive system information to an unauthorized control sphere	078. Disable debugging events 095. Define users with privileges
502. Deserialization of untrusted data	321. Avoid deserializing untrusted data
507. Trojan horse	155. Application free of malicious code 262. Verify third-party components
509. Replicating malicious code (virus or worm)	041. Scan files for malicious code 118. Inspect attachments
510. Trapdoor	154. Eliminate backdoors 155. Application free of malicious code
511. Logic/Time bomb	155. Application free of malicious code
512. Spyware	273. Define a fixed security suite
521. Weak password requirements	127. Store hashed passwords 129. Validate previous passwords 130. Limit password lifespan 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 332. Prevent the use of breached passwords
522. Insufficiently protected credentials	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 134. Store passwords with salt 135. Passwords with random salt 139. Set minimum OTP length 150. Set minimum size for hash functions
523. Unprotected transport of credentials	153. Out of band transactions 181. Transmit data using secure protocols
524. Use of cache containing sensitive information	177. Avoid caching and temporary files 209. Manage passwords in cache
525. Use of web browser cache containing sensitive information	177. Avoid caching and temporary files 349. Include HTTP security headers
526. Cleartext Storage of Sensitive Information in an Environment Variable	185. Encrypt sensitive information 300. Mask sensitive data
532. Insertion of sensitive information into log file	083. Avoid logging sensitive data
539. Use of persistent cookies containing sensitive information	029. Cookies with security attributes 342. Validate request parameters
540. Inclusion of sensitive information in source code	156. Source code without sensitive information
548. Exposure of information through directory listing	176. Restrict system objects 266. Disable insecure functionalities
549. Missing password field masking	300. Mask sensitive data
561. Dead code	162. Avoid duplicate code
598. Use of GET request method with sensitive query strings	169. Use parameterized queries 342. Validate request parameters
601. URL redirection to untrusted site ("open redirect")	324. Control redirects
602. Client-side enforcement of server-side security	266. Disable insecure functionalities 320. Avoid client-side control enforcement
603. Use of client-side authentication	264. Request authentication
611. Improper restriction of XML External Entity reference	157. Use the strict mode 173. Discard unsafe inputs
613. Insufficient session expiration	023. Terminate inactive user sessions 030. Avoid object reutilization 031. Discard user session data 369. Set a maximum lifetime in sessions
614. Sensitive cookie in HTTPS session without 'secure' attribute	029. Cookies with security attributes
615. Inclusion of sensitive information in source code comments	156. Source code without sensitive information
620. Unverified password change	131. Deny multiple password changing attempts 238. Establish safe recovery 301. Notify configuration changes
639. Authorization bypass through user-controlled key	035. Manage privilege modifications 176. Restrict system objects 320. Avoid client-side control enforcement
640. Weak password recovery mechanism for forgotten password	126. Set a password regeneration mechanism 130. Limit password lifespan 131. Deny multiple password changing attempts 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 139. Set minimum OTP length 238. Establish safe recovery 332. Prevent the use of breached passwords 334. Avoid knowledge-based authentication 367. Proper generation of temporary passwords
642. External control of critical state data	026. Encrypt client-side session information 328. Request MFA for critical systems
643. Improper neutralization of data within XPath expressions ("XPath injection")	173. Discard unsafe inputs
644. Improper neutralization of HTTP headers for scripting syntax	349. Include HTTP security headers
645. Overly restrictive account lockout mechanism	226. Avoid account lockouts
646. Reliance on file name or extension of externally-supplied file	040. Compare file format and extension 042. Validate file format 340. Use octet stream downloads
651. Exposure of WSDL file containing sensitive information	325. Protect WSDL files
693. Protection mechanism failure	266. Disable insecure functionalities 326. Detect rooted devices 351. Assign unique keys to each device 352. Enable trusted execution 354. Prevent firmware downgrades
710. Improper adherence to coding standards	158. Use a secure programming language 366. Associate type to variables 381. Use of absolute paths
732. Incorrect permission assignment for critical resource	186. Use the principle of least privilege 341. Use the principle of deny by default
