CWE

Summary

The Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and a baseline for weakness identification, mitigation and prevention efforts. The version used in this section is CWE List v4.5.

Definitions

Each entry gives the CWE ID and name (the definition), followed by the requirements that address it, listed by requirement ID and name. A dash means that no requirement is mapped to that weakness.

20. Improper input validation
    160. Encode system outputs
    164. Use optimized structures
    173. Discard unsafe inputs
    342. Validate request parameters
    344. Avoid dynamic code execution
22. Improper limitation of a pathname to a restricted directory ("path traversal")
    037. Parameters without sensitive data
23. Relative path traversal
    037. Parameters without sensitive data
36. Absolute path traversal
    037. Parameters without sensitive data
73. External control of file name or path
    037. Parameters without sensitive data
    381. Use of absolute paths
74. Improper neutralization of special elements in output used by a downstream component ("injection")
    173. Discard unsafe inputs
78. Improper neutralization of special elements used in an OS command ("OS command injection")
    173. Discard unsafe inputs
79. Improper neutralization of input during web page generation ("cross-site scripting")
    160. Encode system outputs
    173. Discard unsafe inputs
80. Improper neutralization of script-related HTML tags in a web page (basic XSS)
    117. Do not interpret HTML code
    173. Discard unsafe inputs
89. Improper neutralization of special elements used in an SQL command ("SQL injection")
    169. Use parameterized queries
    173. Discard unsafe inputs
94. Improper control of generation of code ("code injection")
    173. Discard unsafe inputs
    321. Avoid deserializing untrusted data
    344. Avoid dynamic code execution
    373. Use certificate pinning
95. Improper neutralization of directives in dynamically evaluated code ("eval injection")
    321. Avoid deserializing untrusted data
    344. Avoid dynamic code execution
98. Improper control of filename for include/require statement in PHP program ("PHP remote file inclusion")
    037. Parameters without sensitive data
116. Improper encoding or escaping of output
    043. Define an explicit content type
    044. Define an explicit charset
    160. Encode system outputs
    173. Discard unsafe inputs
    348. Use consistent encoding
    349. Include HTTP security headers
117. Improper output neutralization for logs
    160. Encode system outputs
120. Buffer copy without checking size of input ("classic buffer overflow")
    157. Use the strict mode
    158. Use a secure programming language
    345. Establish protections against overflows
134. Use of externally-controlled format string
    345. Establish protections against overflows
138. Improper neutralization of special elements
    173. Discard unsafe inputs
147. Improper neutralization of input terminators
    173. Discard unsafe inputs
159. Improper handling of invalid use of special elements
    173. Discard unsafe inputs
173. Improper handling of alternate encoding
    044. Define an explicit charset
    160. Encode system outputs
    349. Include HTTP security headers
176. Improper handling of Unicode encoding
    160. Encode system outputs
190. Integer overflow or wraparound
    345. Establish protections against overflows
200. Exposure of sensitive information to an unauthorized actor
    032. Avoid session ID leakages
    080. Prevent log modification
    119. Hide recipients
    180. Use mock data
    181. Transmit data using secure protocols
    184. Obfuscate application data
    261. Avoid exposing sensitive information
    355. Serve files with specific extensions
    375. Remove sensitive data from client-side applications
203. Observable discrepancy
    225. Proper authentication responses
    368. Use of indistinguishable response time
204. Observable response discrepancy
    225. Proper authentication responses
    368. Use of indistinguishable response time
208. Observable timing discrepancy
    368. Use of indistinguishable response time
209. Generation of error message containing sensitive information
    077. Avoid disclosing technical information
    078. Disable debugging events
210. Self-generated error message containing sensitive information
    077. Avoid disclosing technical information
    078. Disable debugging events
212. Improper removal of sensitive information before storage or transfer
    317. Allow erasure requests
213. Exposure of sensitive information due to incompatible policies
