CWE™

Common Weakness Enumeration is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts. The version used in this section is CWE List v4.4.

Correlation

• CWE-20: Improper Input Validation

  • 160. Encode system outputs

  • 164. Use optimized structures

  • 173. Discard unsafe inputs

  • 342. Validate request parameters

  • 344. Avoid dynamic code execution

• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path traversal')

• CWE-23: Relative Path Traversal

• CWE-36: Absolute Path Traversal

• CWE-73: External Control of File Name or Path

  • 037. Parameters without sensitive data

  • 381. Use of absolute paths

• CWE-74: Injection

• CWE-78: OS Command Injection

• CWE-79: Cross-site Scripting

• CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page

  • 117. Do not interpret HTML code

  • 173. Discard unsafe inputs

• CWE-89: SQL Injection

  • 169. Use parameterized queries

  • 173. Discard unsafe inputs

• CWE-94: Code Injection

  • 321. Avoid deserializing untrusted data

  • 173. Discard unsafe inputs

  • 344. Avoid dynamic code execution

• CWE-95: Eval Injection

  • 321. Avoid deserializing untrusted data

  • 344. Avoid dynamic code execution

• CWE-98: PHP Remote File Inclusion

• CWE-116: Improper Encoding or Escaping of Output

  • 043. Define an explicit content type

  • 044. Define an explicit charset

  • 160. Encode system outputs

  • 173. Discard unsafe inputs

  • 348. Use consistent encoding

  • 349. Include HTTP security headers

• CWE-117: Improper Output Neutralization for Logs

• CWE-120: Classic Buffer Overflow

  • 157. Use the strict mode

  • 158. Use a secure programming language

  • 345. Establish protections against overflows

• CWE-134: Use of Externally-Controlled Format String

• CWE-138: Improper Neutralization of Special Elements

• CWE-147: Improper Neutralization of Input Terminators

• CWE-159: Improper Handling of Invalid Use of Special Elements

• CWE-173: Improper Handling of Alternate Encoding

  • 044. Define an explicit charset

  • 160. Encode system outputs

  • 349. Include HTTP security headers

• CWE-176: Improper Handling of Unicode Encoding

• CWE-190: Integer Overflow or Wraparound

• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  • 032. Avoid session ID leakages

