CWE Class Weaknesses

Browse 132 Class level CWE entries. Abstract weakness types typically described independent of any specific language or technology.

132
Total
18
High Likelihood
8
Medium
2
Low
Showing 100 of 132 Class weaknesses
CWE-200High

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-642High

External Control of Critical State Data

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

CWE-287High

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-285High

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-99High

Improper Control of Resource Identifiers ('Resource Injection')

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

CWE-116High

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-20High

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-74High

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-77High

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-119High

Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

CWE-863High

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

CWE-732High

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CWE-862High

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CWE-311High

Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

CWE-271High

Privilege Dropping / Lowering Errors

The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.

CWE-400High

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

CWE-330High

Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

CWE-327High

Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

CWE-602Medium

Client-Side Enforcement of Server-Side Security

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

CWE-362Medium

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

CWE-754Medium

Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

CWE-755Medium

Improper Handling of Exceptional Conditions

The product does not handle or incorrectly handles an exceptional condition.

CWE-665Medium

Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

CWE-269Medium

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-404Medium

Improper Resource Shutdown or Release

The product does not release or incorrectly releases a resource before it is made available for re-use.

CWE-909Medium

Missing Initialization of Resource

The product does not initialize a critical resource.

CWE-407Low

Inefficient Algorithmic Complexity

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

CWE-1038Low

Insecure Automated Optimizations

The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.

CWE-670

Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

CWE-405

Asymmetric Resource Consumption (Amplification)

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

CWE-2

CWE CATEGORY: 7PK - Environment

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."

CWE-388

CWE CATEGORY: 7PK - Errors

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

CWE-254

CWE CATEGORY: 7PK - Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

CWE-361

CWE CATEGORY: 7PK - Time and State

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

CWE-840

CWE CATEGORY: Business Logic Errors

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

CWE-882

CWE CATEGORY: CERT C++ Secure Coding Section 14 - Concurrency (CON)

Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CWE-17

CWE CATEGORY: DEPRECATED: Code

This entry has been deprecated. It was originally used for organizing the Development View ( CWE-699 ) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

CWE-1

CWE CATEGORY: DEPRECATED: Location

This category has been deprecated. It was originally used for organizing the Development View ( CWE-699 ), but it introduced unnecessary complexity and depth to the resulting tree.

CWE-21

CWE CATEGORY: DEPRECATED: Pathname Traversal and Equivalence Errors

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category ( CWE-1219 ) or the class Use of Incorrectly-Resolved Name or Reference ( CWE-706 ).

CWE-19

CWE CATEGORY: Data Processing Errors

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

CWE-1219

CWE CATEGORY: File Handling Issues

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

CWE-320

CWE CATEGORY: Key Management Errors

Weaknesses in this category are related to errors in the management of cryptographic keys.

CWE-189

CWE CATEGORY: Numeric Errors

Weaknesses in this category are related to improper calculation or conversion of numbers.

CWE-730

CWE CATEGORY: OWASP Top Ten 2004 Category A9 - Denial of Service

Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2004.

CWE-1032

CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration

Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017.

CWE-275

CWE CATEGORY: Permission Issues

Weaknesses in this category are related to improper assignment or handling of permissions.

CWE-265

CWE CATEGORY: Privilege Issues

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

CWE-300

Channel Accessible by Non-Endpoint

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

CWE-514

Covert Channel

A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.

CWE-1229

Creation of Emergent Resource

The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy.

CWE-592

DEPRECATED: Authentication Bypass Issues

This weakness has been deprecated because it covered redundant concepts already described in CWE-287.

CWE-216

DEPRECATED: Containment Errors (Container Errors)

This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.

CWE-1395

Dependency on Vulnerable Third-Party Component

The product has a dependency on a third-party component that contains one or more known vulnerabilities.

CWE-506

Embedded Malicious Code

The product contains code that appears to be malicious in nature.

CWE-172

Encoding Error

The product does not properly encode or decode the data, resulting in unexpected values.

CWE-1120

Excessive Code Complexity

The code is too complex, as calculated using a well-defined, quantitative measure.

CWE-834

Excessive Iteration

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

CWE-1093

Excessively Complex Data Representation

The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures.

CWE-668

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

CWE-673

External Influence of Sphere Definition

The product does not prevent the definition of control spheres from external actors.

CWE-610

Externally Controlled Reference to a Resource in Another Sphere

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

CWE-75

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

The product does not adequately filter user-controlled input for special elements with control implications.

CWE-340

Generation of Predictable Numbers or Identifiers

The product uses a scheme that generates numbers or identifiers that are more predictable than required.

CWE-912

Hidden Functionality

The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.

CWE-913

Improper Control of Dynamically-Managed Code Resources

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

CWE-799

Improper Control of Interaction Frequency

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

CWE-841

Improper Enforcement of Behavioral Workflow

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

CWE-790

Improper Filtering of Special Elements

The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.

CWE-573

Improper Following of Specification by Caller

The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

CWE-159

Improper Handling of Invalid Use of Special Elements

The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.

CWE-1384

Improper Handling of Physical or Environmental Conditions

The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.

CWE-228

Improper Handling of Syntactically Invalid Structure

The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.

CWE-653

Improper Isolation or Compartmentalization

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

CWE-667

Improper Locking

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

CWE-138

Improper Neutralization of Special Elements

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

CWE-943

Improper Neutralization of Special Elements in Data Query Logic

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

CWE-282

Improper Ownership Management

The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

CWE-1263

Improper Physical Access Control

The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.

CWE-424

Improper Protection of Alternate Path

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

CWE-923

Improper Restriction of Communication Channel to Intended Endpoints

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

CWE-662

Improper Synchronization

The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.

CWE-1039

Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism

The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.

CWE-326

Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

CWE-1078

Inappropriate Source Code Style or Formatting

The source code does not follow desired style or formatting for indentation, white space, comments, etc.

CWE-1023

Incomplete Comparison with Missing Factors

The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.

CWE-118

Incorrect Access of Indexable Resource ('Range Error')

The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.

CWE-696

Incorrect Behavior Order

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses.

CWE-705

Incorrect Control Flow Scoping

The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

CWE-1419

Incorrect Initialization of Resource

The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.

CWE-684

Incorrect Provision of Specified Functionality

The code does not function according to its published specifications, potentially leading to incorrect usage.

CWE-185

Incorrect Regular Expression

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

CWE-669

Incorrect Resource Transfer Between Spheres

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

CWE-704

Incorrect Type Conversion or Cast

The product does not correctly convert an object, resource, or structure from one type to a different type.

CWE-286

Incorrect User Management

The product does not properly manage a user within its environment.

CWE-1176

Inefficient CPU Computation

The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.

CWE-221

Information Loss or Omission

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

CWE-1294

Insecure Security Identifier Mechanism

The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Identifiers are not correctly implemented.

CWE-922

Insecure Storage of Sensitive Information

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

CWE-377

Insecure Temporary File

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

CWE-1076

Insufficient Adherence to Expected Conventions

The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.

Don't leave your security to chance

Get a free security assessment from our experts. We'll identify vulnerabilities and create a protection plan tailored to your business.

⚠️ Security Notice

This tool is provided for educational and authorized security testing purposes only. Always ensure you have proper authorization before testing any systems or networks you do not own. All processing happens client-side in your browser — no data is sent to our servers.