    355. Serve files with specific extensions
219. Storage of file with sensitive data under web root
    339. Avoid storing sensitive files in the web root
223. Omission of security-relevant information
    376. Register severity level
226. Sensitive information in resource not removed before reuse
    146. Remove cryptographic keys from RAM
    183. Delete sensitive data securely
233. Improper handling of parameters
    342. Validate request parameters
235. Improper handling of extra parameters
    342. Validate request parameters
250. Execution with unnecessary privileges
    095. Define users with privileges
    096. Set user's required privileges
    186. Use the principle of least privilege
    326. Detect rooted devices
256. Plaintext storage of a password
    380. Define a password management tool
259. Use of hard-coded password
    156. Source code without sensitive information
    172. Encrypt connection strings
263. Password aging with long expiration
    130. Limit password lifespan
    136. Force temporary password change
    137. Change temporary passwords of third parties
    138. Define lifespan for temporary passwords
    358. Notify upcoming expiration dates
    367. Proper generation of temporary passwords
267. Privilege defined with unsafe actions
    035. Manage privilege modifications
269. Improper privilege management
    035. Manage privilege modifications
    186. Use the principle of least privilege
    265. Restrict access to critical processes
272. Least privilege violation
    186. Use the principle of least privilege
276. Incorrect default permissions
    095. Define users with privileges
    096. Set user's required privileges
    186. Use the principle of least privilege
    341. Use the principle of deny by default
284. Improper access control
    176. Restrict system objects
    265. Restrict access to critical processes
    266. Disable insecure functionalities
    320. Avoid client-side control enforcement
285. Improper authorization
    035. Manage privilege modifications
    080. Prevent log modification
    186. Use the principle of least privilege
    265. Restrict access to critical processes
    320. Avoid client-side control enforcement
287. Improper authentication
    030. Avoid object reutilization
    096. Set user's required privileges
    122. Validate credential ownership
    140. Define OTP lifespan
    153. Out of band transactions
    176. Restrict system objects
    227. Display access notification
    232. Require equipment identity
    237. Ascertain human interaction
    264. Request authentication
    265. Restrict access to critical processes
    319. Make authentication options equally secure
    335. Define out of band token lifespan
    347. Invalidate previous OTPs
    362. Assign MFA mechanisms to a single account
290. Authentication bypass by spoofing
    357. Use stateless session tokens
294. Authentication bypass by capture-replay
    030. Avoid object reutilization
    335. Define out of band token lifespan
295. Improper certificate validation
    089. Limit validity of certificates
    091. Use internally signed certificates
    093. Use consistent certificates
    364. Provide extended validation (EV) certificates
297. Improper validation of certificate with host mismatch
    093. Use consistent certificates
    373. Use certificate pinning
298. Improper validation of certificate expiration
    089. Limit validity of certificates
    090. Use valid certificates
    364. Provide extended validation (EV) certificates
299. Improper check for certificate revocation
    088. Request client certificates
    089. Limit validity of certificates
    090. Use valid certificates
300. Channel accessible by non-endpoint
    092. Use externally signed certificates
    373. Use certificate pinning
306. Missing authentication for critical function
    096. Set user's required privileges
    176. Restrict system objects
    227. Display access notification
    229. Request access credentials
    264. Request authentication
    265. Restrict access to critical processes
    319. Make authentication options equally secure
307. Improper restriction of excessive authentication attempts
    226. Avoid account lockouts
    237. Ascertain human interaction
    347. Invalidate previous OTPs
308. Use of single-factor authentication
    030. Avoid object reutilization
    231. Implement a biometric verification component
311. Missing encryption of sensitive data
    172. Encrypt connection strings
    181. Transmit data using secure protocols