  • 080. Prevent log modification

  • 180. Use mock data

  • 181. Transmit data using secure protocols

  • 184. Obfuscate application data

  • 261. Avoid exposing sensitive information

  • 355. Serve files with specific extensions

  • 375. Remove sensitive data from client-side applications

• CWE-203: Observable Differences in Behavior to Error Inputs

  • 225. Proper authentication responses

  • 368. Use of indistinguishable response time

• CWE-204: Observable Response Discrepancy

  • 225. Proper authentication responses

  • 368. Use of indistinguishable response time

• CWE-208: Observable Timing Discrepancy

• CWE-209: Generation of Error Message Containing Sensitive Information

  • Avoid disclosing technical information

  • 078. Disable debugging events

• CWE-210: Self-generated Error Message Containing Sensitive Information

  • 077. Avoid disclosing technical information

  • 078. Disable debugging events

• CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

• CWE-213: Exposure of Sensitive Information Due to Incompatible Policies

• CWE-219: Storage of File with Sensitive Data Under Web Root

• CWE-223: Omission of Security-relevant Information

• CWE-226: Sensitive Information Uncleared in Resource Before Release for Reuse

  • 146. Remove cryptographic keys from RAM

  • 183. Delete sensitive data securely

• CWE-233: Improper Handling of Parameters

• CWE-235: Improper Handling of Extra Parameters

• CWE-250: Execution with Unnecessary Privileges

  • 095. Define users with privileges

  • 096. Set users' required privileges

  • 186. Use the principle of least privilege

  • 326. Detect rooted devices

• CWE-256: Unprotected Storage of Credentials

• CWE-259: Use of Hard-coded Password

  • 172. Encrypt connection strings

  • 176. Restrict system objects

• CWE-263: Password Aging with Long Expiration

  • 130. Limit password lifespan

  • 136. Force temporary password change

  • 137. Change temporary passwords of third parties

  • 138. Define lifespan for temporary passwords

  • 358. Notify upcoming expiration dates

  • 367. Proper generation of temporary passwords

• CWE-267: Privilege Defined With Unsafe Actions

• CWE-269: Improper Privilege Management

  • 035. Manage privilege modifications

  • 186. Use the principle of least privilege

  • 265. Restrict access to critical processes

• CWE-272: Least Privilege Violation

• CWE-276: Incorrect Default Permissions

  • 095. Define users with privileges

  • 096. Set users' required privileges

  • 186. Use the principle of least privilege

  • 341. Use the principle of deny by default

• CWE-284: Improper Access Control

  • 176. Restrict system objects

  • 265. Restrict access to critical processes

  • 266. Disable insecure functionalities

  • 320. Avoid client-side control enforcement

• CWE-285: Improper Authorization

  • 035. Manage privilege modifications

  • 080. Prevent log modification

  • 186. Use the principle of least privilege

  • 265. Restrict access to critical processes

  • 320. Avoid client-side control enforcement

• CWE-287: Improper Authentication

  • 030. Avoid object reutilization

  • 096. Set users' required privileges

  • 140. Define OTP lifespan

  • 153. Out of band transactions

  • 176. Restrict system objects

  • 227. Display access notification

  • 237. Ascertain human interaction

  • 264. Request authentication

  • 265. Restrict access to critical processes

  • 319. Make authentication options equally secure

  • 335. Define out of band token lifespan

  • 347. Invalidate previous OTPs

  • 362. Assign MFA mechanisms to a single account

• CWE-290: Authentication Bypass by Spoofing

• CWE-294: Authentication Bypass by Capture-replay

  • 030. Avoid object reutilization

  • 335. Define out of band token lifespan

• CWE-295: Improper Certificate Validation

  • 091. Use internally signed certificates

  • 373. Use certificate pinning

• CWE-297: Improper Validation of Certificate with Host Mismatch

• CWE-299: Improper Check for Certificate Revocation

  • 088. Request client certificates

  • 090. Use valid certificates

• CWE-300: Channel Accessible by Non-Endpoint

  • 092. Use externally signed certificates

  • 373. Use certificate pinning

• CWE-306: Missing Authentication for Critical Function

  • 227. Display access notification

  • 229. Request access credentials

  • 096. Set users' required privileges

  • 176. Restrict system objects

  • 264. Request authentication

  • 265. Restrict access to critical processes

  • 319. Make authentication options equally secure

• CWE-307: Improper Restriction of Excessive Authentication Attempts

  • 226. Avoid account lockouts

  • 237. Ascertain human interaction

  • 347. Invalidate previous OTPs

• CWE-308: Use of Single-factor Authentication

  • 030. Avoid object reutilization

  • 231. Implement a biometric verification component

• CWE-311: Missing Encryption of Sensitive Data

  • 172. Encrypt connection strings

  • 181. Transmit data using secure protocols

  • 185. Encrypt sensitive information

• CWE-319: Cleartext Transmission of Sensitive Information

  • 032. Avoid session ID leakages

  • 153. Out of band transactions

  • 181. Transmit data using secure protocols

  • 336. Disable insecure TLS versions

  • 349. Include HTTP security headers

• CWE-321: Use of Hard-coded Cryptographic Key

  • 145. Protect system cryptographic keys

  • 156. Source code without sensitive information

• CWE-322: Key Exchange without Entity Authentication

• CWE-323: Reusing a Nonce, Key Pair in Encryption

• CWE-324: Use of a Key Past its Expiration Date

• CWE-326: Inadequate Encryption Strength

  • 140. Define OTP lifespan

  • 147. Use pre-existent mechanisms

  • 178. Use digital signatures

  • 181. Transmit data using secure protocols

  • 336. Disable insecure TLS versions

  • 338. Implement perfect forward secrecy

  • 346. Use initialization vectors once

  • 351. Assign unique keys to each device

  • 361. Replace cryptographic keys

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • 147. Use pre-existent mechanisms

  • 224. Use secure cryptographic mechanisms

• CWE-330: Use of Insufficiently Random Values

  • 139. Set minimum OTP length

  • 223. Uniform distribution in random numbers

  • 224. Use secure cryptographic mechanisms

  • 346. Use initialization vectors once

  • 351. Assign unique keys to each device

  • 372. Proper Use of Initialization Vector (IV)

• CWE-331: Insufficient Entropy

  • 223. Uniform distribution in random numbers

  • 224. Use secure cryptographic mechanisms

• CWE-332: Insufficient Entropy in PRNG

  • 223. Uniform distribution in random numbers

  • 224. Use secure cryptographic mechanisms

• CWE-333: Improper Handling of Insufficient Entropy in TRNG

• CWE-334: Small Space of Random Values

• CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • 223. Uniform distribution in random numbers

  • 224. Use secure cryptographic mechanisms

• CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • 223. Uniform distribution in random numbers

  • 224. Use secure cryptographic mechanisms

• CWE-340: Generation of Predictable Numbers or Identifiers

  • 223. Uniform distribution in random numbers

  • 224. Use secure cryptographic mechanisms

• CWE-345: Insufficient Verification of Data Authenticity

  • 030. Avoid object reutilization

  • 122. Validate credential ownership

  • 178. Use digital signatures

  • 238. Establish safe recovery

  • 357. Use stateless session tokens

• CWE-346: Origin Validation Error

  • 029. Cookies with security attributes

  • 175. Protect pages from clickjacking

• CWE-347: Improper Verification of Cryptographic Signature

• CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action

• CWE-352: Cross-Site Request Forgery (CSRF)

