Browse 132 Class level CWE entries. Abstract weakness types typically described independent of any specific language or technology.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
The product does not encrypt sensitive or critical information before storage or transmission.
The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.
The product does not properly control the allocation and maintenance of a limited resource.
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
The product uses a broken or risky cryptographic algorithm or protocol.
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
The product does not handle or incorrectly handles an exceptional condition.
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
The product does not release or incorrectly releases a resource before it is made available for re-use.
The product does not initialize a critical resource.
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
This entry has been deprecated. It was originally used for organizing the Development View ( CWE-699 ) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
This category has been deprecated. It was originally used for organizing the Development View ( CWE-699 ), but it introduced unnecessary complexity and depth to the resulting tree.
This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category ( CWE-1219 ) or the class Use of Incorrectly-Resolved Name or Reference ( CWE-706 ).
Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
Weaknesses in this category are related to errors in the management of cryptographic keys.
Weaknesses in this category are related to improper calculation or conversion of numbers.
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2004.
Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017.
Weaknesses in this category are related to improper assignment or handling of permissions.
Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.
The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy.
This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
The product contains code that appears to be malicious in nature.
The product does not properly encode or decode the data, resulting in unexpected values.
The code is too complex, as calculated using a well-defined, quantitative measure.
The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures.
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
The product does not prevent the definition of control spheres from external actors.
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
The product does not adequately filter user-controlled input for special elements with control implications.
The product uses a scheme that generates numbers or identifiers that are more predictable than required.
The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.
The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.
The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.
The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.
The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.
The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.
The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.
The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.
The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.
The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
The source code does not follow desired style or formatting for indentation, white space, comments, etc.
The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.
The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses.
The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.
The code does not function according to its published specifications, potentially leading to incorrect usage.
The product specifies a regular expression in a way that causes data to be improperly matched or compared.
The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
The product does not correctly convert an object, resource, or structure from one type to a different type.
The product does not properly manage a user within its environment.
The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.
The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Identifiers are not correctly implemented.
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.
Get a free security assessment from our experts. We'll identify vulnerabilities and create a protection plan tailored to your business.
Continue with these related tools
This tool is provided for educational and authorized security testing purposes only. Always ensure you have proper authorization before testing any systems or networks you do not own. All processing happens client-side in your browser — no data is sent to our servers.