    185. Encrypt sensitive information
319. Cleartext transmission of sensitive information
    032. Avoid session ID leakages
    153. Out of band transactions
    181. Transmit data using secure protocols
    336. Disable insecure TLS versions
    349. Include HTTP security headers
321. Use of hard-coded cryptographic key
    145. Protect system cryptographic keys
    156. Source code without sensitive information
322. Key exchange without entity authentication
    145. Protect system cryptographic keys
323. Reusing a nonce, key pair in encryption
    145. Protect system cryptographic keys
324. Use of a key past its expiration date
    361. Replace cryptographic keys
326. Inadequate encryption strength
    140. Define OTP lifespan
    147. Use pre-existent mechanisms
    178. Use digital signatures
    181. Transmit data using secure protocols
    336. Disable insecure TLS versions
    338. Implement perfect forward secrecy
    346. Use initialization vectors once
    361. Replace cryptographic keys
327. Use of a broken or risky cryptographic algorithm
    147. Use pre-existent mechanisms
    224. Use secure cryptographic mechanisms
330. Use of insufficiently random values
    139. Set minimum OTP length
    223. Uniform distribution in random numbers
    224. Use secure cryptographic mechanisms
    346. Use initialization vectors once
    372. Proper use of initialization vector (IV)
331. Insufficient entropy
    223. Uniform distribution in random numbers
    224. Use secure cryptographic mechanisms
332. Insufficient entropy in PRNG
    223. Uniform distribution in random numbers
    224. Use secure cryptographic mechanisms
333. Improper handling of insufficient entropy in TRNG
    224. Use secure cryptographic mechanisms
334. Small space of random values
    224. Use secure cryptographic mechanisms
335. Incorrect usage of seeds in pseudo-random number generator (PRNG)
    223. Uniform distribution in random numbers
    224. Use secure cryptographic mechanisms
338. Use of cryptographically weak pseudo-random number generator (PRNG)
    223. Uniform distribution in random numbers
    224. Use secure cryptographic mechanisms
340. Generation of predictable numbers or identifiers
    223. Uniform distribution in random numbers
    224. Use secure cryptographic mechanisms
345. Insufficient verification of data authenticity
    030. Avoid object reutilization
    178. Use digital signatures
    238. Establish safe recovery
    357. Use stateless session tokens
346. Origin validation error
    029. Cookies with security attributes
    175. Protect pages from clickjacking
347. Improper verification of cryptographic signature
    178. Use digital signatures
350. Reliance on reverse DNS resolution for a security-critical action
    356. Verify sub-domain names
352. Cross-site request forgery (CSRF)
    029. Cookies with security attributes
    174. Transactions without a distinguishable pattern
    349. Include HTTP security headers
353. Missing support for integrity check
    330. Verify Subresource Integrity
359. Exposure of private personal information to an unauthorized actor
    176. Restrict system objects
    180. Use mock data
    184. Obfuscate application data
    261. Avoid exposing sensitive information
    300. Mask sensitive data
    375. Remove sensitive data from client-side applications
362. Concurrent execution using shared resource with improper synchronization ("race condition")
    337. Make critical logic flows thread safe
367. Time-of-check time-of-use (TOCTOU) race condition
    337. Make critical logic flows thread safe
    353. Schedule firmware updates
384. Session fixation
    025. Manage concurrent sessions
390. Detection of error condition without action
    075. Record exceptional events in logs
396. Declaration of catch for generic exception
    359. Avoid using generic exceptions
397. Declaration of throws for generic exception
    359. Avoid using generic exceptions
400. Uncontrolled resource consumption
    039. Define maximum file size
    072. Set maximum response time
404. Improper resource shutdown or release
    023. Terminate inactive user sessions
    167. Close unused resources
409. Improper handling of highly compressed data (data amplification)
    039. Define maximum file size
419. Unprotected primary channel
    033. Restrict administrative access
434. Unrestricted upload of file with dangerous type
    040. Compare file format and extension
444. Inconsistent interpretation of HTTP requests ("HTTP request smuggling")
    348. Use consistent encoding
451. User interface (UI) misrepresentation of critical information