  • 029. Cookies with security attributes

  • 174. Transactions without a distinguishable pattern

  • 349. Include HTTP security headers

• CWE-353: Missing Support for Integrity Check

• CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

  • 176. Restrict system objects

  • 180. Use mock data

  • 184. Obfuscate application data

  • 261. Avoid exposing sensitive information

  • 300. Mask sensitive data

  • 375. Remove sensitive data from client-side applications

• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

• CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

  • 337. Make critical logic flows thread safe

  • 353. Schedule firmware updates

• CWE-384: Session Fixation

• CWE-390: Detection of Error Condition Without Action

• CWE-396: Declaration of Catch for Generic Exception

  • 161. Define secure default options

  • 359. Avoid using generic exceptions

• CWE-397: Declaration of Throws for Generic Exception

  • 161. Define secure default options

  • 359. Avoid using generic exceptions

• CWE-400: Uncontrolled Resource Consumption

  • 039. Define maximum file size

  • 072. Set maximum response time

• CWE-404: Improper Resource Shutdown or Release

  • 023. Terminate inactive user sessions

  • 167. Close unused resources

• CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)

• CWE-419: Unprotected Primary Channel

• CWE-434: Unrestricted Upload of File with Dangerous Type

• CWE-444: HTTP Request Smuggling

• CWE-451: User Interface (UI) Misrepresentation of Critical Information

  • 175. Protect pages from clickjacking

  • 349. Include HTTP security headers

• CWE-459: Incomplete Cleanup

  • 146. Remove cryptographic keys from RAM

  • 183. Delete sensitive data securely

  • 210. Delete information from mobile devices

• CWE-474: Use of Function with Inconsistent Implementations

• CWE-478: Missing Default Case in Switch Statement

• CWE-494: Download of Code Without Integrity Check

  • 178. Use digital signatures

  • 330. Verify Subresource Integrity

• CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

• CWE-502: Deserialization of Untrusted Data

• CWE-507: Trojan Horse

  • 155. Application free of malicious code

  • 262. Verify third-party components

• CWE-509: Replicating Malicious Code (Virus or Worm)