749. Exposed dangerous method or function	041. Scan files for malicious code 266. Disable insecure functionalities
759. Use of a one-way hash without a salt	134. Store passwords with salt 135. Passwords with random salt
760. Use of a one-way hash with a predictable salt	134. Store passwords with salt 135. Passwords with random salt
770. Allocation of resources without limits or throttling	039. Define maximum file size 072. Set maximum response time 327. Set a rate limit
778. Insufficient logging	075. Record exceptional events in logs 376. Register severity level
779. Logging of excessive data	322. Avoid excessive logging
780. Use of RSA algorithm without OAEP	370. Use OAEP padding with RSA
798. Use of hard-coded credentials	156. Source code without sensitive information 172. Encrypt connection strings 357. Use stateless session tokens
799. Improper control of interaction frequency	237. Ascertain human interaction 327. Set a rate limit
804. Guessable CAPTCHA	237. Ascertain human interaction
830. Inclusion of web functionality from an untrusted source	050. Control calls to interpreted code 353. Schedule firmware updates
838. Inappropriate encoding for output context	348. Use consistent encoding
862. Missing authorization	319. Make authentication options equally secure
915. Improperly controlled modification of dynamically-determined object attributes	342. Validate request parameters 344. Avoid dynamic code execution
916. Use of password hash with insufficient computational effort	127. Store hashed passwords 134. Store passwords with salt 135. Passwords with random salt 333. Store salt values separately
918. Server-side request forgery (SSRF)	173. Discard unsafe inputs 324. Control redirects
922. Insecure storage of sensitive information	329. Keep client-side storage without sensitive data 339. Avoid storing sensitive files in the web root
923. Improper restriction of communication channel to intended endpoints	259. Segment the organization network 273. Define a fixed security suite
1004. Sensitive cookie without 'HttpOnly' flag	029. Cookies with security attributes
1021. Improper restriction of rendered UI layers or frames	340. Use octet stream downloads 349. Include HTTP security headers
1022. Use of web link to untrusted target with window.opener access	324. Control redirects
1041. Use of redundant code	171. Remove commented-out code
1085. Invokable control element with excessive volume of commented-out code	171. Remove commented-out code
1120. Excessive code complexity	379. Keep low McCabe cyclomatic complexity
1121. Excessive McCabe cyclomatic complexity	379. Keep low McCabe cyclomatic complexity
1192. System-on-Chip (SoC) using components without unique identifiers	352. Enable trusted execution
1204. Generation of weak initialization vector (IV)	372. Proper Use of Initialization Vector (IV)
1230. Exposure of sensitive information through metadata	045. Remove metadata when sharing files
1233. Improper hardware lock protection for security sensitive controls	351. Assign unique keys to each device 352. Enable trusted execution
1262. Improper access control for register interface	235. Define credential interface 252. Configure key encryption
1269. Product released in non-release configuration	078. Disable debugging events 154. Eliminate backdoors 159. Obfuscate code
1272. Sensitive information uncleared before debug/power state transition	360. Remove unnecessary sensitive information
1275. Sensitive cookie with improper sameSite attribute	029. Cookies with security attributes
1284. Improper validation of specified quantity in input	173. Discard unsafe inputs
1287. Improper validation of specified type of input	173. Discard unsafe inputs
1295. Debug messages revealing unnecessary information	083. Avoid logging sensitive data
1325. Improperly controlled sequential memory allocation	072. Set maximum response time 158. Use a secure programming language 164. Use optimized structures 173. Discard unsafe inputs
1390. Weak Authentication	228. Authenticate using standard protocols 264. Request authentication 319. Make authentication options equally secure 334. Avoid knowledge-based authentication 362. Assign MFA mechanisms to a single account
1391. Use of Weak Credentials	130. Limit password lifespan 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 135. Passwords with random salt 139. Set minimum OTP length 332. Prevent the use of breached passwords
1392. Use of Default Credentials	142. Change system default credentials 266. Disable insecure functionalities
1393. Use of Default Password	142. Change system default credentials 266. Disable insecure functionalities
1394. Use of Default Cryptographic Key	142. Change system default credentials 266. Disable insecure functionalities
1395. Dependency on Vulnerable Third-Party Component	262. Verify third-party components

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.

Summary​

Definitions​

Summary

Definitions