    175. Protect pages from clickjacking
    349. Include HTTP security headers
456. Missing initialization of a variable
    168. Initialize variables explicitly
457. Use of uninitialized variable
    168. Initialize variables explicitly
459. Incomplete cleanup
    146. Remove cryptographic keys from RAM
    183. Delete sensitive data securely
    210. Delete information from mobile devices
474. Use of function with inconsistent implementations
    162. Avoid duplicate code
478. Missing default case in switch statement
    -
494. Download of code without integrity check
    178. Use digital signatures
    330. Verify Subresource Integrity
497. Exposure of sensitive system information to an unauthorized control sphere
    078. Disable debugging events
502. Deserialization of untrusted data
    321. Avoid deserializing untrusted data
507. Trojan horse
    155. Application free of malicious code
    262. Verify third-party components
509. Replicating malicious code (virus or worm)
    041. Scan files for malicious code
    118. Inspect attachments
510. Trapdoor
    154. Eliminate backdoors
    155. Application free of malicious code
    323. Exclude unverifiable files
511. Logic/time bomb
    155. Application free of malicious code
521. Weak password requirements
    088. Request client certificates
    126. Set a password regeneration mechanism
    132. Passphrases with at least 4 words
    133. Passwords with at least 20 characters
    332. Prevent the use of breached passwords
522. Insufficiently protected credentials
    128. Define unique data source
    145. Protect system cryptographic keys
    156. Source code without sensitive information
    375. Remove sensitive data from client-side applications
    380. Define a password management tool
523. Unprotected transport of credentials
    153. Out of band transactions
    349. Include HTTP security headers
524. Use of cache containing sensitive information
    177. Avoid caching and temporary files
525. Use of web browser cache containing sensitive information
    177. Avoid caching and temporary files
    349. Include HTTP security headers
532. Insertion of sensitive information into log file
    083. Avoid logging sensitive data
    376. Register severity level
540. Inclusion of sensitive information in source code
    156. Source code without sensitive information
    375. Remove sensitive data from client-side applications
544. Missing standardized error handling mechanism
    075. Record exceptional events in logs
548. Exposure of information through directory listing
    261. Avoid exposing sensitive information
    339. Avoid storing sensitive files in the web root
552. Files or directories accessible to external parties
    -
561. Dead code
    162. Avoid duplicate code
598. Use of GET request method with sensitive query strings
    032. Avoid session ID leakages
    181. Transmit data using secure protocols
601. URL redirection to untrusted site ("open redirect")
    324. Control redirects
602. Client-side enforcement of server-side security
    173. Discard unsafe inputs
    238. Establish safe recovery
    266. Disable insecure functionalities
    320. Avoid client-side control enforcement
    324. Control redirects
611. Improper restriction of XML External Entity reference
    157. Use the strict mode
613. Insufficient session expiration
    023. Terminate inactive user sessions
    028. Allow users to log out
    031. Discard user session data
    140. Define OTP lifespan
    141. Force re-authentication
    335. Define out of band token lifespan
    369. Set a maximum lifetime in sessions
614. Sensitive cookie in HTTPS session without 'secure' attribute
    029. Cookies with security attributes
615. Inclusion of sensitive information in source code comments
    156. Source code without sensitive information
620. Unverified password change
    131. Deny multiple password changing attempts
    238. Establish safe recovery
    301. Notify configuration changes
639. Authorization bypass through user-controlled key
    035. Manage privilege modifications
    176. Restrict system objects
    320. Avoid client-side control enforcement
640. Weak password recovery mechanism for forgotten password
    126. Set a password regeneration mechanism
    131. Deny multiple password changing attempts
    238. Establish safe recovery
    334. Avoid knowledge-based authentication
    367. Proper generation of temporary passwords
641. Improper restriction of names for files and other resources
    037. Parameters without sensitive data
642. External control of critical state data