  • 041. Scan files for malicious code

  • 118. Inspect attachments

• CWE-510: Trapdoor

  • 154. Eliminate backdoors

  • 155. Application free of malicious code

  • 323. Exclude unverifiable files

• CWE-511: Logic or Time Bomb

• CWE-521: Weak Password Requirements

  • 088. Request client certificates

  • 126. Set a password regeneration mechanism

  • 132. Passphrases with at least 4 words

  • 133. Passwords with at least 20 characters

  • 332. Prevent the use of breached passwords

• CWE-522: Insufficiently Protected Credentials

  • 128. Define unique data source

  • 145. Protect system cryptographic keys

  • 156. Source code without sensitive information

  • 375. Remove sensitive data from client-side applications

  • 380. Define a password management tool

• CWE-523: Unprotected Transport of Credentials

  • 153. Out of band transactions

  • 349. Include HTTP security headers

• CWE-524: Use of Cache Containing Sensitive Information

• CWE-525: Use of Web Browser Cache Containing Sensitive Information

  • 177. Avoid caching and temporary files

  • 349. Include HTTP security headers

• CWE-532: Insertion of Sensitive Information into Log File

  • 083. Avoid logging sensitive data

  • 376. Register severity level

• CWE-540: Inclusion of Sensitive Information in Source Code

  • 156. Source code without sensitive information

  • 375. Remove sensitive data from client-side applications

• CWE-544: Missing Standardized Error Handling Mechanism

  • 075. Record exceptional events in logs

  • 161. Define secure default options

• CWE-548: Exposure of Information Through Directory Listing

  • 339. Avoid storing sensitive files in the web root

  • 261. Avoid exposing sensitive information

• CWE-552: Files or Directories Accessible to External Parties

• CWE-561: Dead Code

• CWE-598: Use of GET Request Method With Sensitive Query Strings

  • 032. Avoid session ID leakages

  • 181. Transmit data using secure protocols

• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

• CWE-602: Client-Side Enforcement of Server-Side Security

  • 122. Validate credential ownership

  • 173. Discard unsafe inputs

  • 238. Establish safe recovery

  • 266. Disable insecure functionalities

  • 320. Avoid client-side control enforcement

  • 324. Control redirects

• CWE-611: Improper Restriction of XML External Entity Reference

• CWE-613: Insufficient Session Expiration

  • 023. Terminate inactive user sessions

  • 028. Allow users to log out

  • 031. Discard user session data

  • 140. Define OTP lifespan

  • 141. Force re-authentication

  • 335. Define out of band token lifespan

  • 369. Set a maximum lifetime in sessions

• CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

• CWE-615: Inclusion of Sensitive Information in Source Code Comments

• CWE-620: Unverified Password Change

  • 131. Deny multiple password changing attempts

  • 238. Establish safe recovery

  • 301. Notify configuration changes

• CWE-639: Authorization Bypass Through User-Controlled Key

  • 035. Manage privilege modifications

  • 176. Restrict system objects

  • 320. Avoid client-side control enforcement

• CWE-640: Weak Password Recovery Mechanism for Forgotten Password

  • 126. Set a password regeneration mechanism

  • 131. Deny multiple password changing attempts

  • 238. Establish safe recovery

  • 334. Avoid knowledge-based authentication

  • 367. Proper generation of temporary passwords

• CWE-641: Improper Restriction of Names for Files and Other Resources

• CWE-642: External Control of Critical State Data

  • 026. Encrypt client-side session information

  • 328. Request MFA for critical systems

• CWE-643: XPath Injection

• CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax

• CWE-645: Overly Restrictive Account Lockout Mechanism

• CWE-646: Reliance on File Name or Extension of Externally-Supplied File

  • 040. Compare file format and extension

  • 042. Validate file format

  • 340. Use octet stream downloads

• CWE-651: Exposure of WSDL File Containing Sensitive Information

• CWE-693: Protection Mechanism Failure

  • 326. Detect rooted devices

  • 350. Enable memory protection mechanisms

  • 352. Enable trusted execution

  • 354. Prevent firmware downgrades

• CWE-710: Improper Adherence to Coding Standards

  • 366. Associate type to variables

  • 381. Use of absolute paths

• CWE-732: Incorrect Permission Assignment for Critical Resource

  • 186. Use the principle of least privilege

  • 341. Use the principle of deny by default

• CWE-749: Exposed Dangerous Method or Function

  • 041. Scan files for malicious code

  • 266. Disable insecure functionalities

• CWE-759: Use of a One-Way Hash without a Salt

  • 134. Store passwords with salt

  • 135. Passwords with random salt

• CWE-760: Use of a One-Way Hash with a Predictable Salt

  • 134. Store passwords with salt

  • 135. Passwords with random salt

• CWE-770: Allocation of Resources Without Limits or Throttling

  • 039. Define maximum file size

  • 072. Set maximum response time

  • 327. Set a rate limit

• CWE-778: Insufficient Logging

  • 046. Manage the integrity of critical files

  • 075. Record exceptional events in logs

  • 079. Record exact occurrence time of events

  • 376. Register severity level

  • 377. Store logs based on valid regulation

  • 378. Use of log management system

• CWE-779: Logging of Excessive Data

• CWE-798: Use of Hard-coded Credentials

  • 156. Source code without sensitive information

  • 172. Encrypt connection strings

  • 357. Use stateless session tokens

• CWE-799: Improper Control of Interaction Frequency

  • 237. Ascertain human interaction

  • 327. Set a rate limit

• CWE-804: Guessable CAPTCHA

• CWE-829: Inclusion of Functionality from Untrusted Control Sphere

  • 050. Control calls to interpreted code

  • 302. Declare dependencies explicitly

• CWE-830: Inclusion of Web Functionality from an Untrusted Source

• CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

• CWE-916: Use of Password Hash With Insufficient Computational Effort

  • 127. Store hashed passwords

  • 134. Store passwords with salt

  • 135. Passwords with random salt

  • 333. Store salt values separately

• CWE-918: Server-Side Request Forgery (SSRF)

• CWE-922: Insecure Storage of Sensitive Information

  • 329. Keep client-side storage without sensitive data

  • 339. Avoid storing sensitive files in the web root

• CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

  • 259. Segment the organization network

  • 273. Define a fixed security suite

• CWE-943: Improper Neutralization of Special Elements in Data Query Logic

• CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

• CWE-1021: Improper Restriction of Rendered UI Layers or Frames

  • 324. Control redirects

  • 340. Use octet stream downloads

  • 349. Include HTTP security headers

• CWE-1085: Invokable Control Element with Excessive Volume of Commented-out Code

• CWE-1120: Excessive Code Complexity

• CWE-1121: Excessive McCabe Cyclomatic Complexity

• CWE-1204: Generation of Weak Initialization Vector (IV)

• CWE-1230: Exposure of Sensitive Information Through Metadata

• CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls

  • 350. Enable memory protection mechanisms

  • 352. Enable trusted execution

• CWE-1269: Product Released in Non-Release Configuration

  • 078. Disable debugging events

  • 154. Eliminate backdoors

  • 159. Obfuscate code