    026. Encrypt client-side session information
    328. Request MFA for critical systems
643. Improper neutralization of data within XPath expressions ("XPath injection")
    173. Discard unsafe inputs
644. Improper neutralization of HTTP headers for scripting syntax
    349. Include HTTP security headers
645. Overly restrictive account lockout mechanism
    226. Avoid account lockouts
646. Reliance on file name or extension of externally-supplied file
    040. Compare file format and extension
    042. Validate file format
    340. Use octet stream downloads
651. Exposure of WSDL file containing sensitive information
    325. Protect WSDL files
693. Protection mechanism failure
    326. Detect rooted devices
    351. Assign unique keys to each device
    352. Enable trusted execution
    354. Prevent firmware downgrades
710. Improper adherence to coding standards
    366. Associate type to variables
    381. Use of absolute paths
732. Incorrect permission assignment for critical resource
    186. Use the principle of least privilege
    341. Use the principle of deny by default
749. Exposed dangerous method or function
    041. Scan files for malicious code
    266. Disable insecure functionalities
757. Selection of less-secure algorithm during negotiation ("algorithm downgrade")
    336. Disable insecure TLS versions
    354. Prevent firmware downgrades
759. Use of a one-way hash without a salt
    134. Store passwords with salt
    135. Passwords with random salt
760. Use of a one-way hash with a predictable salt
    134. Store passwords with salt
    135. Passwords with random salt
770. Allocation of resources without limits or throttling
    039. Define maximum file size
    072. Set maximum response time
    327. Set a rate limit
778. Insufficient logging
    046. Manage the integrity of critical files
    075. Record exceptional events in logs
    079. Record exact occurrence time of events
    376. Register severity level
    377. Store logs based on valid regulation
    378. Use of log management system
779. Logging of excessive data
    322. Avoid excessive logging
798. Use of hard-coded credentials
    156. Source code without sensitive information
    172. Encrypt connection strings
    357. Use stateless session tokens
799. Improper control of interaction frequency
    237. Ascertain human interaction
    327. Set a rate limit
804. Guessable CAPTCHA
    237. Ascertain human interaction
829. Inclusion of functionality from untrusted control sphere
    050. Control calls to interpreted code
    302. Declare dependencies explicitly
830. Inclusion of web functionality from an untrusted source
    050. Control calls to interpreted code
915. Improperly controlled modification of dynamically-determined object attributes
    342. Validate request parameters
916. Use of password hash with insufficient computational effort
    127. Store hashed passwords
    134. Store passwords with salt
    135. Passwords with random salt
    333. Store salt values separately
918. Server-side request forgery (SSRF)
    324. Control redirects
922. Insecure storage of sensitive information
    329. Keep client-side storage without sensitive data
    339. Avoid storing sensitive files in the web root
923. Improper restriction of communication channel to intended endpoints
    259. Segment the organization network
    273. Define a fixed security suite
943. Improper neutralization of special elements in data query logic
    173. Discard unsafe inputs
1004. Sensitive cookie without 'HttpOnly' flag
    029. Cookies with security attributes
1021. Improper restriction of rendered UI layers or frames
    340. Use octet stream downloads
    349. Include HTTP security headers
1022. Use of web link to untrusted target with window.opener access
    324. Control redirects
1085. Invokable control element with excessive volume of commented-out code
    171. Remove commented-out code
1120. Excessive code complexity
    379. Keep low McCabe cyclomatic complexity
1121. Excessive McCabe cyclomatic complexity
    379. Keep low McCabe cyclomatic complexity
1204. Generation of weak initialization vector (IV)
    372. Proper use of initialization vector (IV)
1230. Exposure of sensitive information through metadata
    045. Remove metadata when sharing files
1233. Improper hardware lock protection for security sensitive controls
    351. Assign unique keys to each device
    352. Enable trusted execution
1269. Product released in non-release configuration
    078. Disable debugging events
    154. Eliminate backdoors
    159. Obfuscate code