1000.csv 2.1 MB

ID,Name,Weakness Abstraction,Status,Description,Extended Description,Related Weaknesses,Weakness Ordinalities,Applicable Platforms,Background Details,Alternate Terms,Modes Of Introduction,Exploitation Factors,Likelihood of Exploit,Common Consequences,Detection Methods,Potential Mitigations,Observed Examples,Functional Areas,Affected Resources,Taxonomy Mappings,Related Attack Patterns,Notes
1004,"Sensitive Cookie Without 'HttpOnly' Flag",Variant,Incomplete,"The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.","The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.","::NATURE:ChildOf:CWE ID:732:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Web Based:PARADIGN PREVALENCE:Undetermined::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Undetermined::","::An HTTP cookie is a small piece of data attributed to a specific website and stored on the user's computer by the user's web browser. This data can be leveraged for a variety of purposes including saving information entered into form fields, recording user activity, and for authentication purposes. Cookies used to save or record information generated by the user are accessed and modified by script code embedded in a web page. While cookies used for authentication are created by the website's server and sent to the user to be attached to future requests. 
These authentication cookies are often not meant to be accessed by the web page sent to the user, and are instead just supposed to be attached to future requests to verify authentication details.::","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.::SCOPE:Integrity:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Integrity Gain Privileges or Assume Identity If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS:High:DESCRIPTION:Leverage the HttpOnly flag when setting a sensitive cookie in a response.::","::REFERENCE:CVE-2014-3852:DESCRIPTION:CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3852REFERENCE:CVE-2015-4138:DESCRIPTION:Appliance for managing encrypted communications does not use HttpOnly flag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4138","","","","","",
1007,"Insufficient Visual Distinction of Homoglyphs Presented to User",Base,Incomplete,"The software displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.","Some glyphs, pictures, or icons can be semantically distinct to a program, while appearing very similar or identical to a human user. These are referred to as homoglyphs. For example, the lowercase l (ell) and uppercase I (eye) have different character codes, but these characters can be displayed in exactly the same way to a user, depending on the font. This can also occur between different character sets. For example, the Latin capital letter A and the Greek capital letter Α (Alpha) are treated as distinct by programs, but may be displayed in exactly the same way to a user. Accent marks may also cause letters to appear very similar, such as the Latin capital letter grave mark À and its equivalent À with the acute accent. Adversaries can exploit this visual similarity for attacks such as phishing, e.g. by providing a link to an attacker-controlled hostname that looks like a hostname that the victim trusts. 
In a different use of homoglyphs, an adversary may create a back door username that is visually similar to the username of a regular user, which then makes it more difficult for a system administrator to detect the malicious username while reviewing logs.","::NATURE:ChildOf:CWE ID:451:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:451:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Web Based:PARADIGN PREVALENCE:Sometimes::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Sometimes::","","::TERM:Homograph Attack:DESCRIPTION:Homograph is often used as a synonym of homoglyph by researchers, but according to Wikipedia, a homograph is a word that has multiple, distinct meanings.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Other:NOTE:Integrity Confidentiality Other An attacker may ultimately redirect a user to a malicious website, by deceiving the user into believing the URL they are accessing is a trusted domain. However, the attack can also be used to forge log entries by using homoglyphs in usernames. Homoglyph manipulations are often the first step towards executing advanced attacks such as stealing a user's credentials, Cross-Site Scripting (XSS), or log forgery. If an attacker redirects a user to a malicious site, the attacker can mimic a trusted domain to steal account credentials and perform actions on behalf of the user, without the user's knowledge. Similarly, an attacker could create a username for a website that contains homoglyph characters, making it difficult for an admin to review logs and determine which users performed which actions.::","::METHOD:Manual Dynamic Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:If utilizing user accounts, attempt to submit a username that contains homoglyphs. 
Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.::","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a browser that displays Punycode for IDNs in the URL and status bars, or which color code various scripts in URLs. Due to the prominence of homoglyph attacks, several browsers now help safeguard against this attack via the use of Punycode. For example, Mozilla Firefox and Google Chrome will display IDNs as Punycode if top-level domains do not restrict which characters can be used in domain names or if labels mix scripts for different languages.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use an email client that has strict filters and prevents messages that mix character sets to end up in a user's inbox. Certain email clients such as Google's GMail prevent the use of non-Latin characters in email addresses or in links contained within emails. This helps prevent homoglyph attacks by flagging these emails and redirecting them to a user's spam folder.::","::REFERENCE:CVE-2013-7236:DESCRIPTION:web forum allows impersonation of users with homoglyphs in account names:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7236REFERENCE:CVE-2012-0584:DESCRIPTION:Improper character restriction in URLs in web browser:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0584REFERENCE:CVE-2009-0652:DESCRIPTION:Incomplete blacklist does not include homoglyphs of / and ? 
characters in URLs:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0652REFERENCE:CVE-2017-5015:DESCRIPTION:web browser does not convert hyphens to punycode, allowing IDN spoofing in URLs:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5015REFERENCE:CVE-2005-0233:DESCRIPTION:homoglyph spoofing using punycode in URLs and certificates:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0233REFERENCE:CVE-2005-0234:DESCRIPTION:homoglyph spoofing using punycode in URLs and certificates:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0234REFERENCE:CVE-2005-0235:DESCRIPTION:homoglyph spoofing using punycode in URLs and certificates:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0235","","","","::632::","",
102,"Struts: Duplicate Validation Forms",Variant,Incomplete,"The application uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.","If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations, possibly leading to resultant weaknesses. Moreover, it indicates that the validation logic is not up-to-date, and can indicate that other, more subtle validation errors are present.","::NATURE:ChildOf:CWE ID:694:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:The DTD or schema validation will not catch the duplicate occurrence of the same form name. To find the issue in the implementation, manual checks or automated static analysis could be applied to the xml configuration files.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Struts: Duplicate Validation Forms::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
1021,"Improper Restriction of Rendered UI Layers or Frames",Base,Incomplete,"The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.","A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to.","::NATURE:ChildOf:CWE ID:441:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:451:VIEW ID:699::NATURE:ChildOf:CWE ID:451:VIEW ID:1000::","","","","::TERM:Clickjacking:DESCRIPTION:::TERM:UI Redress Attack:DESCRIPTION:::TERM:Tapjacking:DESCRIPTION:Tapjacking is similar to clickjacking, except it is used for mobile applications in which the user taps the application instead of performing a mouse click.::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Bypass Protection Mechanism Read Application Data Modify Application Data:NOTE:Access Control Gain Privileges or Assume Identity Bypass Protection Mechanism Read Application Data Modify Application Data An attacker can trick a user into performing actions that are masked and hidden from the user's view. The impact varies widely, depending on the functionality of the underlying application. For example, in a social media application, clickjacking could be used to trick the user into changing privacy settings.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:The use of X-Frame-Options allows developers of web content to restrict the usage of their application within the form of overlays, frames, or iFrames. The developer can indicate from which domains can frame the content. 
The concept of X-Frame-Options is well documented, but implementation of this protection mechanism is in development to cover gaps. There is a need for whitelisting and allowing frames from multiple domains.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:A developer can use a frame-breaker script in each page that should not be framed. This is very helpful for legacy browsers that do not support X-Frame-Options security feature previously mentioned. It is also important to note that this tactic has been circumvented or bypassed. Improper usage of frames can persist in the web application through nested frames. The frame-breaking script does not intuitively account for multiple nested frames that can be presented to the user.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:This defense-in-depth technique can be used to prevent the improper usage of frames in web applications. It prioritizes the valid sources of data to be loaded into the application through the usage of declarative policies. Based on which implementation of Content Security Policy is in use, the developer should use the frame-ancestors directive or the frame-src directive to mitigate this weakness. 
Both directives allow for the placement of restrictions when it comes to allowing embedded content.::","::REFERENCE:CVE-2017-7440:DESCRIPTION:E-mail preview feature in a desktop application allows clickjacking attacks via a crafted e-mail message:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7440REFERENCE:CVE-2017-5697:DESCRIPTION:Hardware/firmware product has insufficient clickjacking protection in its web user interface:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5697REFERENCE:CVE-2017-4015:DESCRIPTION:Clickjacking in data-loss prevention product via HTTP response header.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4015REFERENCE:CVE-2016-2496:DESCRIPTION:Tapjacking in permission dialog for mobile OS allows access of private storage using a partially-overlapping window.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2496REFERENCE:CVE-2015-1241:DESCRIPTION:Tapjacking in web browser related to page navigation and touch/gesture events.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1241REFERENCE:CVE-2017-0492:DESCRIPTION:System UI in mobile OS allows a malicious application to create a UI overlay of the entire screen to gain privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0492","","","","::103::506::","",
1022,"Use of Web Link to Untrusted Target with window.opener Access",Variant,Incomplete,"The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.","When a user clicks a link to an external site (target), the target=_blank attribute causes the target site's contents to be opened in a new window or tab, which runs in the same process as the original page. The window.opener object records information about the original page that offered the link. If an attacker can run script on the target page, then they could read or modify certain properties of the window.opener object, including the location property - even if the original and target site are not the same origin. An attacker can modify the location property to automatically redirect the user to a malicious site, e.g. as part of a phishing attack. 
Since this redirect happens in the original window/tab - which is not necessarily visible, since the browser is focusing the display on the new target page - the user might not notice any suspicious redirection.","::NATURE:ChildOf:CWE ID:266:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:266:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:JavaScript:LANGUAGE PREVALENCE:Often::PARADIGN NAME:Web Based:PARADIGN PREVALENCE:Often::","","::TERM:tabnabbing:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Alter Execution Logic:NOTE:Confidentiality Alter Execution Logic The user may be redirected to an untrusted page that contains undesired content or malicious script code.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Specify in the design that any linked external document must not be granted access to the location object of the calling page.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When creating a link to an external document using the <a> tag with a defined target, for example _blank or a named frame, provide the rel attribute with a value noopener noreferrer. If opening the external document in a new window via javascript, then reset the opener by setting it equal to null.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use _blank targets. However, this can affect the usability of your application.::","","","","","","",
1023,"Incomplete Comparison with Missing Factors",Base,Incomplete,"The software performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors. This can lead to resultant weaknesses, e.g. by operating on the wrong object.","","::NATURE:ChildOf:CWE ID:697:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:697:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Access Control:TECHNICAL IMPACT:Alter Execution Logic Bypass Protection Mechanism::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.::","","","","","","",
1024,"Comparison of Incompatible Types",Base,Incomplete,"The software performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.","In languages that are strictly typed but support casting/conversion, such as C or C++, the programmer might assume that casting one entity to the same type as another entity will ensure that the comparison will be performed correctly, but this cannot be guaranteed. In languages that are not strictly typed, such as PHP or JavaScript, there may be implicit casting/conversion to a type that the programmer is unaware of, causing unexpected results; for example, the string 123 might be converted to a number type. See examples.","::NATURE:ChildOf:CWE ID:697:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:697:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:JavaScript:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.::","","","","","","",
1025,"Comparison Using Wrong Factors",Base,Incomplete,"The software performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.","A common example of this weakness occurs when the code inadvertently extracts the reference to an object, instead of its relevant contents.","::NATURE:ChildOf:CWE ID:697:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:697:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.::","","","","","","",
103,"Struts: Incomplete validate() Method Definition",Variant,Draft,"The application has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().","If you do not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form.","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","::The Struts Validator uses a form's validate() method to check the contents of the form properties against the constraints specified in the associated validation form. That means the following classes have a validate() method that is part of the validation framework: ValidatorForm, ValidatorActionForm, DynaValidatorForm, and DynaValidatorActionForm. If you create a class that extends one of these classes, and if your class implements custom validation logic by overriding the validate() method, you must call super.validate() in your validate() implementation.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Other Other Disabling the validation framework for a form exposes the application to numerous types of attacks. 
Unchecked input is the root cause of vulnerabilities like cross-site scripting, process control, and SQL injection.::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Confidentiality Integrity Availability Other Other Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Implement the validate() method and call super.validate() within that method.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Struts: Erroneous validate() Method::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Relationship:NOTE:This could introduce other weaknesses related to missing input validation.::::TYPE:Maintenance:NOTE:The current description implies a loose composite of two separate weaknesses, so this node might need to be split or converted into a low-level category.::",
1037,"Processor Optimization Removal or Modification of Security-critical Code",Base,Incomplete,"The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.","","::NATURE:ChildOf:CWE ID:1038:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:1038:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:This weakness does not depend on other weaknesses and is the result of choices made by the processor in executing the specified application.::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Rarely::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Integrity Bypass Protection Mechanism High A successful exploitation of this weakness will change the order of an application's execution and will likely be used to bypass specific protection mechanisms. This bypass can be exploited further to potentially read data that should otherwise be inaccessible.::","::METHOD:White Box:EFFECTIVENESS:Opportunistic:DESCRIPTION:In theory this weakness can be detected through the use of white box testing techniques where specifically crafted test cases are used in conjunction with debuggers to verify the order of statements being executed.::","","::REFERENCE:CVE-2017-5715:DESCRIPTION:Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. Often known as Spectre.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715REFERENCE:CVE-2017-5753:DESCRIPTION:Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. 
Often known as Spectre.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753REFERENCE:CVE-2017-5754:DESCRIPTION:Intel processor optimizations related to speculative execution cause access control checks to be bypassed when placing data into the cache. Often known as Meltdown.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754","","","","","",
1038,"Insecure Automated Optimizations",Class,Draft,"The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.","","::NATURE:ChildOf:CWE ID:435:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:758:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:This weakness does not depend on other weaknesses and is the result of choices made during optimization.::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Alter Execution Logic:NOTE:Integrity Alter Execution Logic The optimizations alter the order of execution resulting in side effects that were not intended by the original developer.::","","","","","","","","",
1039,"Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",Class,Incomplete,"The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.","When techniques such as machine learning are used to automatically classify input streams, and those classifications are used for security-critical decisions, then any mistake in classification can introduce a vulnerability that allows attackers to cause the product to make the wrong security decision. If the automated mechanism is not developed or trained with enough input data, then attackers may be able to craft malicious input that intentionally triggers the incorrect classification. Targeted technologies include, but are not necessarily limited to: automated speech recognition automated image recognition For example, an attacker might modify road signs or road surface markings to trick autonomous vehicles into misreading the sign/marking and performing a dangerous action.","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:697:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:This weakness does not depend on other weaknesses and is the result of choices made during optimization.::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Integrity Bypass Protection Mechanism When the automated recognition is used in a protection mechanism, an attacker may be able to craft inputs that are misinterpreted in a way that grants excess privileges.::","","","","","","","","TYPE:Relationship:NOTE:Further investigation is needed to determine 
if better relationships exist or if additional organizational entries need to be created. For example, this issue might be better related to recognition of input as an incorrect type, which might place it as a sibling of CWE-704 (incorrect type conversion).::",
104,"Struts: Form Bean Does Not Extend Validation Class",Variant,Draft,"If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.","","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","::In order to use the Struts Validator, a form must extend one of the following: ValidatorForm, ValidatorActionForm, DynaValidatorActionForm, and DynaValidatorForm. You must extend one of these classes because the Struts Validator ties in to your application by implementing the validate() method in these classes. Forms derived from the ActionForm and DynaActionForm classes cannot use the Struts Validator.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Other Other Bypassing the validation framework for a form exposes the application to numerous types of attacks. 
Unchecked input is an important component of vulnerabilities like cross-site scripting, process control, and SQL injection.::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Confidentiality Integrity Availability Other Other Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that all forms extend one of the Validation Classes.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Struts: Form Bean Does Not Extend Validation Class::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
  15. 105,"Struts: Form Field Without Validator",Variant,Draft,"The application has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.","Omitting validation for even a single input field may give attackers the leeway they need to compromise the application. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.","::NATURE:ChildOf:CWE ID:20:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::SCOPE:Integrity:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Integrity Bypass Protection Mechanism If unused fields are not validated, shared business logic in an action may allow attackers to bypass the validation checks that are performed for other uses of the form.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that you validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Struts: Form Field Without Validator::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
  16. 106,"Struts: Plug-in Framework not in Use",Variant,Draft,"When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.","Unchecked input is the leading cause of vulnerabilities in J2EE applications. Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.","::NATURE:ChildOf:CWE ID:20:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE:Architecture and Design:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Use an input validation framework such as Struts.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use an input validation framework such as Struts.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Use the Struts Validator to validate all program input before it is processed by the application. Ensure that there are no holes in your configuration of the Struts Validator. 
Example uses of the validator include checking to ensure that: Phone number fields contain only valid characters in phone numbers Boolean values are only T or F Free-form strings are of a reasonable length and composition::PHASE:Implementation:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use the Struts Validator to validate all program input before it is processed by the application. Ensure that there are no holes in your configuration of the Struts Validator. Example uses of the validator include checking to ensure that: Phone number fields contain only valid characters in phone numbers Boolean values are only T or F Free-form strings are of a reasonable length and composition::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Struts: Plug-in Framework Not In Use::","","",
  17. 107,"Struts: Unused Validation Form",Variant,Draft,"An unused validation form indicates that validation logic is not up-to-date.","It is easy for developers to forget to update validation logic when they remove or rename action form mappings. One indication that validation logic is not being properly maintained is the presence of an unused validation form.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove the unused Validation Form from the validation.xml file.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Struts: Unused Validation Form::","","",
  18. 108,"Struts: Unvalidated Action Form",Variant,Incomplete,"Every Action Form must have a corresponding validation form.","If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator.","::NATURE:ChildOf:CWE ID:20:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Other Other If an action form mapping does not have a validation form defined, it may be vulnerable to a number of attacks that rely on unchecked input. Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation.::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Confidentiality Integrity Availability Other Other Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Map every Action Form to a corresponding validation form. An action or a form may perform validation in other ways, but the Struts Validator provides an excellent way to verify that all input receives at least a basic level of validation. 
Without this approach, it is difficult, and often impossible, to establish with a high level of confidence that all input is validated.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Struts: Unvalidated Action Form::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
  19. 109,"Struts: Validator Turned Off",Variant,Draft,"Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.","","::NATURE:ChildOf:CWE ID:20:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that an action form mapping enables validation. Set the validate field to true.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Struts: Validator Turned Off::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Other:NOTE:The Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean: write tag automatically encodes special HTML characters, replacing a < with &lt; and a > with &gt;. This action can be disabled by specifying filter=false as an attribute of the tag to disable specified JSP pages. However, being disabled makes these pages susceptible to cross-site scripting attacks. An attacker may be able to insert malicious scripts as user input to write to these JSP pages.::",
  20. 11,"ASP.NET Misconfiguration: Creating Debug Binary",Variant,Draft,"Debugging messages help attackers learn about the system and plan a form of attack.","ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production.","::NATURE:ChildOf:CWE ID:215:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:ASP.NET:LANGUAGE PREVALENCE:Undetermined::","::The debug attribute of the <compilation> tag defines whether compiled binaries should include debugging information. The use of debug binaries causes an application to provide as much information about itself as possible to the user.::","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.::","","::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid releasing debug binaries into the production environment. Change the debug mode to false when the application is deployed into production.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:ASP.NET Misconfiguration: Creating Debug Binary::","","",
  21. 110,"Struts: Validator Without Form Field",Variant,Draft,"Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.","It is easy for developers to forget to update validation logic when they make changes to an ActionForm class. One indication that validation logic is not being properly maintained is inconsistencies between the action form and the validation form. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Other Other It is critically important that validation logic be maintained and kept in sync with the rest of the application. Unchecked input is the root cause of some of today's worst and most common software security problems. 
Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.::METHOD:Manual Static Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.::","","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Struts: Validator Without Form Field::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
  22. 111,"Direct Use of Unsafe JNI",Base,Draft,"When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.","Many safety features that programmers may take for granted simply do not apply for native code, so you must carefully review all such code for potential problems. The languages used to implement native code may be more susceptible to buffer overflows and other attacks. Native code is unprotected by the security features enforced by the runtime environment, such as strong typing and array bounds checking.","::NATURE:ChildOf:CWE ID:695:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Implement error handling around the JNI call.::PHASE:Implementation:STRATEGY:Refactoring:EFFECTIVENESS::DESCRIPTION:Do not use JNI calls if you don't trust the native library.::PHASE:Implementation:STRATEGY:Refactoring:EFFECTIVENESS::DESCRIPTION:Be reluctant to use JNI calls. A Java API equivalent may exist.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Unsafe JNI::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SEC08-J:ENTRY NAME:Define wrappers around native methods::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  23. 112,"Missing XML Validation",Base,Draft,"The software accepts XML from an untrusted source but does not validate the XML against the proper schema.","Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input.","::NATURE:ChildOf:CWE ID:20:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE:Architecture and Design:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Always validate XML input against a known XML Schema or DTD. It is not possible for an XML parser to validate all aspects of a document's content because a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Missing XML Validation::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::230::231::484::99::","",
  24. 113,"Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')",Base,Incomplete,"The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.","Including unvalidated data in an HTTP header allows an attacker to specify the entirety of the HTTP response rendered by the browser. When an HTTP request contains unexpected CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n) characters the server may respond with an output stream that is interpreted as two different HTTP responses (instead of one). An attacker can control the second response and mount attacks such as cross-site scripting and cache poisoning attacks. HTTP response splitting weaknesses may be present when: Data enters a web application through an untrusted source, most frequently an HTTP request. The data is included in an HTTP response header sent to a web user without being validated for malicious characters.","::NATURE:ChildOf:CWE ID:93:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:93:VIEW ID:1003:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:79:VIEW ID:1000::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Access Control:TECHNICAL IMPACT:Modify Application Data Gain Privileges or Assume Identity:NOTE:Integrity Access Control Modify Application Data Gain Privileges or Assume Identity CR and LF characters in an HTTP header may give attackers control of the remaining headers and body of the response the application intends to send, as well as allowing them to create additional responses entirely under their control.::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Construct HTTP headers very carefully, avoiding the use of 
non-validated input data.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. 
Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2004-2146:DESCRIPTION:Application accepts CRLF in an object ID, allowing HTTP response splitting.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2146REFERENCE:CVE-2004-1620:DESCRIPTION:HTTP response splitting via CRLF in parameter related to URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1620REFERENCE:CVE-2004-1656:DESCRIPTION:HTTP response splitting via CRLF in parameter related to URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1656REFERENCE:CVE-2005-2060:DESCRIPTION:Bulletin board allows response splitting via CRLF in parameter.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2060REFERENCE:CVE-2005-2065:DESCRIPTION:Bulletin board allows response splitting via CRLF in parameter.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2065REFERENCE:CVE-2004-2512:DESCRIPTION:Response splitting via CRLF in PHPSESSID.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2512REFERENCE:CVE-2005-1951:DESCRIPTION:Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1951REFERENCE:CVE-2004-1687:DESCRIPTION:Chain: HTTP response splitting via CRLF in parameter related to URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1687","","","TAXONOMY 
NAME:PLOVER:ENTRY NAME:HTTP response splitting::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:HTTP Response Splitting::::TAXONOMY NAME:WASC:ENTRY ID:25:ENTRY NAME:HTTP Response Splitting::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::31::34::85::","TYPE:Theoretical:NOTE:HTTP response splitting is probably only multi-factor in an environment that uses intermediaries.::",
  25. 114,"Process Control",Base,Incomplete,"Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.","Process control vulnerabilities take two forms: 1. An attacker can change the command that the program executes: the attacker explicitly controls what the command is. 2. An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means. Process control vulnerabilities of the first type occur when either data enters the application from an untrusted source and the data is used as part of a string representing a command that is executed by the application. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.","::NATURE:ChildOf:CWE ID:20:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Libraries that are loaded should be well understood and come from a trusted source. The application can execute code contained in the native libraries, which often contain calls that are susceptible to other security problems, such as buffer overflows or command injection. All native libraries should be validated to determine if the application requires the use of the library. It is very difficult to determine what these native libraries actually do, and the potential for malicious code is high. 
In addition, the potential for an inadvertent mistake in these native libraries is also high, as many are written in C or C++ and may be susceptible to buffer overflow or race condition problems. To help prevent buffer overflow attacks, validate all input to native calls for content and length. If the native library does not come from a trusted source, review the source code of the library. The library should be built from the reviewed source before using it.::","","","System Process::","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Process Control::","::108::","",
  26. 115,"Misinterpretation of Input",Base,Incomplete,"The software misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.","","::NATURE:ChildOf:CWE ID:436:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:436:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","::REFERENCE:CVE-2005-2225:DESCRIPTION:Product sees dangerous file extension in free text of a group discussion, disconnects all users.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2225REFERENCE:CVE-2001-0003:DESCRIPTION:Product does not correctly import and process security settings from another product.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0003","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Misinterpretation Error::","","TYPE:Research Gap:NOTE:This concept needs further study. It is likely a factor in several weaknesses, possibly resultant as well. Overlaps Multiple Interpretation Errors (MIE).::",
  27. 116,"Improper Encoding or Escaping of Output",Class,Draft,"The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.","Improper encoding or escaping can allow attackers to change the commands that are sent to another component, inserting malicious commands instead. Most software follows a certain protocol that uses structured messages for communication between components, such as queries or commands. These structured messages can contain raw data interspersed with metadata or control information. For example, GET /index.html HTTP/1.1 is a structured message containing a command (GET) with a single argument (/index.html) and metadata about which protocol version is being used (HTTP/1.1). If an application uses attacker-supplied inputs to construct a structured message without properly encoding or escaping, then the attacker could insert special characters that will cause the data to be interpreted as control information or metadata. 
Consequently, the component that receives the output will perform the wrong operations, or otherwise interpret the data incorrectly.","::NATURE:ChildOf:CWE ID:707:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:707:VIEW ID:1003:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:74:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::TECHNOLOGY NAME:Database Server:TECHNOLOGY PREVALENCE:Often::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Often::","","::TERM:Output Sanitization:DESCRIPTION:::TERM:Output Validation:DESCRIPTION:::TERM:Output Encoding:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Access Control Execute Unauthorized Code or Commands The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.::SCOPE:Confidentiality:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Confidentiality Bypass Protection Mechanism The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:This weakness can often be detected using automated static analysis tools. 
Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::","::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.::PHASE:Architecture and Design:STRATEGY:Parameterization:EFFECTIVENESS::DESCRIPTION:If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. 
Study all expected communication protocols and data representations to determine the required encoding strategies.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict whitelist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Fully specify which encodings are required by components that will be communicating with each other.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. 
Explicitly set the encoding you are using whenever the protocol allows you to do so.::","::REFERENCE:CVE-2008-4636:DESCRIPTION:OS command injection in backup software using shell metacharacters in a filename; correct behavior would require that this filename could not be changed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4636REFERENCE:CVE-2008-0769:DESCRIPTION:Web application does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0769REFERENCE:CVE-2008-0005:DESCRIPTION:Program does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005REFERENCE:CVE-2008-5573:DESCRIPTION:SQL injection via password parameter; a strong password might contain &:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5573REFERENCE:CVE-2008-3773:DESCRIPTION:Cross-site scripting in chat application via a message subject, which normally might contain & and other XSS-related characters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3773REFERENCE:CVE-2008-0757:DESCRIPTION:Cross-site scripting in chat application via a message, which normally might be allowed to contain arbitrary content.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0757","","","TAXONOMY NAME:WASC:ENTRY ID:22:ENTRY NAME:Improper Output Handling::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:IDS00-J:ENTRY NAME:Sanitize untrusted data passed across a trust boundary::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:IDS05-J:ENTRY NAME:Use a subset of ASCII for file and path names::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:IDS33-PL:ENTRY NAME:Sanitize untrusted data passed across a trust boundary:MAPPING FIT:Exact::","::104::73::81::85::","TYPE:Relationship:NOTE:This weakness is primary 
to all weaknesses related to injection (CWE-74) since the inherent nature of injection involves the violation of structured messages.::::TYPE:Relationship:NOTE:CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. The name O'Reilly would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the ' apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.::::TYPE:Terminology:NOTE:The usage of the encoding and escaping terms varies widely. For example, in some programming languages, the terms are used interchangeably, while other languages provide APIs that use both terms for different tasks. This overlapping usage extends to the Web, such as the escape JavaScript function whose purpose is stated to be encoding. Of course, the concepts of encoding and escaping predate the Web by decades. 
Given such a context, it is difficult for CWE to adopt a consistent vocabulary that will not be misinterpreted by some constituency.::::TYPE:Theoretical:NOTE:This is a data/directive boundary error in which data boundaries are not sufficiently enforced before the data is sent to a different control sphere.::::TYPE:Research Gap:NOTE:While many published vulnerabilities are related to insufficient output encoding, there is such an emphasis on input validation as a protection mechanism that the underlying causes are rarely described. Within CVE, the focus is primarily on well-understood issues like cross-site scripting and SQL injection. It is likely that this weakness frequently occurs in custom protocols that support multiple encodings, which are not necessarily detectable with automated techniques.::",
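Added example for the CWE-116 notes above (the O'Reilly case: the apostrophe has to be encoded for the output context, not stripped). This is illustrative C written for this page; it is not code from CWE or from the ESAPI reference, and the function names, buffer sizes and sample input are assumptions. It encodes the five characters that are special in HTML text and quoted-attribute contexts, never emits a partial entity when the output buffer is too small, and returns the full length needed so the caller can detect truncation instead of shipping a clipped string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not CWE text): HTML output encoding for CWE-116.
 * html_encode() is a name chosen here; it is not from any library. */

/* Entity for a byte that is special in HTML text or a quoted attribute, else NULL. */
static const char *html_entity(unsigned char c) {
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";   /* numeric form: &apos; is not in HTML 4 */
    default:   return NULL;
    }
}

/*
 * Encode `in` for an HTML text or quoted-attribute context.
 * Writes at most out_sz bytes including the terminator, never splits an
 * entity, and returns the length the full encoding needs (excluding the
 * terminator). A return value >= out_sz means the output was truncated.
 */
size_t html_encode(const char *in, char *out, size_t out_sz) {
    size_t needed = 0, used = 0;
    int truncated = 0;

    for (; *in; in++) {
        char single[2] = { *in, '\0' };
        const char *rep = html_entity((unsigned char)*in);
        if (rep == NULL)
            rep = single;                 /* ordinary byte: copy through */
        size_t len = strlen(rep);
        needed += len;
        if (!truncated && out_sz > 0 && used + len < out_sz) {
            memcpy(out + used, rep, len);
            used += len;
        } else {
            truncated = 1;                /* stop writing, keep counting */
        }
    }
    if (out_sz > 0)
        out[used] = '\0';
    return needed;
}

int main(void) {
    /* Constructed input: a legitimate last name plus markup an attacker
     * could submit through the same free-text field. */
    const char *name = "O'Reilly <script>alert(1)</script>";
    char page[128];
    size_t n = html_encode(name, page, sizeof page);
    if (n >= sizeof page)
        fprintf(stderr, "output truncated: need %zu bytes\n", n + 1);
    /* The apostrophe survives as &#39;, so the name is recorded correctly
     * and cannot close an attribute or start a tag. */
    printf("<td>%s</td>\n", page);
    return 0;
}
```

The encoder is context-specific on purpose: the same name placed into a SQL statement, a shell command or a log line needs a different neutralization routine (or, for SQL, a parameterized query), which is the "understand the context" point in the mitigations above.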
  28. 117,"Improper Output Neutralization for Logs",Base,Draft,"The software does not neutralize or incorrectly neutralizes output that is written to logs.","This can allow an attacker to forge log entries or inject malicious content into logs. Log forging vulnerabilities occur when: Data enters an application from an untrusted source. The data is written to an application or system log file.","::NATURE:ChildOf:CWE ID:116:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:116:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","::Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Non-Repudiation:TECHNICAL IMPACT:Modify Application Data Hide Activities Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Non-Repudiation Modify Application Data Hide Activities Execute Unauthorized Code or Commands Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. Forged or otherwise corrupted log files can be used to cover an attacker's tracks, possibly by skewing statistics, or even to implicate another party in the commission of a malicious act. 
If the log file is processed automatically, the attacker can render the file unusable by corrupting the format of the file or injecting unexpected characters. An attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility.::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. 
When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2006-4624:DESCRIPTION:Chain: inject fake log entries with fake timestamps using CRLF injection:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4624","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Log Forging::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","::81::93::","",
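Added example for the CWE-117 row above, written for this page (it is not CWE's code nor that of the product in CVE-2006-4624). It reproduces the CRLF forgery the row describes on constructed input: a login-failure record whose user name carries an embedded newline and a fabricated second record, and a writer that neutralizes control bytes so a line-oriented log parser still sees exactly one record. The record format, function names and timestamps are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not CWE text): log output neutralization for CWE-117.
 * Function names and the record format are assumptions made here. */

/*
 * Rewrite every byte that could alter a text log's structure: CR, LF and
 * the other C0 controls, DEL, and bytes >= 0x80 (which may not be valid in
 * the log's declared encoding) become \xHH; a literal backslash becomes \\
 * so the escaping itself is unambiguous to whoever reads the log.
 * Returns the encoded length, or -1 if it would not fit in out_sz. A record
 * is refused rather than silently clipped, so a reviewer never sees a
 * half-written entry.
 */
int log_neutralize(const char *in, char *out, size_t out_sz) {
    size_t used = 0;
    if (out_sz == 0)
        return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        char tok[5];
        size_t len;
        if (c == '\\') {
            memcpy(tok, "\\\\", 3);
            len = 2;
        } else if (c < 0x20 || c >= 0x7f) {
            len = (size_t)snprintf(tok, sizeof tok, "\\x%02X", c);
        } else {
            tok[0] = (char)c;
            tok[1] = '\0';
            len = 1;
        }
        if (used + len >= out_sz)
            return -1;
        memcpy(out + used, tok, len);
        used += len;
    }
    out[used] = '\0';
    return (int)used;
}

/* Number of '\n'-terminated records: what a line-based log reader will count. */
size_t log_record_count(const char *log) {
    size_t n = 0;
    for (; *log; log++)
        if (*log == '\n')
            n++;
    return n;
}

/* Appends one record to an in-memory, line-oriented log. Returns 0 on success. */
static int append_record(char *log, size_t log_sz, const char *ts,
                         const char *user, int success) {
    size_t have = strlen(log);
    int n = snprintf(log + have, log_sz - have, "%s login user=%s result=%s\n",
                     ts, user, success ? "ok" : "FAIL");
    if (n < 0 || (size_t)n >= log_sz - have) {
        log[have] = '\0';                 /* undo the partial write */
        return -1;
    }
    return 0;
}

/* The weakness: untrusted user name copied into the record verbatim. */
int log_login_event_unsafe(char *log, size_t log_sz, const char *ts,
                           const char *user, int success) {
    return append_record(log, log_sz, ts, user, success);
}

/* The fix: neutralize the untrusted field before it reaches the record. */
int log_login_event(char *log, size_t log_sz, const char *ts,
                    const char *user, int success) {
    char safe_user[128];
    if (log_neutralize(user, safe_user, sizeof safe_user) < 0)
        return -1;
    return append_record(log, log_sz, ts, safe_user, success);
}

int main(void) {
    /* Constructed attacker input: a user name that embeds a newline and a
     * forged "successful admin login" record with its own timestamp. */
    const char *forged =
        "guest\n2024-01-01T00:00:01Z login user=admin result=ok";
    char naive[256] = "", hardened[256] = "";

    log_login_event_unsafe(naive, sizeof naive, "2024-01-01T00:00:00Z", forged, 0);
    log_login_event(hardened, sizeof hardened, "2024-01-01T00:00:00Z", forged, 0);

    printf("naive log has %zu records:\n%s\n", log_record_count(naive), naive);
    printf("hardened log has %zu record:\n%s", log_record_count(hardened), hardened);
    return 0;
}
```

Escaping to a visible \xHH form rather than deleting the bytes keeps the evidence of the attempt in the log, which matters for the forensics use case the row describes; a SIEM rule can then alert on `\x0A` or `\x0D` appearing inside a user field.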
  29. 118,"Incorrect Access of Indexable Resource ('Range Error')",Class,Incomplete,"The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.","","","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP8:ENTRY NAME:Faulty Buffer Access::","::10::14::24::45::46::47::8::9::","",
  30. 119,"Improper Restriction of Operations within the Bounds of a Memory Buffer",Class,Usable,"The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.","Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are valid for the memory buffer that is being referenced. This can cause read or write operations to be performed on memory locations that may be associated with other variables, data structures, or internal program data. As a result, an attacker may be able to execute arbitrary code, alter the intended control flow, read sensitive information, or cause the system to crash.","::NATURE:ChildOf:CWE ID:118:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:118:VIEW ID:1003:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Often::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Often:::LANGUAGE CLASS:Assembly:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Memory Corruption:DESCRIPTION:The generic term memory corruption is often used to describe the consequences of writing to memory outside the bounds of a buffer, when the root cause is something other than sequential copies of excessive data from a fixed starting location (i.e., classic buffer overflows or CWE-120). 
This may include issues such as incorrect pointer arithmetic, accessing invalid pointers due to incomplete initialization or memory release, etc.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Modify Memory:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Modify Memory If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte, arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag indicating whether the user is an administrator.::SCOPE:Availability:SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory):NOTE:Availability Confidentiality Read Memory DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory:NOTE:Confidentiality Read Memory In the case of an out-of-bounds read, the attacker may have access to sensitive information. 
If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:High:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode Quality Analysis Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer::METHOD:Architecture or Design 
Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Requirements:STRATEGY:Language Selection:EFFECTIVENESS::DESCRIPTION:Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.::PHASE:Build and Compilation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. 
Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider adhering to the following rules when allocating and managing an application's memory: Double check that your buffer is as large as you specify. When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. Check buffer boundaries if accessing the buffer in a loop and make sure you are not in danger of writing past the allocated space. If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64].::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61].::PHASE:Implementation:STRATEGY::EFFECTIVENESS:Moderate:DESCRIPTION:Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. 
Create these if they are not available.::","::REFERENCE:CVE-2009-2550:DESCRIPTION:Classic stack-based buffer overflow in media player using a long entry in a playlist:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2550REFERENCE:CVE-2009-2403:DESCRIPTION:Heap-based buffer overflow in media player using a long entry in a playlist:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2403REFERENCE:CVE-2009-0689:DESCRIPTION:large precision value in a format string triggers overflow:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0689REFERENCE:CVE-2009-0690:DESCRIPTION:negative offset value leads to out-of-bounds read:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0690REFERENCE:CVE-2009-1532:DESCRIPTION:malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1532REFERENCE:CVE-2009-1528:DESCRIPTION:chain: lack of synchronization leads to memory corruption:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1528REFERENCE:CVE-2009-0558:DESCRIPTION:attacker-controlled array index leads to code execution:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0558REFERENCE:CVE-2009-0269:DESCRIPTION:chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0269REFERENCE:CVE-2009-0566:DESCRIPTION:chain: incorrect calculations lead to incorrect pointer dereference and memory corruption:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0566REFERENCE:CVE-2009-1350:DESCRIPTION:product accepts crafted messages that lead to a dereference of an arbitrary pointer:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1350REFERENCE:CVE-2009-0191:DESCRIPTION:chain: malformed input causes dereference of uninitialized 
memory:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0191REFERENCE:CVE-2008-4113:DESCRIPTION:OS kernel trusts userland-supplied length value, allowing reading of sensitive information:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113REFERENCE:CVE-2003-0542:DESCRIPTION:buffer overflow involving a regular expression with a large number of captures:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0542REFERENCE:CVE-2017-1000121:DESCRIPTION:chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000121","","Memory::","TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A5:ENTRY NAME:Buffer Overflows:MAPPING FIT:Exact::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR00-C:ENTRY NAME:Understand how arrays work::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR30-C:ENTRY NAME:Do not form or use out-of-bounds pointers or array subscripts:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR38-C:ENTRY NAME:Guarantee that library functions do not form invalid pointers:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ENV01-C:ENTRY NAME:Do not make assumptions about the size of an environment variable::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP39-C:ENTRY NAME:Do not access a variable through a pointer of an incompatible type:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO37-C:ENTRY NAME:Do not assume character data has been read::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR31-C:ENTRY NAME:Guarantee that storage for strings has sufficient space for character data and the null terminator:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR32-C:ENTRY NAME:Do not pass a non-null-terminated character sequence to a library function that expects a string:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:WASC:ENTRY 
ID:7:ENTRY NAME:Buffer Overflow::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP8:ENTRY NAME:Faulty Buffer Access::","::10::100::14::24::42::44::45::46::47::8::9::","TYPE:Applicable Platform:NOTE:It is possible in any programming languages without memory management support to attempt an operation outside of the bounds of a memory buffer, but the consequences will vary widely depending on the language, platform, and chip architecture.::",
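Added example for the CWE-119 row above and the CWE-120 row that follows, written for this page rather than taken from CWE, SafeStr or Strsafe.h. It demonstrates the two Implementation-phase points from the mitigations in runnable C: strncpy() leaves the destination unterminated when the source is as long as the buffer, and a bounded copy should both terminate and report the length it needed so the caller can reject over-long input instead of silently clipping it. It also includes a size-arithmetic guard for the CWE-190-to-CWE-119 chain listed under CVE-2017-1000121. The 8-byte NAME_MAX, the function names and the sample strings are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not CWE text) for CWE-119 / CWE-120.
 * NAME_MAX and the function names are assumptions made for this page. */

enum { NAME_MAX = 8 };   /* deliberately small destination buffer */

/*
 * The weakness (CWE-120): copy with no check of the input length. Never
 * called below, because invoking it with a source longer than NAME_MAX-1
 * writes past dst, which is undefined behaviour. Kept for contrast.
 */
void copy_name_unchecked(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
}

/*
 * The strncpy() pitfall from the mitigation text: when strlen(src) >= n,
 * strncpy writes n bytes and no terminator. Returns 1 if dst ends up
 * unterminated, i.e. a later strlen()/printf("%s") would read past it
 * (CWE-119, out-of-bounds read). Safe to run: strncpy stays in bounds.
 */
int strncpy_leaves_unterminated(const char *src) {
    char dst[NAME_MAX];
    memset(dst, 'X', sizeof dst);             /* make leftovers visible */
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/*
 * Bounded copy with the snprintf/strlcpy contract: never writes more than
 * dst_sz bytes, always terminates (when dst_sz > 0), and returns strlen(src)
 * so a return value >= dst_sz tells the caller the result was truncated.
 */
size_t copy_bounded(char *dst, size_t dst_sz, const char *src) {
    size_t n = strlen(src);
    if (dst_sz == 0)
        return n;
    size_t take = n < dst_sz - 1 ? n : dst_sz - 1;
    memcpy(dst, src, take);
    dst[take] = '\0';
    return n;
}

/* Validate-then-copy: reject input that does not fit instead of clipping it. */
int set_name(char dst[NAME_MAX], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_MAX)
        return -1;                            /* length check precedes the copy */
    memcpy(dst, src, n + 1);                  /* n+1 includes the terminator */
    return 0;
}

/*
 * Size arithmetic guard for the CWE-190 -> CWE-119 chain: count*elem_size
 * taken from message metadata can wrap, so a small allocation is followed by
 * a large copy. Returns 0 and stores the product only if it did not overflow.
 */
int checked_mul_size(size_t count, size_t elem_size, size_t *out) {
    if (count != 0 && elem_size > SIZE_MAX / count)
        return -1;
    *out = count * elem_size;
    return 0;
}

int main(void) {
    char name[NAME_MAX];
    size_t bytes;

    printf("strncpy of 8 chars into 8 bytes unterminated: %d\n",
           strncpy_leaves_unterminated("ABCDEFGH"));
    printf("copy_bounded needed %zu bytes, stored \"%s\"\n",
           copy_bounded(name, sizeof name, "ABCDEFGHIJ"), name);
    printf("set_name(\"ABCDEFGH\") -> %d (rejected)\n", set_name(name, "ABCDEFGH"));
    printf("checked_mul_size(SIZE_MAX/2+1, 2) -> %d (overflow)\n",
           checked_mul_size(SIZE_MAX / 2 + 1, 2, &bytes));
    return 0;
}
```

Note that the mitigation rated only Moderate above (swap strcpy for strncpy) is exactly what strncpy_leaves_unterminated() shows failing: the size argument stops the write but not the later read. The build-hardening flags in the row (FORTIFY_SOURCE, /GS) catch some of these at run time, but a copy that checks its length first needs no such backstop.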
  31. 12,"ASP.NET Misconfiguration: Missing Custom Error Page",Variant,Draft,"An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.","","::NATURE:ChildOf:CWE ID:756:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:ASP.NET:LANGUAGE PREVALENCE:Undetermined::","::The mode attribute of the <customErrors> tag defines whether custom or default error pages are used.::","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Default error pages give detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.::","","::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Handle exceptions appropriately in source code. ASP .NET applications should be configured to use custom error pages instead of the framework default page.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not attempt to process an error or attempt to mask it.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Verify return values are correct and do not supply sensitive information about the system.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:ASP.NET Misconfiguration: Missing Custom Error Handling::","","",
  32. 120,"Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",Base,Incomplete,"The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.","A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the classic case in which the program copies the buffer without restricting how much is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.","::NATURE:ChildOf:CWE ID:119:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:123:VIEW ID:1000::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined:::LANGUAGE CLASS:Assembly:LANGUAGE PREVALENCE:Undetermined::","","::TERM:buffer overrun:DESCRIPTION:Some prominent vendors and researchers use the term buffer overrun, but most people use buffer overflow.::TERM:Unbounded Transfer:DESCRIPTION:::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. 
This can often be used to subvert any other security service.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU):NOTE:Availability DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:High:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Analysis:EFFECTIVENESS::DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. 
This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / 
Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Requirements:STRATEGY:Language Selection:EFFECTIVENESS::DESCRIPTION:Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.::PHASE:Build and Compilation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider adhering to the following rules when allocating and managing an application's memory: Double check that your buffer is as large as you specify. 
When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. Check buffer boundaries if accessing the buffer in a loop and make sure you are not in danger of writing past the allocated space. If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. 
Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64].::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61].::PHASE:Build and Compilation Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Most mitigating technologies at the compiler or OS level to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is good practice to implement strategies to increase the workload of an attacker, such as leaving the attacker to guess an unknown value that changes every program execution.::PHASE:Implementation:STRATEGY::EFFECTIVENESS:Moderate:DESCRIPTION:Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. 
Create these if they are not available.::PHASE:Architecture and Design:STRATEGY:Enforcement by Conversion:EFFECTIVENESS::DESCRIPTION:When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::PHASE:Architecture and Design Operation:STRATEGY:Sandbox or Jail:EFFECTIVENESS:Limited:DESCRIPTION:Run the code in a jail or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. 
Be careful to avoid CWE-243 and other weaknesses related to jails.::","::REFERENCE:CVE-2000-1094:DESCRIPTION:buffer overflow using command with long argument:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1094REFERENCE:CVE-1999-0046:DESCRIPTION:buffer overflow in local program using long environment variable:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0046REFERENCE:CVE-2002-1337:DESCRIPTION:buffer overflow in comment characters, when product increments a counter for a > but does not decrement for <:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1337REFERENCE:CVE-2003-0595:DESCRIPTION:By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0595REFERENCE:CVE-2001-0191:DESCRIPTION:By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0191","::Memory Management","Memory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Unbounded Transfer ('classic overflow')::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Buffer Overflow::::TAXONOMY NAME:CLASP:ENTRY NAME:Buffer overflow::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A1:ENTRY NAME:Unvalidated Input:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A5:ENTRY NAME:Buffer Overflows:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR31-C:ENTRY NAME:Guarantee that storage for strings has sufficient space for character data and the null terminator:MAPPING FIT:Exact::::TAXONOMY NAME:WASC:ENTRY ID:7:ENTRY NAME:Buffer Overflow::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP8:ENTRY NAME:Faulty Buffer Access::","::10::100::14::24::42::44::45::46::47::67::8::9::92::","TYPE:Relationship:NOTE:At the code level, stack-based and heap-based overflows do not differ significantly, 
so there usually is not a need to distinguish them. From the attacker perspective, they can be quite different, since different techniques are required to exploit them.::::TYPE:Terminology:NOTE:Many issues that are now called buffer overflows are substantively different than the classic overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported.::",
  33. 121,"Stack-based Buffer Overflow",Variant,Draft,"A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).","","::NATURE:ChildOf:CWE ID:788:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:788:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:787:VIEW ID:1000::NATURE:ChildOf:CWE ID:787:VIEW ID:699::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","::There are generally several security-critical data on an execution stack that can lead to arbitrary code execution. The most prominent is the stored return address, the memory address at which execution should continue once the current function is finished executing. The attacker can overwrite this value with some memory address to which the attacker also has write access, into which they place arbitrary code to be run with the full privileges of the vulnerable program. Alternately, the attacker can supply the address of an important call, for instance the POSIX system() call, leaving arguments to the call on the stack. This is often called a return into libc exploit, since the attacker generally forces the program to jump at return time into an interesting routine in the C standard library (libc). Other important data commonly on the stack include the stack pointer and frame pointer, two values that indicate offsets for computing memory addresses. Modifying those values can often be leveraged into a write-what-where condition.::","::TERM:Stack Overflow:DESCRIPTION:Stack Overflow is often used to mean the same thing as stack-based buffer overflow, however it is also used on occasion to mean stack exhaustion, usually a result from an excessively recursive function call. 
Due to the ambiguity of the term, use of stack overflow to describe either circumstance is discouraged.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory):NOTE:Availability DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Bypass Protection Mechanism:NOTE:Integrity Confidentiality Availability Access Control Execute Unauthorized Code or Commands Bypass Protection Mechanism Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Bypass Protection Mechanism Other:NOTE:Integrity Confidentiality Availability Access Control Other Execute Unauthorized Code or Commands Bypass Protection Mechanism Other When the consequence is arbitrary code execution, this can often be used to subvert any other security service.::","","::PHASE:Build and Compilation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. 
Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use an abstraction library to abstract away risky APIs. Not a complete solution.::PHASE:Build and Compilation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Implement and perform bounds checking on input.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors.::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use OS-level preventative functionality, such as ASLR. This is not a complete solution.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Stack overflow::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP8:ENTRY NAME:Faulty Buffer Access::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR38-C:ENTRY NAME:Guarantee that library functions do not form invalid pointers:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR31-C:ENTRY NAME:Guarantee that storage for strings has sufficient space for character data and the null terminator:MAPPING FIT:CWE More Specific::","","TYPE:Other:NOTE:Stack-based buffer overflows can instantiate in return address overwrites, stack pointer overwrites or frame pointer overwrites. They can also be considered function pointer overwrites, array indexer overwrites or write-what-where condition, etc.::",
  34. 122,"Heap-based Buffer Overflow",Variant,Draft,"A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().","","::NATURE:ChildOf:CWE ID:788:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:788:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:787:VIEW ID:1000::NATURE:ChildOf:CWE ID:787:VIEW ID:699::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory):NOTE:Availability DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Bypass Protection Mechanism Modify Memory:NOTE:Integrity Confidentiality Availability Access Control Execute Unauthorized Code or Commands Bypass Protection Mechanism Modify Memory Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. 
Even in C programs, there is often a global offset table used by the underlying runtime.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Bypass Protection Mechanism Other:NOTE:Integrity Confidentiality Availability Access Control Other Execute Unauthorized Code or Commands Bypass Protection Mechanism Other When the consequence is arbitrary code execution, this can often be used to subvert any other security service.::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Pre-design: Use a language or compiler that performs automatic bounds checking.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use an abstraction library to abstract away risky APIs. Not a complete solution.::PHASE:Build and Compilation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Pre-design through Build: Canary style bounds checking, library changes which ensure the validity of chunk data, and other such fixes are possible, but should not be relied upon.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Implement and perform bounds checking on input.::PHASE:Implementation:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use OS-level preventative functionality. 
This is not a complete solution, but it provides some defense in depth.::","::REFERENCE:CVE-2007-4268:DESCRIPTION:Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4268REFERENCE:CVE-2009-2523:DESCRIPTION:Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2523","","Memory::","TAXONOMY NAME:CLASP:ENTRY NAME:Heap overflow::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP8:ENTRY NAME:Faulty Buffer Access::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR31-C:ENTRY NAME:Guarantee that storage for strings has sufficient space for character data and the null terminator:MAPPING FIT:CWE More Specific::","::92::","TYPE:Relationship:NOTE:Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows.::",
  35. 123,"Write-what-where Condition",Base,Draft,"Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.","","::NATURE:ChildOf:CWE ID:119:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:1003:ORDINAL:Primary::NATURE:PeerOf:CWE ID:134:VIEW ID:1000::","::ORDINALITY:Resultant:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Modify Memory Execute Unauthorized Code or Commands Gain Privileges or Assume Identity DoS: Crash, Exit, or Restart Bypass Protection Mechanism:NOTE:Integrity Confidentiality Availability Access Control Modify Memory Execute Unauthorized Code or Commands Gain Privileges or Assume Identity DoS: Crash, Exit, or Restart Bypass Protection Mechanism Clearly, write-what-where conditions can be used to write data to areas of memory outside the scope of a policy. Also, they almost invariably can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. 
Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag indicating whether the user is an administrator.::SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Modify Memory:NOTE:Integrity Availability DoS: Crash, Exit, or Restart Modify Memory Many memory accesses can lead to program termination, such as when writing to addresses that are invalid for the current process.::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Other:NOTE:Access Control Other Bypass Protection Mechanism Other When the consequence is arbitrary code execution, this can often be used to subvert any other security service.::","","::PHASE:Architecture and Design:STRATEGY:Language Selection:EFFECTIVENESS::DESCRIPTION:Use a language that provides appropriate memory abstractions.::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use OS-level preventative functionality integrated after the fact. Not a complete solution.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Write-what-where condition::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP8:ENTRY NAME:Faulty Buffer Access::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR30-C:ENTRY NAME:Do not form or use out-of-bounds pointers or array subscripts:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR38-C:ENTRY NAME:Guarantee that library functions do not form invalid pointers:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR31-C:ENTRY NAME:Guarantee that storage for strings has sufficient space for character data and the null terminator:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR32-C:ENTRY NAME:Do not pass a non-null-terminated character sequence to a library function that expects a string:MAPPING FIT:Imprecise::","","",
  36. 124,"Buffer Underwrite ('Buffer Underflow')",Base,Incomplete,"The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.","This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used.","::NATURE:ChildOf:CWE ID:786:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:786:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:787:VIEW ID:1000::NATURE:ChildOf:CWE ID:787:VIEW ID:699::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","::TERM:buffer underrun:DESCRIPTION:Some prominent vendors and researchers use the term buffer underrun. Buffer underflow is more commonly used, although both terms are also sometimes used to describe a buffer under-read (CWE-127).::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Modify Memory DoS: Crash, Exit, or Restart:NOTE:Integrity Availability Modify Memory DoS: Crash, Exit, or Restart Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Modify Memory Bypass Protection Mechanism Other:NOTE:Integrity Confidentiality Availability Access Control Other Execute Unauthorized Code or Commands Modify Memory Bypass Protection Mechanism Other If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. 
If the corrupted memory is data rather than instructions, the system will continue to function with improper changes, possibly in violation of an implicit or explicit policy. The consequences would only be limited by how the affected data is used, such as an adjacent memory location that is used to specify whether the user has special privileges.::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Other:NOTE:Access Control Other Bypass Protection Mechanism Other When the consequence is arbitrary code execution, this can often be used to subvert any other security service.::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Requirements specification: The choice could be made to use a language that is not susceptible to these issues.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Sanity checks should be performed on all calculated values used as index or for pointer arithmetic.::","::REFERENCE:CVE-2002-2227:DESCRIPTION:Unchecked length of SSLv2 challenge value leads to buffer underflow.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2227REFERENCE:CVE-2007-4580:DESCRIPTION:Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130):LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4580REFERENCE:CVE-2007-1584:DESCRIPTION:Buffer underflow from an all-whitespace string, which causes a counter to be decremented before the buffer while looking for a non-whitespace character.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1584REFERENCE:CVE-2007-0886:DESCRIPTION:Buffer underflow resultant from encoded data that triggers an integer overflow.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0886REFERENCE:CVE-2006-6171:DESCRIPTION:Product sets an incorrect buffer size limit, leading to off-by-two buffer underflow.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6171REFERENCE:CVE-2006-4024:DESCRIPTION:Negative value is used in a memcpy() 
operation, leading to buffer underflow.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4024REFERENCE:CVE-2004-2620:DESCRIPTION:Buffer underflow due to mishandled special characters:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2620","","","TAXONOMY NAME:PLOVER:ENTRY NAME:UNDER - Boundary beginning violation ('buffer underflow'?)::::TAXONOMY NAME:CLASP:ENTRY NAME:Buffer underwrite::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP8:ENTRY NAME:Faulty Buffer Access::","","TYPE:Relationship:NOTE:This could be resultant from several errors, including a bad offset or an array index that decrements before the beginning of the buffer (see CWE-129).::::TYPE:Research Gap:NOTE:Much attention has been paid to buffer overflows, but underflows sometimes exist in products that are relatively free of overflows, so it is likely that this variant has been under-studied.::",
  37. 125,"Out-of-bounds Read",Base,Draft,"The software reads data past the end, or before the beginning, of the intended buffer.","Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causinfg excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.","::NATURE:ChildOf:CWE ID:119:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:1003:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory::","","","::REFERENCE:CVE-2009-2523:DESCRIPTION:Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2523REFERENCE:CVE-2004-0112:DESCRIPTION:out-of-bounds read due to improper length check:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0112REFERENCE:CVE-2004-0183:DESCRIPTION:packet with large number of specified elements cause out-of-bounds read.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0183REFERENCE:CVE-2004-0221:DESCRIPTION:packet with large number of specified elements cause out-of-bounds 
read.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0221REFERENCE:CVE-2004-0184:DESCRIPTION:out-of-bounds read, resultant from integer underflow:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0184REFERENCE:CVE-2004-1940:DESCRIPTION:large length value causes out-of-bounds read:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1940REFERENCE:CVE-2004-0421:DESCRIPTION:malformed image causes out-of-bounds read:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0421","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Out-of-bounds Read::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP8:ENTRY NAME:Faulty Buffer Access::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR30-C:ENTRY NAME:Do not form or use out-of-bounds pointers or array subscripts:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR38-C:ENTRY NAME:Guarantee that library functions do not form invalid pointers:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP39-C:ENTRY NAME:Do not access a variable through a pointer of an incompatible type:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR31-C:ENTRY NAME:Guarantee that storage for strings has sufficient space for character data and the null terminator:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR32-C:ENTRY NAME:Do not pass a non-null-terminated character sequence to a library function that expects a string:MAPPING FIT:CWE More Abstract::","::540::","TYPE:Research Gap:NOTE:Under-studied and under-reported. Most issues are probably labeled as buffer overflows.::",
  38. 126,"Buffer Over-read",Variant,Draft,"The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.","This typically occurs when the pointer or its index is incremented to a position beyond the bounds of the buffer or when pointer arithmetic results in a position outside of the valid memory location to name a few. This may result in exposure of sensitive information or possibly a crash.","::NATURE:ChildOf:CWE ID:125:VIEW ID:1000::NATURE:ChildOf:CWE ID:125:VIEW ID:699::NATURE:ChildOf:CWE ID:788:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:788:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory::","","","::REFERENCE:CVE-2014-0160:DESCRIPTION:Chain: Heartbleed bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160REFERENCE:CVE-2009-2523:DESCRIPTION:Chain: product does not handle when an input string is not NULL terminated, leading to buffer over-read or heap-based buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2523","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Buffer over-read::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP8:ENTRY NAME:Faulty Buffer Access::","","TYPE:Relationship:NOTE:These problems may be resultant from missing sentinel values (CWE-463) or trusting a user-influenced input length variable.::",
  39. 127,"Buffer Under-read",Variant,Draft,"The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.","This typically occurs when the pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. This may result in exposure of sensitive information or possibly a crash.","::NATURE:ChildOf:CWE ID:125:VIEW ID:1000::NATURE:ChildOf:CWE ID:125:VIEW ID:699::NATURE:ChildOf:CWE ID:786:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:786:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Buffer under-read::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP8:ENTRY NAME:Faulty Buffer Access::","","TYPE:Research Gap:NOTE:Under-studied.::",
128,"Wrap-around Error",Base,Incomplete,"Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore wraps around to a very small, negative, or undefined value.","","::NATURE:ChildOf:CWE ID:682:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:682:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:119:VIEW ID:1000::NATURE:PeerOf:CWE ID:190:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Often::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Often::","::Due to how addition is performed by computers, if a primitive is incremented past the maximum value possible for its storage space, the system will not recognize this, and therefore increment each bit as if it still had extra space. Because of how negative numbers are represented in binary, primitives interpreted as signed may wrap to very large negative values.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Instability:NOTE:Availability DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Instability This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory:NOTE:Integrity Modify Memory If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.::SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Bypass Protection Mechanism:NOTE:Confidentiality Availability Access Control Execute Unauthorized Code or Commands Bypass Protection Mechanism This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Requirements specification: The choice could be made to use a language that is not susceptible to these issues.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Provide clear upper and lower bounds on the scale of any protocols designed.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Place sanity checks on all incremented variables to ensure that they remain within reasonable bounds.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Wrap-around error::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM07-C:ENTRY NAME:Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","::92::","TYPE:Relationship:NOTE:The relationship between overflow and wrap-around needs to be examined more closely, since several entries (including CWE-190) are closely related.::",
129,"Improper Validation of Array Index",Base,Draft,"The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.","","::NATURE:ChildOf:CWE ID:20:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:1003:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:119:VIEW ID:1000::NATURE:CanPrecede:CWE ID:823:VIEW ID:1000::NATURE:CanPrecede:CWE ID:789:VIEW ID:1000::","::ORDINALITY:Resultant:DESCRIPTION:The most common condition situation leading to an out-of-bounds array index is the use of loop index variables as buffer indexes. If the end condition for the loop is subject to a flaw, the index can grow or shrink unbounded, therefore causing a buffer overflow or underflow. Another common situation leading to this condition is the use of a function's return value, or the resulting value of a calculation directly as an index in to a buffer.::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Often::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Often:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:out-of-bounds array index:DESCRIPTION:::TERM:index-out-of-range:DESCRIPTION:::TERM:array index underflow:DESCRIPTION:::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Integrity Availability DoS: Crash, Exit, or Restart Use of an index that is outside the bounds of an array will very likely result in the corruption of relevant memory and perhaps instructions, leading to a crash, if the values are outside of the valid memory area.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory:NOTE:Integrity Modify Memory If the memory corrupted is data, rather than instructions, the system will continue to function with improper values.::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory Read Memory:NOTE:Confidentiality Integrity Modify Memory Read Memory Use of an index that is outside the bounds of an array can also trigger out-of-bounds read or write operations, or operations on the wrong objects; i.e., buffer overflows are not always the result. This may result in the exposure or modification of sensitive data.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow and possibly without the use of large inputs if a precise index can be controlled.::SCOPE:Integrity:SCOPE:Availability:SCOPE:Confidentiality:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands Read Memory Modify Memory:NOTE:Integrity Availability Confidentiality DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands Read Memory Modify Memory A single fault could allow either an overflow (CWE-788) or underflow (CWE-786) of the array index. What happens next will depend on the type of operation being performed out of bounds, but can expose sensitive information, cause a system crash, or possibly lead to arbitrary code execution.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:High:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report array index errors that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful.::","::PHASE:Architecture and Design:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Use an input validation framework such as Struts or the OWASP ESAPI Validation API. If you use Struts, be mindful of weaknesses covered by the CWE-101 category.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use an input validation framework such as Struts or the OWASP ESAPI Validation API. If you use Struts, be mindful of weaknesses covered by the CWE-101 category.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings.::PHASE:Requirements:STRATEGY:Language Selection:EFFECTIVENESS::DESCRIPTION:Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, Ada allows the programmer to constrain the values of a variable and languages such as Java and Ruby will allow the programmer to handle exceptions when an out-of-bounds index is accessed.::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64].::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61].::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When accessing a user-controlled array index, use a stringent range of values that are within the target array. Make sure that you do not allow negative values to be used. That is, verify the minimum as well as the maximum of the range of acceptable values.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::PHASE:Architecture and Design Operation:STRATEGY:Sandbox or Jail:EFFECTIVENESS:Limited:DESCRIPTION:Run the code in a jail or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.::","::REFERENCE:CVE-2005-0369:DESCRIPTION:large ID in packet used as array index:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0369REFERENCE:CVE-2001-1009:DESCRIPTION:negative array index as argument to POP LIST command:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1009REFERENCE:CVE-2003-0721:DESCRIPTION:Integer signedness error leads to negative array index:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0721REFERENCE:CVE-2004-1189:DESCRIPTION:product does not properly track a count and a maximum number, which can lead to resultant array index overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1189REFERENCE:CVE-2007-5756:DESCRIPTION:Chain: device driver for packet-capturing software allows access to an unintended IOCTL with resultant array index error.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5756REFERENCE:CVE-2005-2456:DESCRIPTION:Chain: array index error (CWE-129) leads to deadlock (CWE-833):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2456","","Memory::","TAXONOMY NAME:CLASP:ENTRY NAME:Unchecked array indexing::::TAXONOMY NAME:PLOVER:ENTRY NAME:INDEX - Array index overflow::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR00-C:ENTRY NAME:Understand how arrays work::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR30-C:ENTRY NAME:Do not form or use out-of-bounds pointers or array subscripts:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR38-C:ENTRY NAME:Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT32-C:ENTRY NAME:Ensure that operations on signed integers do not result in overflow::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:IDS32-PL:ENTRY NAME:Validate any integer that is used as an array index:MAPPING FIT:Imprecise::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP8:ENTRY NAME:Faulty Buffer Access::","::100::","TYPE:Relationship:NOTE:This weakness can precede uncontrolled memory allocation (CWE-789) in languages that automatically expand an array when an index is used that is larger than the size of the array, such as JavaScript.::::TYPE:Theoretical:NOTE:An improperly validated array index might lead directly to the always-incorrect behavior of access of array using out-of-bounds index.::",
13,"ASP.NET Misconfiguration: Password in Configuration File",Variant,Draft,"Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.","","::NATURE:ChildOf:CWE ID:260:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Credentials stored in configuration files should be encrypted, Use standard APIs and industry accepted algorithms to encrypt the credentials stored in configuration files.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:ASP.NET Misconfiguration: Password in Configuration File::","","",
130,"Improper Handling of Length Parameter Inconsistency ",Base,Incomplete,"The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.","If an attacker can manipulate the length parameter associated with an input such that it is inconsistent with the actual length of the input, this can be leveraged to cause the target application to behave in unexpected, and possibly, malicious ways. One of the possible motives for doing so is to pass in arbitrarily large input to the application. Another possible motivation is the modification of application state by including invalid data for subsequent properties of the application. Such weaknesses commonly lead to attacks such as buffer overflows and execution of arbitrary code.","::NATURE:ChildOf:CWE ID:240:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:805:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Sometimes::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Sometimes:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:length manipulation:DESCRIPTION:::TERM:length tampering:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When processing structured incoming data containing a size field followed by raw data, ensure that you identify and resolve any inconsistencies between the size field and the actual size of the data.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not let the user control the size of the buffer.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Validate that the length of the user-supplied data is consistent with the buffer size.::","::REFERENCE:CVE-2014-0160:DESCRIPTION:Chain: Heartbleed bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160REFERENCE:CVE-2009-2299:DESCRIPTION:Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2299REFERENCE:CVE-2001-0825:DESCRIPTION:Buffer overflow in internal string handling routine allows remote attackers to execute arbitrary commands via a length argument of zero or less, which disables the length check.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0825REFERENCE:CVE-2001-1186:DESCRIPTION:Web server allows remote attackers to cause a denial of service via an HTTP request with a content-length value that is larger than the size of the request, which prevents server from timing out the connection.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1186REFERENCE:CVE-2001-0191:DESCRIPTION:Service does not properly check the specified length of a cookie, which allows remote attackers to execute arbitrary commands via a buffer overflow, or brute force authentication by using a short cookie length.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0191REFERENCE:CVE-2003-0429:DESCRIPTION:Traffic analyzer allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0429REFERENCE:CVE-2000-0655:DESCRIPTION:Chat client allows remote attackers to cause a denial of service or execute arbitrary commands via a JPEG image containing a comment with an illegal field length of 1.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0655REFERENCE:CVE-2004-0492:DESCRIPTION:Server allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative Content-Length HTTP header field causing a heap-based buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0492REFERENCE:CVE-2004-0201:DESCRIPTION:Help program allows remote attackers to execute arbitrary commands via a heap-based buffer overflow caused by a .CHM file with a large length field:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0201REFERENCE:CVE-2003-0825:DESCRIPTION:Name services does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Can overlap zero-length issues:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0825REFERENCE:CVE-2004-0095:DESCRIPTION:Policy manager allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0095REFERENCE:CVE-2004-0826:DESCRIPTION:Heap-based buffer overflow in library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0826REFERENCE:CVE-2004-0808:DESCRIPTION:When domain logons are enabled, server allows remote attackers to cause a denial of service via a SAM_UAS_CHANGE request with a length value that is larger than the number of structures that are provided.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0808REFERENCE:CVE-2002-1357:DESCRIPTION:Multiple SSH2 servers and clients do not properly handle packets or data elements with incorrect length specifiers, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1357REFERENCE:CVE-2004-0774:DESCRIPTION:Server allows remote attackers to cause a denial of service (CPU and memory exhaustion) via a POST request with a Content-Length header set to -1.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0774REFERENCE:CVE-2004-0989:DESCRIPTION:Multiple buffer overflows in xml library that may allow remote attackers to execute arbitrary code via long URLs.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0989REFERENCE:CVE-2004-0568:DESCRIPTION:Application does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0568REFERENCE:CVE-2003-0327:DESCRIPTION:Server allows remote attackers to cause a denial of service via a remote password array with an invalid length, which triggers a heap-based buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0327REFERENCE:CVE-2003-0345:DESCRIPTION:Product allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0345REFERENCE:CVE-2004-0430:DESCRIPTION:Server allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0430REFERENCE:CVE-2005-0064:DESCRIPTION:PDF viewer allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0064REFERENCE:CVE-2004-0413:DESCRIPTION:SVN client trusts the length field of SVN protocol URL strings, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via an integer overflow that leads to a heap-based buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0413REFERENCE:CVE-2004-0940:DESCRIPTION:Is effectively an accidental double increment of a counter that prevents a length check conditional from exiting a loop.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0940REFERENCE:CVE-2002-1235:DESCRIPTION:Length field of a request not verified.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1235REFERENCE:CVE-2005-3184:DESCRIPTION:Buffer overflow by modifying a length value.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3184REFERENCE:SECUNIA:18747:DESCRIPTION:Length field inconsistency crashes cell phone.:LINK:http://secunia.com/advisories/18747/","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Length Parameter Inconsistency::","::47::","TYPE:Relationship:NOTE:This probably overlaps other categories including zero-length issues.::",
131,"Incorrect Calculation of Buffer Size",Base,Draft,"The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.","","::NATURE:ChildOf:CWE ID:682:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:682:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:119:VIEW ID:1000::NATURE:CanPrecede:CWE ID:119:VIEW ID:699::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Availability:SCOPE:Confidentiality:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands Read Memory Modify Memory:NOTE:Integrity Availability Confidentiality DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands Read Memory Modify Memory If the incorrect calculation is used in the context of memory allocation, then the software may create a buffer that is smaller or larger than expected. If the allocated buffer is smaller than expected, this could lead to an out-of-bounds read or write (CWE-119), possibly causing a crash, allowing arbitrary code execution, or exposing sensitive data.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:High:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting potential errors in buffer calculations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Analysis:EFFECTIVENESS::DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Manual Analysis:EFFECTIVENESS:High:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts & characters to &amp; for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, not-a-number calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7] Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130).::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When allocating memory that uses sentinels to mark the end of a data structure - such as NUL bytes in strings - make sure you also include the sentinel in your calculation of the total amount of memory that must be allocated.::PHASE:Implementation:STRATEGY::EFFECTIVENESS:Moderate:DESCRIPTION:Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use sizeof() on the appropriate data type to avoid CWE-467.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. This will simplify sanity checks and will reduce surprises related to unexpected casting.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Use libraries or frameworks that make it easier to handle numbers without unexpected consequences, or buffer allocation routines that automatically track buffer size. Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]::PHASE:Build and Compilation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64].::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-61] [REF-60].::PHASE:Implementation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS::DESCRIPTION:Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. 
That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::PHASE:Architecture and Design Operation:STRATEGY:Sandbox or Jail:EFFECTIVENESS:Limited:DESCRIPTION:Run the code in a jail or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. 
Be careful to avoid CWE-243 and other weaknesses related to jails.::","::REFERENCE:CVE-2004-1363:DESCRIPTION:substitution overflow: buffer overflow using environment variables that are expanded after the length check is performed:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1363REFERENCE:CVE-2004-0747:DESCRIPTION:substitution overflow: buffer overflow using expansion of environment variables:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0747REFERENCE:CVE-2005-2103:DESCRIPTION:substitution overflow: buffer overflow using a large number of substitution strings:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2103REFERENCE:CVE-2005-3120:DESCRIPTION:transformation overflow: product adds extra escape characters to incoming data, but does not account for them in the buffer length:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120REFERENCE:CVE-2003-0899:DESCRIPTION:transformation overflow: buffer overflow when expanding > to &gt;, etc.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0899REFERENCE:CVE-2001-0334:DESCRIPTION:expansion overflow: buffer overflow using wildcards:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0334REFERENCE:CVE-2001-0248:DESCRIPTION:expansion overflow: long pathname + glob = overflow:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0248REFERENCE:CVE-2001-0249:DESCRIPTION:expansion overflow: long pathname + glob = overflow:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0249REFERENCE:CVE-2002-0184:DESCRIPTION:special characters in argument are not properly expanded:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0184REFERENCE:CVE-2004-0434:DESCRIPTION:small length value leads to heap overflow:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0434REFERENCE:CVE-2002-1347:DESCRIPTION:multiple variants:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1347REFERENCE:CVE-2005-0490:DESCRIPTION:needs closer 
investigation, but probably expansion-based:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0490REFERENCE:CVE-2004-0940:DESCRIPTION:needs closer investigation, but probably expansion-based:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0940REFERENCE:CVE-2008-0599:DESCRIPTION:Chain: Language interpreter calculates wrong buffer size (CWE-131) by using size = ptr ? X : Y instead of size = (ptr ? X : Y) expression.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Other length calculation error::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT30-C:ENTRY NAME:Ensure that unsigned integer operations do not wrap:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM35-C:ENTRY NAME:Allocate sufficient memory for an object:MAPPING FIT:CWE More Abstract::","::100::47::","TYPE:Maintenance:NOTE:This is a broad category. Some examples include: simple math errors, incorrectly updating parallel counters, not accounting for size differences when transforming one input to another format (e.g. URL canonicalization or other transformation that can generate a result that's larger than the original input, i.e. expansion). This level of detail is rarely available in public reports, so it is difficult to find good examples.::::TYPE:Maintenance:NOTE:This weakness may be a composite or a chain. It also may contain layering or perspective differences. This issue may be associated with many different types of incorrect calculations (CWE-682), although the integer overflow (CWE-190) is probably the most prevalent. This can be primary to resource consumption problems (CWE-400), including uncontrolled memory allocation (CWE-789). However, its relationship with out-of-bounds buffer access (CWE-119) must also be considered.::",
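The CWE-131 mitigations above (size the output buffer for the largest possible encoding, include the sentinel in the allocation, reconcile a size field with the data actually present) as an added worked example in C. This is not code from the CWE entry; the HTML-escaping routine, the one-byte length-prefixed record format and the sample inputs are constructed here for illustration. Note that the "5 times" figure quoted above is for '&' alone; once the routine also emits "&quot;" the worst case is six bytes per input byte, so the factor must be derived from the longest substitution the code can produce, and the multiplication itself must be checked for wrap-around (CWE-190).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Longest replacement html_escape() emits: "&quot;" is 6 bytes, so in the
 * worst case every input byte expands sixfold. */
#define HTML_ESCAPE_MAX_EXPANSION 6

/* Buffer size needed to escape inlen bytes, including the NUL sentinel.
 * Returns 0 if the multiplication would wrap (CWE-190), so a huge length
 * cannot turn into a small allocation. */
size_t html_escape_bufsize(size_t inlen)
{
    if (inlen > (SIZE_MAX - 1) / HTML_ESCAPE_MAX_EXPANSION) return 0;
    return inlen * HTML_ESCAPE_MAX_EXPANSION + 1;
}

/* Escape in[0..inlen) into out. Every write is bounds-checked against outsz
 * instead of trusting the caller's arithmetic. Returns bytes written
 * (excluding the NUL) or -1 if out is too small. */
long html_escape(const char *in, size_t inlen, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        const char *rep = NULL;
        switch (in[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (outsz - o <= need) return -1;   /* also keeps one byte for the NUL */
        if (rep) memcpy(out + o, rep, need); else out[o] = in[i];
        o += need;
    }
    out[o] = '\0';
    return (long)o;
}

/* Allocating wrapper. The pattern it replaces is malloc(strlen(in) + 1)
 * followed by an escaping loop that writes past the end, the shape of the
 * "transformation overflow" CVEs listed above. Caller frees the result. */
char *html_escape_alloc(const char *in)
{
    size_t inlen = strlen(in);
    size_t need = html_escape_bufsize(inlen);
    if (need == 0) return NULL;
    char *out = malloc(need);
    if (out == NULL) return NULL;
    if (html_escape(in, inlen, out, need) < 0) { free(out); return NULL; }
    return out;
}

/* Constructed record format: one length byte, then that many payload bytes.
 * Reconcile the claimed length with the bytes actually received (CWE-130)
 * before copying, and keep room for the NUL sentinel. Returns the payload
 * length or -1. */
long read_record(const unsigned char *buf, size_t buflen, char *out, size_t outsz)
{
    if (buflen < 1) return -1;
    size_t claimed = buf[0];
    if (claimed > buflen - 1) return -1;    /* header claims more than present */
    if (claimed >= outsz) return -1;        /* payload plus NUL must fit */
    memcpy(out, buf + 1, claimed);
    out[claimed] = '\0';
    return (long)claimed;
}

/* Demo/test helpers. */
int escape_matches(const char *in, const char *expected)
{
    char *got = html_escape_alloc(in);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int escape_fits(const char *in, size_t outsz)
{
    char buf[64];
    if (outsz > sizeof buf) return -1;
    return html_escape(in, strlen(in), buf, outsz) >= 0;
}

long record_len(const unsigned char *rec, size_t reclen)
{
    char payload[16];
    return read_record(rec, reclen, payload, sizeof payload);
}
```

The checks inside html_escape() are deliberately independent of html_escape_bufsize(): the allocation formula is the first line of defense, the per-write bound is the second, so a later change to the replacement table (say, adding a longer entity) fails loudly instead of overflowing.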
  45. 134,"Use of Externally-Controlled Format String",Base,Draft,"The software uses a function that accepts a format string as an argument, but the format string originates from an external source.","When an attacker can modify an externally-controlled format string, this can lead to buffer overflows, denial of service, or data representation problems. It should be noted that in some circumstances, such as internationalization, the set of format strings is externally controlled by design. If the source of these format strings is trusted (e.g. only contained in library files that are only modifiable by the system administrator), then the external control might not itself pose a vulnerability.","::NATURE:ChildOf:CWE ID:74:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:1003:ORDINAL:Primary::NATURE:PeerOf:CWE ID:123:VIEW ID:1000::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Often::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Often::LANGUAGE NAME:Perl:LANGUAGE PREVALENCE:Rarely::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory:NOTE:Confidentiality Read Memory Format string problems allow for information disclosure which can severely simplify exploitation of the program.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Format string problems can result in the execution of arbitrary code.::","::METHOD:Automated Static Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can often be detected using automated static analysis tools. 
Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.::METHOD:Black Box:EFFECTIVENESS:Limited:DESCRIPTION:Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source).::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode simple extractor – strings, ELF readers, etc.::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual 
analysis of source::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning Flags::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Choose a language that is not subject to this flaw.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments, of the types the format expects, is always passed to that function as well. If at all possible, use functions that do not support the %n operator in format strings. 
[REF-116] [REF-117]::PHASE:Build and Compilation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Heed the warnings of compilers and linkers, since they may alert you to improper usage.::","::REFERENCE:CVE-2002-1825:DESCRIPTION:format string in Perl program:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1825REFERENCE:CVE-2001-0717:DESCRIPTION:format string in bad call to syslog function:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0717REFERENCE:CVE-2002-0573:DESCRIPTION:format string in bad call to syslog function:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0573REFERENCE:CVE-2002-1788:DESCRIPTION:format strings in NNTP server responses:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1788REFERENCE:CVE-2006-2480:DESCRIPTION:Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2480REFERENCE:CVE-2007-2027:DESCRIPTION:Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2027","::LoggingError HandlingString Processing","Memory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Format string vulnerability::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Format String::::TAXONOMY NAME:CLASP:ENTRY NAME:Format string problem::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO30-C:ENTRY NAME:Exclude user input from format strings:MAPPING FIT:Exact::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO47-C:ENTRY NAME:Use valid format strings:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A1:ENTRY NAME:Unvalidated Input:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:6:ENTRY NAME:Format String::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:IDS06-J:ENTRY NAME:Exclude user input from format strings::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY 
ID:IDS30-PL:ENTRY NAME:Exclude user input from format strings:MAPPING FIT:Exact::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::135::67::","TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that supports format strings.::::TYPE:Other:NOTE:While Format String vulnerabilities typically fall under the Buffer Overflow category, technically they are not overflowed buffers. The Format String vulnerability is fairly new (circa 1999) and stems from the fact that there is no realistic way for a function that takes a variable number of arguments to determine just how many arguments were passed in. The most common functions that take a variable number of arguments, including C-runtime functions, are the printf() family of calls. The Format String problem appears in a number of ways. A *printf() call whose format string is taken directly from input, rather than a fixed format specifier, is dangerous and can be exploited. For example, printf(input); is exploitable, while printf(y, input); with a fixed format string y is not exploitable in that context. The result of the first call, used incorrectly, allows for an attacker to be able to peek at stack memory since the input string will be used as the format specifier. The attacker can stuff the input string with format specifiers and begin reading stack values, since the remaining parameters will be pulled from the stack. Worst case, this improper use may give away enough control to allow an arbitrary value (or values in the case of an exploit program) to be written into the memory of the running program. Frequently targeted entities are file names, process names, identifiers. Format string problems are a classic C/C++ issue that is now rare due to the ease of discovery. One main reason format string vulnerabilities can be exploited is the %n operator. The %n operator writes the number of characters output so far by the call to the memory pointed to by its argument. 
Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, they can execute arbitrary code. Other operators can be used as well; for example, a %9999s operator could also trigger a buffer overflow, or when used in file-formatting functions like fprintf, it can generate a much larger output than intended.::::TYPE:Research Gap:NOTE:Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.::",
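The CWE-134 mitigations above, in particular the case the entry itself flags as legitimate external control (internationalization catalogs), the requirement that the argument count match the format, and the advice to refuse %n, as an added worked example in C. This is not code from the CWE entry: the format-string walker, the comparison against a trusted built-in format and the sample catalog strings are constructed here. The checker accepts only the conversions it recognizes and treats %n, positional "%1$d" specifiers and truncated specifiers as reasons to reject; when a catalog string does not have the same conversion signature as the developer's own format, the trusted format is used instead, so the va_list can never be read through the wrong specifiers.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Walk a printf-style format and record, one byte per consumed argument,
 * which conversion consumes it ('d' for a '*' width or precision). Returns
 * the number of arguments consumed, or -1 if the format must be rejected:
 * %n (writes memory), positional "%1$d" specs, a truncated spec, or an
 * unknown conversion. "%%" consumes nothing. */
int fmt_signature(const char *fmt, char *sig, size_t sigsz)
{
    size_t n = 0;
    if (sigsz == 0) return -1;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                        /* literal '%' */
        while (*p && strchr("-+ #0'", *p)) p++;         /* flags */
        if (*p == '*') {                                /* width from an int */
            if (n + 1 >= sigsz) return -1;
            sig[n++] = 'd';
            p++;
        } else {
            while (isdigit((unsigned char)*p)) p++;
        }
        if (*p == '$') return -1;                       /* positional: reject */
        if (*p == '.') {                                /* precision */
            p++;
            if (*p == '*') {
                if (n + 1 >= sigsz) return -1;
                sig[n++] = 'd';
                p++;
            } else {
                while (isdigit((unsigned char)*p)) p++;
            }
        }
        while (*p && strchr("hlLqjzt", *p)) p++;        /* length modifiers */
        if (*p == '\0' || *p == 'n') return -1;         /* truncated, or %n */
        if (!strchr("diouxXeEfFgGaAcsp", *p)) return -1;
        if (n + 1 >= sigsz) return -1;
        sig[n++] = *p;
    }
    sig[n] = '\0';
    return (int)n;
}

/* Number of arguments a format consumes, or -1 if it is rejected. */
int fmt_arg_count(const char *fmt)
{
    char sig[64];
    return fmt_signature(fmt, sig, sizeof sig);
}

/* 1 if both formats are acceptable and consume the same argument types in
 * the same order; a translation may reorder words but not conversions. */
int fmt_matches(const char *trusted, const char *candidate)
{
    char a[64], b[64];
    if (fmt_signature(trusted, a, sizeof a) < 0) return 0;
    if (fmt_signature(candidate, b, sizeof b) < 0) return 0;
    return strcmp(a, b) == 0;
}

/* Render a message whose format comes from an external catalog. The
 * vulnerable version passes catalog_fmt straight to vsnprintf; here it is
 * used only if its signature matches the built-in trusted_fmt, otherwise
 * the trusted format is used, so the arguments are always read correctly. */
int format_translated(char *out, size_t outsz, const char *trusted_fmt,
                      const char *catalog_fmt, ...)
{
    const char *fmt = fmt_matches(trusted_fmt, catalog_fmt) ? catalog_fmt : trusted_fmt;
    va_list ap;
    va_start(ap, catalog_fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Demo/test helper: 1 if rendering with catalog_fmt yields exactly expected.
 * Built-in format and arguments are constructed sample data. */
int check_translated(const char *catalog_fmt, const char *expected)
{
    char buf[128];
    format_translated(buf, sizeof buf, "Hello %s, %d new", catalog_fmt, "bob", 3);
    return strcmp(buf, expected) == 0;
}
```

This is the check a build step such as gettext's msgfmt performs on translation catalogs; doing it at run time as well means a catalog file replaced on disk (the pattern of CVE-2007-2027 above) degrades to the untranslated message rather than to a format-string bug. It does not make an arbitrary user string safe to pass as a format: the only correct form for untrusted text is still printf("%s", input).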
  46. 135,"Incorrect Calculation of Multi-Byte String Length",Base,Draft,"The software does not correctly calculate the length of strings that can contain wide or multi-byte characters.","","::NATURE:ChildOf:CWE ID:682:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands This weakness may lead to a buffer overflow. Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service.::SCOPE:Availability:SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory):NOTE:Availability Confidentiality Read Memory DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory:NOTE:Confidentiality Read Memory In the case of an out-of-bounds read, the attacker may have access to sensitive information. 
If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Always verify string lengths in the units of the string's character type (bytes for char strings, wchar_t elements for wide strings), and convert between element counts and byte counts explicitly.::PHASE:Implementation:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use length computing functions (e.g. strlen, wcslen, etc.) appropriately with their equivalent type (e.g.: byte, wchar_t, etc.)::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Improper string length checking::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO10-J:ENTRY NAME:Ensure the array is filled when using read() to fill an array::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP10:ENTRY NAME:Incorrect Buffer Length Computation::","","",
  47. 138,"Improper Neutralization of Special Elements",Class,Draft,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.","Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If software does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < (less than) as meaning read input from a file.","::NATURE:ChildOf:CWE ID:707:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Alter Execution Logic DoS: Crash, Exit, or Restart::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that special elements (e.g. delimiters, symbols) will be injected into input vectors of their software system. One defense is to create a whitelist (e.g. a regular expression) that defines valid input according to the requirements specifications. Strictly filter any input that does not match against the whitelist. Properly encode your output, and quote any elements that have special meaning to the component with which you are communicating.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. 
Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use and specify an appropriate output encoding to ensure that the special elements are well-defined. A normal byte sequence in one encoding could be a special element in another.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. 
The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::","::REFERENCE:CVE-2001-0677:DESCRIPTION:Read arbitrary files from mail client by providing a special MIME header that is internally used to store pathnames for attachments.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0677REFERENCE:CVE-2000-0703:DESCRIPTION:Setuid program does not cleanse special escape sequence before sending data to a mail program, causing the mail program to process those sequences.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0703REFERENCE:CVE-2003-0020:DESCRIPTION:Multi-channel issue. Terminal escape sequences not filtered from log files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0020REFERENCE:CVE-2003-0083:DESCRIPTION:Multi-channel issue. Terminal escape sequences not filtered from log files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0083","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Special Elements (Characters or Reserved Words)::::TAXONOMY NAME:PLOVER:ENTRY NAME:Custom Special Character Injection::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::15::","TYPE:Relationship:NOTE:This weakness can be related to interpretation conflicts or interaction errors in intermediaries (such as proxies or application firewalls) when the intermediary's model of an endpoint does not account for protocol-specific special elements.::::TYPE:Relationship:NOTE:See this entry's children for different types of special elements that have been observed at one point or another. However, it can be difficult to find suitable CVE examples. 
In an attempt to be complete, CWE includes some types that do not have any associated observed example.::::TYPE:Research Gap:NOTE:This weakness is probably under-studied for proprietary or custom formats. It is likely that these issues are fairly common in applications that use their own custom format for configuration files, logs, meta-data, messaging, etc. They would only be found by accident or with a focused effort based on an understanding of the format.::",
  48. 14,"Compiler Removal of Code to Clear Buffers",Variant,Draft,"Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka dead store removal.","This compiler optimization error occurs when: 1. Secret data are stored in memory. 2. The secret data are scrubbed from memory by overwriting its contents. 3. The source code is compiled using an optimizing compiler, which identifies and removes the function that overwrites the contents as a dead store because the memory is not used subsequently.","::NATURE:ChildOf:CWE ID:733:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:733:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Build and Compilation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Access Control:TECHNICAL IMPACT:Read Memory Bypass Protection Mechanism:NOTE:Confidentiality Access Control Read Memory Bypass Protection Mechanism This weakness will allow data that has not been cleared from memory to be read. If this data contains sensitive password information, then an attacker can read the password and use the information to bypass protection mechanisms.::","::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others.::METHOD:White Box:EFFECTIVENESS::DESCRIPTION:This weakness is only detectable using white box methods (see black box detection factor). 
Careful analysis is required to determine if the code is likely to be removed by the compiler.::","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Store the sensitive data in a volatile memory location if available.::PHASE:Build and Compilation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If possible, configure your compiler so that it does not remove dead stores.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Where possible, encrypt sensitive data that are used by a software system.::","","","Memory::","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Insecure Compiler Optimization::::TAXONOMY NAME:PLOVER:ENTRY NAME:Sensitive memory uncleared by compiler optimization::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A8:ENTRY NAME:Insecure Storage:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC06-C:ENTRY NAME:Be aware of compiler optimization when dealing with sensitive data::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
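The CWE-14 pattern above (a memset over a secret that the optimizer removes as a dead store) and two of the standard ways to keep the wipe, as an added worked example in C. This is not code from the CWE entry; the function names and the sample secret are constructed here. Calling memset through a volatile function pointer is the technique used by OpenSSL's OPENSSL_cleanse; the second routine relies on the rule that stores through a volatile lvalue are side effects the compiler may not delete. Platform-specific alternatives the entry's "configure your compiler" advice points at are explicit_bzero() on glibc and the BSDs, SecureZeroMemory() on Windows and memset_s() where C11 Annex K is available.

```c
#include <stddef.h>
#include <string.h>

/* The vulnerable pattern is memset(secret, 0, sizeof secret) as the last
 * access before the buffer goes out of scope: at -O2 the optimizer sees a
 * store that nothing reads and removes it. Calling memset through a volatile
 * function pointer forces a run-time load of the pointer, so the compiler
 * cannot identify the callee and cannot prove the store dead. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    if (n == 0) return;
    memset_ptr(p, 0, n);
#if defined(__GNUC__) || defined(__clang__)
    __asm__ __volatile__("" : : "r"(p) : "memory");  /* memory is observed */
#endif
}

/* Alternative without inline asm: stores through a volatile lvalue are side
 * effects the standard forbids the compiler from removing. Slower, but
 * portable to any conforming compiler. */
void secure_zero_volatile(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* Constructed sample secret for the demo: exactly 32 bytes, NUL not copied. */
static const char SAMPLE_SECRET[] = "constructed-secret-for-demo-only";

/* Demo/test: load the secret into a stack buffer, use it (fold it into a
 * checksum), wipe it with the chosen routine, and report whether every byte
 * is zero afterwards. Because this function reads the buffer after the wipe,
 * that read would keep even a plain memset alive, so this checks that the
 * routines work, not that the optimizer would have kept them. Whether a
 * wipe survives -O2 in code that never touches the buffer again has to be
 * confirmed on the compiled output (e.g. objdump -d, looking for the call
 * or the stores). Returns 1 if fully zeroed. */
int wipe_leaves_zeroes(int use_volatile_loop)
{
    unsigned char secret[32];
    unsigned checksum = 0;
    memcpy(secret, SAMPLE_SECRET, sizeof secret);
    for (size_t i = 0; i < sizeof secret; i++)
        checksum += secret[i];
    if (checksum == 0) return 0;                    /* sanity: secret loaded */
    if (use_volatile_loop)
        secure_zero_volatile(secret, sizeof secret);
    else
        secure_zero(secret, sizeof secret);
    for (size_t i = 0; i < sizeof secret; i++)
        if (secret[i] != 0) return 0;
    return 1;
}
```

Neither routine addresses copies the compiler may have spilled to other stack slots or registers, nor the copies made by swapping or core dumps; those are the reasons the entry's Architecture and Design mitigation (keep sensitive data encrypted while at rest in memory where possible) is listed alongside the wipe.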
  49. 140,"Improper Neutralization of Delimiters",Base,Draft,"The software does not neutralize or incorrectly neutralizes delimiters.","","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Developers should anticipate that delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. 
However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Delimiter Problems::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::15::","",
141,"Improper Neutralization of Parameter/Argument Delimiters",Variant,Draft,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.","As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.","::NATURE:ChildOf:CWE ID:140:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:140:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that parameter/argument delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2003-0307:DESCRIPTION:Attacker inserts field separator into input to specify admin privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0307","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Parameter Delimiter::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
142,"Improper Neutralization of Value Delimiters",Variant,Draft,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.","As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.","::NATURE:ChildOf:CWE ID:140:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:140:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that value delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2000-0293:DESCRIPTION:Multiple internal space, insufficient quoting - program does not use proper delimiter between values.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0293","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Value Delimiter::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
143,"Improper Neutralization of Record Delimiters",Variant,Draft,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.","As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.","::NATURE:ChildOf:CWE ID:140:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:140:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that record delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2004-1982:DESCRIPTION:Carriage returns in subject field allow adding new records to data file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1982REFERENCE:CVE-2001-0527:DESCRIPTION:Attacker inserts carriage returns and | field separator characters to add new user/privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0527","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Record Delimiter::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
144,"Improper Neutralization of Line Delimiters",Variant,Draft,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component.","As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.","::NATURE:ChildOf:CWE ID:140:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:140:VIEW ID:699:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:93:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that line delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-0267:DESCRIPTION:Linebreak in field of PHP script allows admin privileges when written to data file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0267","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Line Delimiter::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:IDS03-J:ENTRY NAME:Do not log unsanitized user input::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",
145,"Improper Neutralization of Section Delimiters",Variant,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.","As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions. One example of a section delimiter is the boundary string in a multipart MIME message. In many cases, doubled line delimiters can serve as a section delimiter.","::NATURE:ChildOf:CWE ID:140:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:140:VIEW ID:699:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:93:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that section delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Section Delimiter::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",
146,"Improper Neutralization of Expression/Command Delimiters",Variant,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.","As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.","::NATURE:ChildOf:CWE ID:140:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:140:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Alter Execution Logic::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that inter-expression and inter-command delimiters will be injected/removed/manipulated in the input vectors of their software system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Delimiter between Expressions or Commands::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::15::6::","TYPE:Relationship:NOTE:A shell metacharacter (covered in CWE-150) is one example of a potential delimiter that may need to be neutralized.::",
147,"Improper Neutralization of Input Terminators",Variant,Draft,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.","For example, a . in SMTP signifies the end of mail message data, whereas a null character can be used for the end of a string.","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that terminators will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2000-0319:DESCRIPTION:MFV. mail server does not properly identify terminator string to signify end of message, causing corruption, possibly in conjunction with off-by-one error.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0319REFERENCE:CVE-2000-0320:DESCRIPTION:MFV. mail server does not properly identify terminator string to signify end of message, causing corruption, possibly in conjunction with off-by-one error.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0320REFERENCE:CVE-2001-0996:DESCRIPTION:Mail server does not quote end-of-input terminator if it appears in the middle of a message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0996REFERENCE:CVE-2002-0001:DESCRIPTION:Improperly terminated comment or phrase allows commands.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0001","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Input Terminator::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::460::","",
148,"Improper Neutralization of Input Leaders",Variant,Draft,"The application does not properly handle when a leading character or sequence (leader) is missing or malformed, or if multiple leaders are used when only one should be allowed.","","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that leading characters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Input Leader::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
149,"Improper Neutralization of Quoting Syntax",Variant,Draft,"Quotes injected into an application can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.","","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that quotes will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2004-0956:DESCRIPTION:Database allows remote attackers to cause a denial of service (application crash) via a MATCH AGAINST query with an opening double quote but no closing double quote.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0956REFERENCE:CVE-2003-1016:DESCRIPTION:MIE. MFV too? bypass AV/security with fields that should not be quoted, duplicate quotes, missing leading/trailing quotes.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1016","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Quoting Element::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::468::","",
15,"External Control of System or Configuration Setting",Base,Incomplete,"One or more system settings or configuration elements can be externally controlled by a user.","Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways.","::NATURE:ChildOf:CWE ID:642:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:642:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:610:VIEW ID:1000::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:In general, do not allow user-provided or otherwise untrusted data to control sensitive values. 
The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Setting Manipulation::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP25:ENTRY NAME:Tainted input to variable::","::13::146::69::76::77::","",
150,"Improper Neutralization of Escape, Meta, or Control Sequences",Variant,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.","As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that escape, meta and control characters/sequences will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). 
Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-0542:DESCRIPTION:The mail program processes special ~ escape sequence even when not in interactive mode.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0542REFERENCE:CVE-2000-0703:DESCRIPTION:Setuid program does not filter escape sequences before calling mail program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0703REFERENCE:CVE-2002-0986:DESCRIPTION:Mail function does not filter control characters from arguments, allowing mail message content to be modified.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0986REFERENCE:CVE-2003-0020:DESCRIPTION:Multi-channel issue. Terminal escape sequences not filtered from log files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0020REFERENCE:CVE-2003-0083:DESCRIPTION:Multi-channel issue. Terminal escape sequences not filtered from log files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0083REFERENCE:CVE-2003-0021:DESCRIPTION:Terminal escape sequences not filtered by terminals when displaying files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0021REFERENCE:CVE-2003-0022:DESCRIPTION:Terminal escape sequences not filtered by terminals when displaying files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0022REFERENCE:CVE-2003-0023:DESCRIPTION:Terminal escape sequences not filtered by terminals when displaying files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0023REFERENCE:CVE-2003-0063:DESCRIPTION:Terminal escape sequences not filtered by terminals when displaying files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0063REFERENCE:CVE-2000-0476:DESCRIPTION:Terminal escape sequences not filtered by terminals when displaying files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0476REFERENCE:CVE-2001-1556:DESCRIPTION:MFV. 
(multi-channel). Injection of control characters into log files that allow information hiding when using raw Unix programs to read the files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1556","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Escape, Meta, or Control Character / Sequence::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:IDS03-J:ENTRY NAME:Do not log unsanitized user input::","::41::81::93::","",
151,"Improper Neutralization of Comment Delimiters",Variant,Draft,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component.","","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that comments will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. 
This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-0001:DESCRIPTION:Mail client command execution due to improperly terminated comment in address list.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0001REFERENCE:CVE-2004-0162:DESCRIPTION:MIE. RFC822 comment fields may be processed as other fields by clients.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0162REFERENCE:CVE-2004-1686:DESCRIPTION:Well-placed comment bypasses security warning.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1686REFERENCE:CVE-2005-1909:DESCRIPTION:Information hiding using a manipulation involving injection of comment code into product. 
Note: these vulnerabilities are likely vulnerable to more general XSS problems, although a regexp might allow <!-- while denying most other tags.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1909REFERENCE:CVE-2005-1969:DESCRIPTION:Information hiding using a manipulation involving injection of comment code into product. Note: these vulnerabilities are likely vulnerable to more general XSS problems, although a regexp might allow <!-- while denying most other tags.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1969","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Comment Element::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
152,"Improper Neutralization of Macro Symbols",Variant,Draft,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component.","","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Developers should anticipate that macro symbols will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. 
This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). 
Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-0770:DESCRIPTION:Server trusts client to expand macros, allows macro characters to be expanded to trigger resultant information exposure.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0770REFERENCE:CVE-2008-2018:DESCRIPTION:Attacker can obtain sensitive information from a database by using a comment containing a macro, which inserts the data during expansion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2018","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Macro Symbol::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Research Gap:NOTE:Under-studied.::",
153,"Improper Neutralization of Substitution Characters",Variant,Draft,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.","","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that substitution characters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. 
This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-0770:DESCRIPTION:Server trusts client to expand macros, allows macro characters to be expanded to trigger resultant information exposure.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0770","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Substitution Character::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Research Gap:NOTE:Under-studied.::",
154,"Improper Neutralization of Variable Name Delimiters",Variant,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.","As data is parsed, an injected delimiter may cause the process to take unexpected actions that result in an attack. Example: $ for an environment variable.","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that variable name delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). 
Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2005-0129:DESCRIPTION:% variable is expanded by wildcard function into disallowed commands.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0129REFERENCE:CVE-2002-0770:DESCRIPTION:Server trusts client to expand macros, allows macro characters to be expanded to trigger resultant information exposure.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0770","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Variable Name Delimiter::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::15::","TYPE:Research Gap:NOTE:Under-studied.::",
155,"Improper Neutralization of Wildcards or Matching Symbols",Variant,Draft,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.","As data is parsed, an injected element may cause the process to take unexpected actions.","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that wildcard or matching elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). 
A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). 
Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-0433:DESCRIPTION:Bypass file restrictions using wildcard character.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0433REFERENCE:CVE-2002-1010:DESCRIPTION:Bypass file restrictions using wildcard character.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1010REFERENCE:CVE-2001-0334:DESCRIPTION:Wildcards generate long string on expansion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0334REFERENCE:CVE-2004-1962:DESCRIPTION:SQL injection involving /**/ sequences.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1962","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Wildcard or Matching Element::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Research Gap:NOTE:Under-studied.::",
156,"Improper Neutralization of Whitespace",Variant,Draft,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.","This can include space, tab, etc.","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:White space:DESCRIPTION:::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that whitespace will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. 
This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-0637:DESCRIPTION:MIE. virus protection bypass with RFC violations involving extra whitespace, or missing whitespace.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0637REFERENCE:CVE-2004-0942:DESCRIPTION:CPU consumption with MIME headers containing lines with many space characters, probably due to algorithmic complexity (RESOURCE.AMP.ALG).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0942REFERENCE:CVE-2003-1015:DESCRIPTION:MIE. 
whitespace interpreted differently by mail clients.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1015","","","TAXONOMY NAME:PLOVER:ENTRY ID:SPEC.WHITESPACE:ENTRY NAME:Whitespace::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Relationship:NOTE:Can overlap other separator characters or delimiters.::",
  67. 157,"Failure to Sanitize Paired Delimiters",Variant,Draft,"The software does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.","Paired delimiters might include: < and > angle brackets ( and ) parentheses { and } braces [ and ] square brackets double quotes ' ' single quotes","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that grouping elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). 
A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). 
Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2004-0956:DESCRIPTION:Crash via missing paired delimiter (open double-quote but no closing double-quote).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0956REFERENCE:CVE-2000-1165:DESCRIPTION:Crash via message without closing >.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1165REFERENCE:CVE-2005-2933:DESCRIPTION:Buffer overflow via mailbox name with an opening double quote but missing a closing double quote, causing a larger copy than expected.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2933","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Grouping Element / Paired Delimiter::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::15::","TYPE:Research Gap:NOTE:Under-studied.::",
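Added example for the CWE-156 (whitespace) and CWE-157 (paired delimiter) records above. This is illustration code written for this page, not part of the CWE data or of any product: the `WHITESPACE_VARIANTS` set, the token whitelist and the `validate_single_token` / `check_paired_delimiters` functions are constructed for the demo. It shows why a check that only knows U+0020 lets tab-, NBSP- and zero-width-separated values through while a downstream parser still splits on them, why canonicalizing before validating (CWE-180) closes that gap, and how to refuse unbalanced grouping elements and unterminated quotes up front instead of letting the consumer guess, which is the failure behind the unclosed-quote crashes cited under CWE-157.

```python
"""
Added example for CWE-156 (whitespace) and CWE-157 (paired delimiters).
Not part of the CWE data; the whitelist, the whitespace set and the function
names are constructed for the demo and belong to no real product.
"""
import re
import unicodedata
from typing import List, Tuple

# Code points a naive `" " in s` check never sees but that mail parsers, shells
# and HTML tokenizers treat as separators.  Illustrative, not exhaustive.
WHITESPACE_VARIANTS = frozenset({
    "\t", "\n", "\r", "\x0b", "\x0c",            # ASCII control whitespace
    "\u00a0", "\u2000", "\u2003", "\u3000",      # NBSP, en quad, em space, ideographic space
    "\u200b", "\ufeff",                          # zero-width space / BOM: invisible separators
})


def canonicalize_whitespace(s: str) -> str:
    """Canonicalize before validating (CWE-180): NFKC folds the compatibility
    spaces to U+0020, then every remaining whitespace run becomes one space."""
    s = unicodedata.normalize("NFKC", s)
    s = "".join(" " if (ch in WHITESPACE_VARIANTS or ch.isspace()) else ch for ch in s)
    return re.sub(r" {2,}", " ", s).strip()


def naive_single_token(s: str) -> bool:
    """The weak check: assumes the only whitespace character is U+0020."""
    return " " not in s


def validate_single_token(s: str) -> bool:
    """Accept-known-good: one identifier made of a strict character whitelist,
    checked on the canonical form the downstream component will actually see."""
    return re.fullmatch(r"[A-Za-z0-9_.-]+", canonicalize_whitespace(s)) is not None


PAIRS = {"(": ")", "[": "]", "{": "}", "<": ">"}
CLOSERS = {v: k for k, v in PAIRS.items()}
QUOTES = ('"', "'")


def check_paired_delimiters(s: str) -> Tuple[bool, str]:
    """Reject unbalanced grouping elements and unterminated quotes before the
    value reaches a parser that may crash or over-read on them (the CWE-157
    references above are exactly that failure).  Returns (ok, reason)."""
    stack: List[Tuple[str, int]] = []
    open_quote = None
    for i, ch in enumerate(s):
        if open_quote:                      # inside a quoted run only the closer matters
            if ch == open_quote:
                open_quote = None
        elif ch in QUOTES:
            open_quote = ch
        elif ch in PAIRS:
            stack.append((ch, i))
        elif ch in CLOSERS:
            if not stack or stack[-1][0] != CLOSERS[ch]:
                return False, f"unexpected {ch!r} at offset {i}"
            stack.pop()
    if open_quote:
        return False, f"unterminated {open_quote} quote"
    if stack:
        ch, i = stack[-1]
        return False, f"unclosed {ch!r} opened at offset {i}"
    return True, "balanced"


if __name__ == "__main__":
    # Constructed inputs: the naive check passes the tab-, NBSP- and
    # zero-width-separated values; the canonicalizing whitelist rejects them.
    for sample in ("user\tadmin", "user\u00a0admin", "user\u200badmin", "alice"):
        print(repr(sample), naive_single_token(sample), validate_single_token(sample))
    for expr in ('f("a", [1, 2])', 'f("a, [1, 2])', "(a]", "{x"):
        print(repr(expr), check_paired_delimiters(expr))
```

The whitespace set and the NFKC step are a starting point, not a complete list; the right set is whatever the specific downstream component treats as a separator, so check its tokenizer rather than this table. Likewise `QUOTES` assumes a grammar where an apostrophe opens a string; for free text (where "don't" is legitimate) the quote rule has to be relaxed or the check will reject valid input.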
  68. 158,"Improper Neutralization of Null Byte or NUL Character",Variant,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.","As data is parsed, an injected NUL character or null byte may cause the software to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte or otherwise bypass validation routines and other protection mechanisms.","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that null characters or null bytes will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. 
As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2005-2008:DESCRIPTION:Source code disclosure using trailing null.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2008REFERENCE:CVE-2005-3293:DESCRIPTION:Source code disclosure using trailing null.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3293REFERENCE:CVE-2005-2061:DESCRIPTION:Trailing null allows file include.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2061REFERENCE:CVE-2002-1774:DESCRIPTION:Null character in MIME header allows detection bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1774REFERENCE:CVE-2000-0149:DESCRIPTION:Web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0149REFERENCE:CVE-2000-0671:DESCRIPTION:Web server earlier allows remote attackers to bypass access restrictions, list directory 
contents, and read source code by inserting a null character (%00) in the URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0671REFERENCE:CVE-2001-0738:DESCRIPTION:Logging system allows an attacker to cause a denial of service (hang) by causing null bytes to be placed in log messages.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0738REFERENCE:CVE-2001-1140:DESCRIPTION:Web server allows source code for executable programs to be read via a null character (%00) at the end of a request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1140REFERENCE:CVE-2002-1031:DESCRIPTION:Protection mechanism for limiting file access can be bypassed using a null character (%00) at the end of the directory name.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1031REFERENCE:CVE-2002-1025:DESCRIPTION:Application server allows remote attackers to read JSP source code via an encoded null byte in an HTTP GET request, which causes the server to send the .JSP file unparsed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1025REFERENCE:CVE-2003-0768:DESCRIPTION:XSS protection mechanism only checks for sequences with an alphabetical character following a (<), so a non-alphabetical or null character (%00) following a < may be processed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0768REFERENCE:CVE-2004-0189:DESCRIPTION:Decoding function in proxy allows regular expression bypass in ACLs via URLs with null characters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0189REFERENCE:CVE-2005-3153:DESCRIPTION:Null byte bypasses PHP regexp check (interaction error).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3153REFERENCE:CVE-2005-4155:DESCRIPTION:Null byte bypasses PHP regexp check (interaction error).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4155","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Null Character / Null Byte::::TAXONOMY NAME:WASC:ENTRY ID:28:ENTRY NAME:Null 
Byte Injection::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::52::53::","TYPE:Relationship:NOTE:This can be a factor in multiple interpretation errors, other interaction errors, filename equivalence, etc.::",
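Added example for the CWE-158 record above, including the CWE-174 double-decode variant its mitigation text warns about. This is illustration code written for this page, not part of the CWE data or of any product: the extension checker, the simulated NUL-terminated consumer (`c_string`) and the sample paths are constructed. It reproduces the pattern behind the "%00 at the end of a URL" references: the validator sees the whole decoded string and is satisfied by the trailing `.txt`, while the consumer stops at the NUL and opens the file named before it.

```python
"""
Added example for CWE-158 (NUL byte), with the CWE-174 double-decode variant
the mitigation text warns about.  Not part of the CWE data: the path checker,
the simulated NUL-terminated consumer and the sample paths are constructed.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Accept-known-good shape for a requested file: a plain basename ending in .txt.
ALLOWED = re.compile(r"[A-Za-z0-9_-]+\.txt")


def c_string(s: str) -> str:
    """Simulates a downstream component built on NUL-terminated strings
    (a C open(2) wrapper, a CGI handler, a regex engine in C): the first NUL
    ends the string, so the validated tail is never seen."""
    nul = s.find("\x00")
    return s if nul < 0 else s[:nul]


def vulnerable_open(raw: str) -> Optional[str]:
    """Decodes once and checks the suffix on the decoded string, but the
    consumer stops at the NUL: validator and consumer disagree on where the
    string ends.  Returns the name the consumer actually opens."""
    decoded = unquote(raw)
    if not decoded.endswith(".txt"):
        return None
    return c_string(decoded)


def double_decode_open(raw: str) -> Optional[str]:
    """The validator does refuse NUL, but a later layer decodes again
    (CWE-174), so %2500 becomes %00 becomes NUL after the check."""
    once = unquote(raw)
    if "\x00" in once or not once.endswith(".txt"):
        return None
    twice = unquote(once)           # second decode after validation
    return c_string(twice)


def safe_open(raw: str) -> Optional[str]:
    """Decode exactly once, refuse NUL outright, whitelist the result, and hand
    the consumer the very string that was validated."""
    decoded = unquote(raw)
    if "\x00" in decoded:
        return None                 # reject; never try to "strip" it
    if ALLOWED.fullmatch(decoded) is None:
        return None                 # also catches the %2500 residue ('%' is not whitelisted)
    return decoded


if __name__ == "__main__":
    # Constructed requests: a benign one, a NUL-terminated one, a double-encoded one.
    for raw in ("notes.txt", "app.py%00.txt", "app.py%2500.txt"):
        print(f"{raw:16} vulnerable={vulnerable_open(raw)!r:14} "
              f"double={double_decode_open(raw)!r:14} safe={safe_open(raw)!r}")
```

The NUL-terminated consumer is simulated because CPython's own `open()` refuses embedded NULs with `ValueError`; the exposure is in layers that hand the string to C (web server file handlers, native extensions, regex engines), which is why the references above pair the null byte with "interaction error". The order in `safe_open` is the point: decode once, reject, whitelist, then pass on exactly the validated value.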
  69. 159,"Failure to Sanitize Special Element",Class,Draft,"Weaknesses in this attack-focused category do not properly filter and interpret special elements in user-controlled input which could cause adverse effect on the software behavior and integrity.","","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. 
However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Common Special Element Manipulations::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Maintenance:NOTE:The list of children for this entry is far from complete.::::TYPE:Terminology:NOTE:Precise terminology for the underlying weaknesses does not exist. Therefore, these weaknesses use the terminology associated with the manipulation.::::TYPE:Research Gap:NOTE:Customized languages and grammars, even those that are specific to a particular product, are potential sources of weaknesses that are related to special elements. However, most researchers concentrate on the most commonly used representations for data transmission, such as HTML and SQL. 
Any representation that is commonly used is likely to be a rich source of weaknesses; researchers are encouraged to investigate previously unexplored representations.::",
  70. 160,"Improper Neutralization of Leading Special Elements",Variant,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.","As data is parsed, improperly handled leading special elements may cause the process to take unexpected actions that result in an attack.","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that leading special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Leading Special Element::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
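Added example for the CWE-160 and CWE-161 records (leading special elements), tied to the argument-injection caveat (CWE-88) in the mitigation text. This is illustration code written for this page, not part of the CWE data or of any product: the simulated command-line tool, its `--delete` option and the filenames are constructed. It shows a user-supplied operand whose leading element is `-` (or the multiple leading `--`) being parsed as an option, why shell quoting does nothing about that, and the three mitigations the text allows: end option parsing with `--`, reject the operand, or transform it into a conforming one.

```python
"""
Added example for CWE-160/CWE-161 (leading special elements): a user-supplied
operand whose first character is '-' is parsed as an option by the command it
is passed to.  Not part of the CWE data; the simulated tool, its --delete
option and the filenames are constructed for the demo.
"""
import shlex
from typing import Dict, List


def downstream_tool(argv: List[str]) -> Dict[str, object]:
    """Simulated CLI with POSIX-style parsing: before a bare '--', any argument
    that starts with '-' is an option; after it, everything is an operand."""
    options: List[str] = []
    operands: List[str] = []
    end_of_options = False
    for arg in argv:
        if not end_of_options and arg == "--":
            end_of_options = True
        elif not end_of_options and len(arg) > 1 and arg[0] == "-":
            options.append(arg)
        else:
            operands.append(arg)
    return {"delete": "--delete" in options, "operands": operands}


def run_naive(user_files: List[str]) -> Dict[str, object]:
    """No neutralization: the operand list is appended straight after the verb."""
    return downstream_tool(["sync", *user_files])


def run_with_separator(user_files: List[str]) -> Dict[str, object]:
    """Fix 1: terminate option parsing with '--'.  Only works if the downstream
    tool honours it (POSIX utilities do; ad-hoc parsers often do not)."""
    return downstream_tool(["sync", "--", *user_files])


def run_strict(user_files: List[str]) -> Dict[str, object]:
    """Fix 2 (accept known good): refuse an operand whose leading element is
    special rather than relying on the downstream parser to agree with us."""
    for name in user_files:
        if not name or name[0] == "-":
            raise ValueError(f"rejected operand {name!r}: leading '-'")
    return downstream_tool(["sync", *user_files])


def neutralize_leading_dash(name: str) -> str:
    """Fix 3 (transform to conforming): an explicit './' prefix keeps the
    filename but removes the leading special element."""
    return "./" + name if name.startswith("-") else name


def quoting_does_not_help(name: str) -> bool:
    """Shell quoting protects against shell metacharacters, not against the
    option parser of the program itself (CWE-88): a dash-led name survives
    shlex.quote unchanged."""
    return shlex.quote(name) == name


if __name__ == "__main__":
    user_files = ["--delete", "report.txt"]          # constructed attacker input
    print("naive     :", run_naive(user_files))
    print("separator :", run_with_separator(user_files))
    print("transform :", run_naive([neutralize_leading_dash(f) for f in user_files]))
    print("quoted    :", shlex.quote("--delete"), quoting_does_not_help("--delete"))
    try:
        run_strict(user_files)
    except ValueError as e:
        print("strict    :", e)
```

Which fix applies depends on the consumer: `--` is the cleanest when the tool is known to honour it, the `./` transform keeps the user's filename when it must be preserved, and rejection is the safest default when the operand has no business starting with a dash at all. None of them is replaced by quoting, which is why the mitigation text lists quoting and the CWE-88 warning side by side.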
  71. 161,"Improper Neutralization of Multiple Leading Special Elements",Variant,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.","As data is parsed, improperly handled multiple leading special elements may cause the process to take unexpected actions that result in an attack.","::NATURE:ChildOf:CWE ID:160:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:160:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that multiple leading special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Multiple Leading Special Elements::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
  72. 162,"Improper Neutralization of Trailing Special Elements",Variant,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.","As data is parsed, improperly handled trailing special elements may cause the process to take unexpected actions that result in an attack.","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that trailing special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Trailing Special Element::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
  73. 163,"Improper Neutralization of Multiple Trailing Special Elements",Variant,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.","As data is parsed, improperly handled multiple trailing special elements may cause the process to take unexpected actions that result in an attack.","::NATURE:ChildOf:CWE ID:162:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:162:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that multiple trailing special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Multiple Trailing Special Elements::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
  74. 164,"Improper Neutralization of Internal Special Elements",Variant,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.","As data is parsed, improperly handled internal special elements may cause the process to take unexpected actions that result in an attack.","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that internal special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Internal Special Element::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
  75. 165,"Improper Neutralization of Multiple Internal Special Elements",Variant,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.","As data is parsed, improperly handled multiple internal special elements may cause the process to take unexpected actions that result in an attack.","::NATURE:ChildOf:CWE ID:164:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:164:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that multiple internal special elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Multiple Internal Special Element::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
  76. 166,"Improper Handling of Missing Special Element",Base,Draft,"The software receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.","","::NATURE:ChildOf:CWE ID:159:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:159:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:703:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that special elements will be removed in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. 
However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-1362:DESCRIPTION:Crash via message type without separator character:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1362REFERENCE:CVE-2002-0729:DESCRIPTION:Missing special character (separator) causes crash:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0729REFERENCE:CVE-2002-1532:DESCRIPTION:HTTP GET without rnrn CRLF sequences causes product to wait indefinitely and prevents other users from accessing it:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1532","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Missing Special Element::","","",
  77. 167,"Improper Handling of Additional Special Element",Base,Draft,"The software receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is missing.","","::NATURE:ChildOf:CWE ID:159:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:159:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:703:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that extra special elements will be injected in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. 
However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2000-0116:DESCRIPTION:Extra < in front of SCRIPT tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0116REFERENCE:CVE-2001-1157:DESCRIPTION:Extra < in front of SCRIPT tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1157REFERENCE:CVE-2002-2086:DESCRIPTION:<script - probably a cleansing error:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2086","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Extra Special Element::","","",
  78. 168,"Improper Handling of Inconsistent Special Elements",Base,Draft,"The software does not handle when an inconsistency exists between two or more special characters or reserved words.","An example of this problem would be if paired characters appear in the wrong order, or if the special characters are not properly nested.","::NATURE:ChildOf:CWE ID:159:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:159:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:703:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Access Control:SCOPE:Non-Repudiation:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Bypass Protection Mechanism Hide Activities::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Developers should anticipate that inconsistent special elements will be injected/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and whitelists to ensure only valid, expected and appropriate input is processed by the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Inconsistent Special Elements::","","",
  79. 170,"Improper Null Termination",Base,Incomplete,"The software does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.","Null termination errors frequently occur in two different ways. An off-by-one error could cause a null to be written out of bounds, leading to an overflow. Or, a program could use a strncpy() function call incorrectly, which prevents a null terminator from being added at all. Other scenarios are possible.","::NATURE:ChildOf:CWE ID:707:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:120:VIEW ID:1000::NATURE:CanPrecede:CWE ID:126:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:147:VIEW ID:1000::NATURE:PeerOf:CWE ID:464:VIEW ID:1000::NATURE:PeerOf:CWE ID:463:VIEW ID:1000::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Read Memory Execute Unauthorized Code or Commands:NOTE:Confidentiality Integrity Availability Read Memory Execute Unauthorized Code or Commands The case of an omitted null character is the most dangerous of the possible issues. 
This will almost certainly result in information disclosure, and possibly a buffer overflow condition, which may be exploited to execute arbitrary code.::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Read Memory DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory):NOTE:Confidentiality Integrity Availability DoS: Crash, Exit, or Restart Read Memory DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) If a null character is omitted from a string, then most string-copying functions will read data until they locate a null character, even outside of the intended boundaries of the string. This could: cause a crash due to a segmentation fault cause sensitive adjacent memory to be copied and sent to an outsider trigger a buffer overflow when the copy is being written to a fixed-size buffer::SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Modify Memory DoS: Crash, Exit, or Restart:NOTE:Integrity Availability Modify Memory DoS: Crash, Exit, or Restart Misplaced null characters may result in any number of security problems. The biggest issue is a subset of buffer overflow, and write-what-where conditions, where data corruption occurs from the writing of a null character over valid data, or even instructions. A randomly placed null character may put the system into an undefined state, and therefore make it prone to crashing. 
A misplaced null character may corrupt other data in memory.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Alter Execution Logic Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Access Control Other Alter Execution Logic Execute Unauthorized Code or Commands Should the null character corrupt the process flow, or affect a flag controlling access, it may lead to logical errors which allow for the execution of arbitrary code.::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a language that is not susceptible to these issues. However, be careful of null byte interaction errors (CWE-626) with lower-level constructs that may be written in a language that is susceptible.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that all string functions used are understood fully as to how they append null characters. Also, be wary of off-by-one errors when appending nulls to the end of strings.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If performance constraints permit, special code can be added that validates null-termination of string buffers, this is a rather naive and error-prone solution.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Switch to bounded string manipulation functions. 
Inspect buffer lengths involved in the buffer overrun trace reported with the defect.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Add code that fills buffers with nulls (however, the length of buffers still needs to be inspected, to ensure that the non null-terminated string is not written at the physical end of the buffer).::","::REFERENCE:CVE-2000-0312:DESCRIPTION:Attacker does not null-terminate argv[] when invoking another program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0312REFERENCE:CVE-2003-0777:DESCRIPTION:Interrupted step causes resultant lack of null termination.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0777REFERENCE:CVE-2004-1072:DESCRIPTION:Fault causes resultant lack of null termination, leading to buffer expansion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1072REFERENCE:CVE-2001-1389:DESCRIPTION:Multiple vulnerabilities related to improper null termination.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1389REFERENCE:CVE-2003-0143:DESCRIPTION:Product does not null terminate a message buffer after snprintf-like call, leading to overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0143REFERENCE:CVE-2009-2523:DESCRIPTION:Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2523","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Improper Null Termination::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:String Termination Error::::TAXONOMY NAME:CLASP:ENTRY NAME:Miscalculated null termination::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A9:ENTRY NAME:Denial of Service:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS30-C:ENTRY NAME:Use the readlink() function properly:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR03-C:ENTRY 
NAME:Do not inadvertently truncate a null-terminated byte string::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR32-C:ENTRY NAME:Do not pass a non-null-terminated character sequence to a library function that expects a string:MAPPING FIT:Exact::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP11:ENTRY NAME:Improper Null Termination::","","TYPE:Relationship:NOTE:Factors: this is usually resultant from other weaknesses such as off-by-one errors, but it can be primary to boundary condition violations such as buffer overflows. In buffer overflows, it can act as an expander for assumed-immutable data.::::TYPE:Relationship:NOTE:Overlaps missing input terminator.::::TYPE:Applicable Platform:NOTE:Conceptually, this does not just apply to the C language; any language or representation that involves a terminator could have this type of problem.::::TYPE:Maintenance:NOTE:As currently described, this entry is more like a category than a weakness.::",
  80. 172,"Encoding Error",Class,Draft,"The software does not properly encode or decode the data, resulting in unexpected values.","","::NATURE:ChildOf:CWE ID:707:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:707:VIEW ID:1003:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:22:VIEW ID:1000::NATURE:CanPrecede:CWE ID:41:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. 
Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Encoding Error::","::267::3::52::53::64::71::72::78::80::","TYPE:Relationship:NOTE:Partially overlaps path traversal and equivalence weaknesses.::::TYPE:Maintenance:NOTE:This is more like a category than a weakness.::::TYPE:Maintenance:NOTE:Many other types of encodings should be listed in this category.::",
  81. 173,"Improper Handling of Alternate Encoding",Variant,Draft,"The software does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.","","::NATURE:ChildOf:CWE ID:172:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:172:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:289:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. 
However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Alternate Encoding::","::267::3::52::53::64::71::72::78::79::80::","",
  82. 174,"Double Decoding of the Same Data",Variant,Draft,"The software decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.","","::NATURE:ChildOf:CWE ID:172:VIEW ID:1000::NATURE:ChildOf:CWE ID:172:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:675:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Execute Unauthorized Code or Commands Varies by Context::","","::PHASE:Architecture and Design:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. 
However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). 
Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2004-1315:DESCRIPTION:Forum software improperly URL decodes the highlight parameter when extracting text to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1315REFERENCE:CVE-2004-1939:DESCRIPTION:XSS protection mechanism attempts to remove / that could be used to close tags, but it can be bypassed using double encoded slashes (%252F):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1939REFERENCE:CVE-2001-0333:DESCRIPTION:Directory traversal using double encoding.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0333REFERENCE:CVE-2004-1938:DESCRIPTION:%2527 (double-encoded single quote) used in SQL injection.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1938REFERENCE:CVE-2005-1945:DESCRIPTION:Double hex-encoded data.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1945REFERENCE:CVE-2005-0054:DESCRIPTION:Browser executes HTML at higher privileges via URL with hostnames that are double hex encoded, which are decoded twice to generate a malicious hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0054","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Double Encoding::","","TYPE:Research Gap:NOTE:Probably under-studied.::",
  83. 175,"Improper Handling of Mixed Encoding",Variant,Draft,"The software does not properly handle when the same input uses several different (mixed) encodings.","","::NATURE:ChildOf:CWE ID:172:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:172:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE:Architecture and Design:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Mixed Encoding::","","",
  84. 176,"Improper Handling of Unicode Encoding",Variant,Draft,"The software does not properly handle when an input contains Unicode encoding.","","::NATURE:ChildOf:CWE ID:172:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:172:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE:Architecture and Design:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2000-0884:DESCRIPTION:Server allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain Unicode encoded characters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884::REFERENCE:CVE-2001-0709:DESCRIPTION:Server allows a remote attacker to obtain source code of ASP files via a URL encoded with Unicode.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0709::REFERENCE:CVE-2001-0669:DESCRIPTION:Overlaps interaction error.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0669::","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Unicode Encoding::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC10-C:ENTRY NAME:Character Encoding - UTF8 Related Issues::","::71::","",
  85. 177,"Improper Handling of URL Encoding (Hex Encoding)",Variant,Draft,"The software does not properly handle when all or part of an input has been URL encoded.","","::NATURE:ChildOf:CWE ID:172:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:172:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE:Architecture and Design:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2000-0900:DESCRIPTION:Hex-encoded path traversal variants - %2e%2e, %2e%2e%2f, %5c%2e%2e:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0900::REFERENCE:CVE-2005-2256:DESCRIPTION:Hex-encoded path traversal variants - %2e%2e, %2e%2e%2f, %5c%2e%2e:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2256::REFERENCE:CVE-2004-2121:DESCRIPTION:Hex-encoded path traversal variants - %2e%2e, %2e%2e%2f, %5c%2e%2e:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2121::REFERENCE:CVE-2004-0280:DESCRIPTION:%20 (encoded space):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0280::REFERENCE:CVE-2003-0424:DESCRIPTION:%20 (encoded space):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0424::REFERENCE:CVE-2001-0693:DESCRIPTION:%20 (encoded space):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0693::REFERENCE:CVE-2001-0778:DESCRIPTION:%20 (encoded space):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0778::REFERENCE:CVE-2002-1831:DESCRIPTION:Crash via hex-encoded space %20.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1831::REFERENCE:CVE-2000-0671:DESCRIPTION:%00 (encoded null):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0671::REFERENCE:CVE-2004-0189:DESCRIPTION:%00 (encoded null):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0189::REFERENCE:CVE-2002-1291:DESCRIPTION:%00 (encoded null):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1291::REFERENCE:CVE-2002-1031:DESCRIPTION:%00 (encoded null):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1031::REFERENCE:CVE-2001-1140:DESCRIPTION:%00 (encoded null):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1140::REFERENCE:CVE-2004-0760:DESCRIPTION:%00 (encoded null):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0760::REFERENCE:CVE-2002-1025:DESCRIPTION:%00 (encoded null):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1025::REFERENCE:CVE-2002-1213:DESCRIPTION:%2f (encoded slash):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1213::REFERENCE:CVE-2004-0072:DESCRIPTION:%5c (encoded backslash) and %2e (encoded dot) sequences:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0072::REFERENCE:CVE-2004-0847:DESCRIPTION:%5c (encoded backslash):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0847::REFERENCE:CVE-2002-1575:DESCRIPTION:%0a (overlaps CRLF):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1575::","","","TAXONOMY NAME:PLOVER:ENTRY NAME:URL Encoding (Hex Encoding)::","::468::64::72::","",
  86. 178,"Improper Handling of Case Sensitivity",Base,Incomplete,"The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.","Improperly handled case sensitive data can lead to several possible consequences, including: case-insensitive passwords reducing the size of the key space, making brute force attacks easier; bypassing filters or access controls using alternate names; multiple interpretation errors using alternate names.","::NATURE:ChildOf:CWE ID:706:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:433:VIEW ID:1000::NATURE:CanPrecede:CWE ID:289:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2000-0499:DESCRIPTION:Application server allows attackers to bypass execution of a jsp page and read the source code using an upper case JSP extension in the request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0499::REFERENCE:CVE-2000-0497:DESCRIPTION:The server is case sensitive, so filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype text.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0497::REFERENCE:CVE-2000-0498:DESCRIPTION:The server is case sensitive, so filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype text.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0498::REFERENCE:CVE-2001-0766:DESCRIPTION:A URL that contains some characters whose case is not matched by the server's filters may bypass access restrictions because the case-insensitive file system will then handle the request after it bypasses the case sensitive filter.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0766::REFERENCE:CVE-2001-0795:DESCRIPTION:Server allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0795::REFERENCE:CVE-2001-1238:DESCRIPTION:Task Manager does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1238::REFERENCE:CVE-2003-0411:DESCRIPTION:chain: Code was ported from a case-sensitive Unix platform to a case-insensitive Windows platform where filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype text.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0411::REFERENCE:CVE-2002-0485:DESCRIPTION:Leads to interpretation error:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0485::REFERENCE:CVE-1999-0239:DESCRIPTION:Directories may be listed because lower case web requests are not properly handled by the server.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0239::REFERENCE:CVE-2005-0269:DESCRIPTION:File extension check in forum software only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0269::REFERENCE:CVE-2004-1083:DESCRIPTION:Web server restricts access to files in a case sensitive manner, but the filesystem accesses files in a case insensitive manner, which allows remote attackers to read privileged files using alternate capitalization.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1083::REFERENCE:CVE-2002-2119:DESCRIPTION:Case insensitive passwords lead to search space reduction.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2119::REFERENCE:CVE-2004-2214:DESCRIPTION:HTTP server allows bypass of access restrictions using URIs with mixed case.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2214::REFERENCE:CVE-2004-2154:DESCRIPTION:Mixed upper/lowercase allows bypass of ACLs.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2154::REFERENCE:CVE-2005-4509:DESCRIPTION:Bypass malicious script detection by using tokens that aren't case sensitive.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4509::REFERENCE:CVE-2002-1820:DESCRIPTION:Mixed case problem allows admin to have Admin rights (alternate name property).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1820::REFERENCE:CVE-2007-3365:DESCRIPTION:Chain: uppercase file extensions causes web server to return script source code instead of executing the script.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3365::","::File Processing","File or Directory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Case Sensitivity (lowercase, uppercase, mixed case)::","","TYPE:Research Gap:NOTE:These are probably under-studied in Windows and Mac environments, where file names are case-insensitive and thus are subject to equivalence manipulations involving case.::",
  87. 179,"Incorrect Behavior Order: Early Validation",Base,Incomplete,"The software validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.","Software needs to validate data at the proper time, after data has been canonicalized and cleansed. Early validation is susceptible to various manipulations that result in dangerous inputs that are produced by canonicalization and cleansing.","::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:693:VIEW ID:1000::NATURE:ChildOf:CWE ID:696:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Integrity:TECHNICAL IMPACT:Bypass Protection Mechanism Execute Unauthorized Code or Commands:NOTE:Access Control Integrity Bypass Protection Mechanism Execute Unauthorized Code or Commands An attacker could include dangerous input that bypasses validation protection mechanisms which can be used to launch various attacks including injection attacks, execute arbitrary code or cause other unintended behavior.::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-0433:DESCRIPTION:Product allows remote attackers to view restricted files via an HTTP request containing a * (wildcard or asterisk) character.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0433::REFERENCE:CVE-2003-0332:DESCRIPTION:Product modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0332::REFERENCE:CVE-2002-0802:DESCRIPTION:Database consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0802::REFERENCE:CVE-2000-0191:DESCRIPTION:Overlaps fakechild/../realchild:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0191::REFERENCE:CVE-2004-2363:DESCRIPTION:Product checks URI for < and other literal characters, but does it before hex decoding the URI, so %3E and other sequences are allowed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2363::REFERENCE:CVE-2002-0934:DESCRIPTION:Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a .. sequence.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0934::REFERENCE:CVE-2003-0282:DESCRIPTION:Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a .. sequence.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0282::","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Early Validation Errors::","::3::43::71::","TYPE:Research Gap:NOTE:These errors are mostly reported in path traversal vulnerabilities, but the concept applies whenever validation occurs.::",
  88. 180,"Incorrect Behavior Order: Validate Before Canonicalize",Base,Draft,"The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step.","This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.","::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:179:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-0433:DESCRIPTION:Product allows remote attackers to view restricted files via an HTTP request containing a * (wildcard or asterisk) character.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0433::REFERENCE:CVE-2003-0332:DESCRIPTION:Product modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0332::REFERENCE:CVE-2002-0802:DESCRIPTION:Database consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0802::REFERENCE:CVE-2000-0191:DESCRIPTION:Overlaps fakechild/../realchild:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0191::REFERENCE:CVE-2004-2363:DESCRIPTION:Product checks URI for < and other literal characters, but does it before hex decoding the URI, so %3E and other sequences are allowed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2363::","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Validate-Before-Canonicalize::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A1:ENTRY NAME:Unvalidated Input:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:IDS01-J:ENTRY NAME:Normalize strings before validating them::","::267::3::4::71::78::79::80::","TYPE:Relationship:NOTE:This overlaps other categories.::",
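Added example, not part of the CWE data above: the ordering point of CWE-180 (and CWE-179) applied to account names, where the alternate forms come from case (CWE-178, compare the "admin to have Admin rights" entry) and Unicode compatibility characters (CWE-176). The reserved-name set, the name pattern and the assumption that the user store compares on an NFKC-normalized, case-folded form are constructed for this illustration; the function names are not from any real product.

```python
import re
import unicodedata
from typing import Optional

# Constructed data: names the application reserves for itself, and the shape
# an account name must have once it is in canonical form.
RESERVED = {"admin", "root"}
NAME_RE = re.compile(r"[a-z0-9_.-]{3,32}")


def canonicalize(name: str) -> str:
    """The representation the user store (assumed here) actually compares on:
    NFKC folds compatibility characters such as fullwidth letters into their
    ASCII equivalents, casefold removes case distinctions."""
    return unicodedata.normalize("NFKC", name).casefold()


def register_vulnerable(name: str) -> Optional[str]:
    """CWE-180 ordering: validate the raw input, canonicalize afterwards.
    'Admin' and fullwidth 'ａdmin' pass the check, then are stored as 'admin'.
    Returns the name as stored, or None if rejected."""
    if name in RESERVED:
        return None
    return canonicalize(name)


def register_hardened(name: str) -> Optional[str]:
    """Canonicalize first, then validate the canonical form: the reserved-name
    check sees what the store will see, and the allowlist pattern rejects
    anything NFKC does not fold to the expected alphabet (format characters,
    other scripts, empty or over-long names)."""
    canonical = canonicalize(name)
    if canonical in RESERVED or not NAME_RE.fullmatch(canonical):
        return None
    return canonical
```

The pattern is applied to `canonical`, not to `name`: validating the raw string with the same regex would reject `Admin` for its capital letter but still let a later, more permissive code path canonicalize it, which is exactly the CWE-179 chain.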
  89. 181,"Incorrect Behavior Order: Validate Before Filter",Base,Draft,"The software validates data before it has been filtered, which prevents the software from detecting data that becomes invalid after the filtering step.","This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.","::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:179:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Validate-before-cleanse:DESCRIPTION:::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being filtered.::","::REFERENCE:CVE-2002-0934:DESCRIPTION:Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a .. sequence.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0934::REFERENCE:CVE-2003-0282:DESCRIPTION:Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a .. sequence.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0282::","::Protection Mechanism","","TAXONOMY NAME:PLOVER:ENTRY NAME:Validate-Before-Filter::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A1:ENTRY NAME:Unvalidated Input:MAPPING FIT:CWE More Specific::","::267::3::43::78::79::80::","TYPE:Research Gap:NOTE:This category is probably under-studied.::",
  90. 182,"Collapse of Data into Unsafe Value",Base,Draft,"The software filters data in a way that causes it to be reduced or collapsed into an unsafe value that violates an expected security property.","","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:33:VIEW ID:1000::NATURE:CanPrecede:CWE ID:34:VIEW ID:1000::NATURE:CanPrecede:CWE ID:35:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Canonicalize the name to match that of the file system's representation of the name. This can sometimes be achieved with an available API (e.g. in Win32 the GetFullPathName function).::","::REFERENCE:CVE-2004-0815:DESCRIPTION:/.//// in pathname collapses to absolute path.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0815::REFERENCE:CVE-2005-3123:DESCRIPTION:/.//..//////././ is collapsed into /.././ after .. and // sequences are removed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3123::REFERENCE:CVE-2002-0325:DESCRIPTION:.../...// collapsed to ... due to removal of ./ in web server.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0325::REFERENCE:CVE-2002-0784:DESCRIPTION:chain: HTTP server protects against .. but allows . variants such as ////./../.../. If the server removes /.. sequences, the result would collapse into an unsafe value ////../ (CWE-182).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0784::REFERENCE:CVE-2005-2169:DESCRIPTION:MFV. Regular expression intended to protect against directory traversal reduces .../...// to ../.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2169::REFERENCE:CVE-2001-1157:DESCRIPTION:XSS protection mechanism strips a <script> sequence that is nested in another <script> sequence.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1157::","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Collapse of Data into Unsafe Value::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:IDS11-J:ENTRY NAME:Eliminate noncharacter code points before validation::","","TYPE:Relationship:NOTE:Overlaps regular expressions, although an implementation might not necessarily use regexp's.::",
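Added example, not part of the CWE data above: the collapse of CWE-182 reproduced on a one-pass `../` stripper, which is the same shape as the ".../...// reduces to ../" entries listed for this weakness and the filter-then-trust ordering of CWE-181. The document root, the filter and the function names are constructed for this illustration; the hardened variant follows the mitigation text (canonicalize, validate the canonical result, reject rather than repair).

```python
import posixpath
from typing import Optional

# Constructed document root for this example; nothing on disk is accessed.
ROOT = "/srv/www/docs"


def strip_once(path: str) -> str:
    """CWE-182 shape (constructed filter): a single pass of removing '../'.
    '....//' loses the '../' from its middle and collapses to '../', so the
    filter manufactures the very sequence it was meant to remove."""
    return path.replace("../", "")


def strip_to_fixpoint(path: str) -> str:
    """Repeating the removal until nothing changes closes the collapse, but it
    is still repair rather than validation: it silently rewrites the request
    and does nothing about an absolute path or a null byte."""
    while True:
        stripped = path.replace("../", "")
        if stripped == path:
            return stripped
        path = stripped


def open_path_vulnerable(user_path: str) -> str:
    """CWE-181 ordering: filter, then trust the filtered value."""
    return posixpath.normpath(posixpath.join(ROOT, strip_once(user_path)))


def open_path_hardened(user_path: str) -> Optional[str]:
    """Canonicalize first, validate the canonical result, and reject instead
    of repairing. Returns the absolute path to open, or None."""
    if "\x00" in user_path or user_path.startswith("/"):
        return None
    full = posixpath.normpath(posixpath.join(ROOT, user_path))
    if full != ROOT and not full.startswith(ROOT + "/"):
        return None
    return full
```

Under the hardened check `....//etc/passwd` is just a request for a directory literally named `....`, which stays inside the root and fails to exist; `../etc/passwd` is rejected outright because the canonical path leaves the root. `posixpath` is used rather than `os.path` so the example behaves the same on every platform; a real server would additionally resolve symlinks (`os.path.realpath`) before the prefix comparison.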
  91. 183,"Permissive Whitelist",Base,Draft,"An application uses a whitelist of acceptable values, but the whitelist includes at least one unsafe value, leading to resultant weaknesses.","","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:697:VIEW ID:1000::NATURE:CanPrecede:CWE ID:434:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Permissive Whitelist::","::3::43::71::","",
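Added example, not part of the CWE data above: the three validation shapes discussed in these rows side by side on a page-include parameter, covering CWE-183 (an allowlist whose character class admits `../`) and the blacklist-versus-whitelist guidance in the mitigation text, with the missed `ftp` scheme and the case variant drawn from the observed examples in this section. The parameter, the template names and the function names are constructed for this illustration.

```python
import re
from typing import Optional

# Constructed example: a 'page' parameter that selects a template to include.
BLOCKED_PREFIXES = ("http://", "https://")      # blocklist of the remote schemes someone thought of
PERMISSIVE_RE = re.compile(r"[\w./-]+")          # reads like an allowlist, but admits '../'
TEMPLATES = {"home", "about", "contact"}         # the names the application actually ships


def include_blocklist(target: str) -> bool:
    """Accept unless the value starts with a blocked scheme. Misses every
    scheme not listed (ftp://) and every spelling not listed (HTTP://)."""
    return not target.startswith(BLOCKED_PREFIXES)


def include_permissive_allowlist(target: str) -> bool:
    """CWE-183 shape: accept any value drawn from a 'safe' character class.
    '.' and '/' are each harmless on their own; together they spell '../'."""
    return PERMISSIVE_RE.fullmatch(target) is not None


def include_strict_allowlist(target: str) -> Optional[str]:
    """Accept only an exact member of the known-good set. Unknown schemes,
    case variants and path tricks never need enumerating because nothing
    outside the set is accepted. Returns the template name, or None."""
    return target if target in TEMPLATES else None
```

The strict variant is the "accept known good" strategy the mitigation text describes: the decision is membership in a closed set, not the absence of known-bad substrings, so it does not have to be revisited each time a new scheme, encoding or case variant turns up.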
184,"Incomplete Blacklist",Base,Draft,"An application uses a blacklist of prohibited values, but the blacklist is incomplete.","If an incomplete blacklist is used as a security mechanism, then the software may allow unintended values to pass into the application logic.","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:1023:VIEW ID:1000::NATURE:ChildOf:CWE ID:693:VIEW ID:1003:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:79:VIEW ID:1000:CHAIN ID:692::NATURE:CanPrecede:CWE ID:78:VIEW ID:1000::NATURE:CanPrecede:CWE ID:434:VIEW ID:1000::NATURE:CanPrecede:CWE ID:98:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:Exploitation of incomplete blacklist weaknesses using the obvious manipulations might fail, but minor variations might succeed.::","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Combine use of blacklist with appropriate use of whitelists.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants.::","::REFERENCE:CVE-2005-2782:DESCRIPTION:PHP remote file inclusion in web application that filters http and https URLs, but not ftp.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2782REFERENCE:CVE-2004-0542:DESCRIPTION:Programming language does not filter certain shell metacharacters in Windows environment.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0542REFERENCE:CVE-2004-0595:DESCRIPTION:XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0595REFERENCE:CVE-2005-3287:DESCRIPTION:Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3287REFERENCE:CVE-2004-2351:DESCRIPTION:Resultant XSS from incomplete blacklist (only <script> and <style> are checked).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2351REFERENCE:CVE-2005-2959:DESCRIPTION:Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2959REFERENCE:CVE-2005-1824:DESCRIPTION:SQL injection protection scheme does not quote the special character.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1824REFERENCE:CVE-2005-2184:DESCRIPTION:Incomplete blacklist prevents user from automatically executing .EXE files, but allows .LNK, allowing resultant Windows symbolic link.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2184REFERENCE:CVE-2007-1343:DESCRIPTION:product doesn't protect one dangerous variable against external modification:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1343REFERENCE:CVE-2007-5727:DESCRIPTION:Chain: incomplete blacklist (CWE-184) only removes SCRIPT tags, enabling XSS (CWE-79):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5727REFERENCE:CVE-2006-4308:DESCRIPTION:Chain: incomplete blacklist (CWE-184) only checks javascript: tag, allowing XSS (CWE-79) using other tags:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4308REFERENCE:CVE-2007-3572:DESCRIPTION:Chain: incomplete blacklist for OS command injection:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3572REFERENCE:CVE-2002-0661:DESCRIPTION:not in blacklist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0661","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Incomplete Blacklist::","::15::174::182::3::43::6::71::73::85::","TYPE:Relationship:NOTE:An incomplete blacklist frequently produces resultant weaknesses. Some incomplete blacklist issues might arise from multiple interpretation errors, e.g. a blacklist for dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a blacklist for XSS manipulations might ignore an unusual construct that's supported by one web browser, but not others.::",
185,"Incorrect Regular Expression",Class,Draft,"The software specifies a regular expression in a way that causes data to be improperly matched or compared.","When the regular expression is used in protection mechanisms such as filtering or validation, this may allow an attacker to bypass the intended restrictions on the incoming data.","::NATURE:ChildOf:CWE ID:697:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:187:VIEW ID:1000::NATURE:CanPrecede:CWE ID:182:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Unexpected State Varies by Context:NOTE:Other Unexpected State Varies by Context When the regular expression is not correctly specified, data might have a different format or type than the rest of the program expects, producing resultant weaknesses or errors.::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism In PHP, regular expression checks can sometimes be bypassed with a null byte, leading to any number of weaknesses.::","","::PHASE:Architecture and Design:STRATEGY:Refactoring:EFFECTIVENESS::DESCRIPTION:Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject the regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor the regular expression.::","::REFERENCE:CVE-2002-2109:DESCRIPTION:Regexp isn't anchored to the beginning or end, which allows spoofed values that have trusted values as substrings.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2109REFERENCE:CVE-2005-1949:DESCRIPTION:Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1949REFERENCE:CVE-2001-1072:DESCRIPTION:Bypass access restrictions via multiple leading slash, which causes a regular expression to fail.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1072REFERENCE:CVE-2000-0115:DESCRIPTION:Local user DoS via invalid regular expressions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0115REFERENCE:CVE-2002-1527:DESCRIPTION:chain: Malformed input generates a regular expression error that leads to information exposure.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1527REFERENCE:CVE-2005-1061:DESCRIPTION:Certain strings are later used in a regexp, leading to a resultant crash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1061REFERENCE:CVE-2005-2169:DESCRIPTION:MFV. Regular expression intended to protect against directory traversal reduces .../...// to ../.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2169REFERENCE:CVE-2005-0603:DESCRIPTION:Malformed regexp syntax leads to information exposure in error message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0603REFERENCE:CVE-2005-1820:DESCRIPTION:Code injection due to improper quoting of regular expression.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1820REFERENCE:CVE-2005-3153:DESCRIPTION:Null byte bypasses PHP regexp check.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3153REFERENCE:CVE-2005-4155:DESCRIPTION:Null byte bypasses PHP regexp check.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4155","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Regular Expression Error::","::15::174::6::79::","TYPE:Relationship:NOTE:While there is some overlap with whitelist/blacklist problems, this entry is intended to deal with incorrectly written regular expressions, regardless of their intended use. Not every regular expression is intended for use as a whitelist or blacklist. In addition, whitelists and blacklists can be implemented using other mechanisms besides regular expressions.::::TYPE:Research Gap:NOTE:Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. However, they are rarely diagnosed at this level of detail.::",
186,"Overly Restrictive Regular Expression",Base,Draft,"A regular expression is overly restrictive, which prevents dangerous values from being detected.","","::NATURE:ChildOf:CWE ID:185:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:185:VIEW ID:699:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:184:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:183:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject your regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor your regular expression.::","::REFERENCE:CVE-2005-1604:DESCRIPTION:MIE. .php.ns bypasses .php$ regexp but is still parsed as PHP by Apache. (manipulates an equivalence property under Apache):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1604","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Overly Restrictive Regular Expression::","","TYPE:Relationship:NOTE:Can overlap whitelist/blacklist errors.::",
187,"Partial String Comparison",Variant,Incomplete,"The software performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.","For example, an attacker might succeed in authentication by providing a small password that matches the associated portion of the larger, correct password.","::NATURE:ChildOf:CWE ID:1023:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Access Control:TECHNICAL IMPACT:Alter Execution Logic Bypass Protection Mechanism::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.::","::REFERENCE:CVE-2014-6394:DESCRIPTION:Product does not prevent access to restricted directories due to partial string comparison with a public directory:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6394REFERENCE:CVE-2004-1012:DESCRIPTION:Argument parser of an IMAP server treats a partial command body[p as if it is body.peek, leading to index error and out-of-bounds corruption.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1012REFERENCE:CVE-2004-0765:DESCRIPTION:Web browser only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certificates.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0765REFERENCE:CVE-2002-1374:DESCRIPTION:One-character password by attacker checks only against first character of real password.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1374REFERENCE:CVE-2000-0979:DESCRIPTION:One-character password by attacker checks only against first character of real password.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0979","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Partial Comparison::","","TYPE:Relationship:NOTE:This is conceptually similar to other weaknesses, such as insufficient verification and regular expression errors. It is primary to some weaknesses.::",
188,"Reliance on Data/Memory Layout",Base,Draft,"The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.","When changing platforms or protocol versions, data may move in unintended ways. For example, some architectures may place local variables A and B right next to each other with A on top; some may place them next to each other with B on top; and others may add some padding to each. The padding size may vary to ensure that each variable is aligned to a proper word size. In protocol implementations, it is common to calculate an offset relative to another field to pick out a specific piece of data. Exceptional conditions, often involving new protocol versions, may add corner cases that change the data layout in an unusual way. The result can be that an implementation accesses an unintended field in the packet, treating data of one type as data of another type.","::NATURE:ChildOf:CWE ID:758:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:435:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Modify Memory Read Memory:NOTE:Integrity Confidentiality Modify Memory Read Memory Can result in unintended modifications or exposure of sensitive memory.::","","::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:In flat address space situations, never allow computing memory addresses as offsets from another memory address.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Fully specify protocol layout unambiguously, providing a structured grammar (e.g., a compilable yacc grammar).::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Testing: Test that the implementation properly handles each case in the protocol grammar.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Reliance on data layout::","","",
190,"Integer Overflow or Wraparound",Base,Incomplete,"The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.","An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc.","::NATURE:ChildOf:CWE ID:682:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:682:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:682:VIEW ID:1003:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:119:VIEW ID:1000:CHAIN ID:680::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Instability:NOTE:Availability DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Instability This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory:NOTE:Integrity Modify Memory If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.::SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Bypass Protection Mechanism:NOTE:Confidentiality Availability Access Control Execute Unauthorized Code or Commands Bypass Protection Mechanism This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:High:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.::METHOD:Black Box:EFFECTIVENESS:Moderate:DESCRIPTION:Sometimes, evidence of this weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Analysis:EFFECTIVENESS:High:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.::PHASE:Requirements:STRATEGY:Language Selection:EFFECTIVENESS::DESCRIPTION:Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Use libraries or frameworks that make it easier to handle numbers without unexpected consequences. Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. Use unsigned integers where possible. This makes it easier to perform sanity checks for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, not-a-number calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7] Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Implementation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS::DESCRIPTION:Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.::","::REFERENCE:CVE-2010-2753:DESCRIPTION:chain: integer overflow leads to use-after-free:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2753REFERENCE:CVE-2002-0391:DESCRIPTION:Integer overflow via a large number of arguments.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0391REFERENCE:CVE-2002-0639:DESCRIPTION:Integer overflow in OpenSSH as listed in the demonstrative examples.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0639REFERENCE:CVE-2005-1141:DESCRIPTION:Image with large width and height leads to integer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1141REFERENCE:CVE-2005-0102:DESCRIPTION:Length value of -1 leads to allocation of 0 bytes and resultant heap overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0102REFERENCE:CVE-2004-2013:DESCRIPTION:Length value of -1 leads to allocation of 0 bytes and resultant heap overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2013REFERENCE:CVE-2017-1000121:DESCRIPTION:chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000121","::Number ProcessingMemory ManagementCounters","","TAXONOMY NAME:PLOVER:ENTRY NAME:Integer overflow (wrap or wraparound)::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Integer Overflow::::TAXONOMY NAME:CLASP:ENTRY NAME:Integer overflow::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT18-C:ENTRY NAME:Evaluate integer expressions in a larger size before comparing or assigning to that size:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT30-C:ENTRY NAME:Ensure that unsigned integer operations do not wrap:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT32-C:ENTRY NAME:Ensure that operations on signed integers do not result in overflow:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT35-C:ENTRY NAME:Evaluate integer expressions in a larger size before comparing or assigning to that size::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM07-C:ENTRY NAME:Ensure that the arguments to calloc(), when multiplied, do not wrap:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM35-C:ENTRY NAME:Allocate sufficient memory for an object::::TAXONOMY NAME:WASC:ENTRY ID:3:ENTRY NAME:Integer Overflows::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","::92::","TYPE:Relationship:NOTE:Integer overflows can be primary to buffer overflows.::::TYPE:Terminology:NOTE:Integer overflow is sometimes used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context. Other confusion also arises because of the role that integer overflows have in chains.::",
191,"Integer Underflow (Wrap or Wraparound)",Base,Draft,"The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.","This can happen in signed and unsigned cases.","::NATURE:ChildOf:CWE ID:682:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:682:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:682:VIEW ID:1003:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Integer underflow:DESCRIPTION:Integer underflow is sometimes used to identify signedness errors in which an originally positive number becomes negative as a result of subtraction. However, there are cases of bad subtraction in which unsigned integers are involved, so it's not always a signedness issue. Integer underflow is occasionally used to describe array index errors in which the index is negative.::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Instability:NOTE:Availability DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Instability This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory:NOTE:Integrity Modify Memory If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.::SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Bypass Protection Mechanism:NOTE:Confidentiality Availability Access Control Execute Unauthorized Code or Commands Bypass Protection Mechanism This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.::","","","::REFERENCE:CVE-2004-0816:DESCRIPTION:Integer underflow in firewall via malformed packet.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0816REFERENCE:CVE-2004-1002:DESCRIPTION:Integer underflow by packet with invalid length.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1002REFERENCE:CVE-2005-0199:DESCRIPTION:Long input causes incorrect length calculation.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0199REFERENCE:CVE-2005-1891:DESCRIPTION:Malformed icon causes integer underflow in loop counter variable.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1891","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Integer underflow (wrap or wraparound)::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT30-C:ENTRY NAME:Ensure that unsigned integer operations do not wrap:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT32-C:ENTRY NAME:Ensure that operations on signed integers do not result in overflow:MAPPING FIT:Imprecise::","","TYPE:Research Gap:NOTE:Under-studied.::",
192,"Integer Coercion Error",Class,Incomplete,"Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.","Several flaws fall under the category of integer coercion errors. For the most part, these errors in and of themselves result only in availability and data integrity issues. However, in some circumstances, they may result in other, more complicated security related flaws, such as buffer overflow conditions.","::NATURE:ChildOf:CWE ID:681:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:682:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Crash, Exit, or Restart Integer coercion often leads to undefined states of execution resulting in infinite loops or crashes.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands In some cases, integer coercion errors can lead to exploitable buffer overflow conditions, resulting in the execution of arbitrary code.::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Integrity Other Other Integer coercion errors result in an incorrect value being stored for the variable in question.::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:A language which throws exceptions on ambiguous data casts might be chosen.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Design objects and program flow such that multiple or complex casts are unnecessary::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that any data type casting that you must use is entirely understood in order to reduce the plausibility of error in use.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Integer coercion error::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT02-C:ENTRY NAME:Understand integer conversion rules::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT05-C:ENTRY NAME:Do not use input functions to convert character data if they cannot handle all possible inputs::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT31-C:ENTRY NAME:Ensure that integer conversions do not result in lost or misinterpreted data:MAPPING FIT:Exact::","","TYPE:Maintenance:NOTE:Within C, it might be that coercion is semantically different than casting, possibly depending on whether the programmer directly specifies the conversion, or if the compiler does it implicitly. This has implications for the presentation of this node and others, such as CWE-681, and whether there is enough of a difference for these nodes to be split.::",
  100. 193,"Off-by-one Error",Base,Draft,"A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.","","::NATURE:ChildOf:CWE ID:682:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:682:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:617:VIEW ID:1000::NATURE:CanPrecede:CWE ID:170:VIEW ID:1000::NATURE:CanPrecede:CWE ID:119:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:off-by-five:DESCRIPTION:An off-by-five error was reported for sudo in 2002 (CVE-2002-0184), but that is more like a length calculation error.::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Instability:NOTE:Availability DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Instability This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory:NOTE:Integrity Modify Memory If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.::SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Bypass Protection Mechanism:NOTE:Confidentiality Availability Access Control Execute Unauthorized Code or Commands Bypass Protection Mechanism This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. 
This is usually outside the scope of a program's implicit security policy.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().::","::REFERENCE:CVE-2003-0252:DESCRIPTION:Off-by-one error allows remote attackers to cause a denial of service and possibly execute arbitrary code via requests that do not contain newlines.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0252REFERENCE:CVE-2001-1391:DESCRIPTION:Off-by-one vulnerability in driver allows users to modify kernel memory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1391REFERENCE:CVE-2002-0083:DESCRIPTION:Off-by-one error allows local users or remote malicious servers to gain privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0083REFERENCE:CVE-2002-0653:DESCRIPTION:Off-by-one buffer overflow in function used by server allows local users to execute arbitrary code as the server user via .htaccess files with long entries.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0653REFERENCE:CVE-2002-0844:DESCRIPTION:Off-by-one buffer overflow in version control system allows local users to execute arbitrary code.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0844REFERENCE:CVE-1999-1568:DESCRIPTION:Off-by-one error in FTP server allows a remote attacker to cause a denial of service (crash) via a long PORT command.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1568REFERENCE:CVE-2004-0346:DESCRIPTION:Off-by-one buffer overflow in FTP server allows local users to gain privileges via a 1024 byte RETR 
command.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0346REFERENCE:CVE-2004-0005:DESCRIPTION:Multiple buffer overflows in chat client allow remote attackers to cause a denial of service and possibly execute arbitrary code.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0005REFERENCE:CVE-2003-0356:DESCRIPTION:Multiple off-by-one vulnerabilities in product allow remote attackers to cause a denial of service and possibly execute arbitrary code.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0356REFERENCE:CVE-2001-1496:DESCRIPTION:Off-by-one buffer overflow in server allows remote attackers to cause a denial of service and possibly execute arbitrary code.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1496REFERENCE:CVE-2004-0342:DESCRIPTION:This is an interesting example that might not be an off-by-one.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0342REFERENCE:CVE-2001-0609:DESCRIPTION:An off-by-one enables a terminating null to be overwritten, which causes 2 strings to be merged and enable a format string.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0609REFERENCE:CVE-2002-1745:DESCRIPTION:Off-by-one error allows source code disclosure of files with 4 letter extensions that match an accepted 3-letter extension.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1745REFERENCE:CVE-2002-1816:DESCRIPTION:Off-by-one buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1816REFERENCE:CVE-2002-1721:DESCRIPTION:Off-by-one error causes an snprintf call to overwrite a critical internal variable with a null value.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1721REFERENCE:CVE-2003-0466:DESCRIPTION:Off-by-one error in function used in many products leads to a buffer overflow during pathname management, as demonstrated using multiple commands in an FTP 
server.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0466REFERENCE:CVE-2003-0625:DESCRIPTION:Off-by-one error allows read of sensitive memory via a malformed request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0625REFERENCE:CVE-2006-4574:DESCRIPTION:Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4574","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Off-by-one Error::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR31-C:ENTRY NAME:Guarantee that storage for strings has sufficient space for character data and the null terminator::","","TYPE:Relationship:NOTE:This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc.::::TYPE:Research Gap:NOTE:Under-studied. It requires careful code analysis or black box testing, where inputs of excessive length might not cause an error. Off-by-ones are likely triggered by extensive fuzzing, with the attendant diagnostic problems.::",
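An added example for the CWE-193 entry above, not code from the CWE database: the mitigation text says the size check must account for the null terminator, and this is the bug in its most common shape. The length check below accepts a string of exactly as many characters as the destination has bytes, so the copy writes the terminating NUL one byte past the end. The corrected check is shown beside it, and the copy runs into a field with one spare sentinel byte so the demonstration itself does not corrupt memory. The 16-byte field and the function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* bytes of storage for the field, NUL included (assumed) */

/* Bytes a copy of src actually writes: the characters plus the NUL. */
static size_t bytes_written_by_copy(const char *src)
{
    return strlen(src) + 1;
}

/* Vulnerable check: forgets the terminator, so a string of exactly dstsz
 * characters is accepted and the copy writes one byte past dst. */
static int fits_vuln(size_t dstsz, const char *src)
{
    return strlen(src) <= dstsz;          /* BUG: off by one */
}

/* Corrected check. Written as strlen(src) < dstsz rather than
 * strlen(src) + 1 <= dstsz so it cannot wrap when dstsz is 0. */
static int fits_safe(size_t dstsz, const char *src)
{
    return strlen(src) < dstsz;
}

/* Copy guarded by the chosen check. Returns 0 on success, -1 if rejected. */
static int copy_name(char *dst, size_t dstsz, const char *src,
                     int (*fits)(size_t, const char *))
{
    if (!fits(dstsz, src))
        return -1;
    memcpy(dst, src, strlen(src) + 1);    /* same byte count as strcpy */
    return 0;
}

/* Run the copy into a NAME_LEN field with a sentinel byte just past it.
 * Returns 0 = rejected, 1 = copied in bounds, 2 = copied and sentinel overwritten. */
static int copy_outcome(const char *src, int (*fits)(size_t, const char *))
{
    char field[NAME_LEN + 1];
    memset(field, 'X', sizeof field);     /* field[NAME_LEN] is the sentinel */
    if (copy_name(field, NAME_LEN, src, fits) != 0)
        return 0;
    return field[NAME_LEN] == 'X' ? 1 : 2;
}

int main(void)
{
    /* Constructed input: 16 characters for a 16-byte field. */
    const char *name = "AAAAAAAAAAAAAAAA";
    printf("copy needs %zu bytes, field has %d\n", bytes_written_by_copy(name), NAME_LEN);
    printf("vulnerable check: outcome %d (2 = wrote past the field)\n", copy_outcome(name, fits_vuln));
    printf("corrected check:  outcome %d (0 = rejected)\n", copy_outcome(name, fits_safe));
    return 0;
}
```

The same shape appears with strncpy(dst, src, sizeof dst) when src is at least sizeof dst long: no overflow, but no terminator either, and the next strlen or printf reads past the field; the fix is the same, leave room for the NUL and check before copying.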
194,"Unexpected Sign Extension",Base,Incomplete,"The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.","","::NATURE:ChildOf:CWE ID:681:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:681:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Read Memory Modify Memory Other:NOTE:Integrity Confidentiality Availability Other Read Memory Modify Memory Other When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application's allowable range.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform sanity checks after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.::","::REFERENCE:CVE-1999-0234:DESCRIPTION:Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0234REFERENCE:CVE-2003-0161:DESCRIPTION:Product uses char type for input character. 
When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0161REFERENCE:CVE-2007-4988:DESCRIPTION:chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4988REFERENCE:CVE-2006-1834:DESCRIPTION:chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1834REFERENCE:CVE-2005-2753:DESCRIPTION:Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2753","","","TAXONOMY NAME:CLASP:ENTRY NAME:Sign extension error::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT31-C:ENTRY NAME:Ensure that integer conversions do not result in lost or misinterpreted data:MAPPING FIT:CWE More Specific::","","TYPE:Relationship:NOTE:Sign extension errors can lead to buffer overflows and other memory-based problems. They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation.::::TYPE:Maintenance:NOTE:This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE.::",
195,"Signed to Unsigned Conversion Error",Variant,Draft,"The software uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive cannot be represented using an unsigned primitive.","It is dangerous to rely on implicit casts between signed and unsigned numbers because the result can take on an unexpected value and violate assumptions made by the program. Often, functions will return negative values to indicate a failure. When the result of a function is to be used as a size parameter, using these negative return values can have unexpected results. For example, if negative size values are passed to the standard memory copy or allocation functions they will be implicitly cast to a large unsigned value. This may lead to an exploitable buffer overflow or underflow condition.","::NATURE:ChildOf:CWE ID:681:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:681:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:119:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State:NOTE:Integrity Unexpected State Conversion between signed and unsigned values can lead to a variety of errors, but from a security standpoint is most commonly associated with integer overflow and buffer overflow vulnerabilities.::","","","::REFERENCE:CVE-2007-4268:DESCRIPTION:Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4268","","","TAXONOMY NAME:CLASP:ENTRY NAME:Signed to unsigned conversion error::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT31-C:ENTRY NAME:Ensure that integer conversions do not result in lost or misinterpreted 
data:MAPPING FIT:CWE More Specific::","","",
196,"Unsigned to Signed Conversion Error",Variant,Draft,"The software uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive cannot be represented using a signed primitive.","Although less frequent an issue than signed-to-unsigned conversion, unsigned-to-signed conversion can be the perfect precursor to dangerous buffer underwrite conditions that allow attackers to move down the stack where they otherwise might not have access in a normal buffer overflow condition. Buffer underwrites occur frequently when large unsigned values are cast to signed values, and then used as indexes into a buffer or for pointer arithmetic.","::NATURE:ChildOf:CWE ID:681:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:681:VIEW ID:699:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:124:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:120:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart Incorrect sign conversions generally lead to undefined behavior, and therefore crashes.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory:NOTE:Integrity Modify Memory If a poor cast leads to a buffer overflow or similar condition, data integrity may be affected.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Bypass Protection Mechanism:NOTE:Integrity Confidentiality Availability Access Control Execute Unauthorized Code or Commands Bypass Protection Mechanism Improper unsigned-to-signed conversions without proper checking can sometimes trigger buffer overflows which can be used to execute arbitrary code. 
This is usually outside the scope of a program's implicit security policy.::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Choose a language which is not subject to these casting flaws.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Design object accessor functions to implicitly check values for valid sizes. Ensure that all function return values which will be used as a size are checked prior to such use. If the language permits, throw exceptions rather than using in-band errors.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Error check the return values of all functions. Be aware of implicit casts made, and use unsigned variables for sizes if at all possible.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Unsigned to signed conversion error::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","::92::","",
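An added example covering the three related entries above, CWE-194 (sign extension), CWE-195 (signed to unsigned) and CWE-196 (unsigned to signed); it is illustration, not code from the CWE database or from any of the products cited. Each mistake is written the way it usually appears in parsing code, next to the check that prevents it: widening an input byte through a signed char (the CVE-2003-0161 pattern, where 0xFF becomes the -1 the parser reserved as a separator), comparing a signed length in the signed domain and then handing it to a size_t parameter, and storing a 32-bit unsigned offset in an int before bounds-checking it. The function names and the limits (64) are assumptions. The out-of-range unsigned-to-signed conversion is implementation-defined in C; the values asserted are what GCC and Clang produce on two's-complement targets.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CWE-194: an input byte read through char, then widened to int. When char
 * is signed (the default on x86), 0xFF widens to -1, which a parser may have
 * reserved as an error or separator value. */
static int widen_via_signed_char(uint8_t byte)
{
    signed char c = (signed char)byte;  /* stands in for plain char on signed-char ABIs */
    return c;                           /* sign-extended: 0xFF -> -1 */
}

static int widen_via_unsigned_char(uint8_t byte)
{
    unsigned char c = byte;
    return c;                           /* zero-extended: 0xFF -> 255 */
}

/* CWE-195: a signed length checked in the signed domain, then passed to a
 * function taking size_t. -1 passes "len > limit" and becomes SIZE_MAX at
 * the call site (e.g. memcpy(dst, src, len)). */
static int length_accepted_vuln(int len, int limit)
{
    return !(len > limit);              /* BUG: a negative len is never rejected */
}

static int length_accepted_safe(int len, int limit)
{
    return len >= 0 && len <= limit;    /* reject negatives before any unsigned use */
}

static size_t as_size_t(int len)
{
    return (size_t)len;                 /* what the size_t parameter actually receives */
}

/* CWE-196: a 32-bit unsigned offset from the wire stored in an int and then
 * bounds-checked as an int. Values above INT_MAX come out negative, so the
 * "upper bound" check passes and buf[idx] addresses memory before the buffer. */
static int offset_as_int(uint32_t off)
{
    return (int)off;                    /* 0xFFFFFFF0 -> -16 on two's-complement targets */
}

static int index_accepted_vuln(uint32_t off, int buflen)
{
    int idx = (int)off;
    return idx < buflen;                /* BUG: -16 < 64 is true */
}

static int index_accepted_safe(uint32_t off, size_t buflen)
{
    return off < buflen;                /* compare unsigned with unsigned; never narrow */
}

int main(void)
{
    printf("0xFF via signed char: %d, via unsigned char: %d\n",
           widen_via_signed_char(0xFF), widen_via_unsigned_char(0xFF));
    printf("len=-1, limit=64: vulnerable check %s, safe check %s; as size_t = %zu\n",
           length_accepted_vuln(-1, 64) ? "accepts" : "rejects",
           length_accepted_safe(-1, 64) ? "accepts" : "rejects", as_size_t(-1));
    printf("off=0xFFFFFFF0 as int: %d; index check vulnerable %s, safe %s\n",
           offset_as_int(0xFFFFFFF0u),
           index_accepted_vuln(0xFFFFFFF0u, 64) ? "accepts" : "rejects",
           index_accepted_safe(0xFFFFFFF0u, 64) ? "accepts" : "rejects");
    return 0;
}
```

Compiling with -Wsign-compare and -Wconversion flags most of these sites; the signed-domain length check is the one warnings do not catch, because nothing in it is mixed-sign until the later call.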
197,"Numeric Truncation Error",Base,Incomplete,"Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.","When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred.","::NATURE:ChildOf:CWE ID:681:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:681:VIEW ID:699:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:195:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:196:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:192:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:194:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory:NOTE:Integrity Modify Memory The true value of the data is lost and corrupted data is used.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that no casts, implicit or explicit, take place that move from a larger size primitive to a smaller size primitive unless the value has first been checked to fit in the smaller type.::","::REFERENCE:CVE-2009-0231:DESCRIPTION:Integer truncation of length value leads to heap-based buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0231REFERENCE:CVE-2008-3282:DESCRIPTION:Size of a particular type changes for 64-bit platforms, leading to an integer truncation in a document processor that causes an incorrect index to be 
generated.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3282","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Numeric truncation error::::TAXONOMY NAME:CLASP:ENTRY NAME:Truncation error::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO34-C:ENTRY NAME:Distinguish between characters read from a file and EOF or WEOF:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FLP34-C:ENTRY NAME:Ensure that floating point conversions are within range of the new type:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT02-C:ENTRY NAME:Understand integer conversion rules::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT05-C:ENTRY NAME:Do not use input functions to convert character data if they cannot handle all possible inputs::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT31-C:ENTRY NAME:Ensure that integer conversions do not result in lost or misinterpreted data:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:NUM12-J:ENTRY NAME:Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","TYPE:Research Gap:NOTE:This weakness has traditionally been under-studied and under-reported, although vulnerabilities in popular software have been published in 2008 and 2009.::",
198,"Use of Incorrect Byte Ordering",Base,Draft,"The software receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.","","::NATURE:ChildOf:CWE ID:188:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:Because byte ordering bugs are usually very noticeable even with normal inputs, this bug is more likely to occur in rarely triggered error conditions, making it difficult to detect using black box methods.::","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Numeric Byte Ordering Error::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO12-J:ENTRY NAME:Provide methods to read and write little-endian data::","","TYPE:Research Gap:NOTE:Under-reported.::",
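An added example serving the CWE-197 and CWE-198 entries above (illustration, not code from the CWE database or from the products cited): parsing one length field from a constructed packet shows both mistakes in the place they usually meet. Reading the big-endian wire bytes through memcpy into a host-order integer (CWE-198) gives a different number on little-endian and big-endian hosts, and storing the 32-bit result in a 16-bit header field (CWE-197) silently drops the high bits, so an allocation sized from the header is far smaller than the copy driven by the original value, the CVE-2009-0231 pattern. The packet layout, the struct and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed packet: 4-byte big-endian length, then payload. The length
 * 0x00010004 (65540) is deliberately just above UINT16_MAX. */
static const uint8_t packet[8] = { 0x00, 0x01, 0x00, 0x04, 'd', 'a', 't', 'a' };

static int host_is_little_endian(void)
{
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* CWE-198, vulnerable: reinterpret the wire bytes as a host-order integer.
 * On a little-endian host 00 01 00 04 reads back as 0x04000100. */
static uint32_t read_len_hostorder(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Correct: assemble the value byte by byte, so the result does not depend
 * on the host (equivalent to memcpy followed by ntohl, but portable). */
static uint32_t be32_read(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void be32_write(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

static int be32_roundtrip_ok(uint32_t v)
{
    uint8_t b[4];
    be32_write(b, v);
    return be32_read(b) == v;
}

/* CWE-197, vulnerable: the parsed length is copied into a uint16_t header
 * field. 65540 becomes 4, so a buffer sized from hdr.len holds 4 bytes while
 * a later copy driven by the original 32-bit value moves 65540. */
struct hdr { uint16_t len; };

static uint16_t store_len_truncating(uint32_t len)
{
    struct hdr h;
    h.len = (uint16_t)len;      /* implicit in real code; made explicit here */
    return h.len;
}

/* Correct: range-check before narrowing and refuse what does not fit. */
static int store_len_checked(uint32_t len, uint16_t *out)
{
    if (len > UINT16_MAX)
        return -1;
    *out = (uint16_t)len;
    return 0;
}

static int len_fits_u16(uint32_t len)
{
    uint16_t t;
    return store_len_checked(len, &t) == 0;
}

int main(void)
{
    uint32_t wire = be32_read(packet);
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("length in host order: 0x%08x, decoded as big-endian: %u\n",
           read_len_hostorder(packet), wire);
    printf("stored in uint16_t: %u (truncated); checked store %s\n",
           store_len_truncating(wire), len_fits_u16(wire) ? "accepts" : "rejects");
    return 0;
}
```

The memcpy reader is the hard one to catch in testing: on a big-endian host it is correct, and on a little-endian host it fails only for lengths whose byte pattern is not symmetric, which is most of them but none of the small round numbers a unit test tends to use.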
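Ahead of the CWE-20 entry that follows, an added example of the "accept known good" validation its mitigations describe (illustration, not code from the CWE database): convert the input to the expected type, then check that the converted value is in range, and check string values against an allowlist rather than a blacklist. The ID validator applies a character allowlist before calling strtol, because strtol on its own accepts leading whitespace, a sign and trailing text, all of which have to be rejected for the value to be canonical; the colour allowlist is the entry's own "boat is alphanumeric but not a colour" case. The nine-digit limit, the colour list and the function names are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ID_MAX_DIGITS 9      /* assumed business rule: IDs are 1..999999999 */

/* Accept-known-good check for a numeric ID. Returns 0 and stores the value,
 * or -1. Rejects the empty string, over-long input, leading zeros, anything
 * that is not an ASCII digit (signs, spaces, "0x", trailing text) and
 * out-of-range values. The errno/endptr checks after strtol are redundant
 * once the allowlist has run, and are kept as defence in depth. */
static int validate_id(const char *s, long *out)
{
    size_t n = strlen(s);
    char *end;
    long v;

    if (n == 0 || n > ID_MAX_DIGITS)
        return -1;
    if (s[0] == '0')                       /* "0" and "007" are not canonical IDs */
        return -1;
    for (size_t i = 0; i < n; i++)
        if (s[i] < '0' || s[i] > '9')      /* digits only; locale-independent */
            return -1;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < 1)
        return -1;
    *out = v;
    return 0;
}

/* Convenience wrapper: the ID, or -1 if rejected. */
static long id_value(const char *s)
{
    long v;
    return validate_id(s, &v) == 0 ? v : -1;
}

/* A value allowlist: "boat" is syntactically fine but not a colour. The
 * match is exact and case-sensitive; if case-folding is wanted, normalise
 * first and validate the normalised form, never the other way round. */
static const char *const colours[] = { "red", "green", "blue" };

static int validate_colour(const char *s)
{
    for (size_t i = 0; i < sizeof colours / sizeof colours[0]; i++)
        if (strcmp(s, colours[i]) == 0)
            return 0;
    return -1;
}

int main(void)
{
    /* Constructed inputs: one benign, the rest shapes an allowlist must refuse. */
    const char *ids[] = { "12345", "12abc", "-1", " 42", "0x1A", "007", "1000000000", "" };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++)
        printf("id \"%s\": %s\n", ids[i], id_value(ids[i]) >= 0 ? "accepted" : "rejected");
    printf("colour \"red\": %s, \"boat\": %s\n",
           validate_colour("red") == 0 ? "accepted" : "rejected",
           validate_colour("boat") == 0 ? "accepted" : "rejected");
    return 0;
}
```

Validating the converted value rather than the string is what makes the range check meaningful; validating the string first is what keeps the converter from being handed input it was never specified for.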
20,"Improper Input Validation",Class,Usable,"The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.","When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:693:VIEW ID:1003:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:22:VIEW ID:1000::NATURE:CanPrecede:CWE ID:41:VIEW ID:1000::NATURE:CanPrecede:CWE ID:74:VIEW ID:1000::NATURE:CanPrecede:CWE ID:119:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory):NOTE:Availability DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) An attacker could provide unexpected values and cause a program crash or excessive consumption of resources, such as memory and CPU.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory Read Files or Directories:NOTE:Confidentiality Read Memory Read Files or Directories An attacker could read confidential data if they are able to control resource references.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Modify Memory Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Modify Memory Execute Unauthorized Code or Commands An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.::","::METHOD:Automated Static 
Analysis:EFFECTIVENESS::DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::METHOD:Manual Static Analysis:EFFECTIVENESS::DESCRIPTION:When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to ensure that the validation is properly implemented.::METHOD:Fuzzing:EFFECTIVENESS::DESCRIPTION:Fuzzing techniques can be useful for detecting input validation errors. When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. 
If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Host Application Interface Scanner Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code 
Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling::","::PHASE:Architecture and Design:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Use an input validation framework such as Struts or the OWASP ESAPI Validation API. If you use Struts, be mindful of weaknesses covered by the CWE-101 category.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use an input validation framework such as Struts or the OWASP ESAPI Validation API. If you use Struts, be mindful of weaknesses covered by the CWE-101 category.::PHASE:Architecture and Design Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. 
As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When your application combines data from multiple sources, perform the validation after the sources have been combined. 
The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control. Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. 
Explicitly set the encoding you are using whenever the protocol allows you to do so.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::","::REFERENCE:CVE-2008-5305:DESCRIPTION:Eval injection in Perl program using an ID that should only contain hyphens and numbers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5305REFERENCE:CVE-2008-2223:DESCRIPTION:SQL injection through an ID that was supposed to be numeric.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2223REFERENCE:CVE-2008-3477:DESCRIPTION:lack of input validation in spreadsheet program leads to buffer overflows, integer overflows, array index errors, and memory corruption.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3477REFERENCE:CVE-2008-3843:DESCRIPTION:insufficient validation enables XSS:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3843REFERENCE:CVE-2008-3174:DESCRIPTION:driver in security product allows code execution due to insufficient validation:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3174REFERENCE:CVE-2007-3409:DESCRIPTION:infinite loop from DNS packet with a label that points to itself:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3409REFERENCE:CVE-2006-6870:DESCRIPTION:infinite loop from DNS packet with a label that points to 
itself:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6870REFERENCE:CVE-2008-1303:DESCRIPTION:missing parameter leads to crash:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1303REFERENCE:CVE-2007-5893:DESCRIPTION:HTTP request with missing protocol version number leads to crash:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5893REFERENCE:CVE-2006-6658:DESCRIPTION:request with missing parameters leads to information exposure:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6658REFERENCE:CVE-2008-4114:DESCRIPTION:system crash with offset value that is inconsistent with packet size:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4114REFERENCE:CVE-2006-3790:DESCRIPTION:size field that is inconsistent with packet size leads to buffer over-read:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3790REFERENCE:CVE-2008-2309:DESCRIPTION:product uses a blacklist to identify potentially dangerous content, allowing attacker to bypass a warning:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2309REFERENCE:CVE-2008-3494:DESCRIPTION:security bypass via an extra header:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3494REFERENCE:CVE-2006-5462:DESCRIPTION:use of extra data in a signature allows certificate signature forging:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5462REFERENCE:CVE-2008-3571:DESCRIPTION:empty packet triggers reboot:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3571REFERENCE:CVE-2006-5525:DESCRIPTION:incomplete blacklist allows SQL injection:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5525REFERENCE:CVE-2008-1284:DESCRIPTION:NUL byte in theme name cause directory traversal impact to be worse:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1284REFERENCE:CVE-2008-0600:DESCRIPTION:kernel does not validate an incoming pointer before dereferencing 
it:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0600REFERENCE:CVE-2008-1738:DESCRIPTION:anti-virus product has insufficient input validation of hooked SSDT functions, allowing code execution:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1738REFERENCE:CVE-2008-1737:DESCRIPTION:anti-virus product allows DoS via zero-length field:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1737REFERENCE:CVE-2008-3464:DESCRIPTION:driver does not validate input from userland to the kernel:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3464REFERENCE:CVE-2008-2252:DESCRIPTION:kernel does not validate parameters sent in from userland, allowing code execution:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2252REFERENCE:CVE-2008-2374:DESCRIPTION:lack of validation of string length fields allows memory consumption or buffer over-read:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2374REFERENCE:CVE-2008-1440:DESCRIPTION:lack of validation of length field leads to infinite loop:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1440REFERENCE:CVE-2008-1625:DESCRIPTION:lack of validation of input to an IOCTL allows code execution:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1625REFERENCE:CVE-2008-3177:DESCRIPTION:zero-length attachment causes crash:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3177REFERENCE:CVE-2007-2442:DESCRIPTION:zero-length input causes free of uninitialized pointer:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442REFERENCE:CVE-2008-5563:DESCRIPTION:crash via a malformed frame structure:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5563REFERENCE:CVE-2008-5285:DESCRIPTION:infinite loop from a long SMTP request:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5285REFERENCE:CVE-2008-3812:DESCRIPTION:router crashes with a malformed 
packet:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3812REFERENCE:CVE-2008-3680:DESCRIPTION:packet with invalid version number leads to NULL pointer dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3680REFERENCE:CVE-2008-3660:DESCRIPTION:crash via multiple . characters in file extension:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Input validation and representation::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A1:ENTRY NAME:Unvalidated Input:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ERR07-C:ENTRY NAME:Prefer functions that support error checking over equivalent functions that don't::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO30-C:ENTRY NAME:Exclude user input from format strings:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM10-C:ENTRY NAME:Define and use a pointer validation function::::TAXONOMY NAME:WASC:ENTRY ID:20:ENTRY NAME:Improper Input Handling::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP25:ENTRY NAME:Tainted input to variable::","::10::101::104::108::109::110::13::135::136::14::182::209::22::230::231::24::250::267::28::3::31::42::43::45::46::47::473::484::52::53::588::591::592::63::64::66::67::7::71::72::73::78::79::8::80::81::83::85::88::9::99::","TYPE:Relationship:NOTE:CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. 
The name O'Reilly would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the ' apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.::::TYPE:Applicable Platform:NOTE:Input validation can be a problem in any system that receives data from an external source.::::TYPE:Maintenance:NOTE:Input validation - whether missing or incorrect - is such an essential and widespread part of secure development that it is implicit in many different weaknesses. Traditionally, problems such as buffer overflows and XSS have been classified as input validation problems by many security professionals. However, input validation is not necessarily the only protection mechanism available for avoiding such problems, and in some cases it is not even sufficient. The CWE team has begun capturing these subtleties in chains within the Research Concepts view (CWE-1000), but more work is needed.::::TYPE:Terminology:NOTE:The input validation term is extremely common, but it is used in many different ways. In some cases its usage can obscure the real underlying weakness or otherwise hide chaining and composite relationships. Some people use input validation as a general term that covers many different neutralization techniques for ensuring that input is appropriate, such as filtering, canonicalization, and escaping. Others use the term in a more narrow context to simply mean checking if an input conforms to expectations without changing it.::::TYPE:Research Gap:NOTE:There is not much research into the classification of input validation techniques and their application. 
Many publicly-disclosed vulnerabilities simply characterize a problem as input validation without providing more specific details that might contribute to a deeper understanding of validation techniques and the weaknesses they can prevent or reduce. Validation is over-emphasized in contrast to other neutralization techniques such as filtering and enforcement by conversion. See the vulnerability theory paper.::",
200,"Information Exposure",Class,Incomplete,"An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.","The information either is regarded as sensitive within the product's own functionality, such as a private message; or provides information about the product or its environment that could be useful in an attack but is normally not available to the attacker, such as the installation path of a product that is remotely accessible. Many information exposures are resultant (e.g. PHP script error revealing the full path of the program), but they can also be primary (e.g. timing discrepancies in cryptography). There are many different types of problems that involve information exposures. Their severity can range widely depending on the type of information that is revealed.","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:668:VIEW ID:1003:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","::TERM:Information Leak:DESCRIPTION:This is a frequently used term; however, the leak term has multiple uses within security. In some cases it deals with exposure of information, but in other cases (such as memory leak) this deals with improper tracking of resources which can lead to exhaustion. As a result, CWE is actively avoiding usage of the leak term.::TERM:Information Disclosure:DESCRIPTION:This term is frequently used in vulnerability databases and other sources; however, disclosure does not always have security implications. 
The phrase information disclosure is also used frequently in policies and legal documents, but does not refer to disclosure of security-relevant information.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Inter-application Flow Analysis::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost 
effective for partial coverage: Attack Modeling Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Information Leak (information disclosure)::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A6:ENTRY NAME:Information Leakage and Improper Error Handling:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:13:ENTRY NAME:Information Leakage::","::116::117::13::169::22::224::472::59::60::616::79::","",
201,"Information Exposure Through Sent Data",Variant,Draft,"The accidental exposure of sensitive information through sent data refers to the transmission of data which is either sensitive in and of itself or useful in the further exploitation of the system through standard data channels.","","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:209:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:202:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories Read Memory Read Application Data:NOTE:Confidentiality Read Files or Directories Read Memory Read Application Data Sensitive data may be exposed to attackers.::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Specify which data in the software should be regarded as sensitive. Consider which types of users should have access to which types of data.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Set up default error messages so that unexpected errors do not disclose sensitive information.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. 
Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Accidental leaking of sensitive information through sent data::","::12::217::612::613::618::619::621::622::623::","",
202,"Exposure of Sensitive Data Through Data Queries",Variant,Draft,"When a product tries to keep information confidential, an attacker can often infer some of the information by using statistics.","In situations where data should not be tied to individual users, but a large number of users should be able to make queries that scrub the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.","::NATURE:ChildOf:CWE ID:359:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories Read Application Data:NOTE:Confidentiality Read Files or Directories Read Application Data Sensitive information may possibly be leaked through data queries accidentally.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:This is a complex topic. See the book Translucent Databases for a good discussion of best practices.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Accidental leaking of sensitive information through data queries::","","",
203,"Information Exposure Through Discrepancy",Class,Incomplete,"The product behaves differently or sends different responses in a way that exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.","","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Access Control:TECHNICAL IMPACT:Read Application Data Bypass Protection Mechanism:NOTE:Confidentiality Access Control Read Application Data Bypass Protection Mechanism An attacker can gain access to sensitive information about the system, including authentication information that may allow an attacker to gain access to the system.::","","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that error messages only contain minimal details that are useful to the intended audience, and nobody else. The messages need to strike the balance between being too cryptic and not being cryptic enough. They should not necessarily reveal the methods that were used to determine the error. 
Such detailed information can be used to refine the original attack to increase the chances of success. If errors must be tracked in some detail, capture them in log messages - but consider what could occur if the log messages can be viewed by attackers. Avoid recording highly sensitive information such as passwords in any form. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not.::","::REFERENCE:CVE-2002-2094:DESCRIPTION:This, and others, use .. attacks and monitor error responses, so there is overlap with directory traversal.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2094REFERENCE:CVE-2001-1483:DESCRIPTION:Enumeration of valid usernames based on inconsistent responses:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1483REFERENCE:CVE-2001-1528:DESCRIPTION:Account number enumeration via inconsistent responses.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1528REFERENCE:CVE-2004-2150:DESCRIPTION:User enumeration via discrepancies in error messages.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2150REFERENCE:CVE-2005-1650:DESCRIPTION:User enumeration via discrepancies in error messages.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1650REFERENCE:CVE-2004-0294:DESCRIPTION:Bulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0294REFERENCE:CVE-2004-0243:DESCRIPTION:Operating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0243REFERENCE:CVE-2002-0514:DESCRIPTION:Product allows remote attackers to determine if a port is 
being filtered because the response packet TTL is different than the default TTL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0514REFERENCE:CVE-2002-0515:DESCRIPTION:Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0515REFERENCE:CVE-2001-1387:DESCRIPTION:Product may generate different responses than specified by the administrator, possibly leading to an information leak.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1387REFERENCE:CVE-2004-0778:DESCRIPTION:Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0778REFERENCE:CVE-2004-1428:DESCRIPTION:FTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1428REFERENCE:CVE-2003-0078:DESCRIPTION:SSL implementation does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the Vaudenay timing attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0078REFERENCE:CVE-2000-1117:DESCRIPTION:Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource 
method.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1117REFERENCE:CVE-2003-0637:DESCRIPTION:Product uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0637REFERENCE:CVE-2003-0190:DESCRIPTION:Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190REFERENCE:CVE-2004-1602:DESCRIPTION:FTP server responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1602REFERENCE:CVE-2005-0918:DESCRIPTION:Browser allows remote attackers to determine the existence of arbitrary files by setting the src property to the target filename and using Javascript to determine if the web page immediately stops loading, which indicates whether the file exists or not.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0918","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Discrepancy Information Leaks::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A6:ENTRY NAME:Information Leakage and Improper Error Handling:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A7:ENTRY NAME:Improper Error Handling:MAPPING FIT:CWE More Specific::","","",
204,"Response Discrepancy Information Exposure",Base,Incomplete,"The software provides different responses to incoming requests in a way that allows an actor to determine system state information that is outside of that actor's control sphere.","This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can be inadvertent (bug) or intentional (design).","::NATURE:ChildOf:CWE ID:203:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:203:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Access Control:TECHNICAL IMPACT:Read Application Data Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that error messages only contain minimal details that are useful to the intended audience, and nobody else. The messages need to strike the balance between being too cryptic and not being cryptic enough. They should not necessarily reveal the methods that were used to determine the error. 
Such detailed information can be used to refine the original attack to increase the chances of success. If errors must be tracked in some detail, capture them in log messages - but consider what could occur if the log messages can be viewed by attackers. Avoid recording highly sensitive information such as passwords in any form. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not.::","::REFERENCE:CVE-2002-2094:DESCRIPTION:This, and others, use .. attacks and monitor error responses, so there is overlap with directory traversal.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2094REFERENCE:CVE-2001-1483:DESCRIPTION:Enumeration of valid usernames based on inconsistent responses:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1483REFERENCE:CVE-2001-1528:DESCRIPTION:Account number enumeration via inconsistent responses.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1528REFERENCE:CVE-2004-2150:DESCRIPTION:User enumeration via discrepancies in error messages.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2150REFERENCE:CVE-2005-1650:DESCRIPTION:User enumeration via discrepancies in error messages.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1650REFERENCE:CVE-2004-0294:DESCRIPTION:Bulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0294REFERENCE:CVE-2004-0243:DESCRIPTION:Operating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0243REFERENCE:CVE-2002-0514:DESCRIPTION:Product allows remote attackers to determine if a port is 
being filtered because the response packet TTL is different than the default TTL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0514REFERENCE:CVE-2002-0515:DESCRIPTION:Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0515REFERENCE:CVE-2001-1387:DESCRIPTION:Product may generate different responses than specified by the administrator, possibly leading to an information leak.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1387REFERENCE:CVE-2004-0778:DESCRIPTION:Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0778REFERENCE:CVE-2004-1428:DESCRIPTION:FTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1428","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Response discrepancy infoleak::","","TYPE:Relationship:NOTE:can overlap errors related to escalated privileges::",
205,"Information Exposure Through Behavioral Discrepancy",Base,Incomplete,"The product's actions indicate important differences based on (1) the internal state of the product or (2) differences from other products in the same class.","For example, attacks such as OS fingerprinting rely heavily on both behavioral and response discrepancies.","::NATURE:ChildOf:CWE ID:203:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:203:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Access Control:TECHNICAL IMPACT:Read Application Data Bypass Protection Mechanism::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Behavioral Discrepancy Infoleak::::TAXONOMY NAME:WASC:ENTRY ID:45:ENTRY NAME:Fingerprinting::","","",
206,"Information Exposure of Internal State Through Behavioral Inconsistency",Variant,Incomplete,"Two separate operations in a product cause the product to behave differently in a way that is observable to an attacker and reveals security-relevant information about the internal state of the product, such as whether a particular operation was successful or not.","","::NATURE:ChildOf:CWE ID:205:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:205:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Access Control:TECHNICAL IMPACT:Read Application Data Bypass Protection Mechanism::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Set up generic response pages for error conditions. The error page should not disclose information about the success or failure of a sensitive operation. For instance, the login page should not confirm that the login is correct and the password incorrect. An attacker who tries random account names may be able to guess some of them. 
Confirming that the account exists would make the login page more susceptible to brute force attack.::","::REFERENCE:CVE-2002-2031:DESCRIPTION:File existence via infoleak monitoring whether onerror handler fires or not.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2031REFERENCE:CVE-2005-2025:DESCRIPTION:Valid groupname enumeration via behavioral infoleak (sends response if valid, doesn't respond if not).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2025REFERENCE:CVE-2001-1497:DESCRIPTION:Behavioral infoleak in GUI allows attackers to distinguish between alphanumeric and non-alphanumeric characters in a password, thus reducing the search space.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1497REFERENCE:CVE-2003-0190:DESCRIPTION:Product immediately sends an error message when user does not exist instead of waiting until the password is provided, allowing username enumeration.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Internal behavioral inconsistency infoleak::","","",
207,"Information Exposure Through an External Behavioral Inconsistency",Variant,Draft,"The product behaves differently than other products like it, in a way that is observable to an attacker and exposes security-relevant information about which product is being used.","","::NATURE:ChildOf:CWE ID:205:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:205:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Access Control:TECHNICAL IMPACT:Read Application Data Bypass Protection Mechanism::","","","::REFERENCE:CVE-2002-0208:DESCRIPTION:Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0208REFERENCE:CVE-2004-2252:DESCRIPTION:Behavioral infoleak by responding to SYN-FIN packets.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2252REFERENCE:CVE-2000-1142:DESCRIPTION:Honeypot generates an error with a pwd command in a particular directory, allowing attacker to know they are in a honeypot system.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1142","","","TAXONOMY NAME:PLOVER:ENTRY NAME:External behavioral inconsistency infoleak::","","",
208,"Information Exposure Through Timing Discrepancy",Base,Incomplete,"Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.","","::NATURE:ChildOf:CWE ID:203:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:203:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:327:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Access Control:TECHNICAL IMPACT:Read Application Data Bypass Protection Mechanism::","","","::REFERENCE:CVE-2003-0078:DESCRIPTION:SSL implementation does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the Vaudenay timing attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0078REFERENCE:CVE-2000-1117:DESCRIPTION:Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1117REFERENCE:CVE-2003-0637:DESCRIPTION:Product uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0637REFERENCE:CVE-2003-0190:DESCRIPTION:Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190REFERENCE:CVE-2004-1602:DESCRIPTION:FTP server responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1602REFERENCE:CVE-2005-0918:DESCRIPTION:Browser allows remote attackers to determine the existence of arbitrary files by setting the src property to the target filename and using Javascript to determine if the web page immediately stops loading, which indicates whether the file exists or not.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0918","::CryptographyAuthentication","","TAXONOMY NAME:PLOVER:ENTRY NAME:Timing discrepancy infoleak::","::462::","TYPE:Relationship:NOTE:Often primary in cryptographic applications and algorithms.::",
209,"Information Exposure Through an Error Message",Base,Draft,"The software generates an error message that includes sensitive information about its environment, users, or associated data.","The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. If an attack fails, an attacker may use error information provided by the server to launch another more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of .. sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:755:VIEW ID:1000::","","::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Often:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:System Configuration:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Often this will either reveal sensitive information which may be used for a later attack or private information stored in the server.::","::METHOD:Manual Analysis:EFFECTIVENESS:High:DESCRIPTION:This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints.::METHOD:Automated Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and looking for evidence of any unexpected behavior.::METHOD:Manual Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that error messages only contain minimal details that are useful to the intended audience, and nobody else. The messages need to strike the balance between being too cryptic and not being cryptic enough. They should not necessarily reveal the methods that were used to determine the error. Such detailed information can be used to refine the original attack to increase the chances of success. If errors must be tracked in some detail, capture them in log messages - but consider what could occur if the log messages can be viewed by attackers. Avoid recording highly sensitive information such as passwords in any form. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Handle exceptions internally and do not display errors containing potentially sensitive information to a user.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.::PHASE:Implementation Build and Compilation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS::DESCRIPTION:Debugging information should not make its way into a production release.::PHASE:Implementation Build and Compilation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Debugging information should not make its way into a production release.::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Create default error pages or messages that do not leak any information.::","::REFERENCE:CVE-2008-2049:DESCRIPTION:POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2049REFERENCE:CVE-2007-5172:DESCRIPTION:Program reveals password in error message if attacker can trigger certain database errors.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5172REFERENCE:CVE-2008-4638:DESCRIPTION:Composite: application running with high privileges allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4638REFERENCE:CVE-2008-1579:DESCRIPTION:Existence of user names can be determined by requesting a nonexistent blog and reading the error message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1579REFERENCE:CVE-2007-1409:DESCRIPTION:Direct request to library file in web application triggers pathname leak in error message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1409REFERENCE:CVE-2008-3060:DESCRIPTION:Malformed input to login page causes leak of full path when IMAP call fails.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3060REFERENCE:CVE-2005-0603:DESCRIPTION:Malformed regexp syntax leads to information exposure in error message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0603","","","TAXONOMY NAME:CLASP:ENTRY NAME:Accidental leaking of sensitive information through error messages::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A6:ENTRY NAME:Information Leakage and Improper Error Handling:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A7:ENTRY NAME:Improper Error Handling:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A10:ENTRY NAME:Insecure Configuration Management:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR01-J:ENTRY NAME:Do not allow exceptions to expose sensitive information::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","::214::215::463::54::7::","",
210,"Information Exposure Through Self-generated Error Message",Base,Draft,"The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.","","::NATURE:ChildOf:CWE ID:209:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:209:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Implementation Build and Compilation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS::DESCRIPTION:Debugging information should not make its way into a production release.::PHASE:Implementation Build and Compilation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Debugging information should not make its way into a production release.::","::REFERENCE:CVE-2005-1745:DESCRIPTION:Infoleak of sensitive information in error message (physical access required).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1745","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Product-Generated Error Message Infoleak::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
211,"Information Exposure Through Externally-Generated Error Message",Base,Incomplete,"The software performs an operation that triggers an external diagnostic or error message that is not directly generated by the software, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information.","","::NATURE:ChildOf:CWE ID:209:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:209:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::","::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Often:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Configure the application's environment in a way that prevents errors from being generated. For example, in PHP, disable display_errors.::PHASE:Implementation Build and Compilation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS::DESCRIPTION:Debugging information should not make its way into a production release.::PHASE:Implementation Build and Compilation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Debugging information should not make its way into a production release.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:The best way to prevent this weakness during implementation is to avoid any bugs that could trigger the external error message. This typically happens when the program encounters fatal errors, such as a divide-by-zero. You will not always be able to control the use of error pages, and you might not be using a language that handles exceptions.::","::REFERENCE:CVE-2004-1581:DESCRIPTION:chain: product does not protect against direct request of an include file, leading to resultant path disclosure when the include file does not successfully execute.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1581REFERENCE:CVE-2004-1579:DESCRIPTION:Single ' inserted into SQL query leads to invalid SQL query execution, triggering full path disclosure. Possibly resultant from more general SQL injection issue.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1579REFERENCE:CVE-2005-0459:DESCRIPTION:chain: product does not protect against direct request of a library file, leading to resultant path disclosure when the file does not successfully execute.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0459REFERENCE:CVE-2005-0443:DESCRIPTION:invalid parameter triggers a failure to find an include file, leading to infoleak in error message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0443REFERENCE:CVE-2005-0433:DESCRIPTION:Various invalid requests lead to information leak in verbose error messages describing the failure to instantiate a class, open a configuration file, or execute an undefined function.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0433REFERENCE:CVE-2004-1101:DESCRIPTION:Improper handling of filename request with trailing / causes multiple consequences, including information leak in Visual Basic error message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1101","::Error Handling","","TAXONOMY NAME:PLOVER:ENTRY NAME:Product-External Error Message Infoleak::","","TYPE:Relationship:NOTE:This is inherently a resultant vulnerability from a weakness within the product or an interaction error.::",
212,"Improper Cross-boundary Removal of Sensitive Data",Base,Incomplete,"The software uses a resource that contains sensitive data, but it does not properly remove that data before it stores, transfers, or shares the resource with actors in another control sphere.","Resources that may contain sensitive data include documents, packets, messages, databases, etc. While this data may be useful to an individual user or small set of users who share the resource, it may need to be removed before the resource can be shared outside of the trusted group. The process of removal is sometimes called cleansing or scrubbing. For example, software that is used for editing documents might not remove sensitive data such as reviewer comments or the local pathname where the document is stored. Or, a proxy might not remove an internal IP address from headers before making an outgoing request to an Internet site.","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:669:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories Read Application Data:NOTE:Confidentiality Read Files or Directories Read Application Data Sensitive data may be exposed to an unauthorized actor in another control sphere. This may have a wide range of secondary consequences which will depend on what data is exposed. One possibility is the exposure of system data allowing an attacker to craft a specific, more effective attack.::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.::","::REFERENCE:CVE-2005-0406:DESCRIPTION:Some image editors modify a JPEG image, but the original EXIF thumbnail image is left intact within the JPEG. (Also an interaction error).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0406REFERENCE:CVE-2002-0704:DESCRIPTION:NAT feature in firewall leaks internal IP addresses in ICMP error messages.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0704","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Cross-Boundary Cleansing Infoleak::","::168::","TYPE:Relationship:NOTE:This entry is intended to be different from resultant information leaks, including those that occur from improper buffer initialization and reuse, improper encryption, interaction errors, and multiple interpretation errors. This entry could be regarded as a privacy leak, depending on the type of information that is leaked.::::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::::TYPE:Terminology:NOTE:The terms cleansing and scrubbing have multiple uses within computing. In information security, these are used for the removal of sensitive data, but they are also used for the modification of incoming/outgoing data so that it conforms to specifications.::",
213,"Intentional Information Exposure",Base,Draft,"A product's design or configuration explicitly requires the publication of information that could be regarded as sensitive by an administrator.","","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","","::REFERENCE:CVE-2002-1725:DESCRIPTION:Script calls phpinfo():LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1725REFERENCE:CVE-2004-0033:DESCRIPTION:Script calls phpinfo():LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0033REFERENCE:CVE-2003-1181:DESCRIPTION:Script calls phpinfo():LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1181REFERENCE:CVE-2004-1422:DESCRIPTION:Script calls phpinfo():LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1422REFERENCE:CVE-2004-1590:DESCRIPTION:Script calls phpinfo():LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1590REFERENCE:CVE-2003-1038:DESCRIPTION:Product lists DLLs and full pathnames.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1038REFERENCE:CVE-2005-1205:DESCRIPTION:Telnet protocol allows servers to obtain sensitive environment information from clients.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1205REFERENCE:CVE-2005-0488:DESCRIPTION:Telnet protocol allows servers to obtain sensitive environment information from clients.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0488","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Intended information leak::","","TYPE:Relationship:NOTE:This overlaps other categories because some functionality might be intended by the developer, but is considered a weakness by the user or system administrator. In most cases, it is distinct from CWE-209: Information Exposure Through an Error Message because CWE-209 is often unintended.::::TYPE:Other:NOTE:It's not always clear whether an information exposure is intentional or not. For example, CVE-2005-3261 identifies a PHP script that lists file versions, but it could be that the developer did not intend for this information to be public, but introduced a direct request issue instead.::::TYPE:Theoretical:NOTE:In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which information is considered sensitive and therefore should not be exposed.::",
214,"Information Exposure Through Process Environment",Variant,Incomplete,"A process is invoked with sensitive arguments, environment variables, or other elements that can be seen by other processes on the operating system.","Many operating systems allow a user to list information about processes that are owned by other users. This information could include command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the software or related resources.","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","","::REFERENCE:CVE-2005-1387:DESCRIPTION:password passed on command line:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1387REFERENCE:CVE-2005-2291:DESCRIPTION:password passed on command line:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2291REFERENCE:CVE-2001-1565:DESCRIPTION:username/password on command line allows local users to view via ps or other process listing programs:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1565REFERENCE:CVE-2004-1948:DESCRIPTION:Username/password on command line allows local users to view via ps or other process listing programs.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1948REFERENCE:CVE-1999-1270:DESCRIPTION:PGP passphrase provided as command line argument.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1270REFERENCE:CVE-2004-1058:DESCRIPTION:Kernel race condition allows reading of environment variables of a process that is still spawning.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1058","","System Process::","TAXONOMY NAME:PLOVER:ENTRY NAME:Process information infoleak to other processes::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","TYPE:Research Gap:NOTE:Under-studied, especially environment variables.::",
215,"Information Exposure Through Debug Information",Variant,Draft,"The application contains debugging code that can expose sensitive information to untrusted parties.","","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not leave debug statements that could be executed in the source code. Assure that all debug information is eradicated before releasing the software.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::","::REFERENCE:CVE-2004-2268:DESCRIPTION:Password exposed in debug information.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2268REFERENCE:CVE-2002-0918:DESCRIPTION:CGI script includes sensitive information in debug messages when an error is triggered.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0918REFERENCE:CVE-2003-1078:DESCRIPTION:FTP client with debug option enabled shows password to the screen.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1078","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Infoleak Using Debug Information::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A6:ENTRY NAME:Information Leakage and Improper Error Handling:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A10:ENTRY NAME:Insecure Configuration Management:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","TYPE:Relationship:NOTE:This overlaps other categories.::",
216,"Containment Errors (Container Errors)",Class,Incomplete,"This tries to cover various problems in which improper data are included within a container.","","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Containment errors (container errors)::","::474::","TYPE:Maintenance:NOTE:This entry is closely associated with others related to encapsulation and permissions, and might ultimately prove to be a duplicate.::",
219,"Sensitive Data Under Web Root",Variant,Draft,"The application stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.","","::NATURE:ChildOf:CWE ID:216:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:216:VIEW ID:1000::NATURE:ChildOf:CWE ID:285:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:668:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Operation:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Implementation System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid storing information under the web root directory.::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the web directory.::","::REFERENCE:CVE-2005-1835:DESCRIPTION:Data file under web root.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1835REFERENCE:CVE-2005-2217:DESCRIPTION:Data file under web root.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2217REFERENCE:CVE-2002-1449:DESCRIPTION:Username/password in data file under web root.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1449REFERENCE:CVE-2002-0943:DESCRIPTION:Database file under web root.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0943REFERENCE:CVE-2005-1645:DESCRIPTION:Database file under web root.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1645","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Sensitive Data Under Web Root::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A10:ENTRY NAME:Insecure Configuration Management:MAPPING FIT:CWE More Specific::","","",
22,"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",Class,Draft,"The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.","Many file operations are intended to take place within a restricted directory. By using special elements such as .. and / separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the ../ sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as /usr/local/bin, which may also be useful in accessing unexpected files. This is referred to as absolute path traversal. In many programming languages, the injection of a null byte (the 0 or NUL) may allow an attacker to truncate a generated filename to widen the scope of attack. For example, the software may add .txt to any pathname, thus limiting the attacker to text files, but a null injection may effectively remove this restriction.","::NATURE:ChildOf:CWE ID:706:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:668:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Directory traversal:DESCRIPTION:::TERM:Path traversal:DESCRIPTION:Path traversal is preferred over directory traversal, but both terms are attack-focused.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Files or Directories:NOTE:Integrity Modify Files or Directories The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories:NOTE:Confidentiality Read Files or Directories The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:High:DESCRIPTION:Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the software's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability.::METHOD:Manual Static Analysis:EFFECTIVENESS:High:DESCRIPTION:Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked. Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes .. sequences and symbolic links (CWE-23, CWE-59). This includes: realpath() in C getCanonicalPath() in Java GetFullPath() in ASP.NET realpath() or abs_path() in Perl realpath() in PHP::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.::PHASE:Operation:STRATEGY:Firewall:EFFECTIVENESS:Moderate:DESCRIPTION:Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::PHASE:Architecture and Design:STRATEGY:Enforcement by Conversion:EFFECTIVENESS::DESCRIPTION:When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to inbox.txt and ID 2 could map to profile.txt. Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability.::PHASE:Architecture and Design Operation:STRATEGY:Sandbox or Jail:EFFECTIVENESS:Limited:DESCRIPTION:Run the code in a jail or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.::PHASE:Architecture and Design Operation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately. This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that error messages only contain minimal details that are useful to the intended audience, and nobody else. The messages need to strike the balance between being too cryptic and not being cryptic enough. They should not necessarily reveal the methods that were used to determine the error. Such detailed information can be used to refine the original attack to increase the chances of success. If errors must be tracked in some detail, capture them in log messages - but consider what could occur if the log messages can be viewed by attackers. Avoid recording highly sensitive information such as passwords in any form. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not. In the context of path traversal, error messages which disclose path information can help attackers craft the appropriate attack strings to move through the file system hierarchy.::PHASE:Operation Implementation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.::","::REFERENCE:CVE-2010-0467:DESCRIPTION:Newsletter module allows reading arbitrary files using ../ sequences.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0467REFERENCE:CVE-2009-4194:DESCRIPTION:FTP server allows deletion of arbitrary files using .. in the DELE command.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4194REFERENCE:CVE-2009-4053:DESCRIPTION:FTP server allows creation of arbitrary directories using .. in the MKD command.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4053REFERENCE:CVE-2009-0244:DESCRIPTION:OBEX FTP service for a Bluetooth device allows listing of directories, and creation or reading of files using .. sequences.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0244REFERENCE:CVE-2009-4013:DESCRIPTION:Software package maintenance program allows overwriting arbitrary files using ../ sequences.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4013REFERENCE:CVE-2009-4449:DESCRIPTION:Bulletin board allows attackers to determine the existence of files using the avatar.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4449REFERENCE:CVE-2009-4581:DESCRIPTION:PHP program allows arbitrary code execution using .. in filenames that are fed to the include() function.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4581REFERENCE:CVE-2010-0012:DESCRIPTION:Overwrite of files using a .. in a Torrent file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0012REFERENCE:CVE-2010-0013:DESCRIPTION:Chat program allows overwriting files using a custom smiley request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013REFERENCE:CVE-2008-5748:DESCRIPTION:Chain: external control of values for user's desired language and theme enables path traversal.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5748REFERENCE:CVE-2009-1936:DESCRIPTION:Chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1936","::File Processing","File or Directory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Path Traversal::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A4:ENTRY NAME:Insecure Direct Object Reference:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A2:ENTRY NAME:Broken Access Control:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO02-C:ENTRY NAME:Canonicalize path names originating from untrusted sources::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:IDS00-PL:ENTRY NAME:Canonicalize path names before validating them:MAPPING FIT:Exact::::TAXONOMY NAME:WASC:ENTRY ID:33:ENTRY NAME:Path Traversal::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","::126::213::23::64::76::78::79::","TYPE:Relationship:NOTE:Pathname equivalence can be regarded as a type of canonicalization error.::::TYPE:Relationship:NOTE:Some pathname equivalence issues are not directly related to directory traversal, rather are used to bypass security-relevant checks for whether a file/directory can be accessed by the attacker (e.g. a trailing / on a filename could bypass access rules that don't expect a trailing /, causing a server to provide the file when it normally would not).::::TYPE:Terminology:NOTE:Like other weaknesses, terminology is often based on the types of manipulations used, instead of the underlying weaknesses. Some people use directory traversal only to refer to the injection of .. and equivalent sequences whose specific meaning is to traverse directories. Other variants like absolute pathname and drive letter have the *effect* of directory traversal, but some people may not call it such, since it doesn't involve .. or equivalent.::::TYPE:Research Gap:NOTE:Many variants of path traversal attacks are probably under-studied with respect to root cause. CWE-790 and CWE-182 begin to cover part of this gap.::::TYPE:Research Gap:NOTE:Incomplete diagnosis or reporting of vulnerabilities can make it difficult to know which variant is affected. For example, a researcher might say that .. is vulnerable, but not test ../ which may also be vulnerable. Any combination of directory separators (/, \, etc.) and numbers of . (e.g. ....) can produce unique variants; for example, the //../ variant is not listed (CVE-2004-0325). See this entry's children and lower-level descendants.::",
220,"Sensitive Data Under FTP Root",Variant,Draft,"The application stores sensitive data under the FTP document root with insufficient access control, which might make it accessible to untrusted parties.","","::NATURE:ChildOf:CWE ID:216:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:668:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","::Various Unix FTP servers require a password file that is under the FTP root, due to use of chroot.::","",":::PHASE:Operation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Implementation System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid storing information under the FTP root directory.::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the FTP directory.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Sensitive Data Under FTP Root::","","",
221,"Information Loss or Omission",Class,Incomplete,"The software does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.","This can be resultant, e.g. a buffer overflow might trigger a crash before the product can log the event.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Information loss or omission::","::81::","",
222,"Truncation of Security-relevant Information",Base,Draft,"The application truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack.","","::NATURE:ChildOf:CWE ID:221:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:221:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Non-Repudiation Hide Activities The source of an attack will be difficult or impossible to determine. This can allow attacks to the system to continue without notice.::","","","::REFERENCE:CVE-2005-0585:DESCRIPTION:Web browser truncates long sub-domains or paths, facilitating phishing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0585REFERENCE:CVE-2004-2032:DESCRIPTION:Bypass URL filter via a long URL with a large number of trailing hex-encoded space characters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2032REFERENCE:CVE-2003-0412:DESCRIPTION:Does not log complete URI of a long request (truncation).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0412","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Truncation of Security-relevant Information::","","",
223,"Omission of Security-relevant Information",Base,Draft,"The application does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.","","::NATURE:ChildOf:CWE ID:221:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:221:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Non-Repudiation Hide Activities The source of an attack will be difficult or impossible to determine. This can allow attacks to the system to continue without notice.::","","","::REFERENCE:CVE-1999-1029:DESCRIPTION:Login attempts not recorded if user disconnects before maximum number of tries.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1029REFERENCE:CVE-2002-1839:DESCRIPTION:Sender's IP address not recorded in outgoing e-mail.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1839REFERENCE:CVE-2000-0542:DESCRIPTION:Failed authentication attempt not recorded if later attempt succeeds.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0542","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Omission of Security-relevant Information::","","",
224,"Obscured Security-relevant Information by Alternate Name",Base,Incomplete,"The software records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.","","::NATURE:ChildOf:CWE ID:221:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:221:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Non-Repudiation:SCOPE:Access Control:TECHNICAL IMPACT:Hide Activities Gain Privileges or Assume Identity::","","","::REFERENCE:CVE-2002-0725:DESCRIPTION:Attacker performs malicious actions on a hard link to a file, obscuring the real target file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0725","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Obscured Security-relevant Information by Alternate Name::","","",
226,"Sensitive Information Uncleared Before Release",Base,Draft,"The software does not fully clear previously used information in a data structure, file, or other resource, before making that resource available to a party in another control sphere.","This typically results from new data that is not as long as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. If memory is not cleared after use, it may allow unintended actors to read the data when the memory is reallocated.","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:459:VIEW ID:1000:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:212:VIEW ID:1000::","::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","","::REFERENCE:CVE-2003-0001:DESCRIPTION:Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0001REFERENCE:CVE-2003-0291:DESCRIPTION:router does not clear information from DHCP packets that have been previously used:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0291REFERENCE:CVE-2005-1406:DESCRIPTION:Products do not fully clear memory buffers when less data is stored into the buffer than previous.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1406REFERENCE:CVE-2005-1858:DESCRIPTION:Products do not fully clear memory buffers when less data is stored into the buffer than previous.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1858REFERENCE:CVE-2005-3180:DESCRIPTION:Products do not fully clear memory buffers when less data is stored into the buffer than previous.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3180REFERENCE:CVE-2005-3276:DESCRIPTION:Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3276REFERENCE:CVE-2002-2077:DESCRIPTION:Memory not properly cleared before reuse.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2077","::Memory ManagementNetworking","Memory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Sensitive Information Uncleared Before Use::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM03-C:ENTRY NAME:Clear sensitive information stored in reusable resources returned for reuse::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::::TYPE:Maintenance:NOTE:This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective - the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses.::::TYPE:Research Gap:NOTE:Currently frequently found for network packets, but it can also exist in local memory allocation, files, etc.::",
228,"Improper Handling of Syntactically Invalid Structure",Class,Incomplete,"The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.","","::NATURE:ChildOf:CWE ID:703:VIEW ID:1000::NATURE:ChildOf:CWE ID:707:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Unexpected State DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU):NOTE:Integrity Availability Unexpected State DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) If an input is syntactically invalid, then processing the input could place the system in an unexpected state that could lead to a crash, consume available system resources or other unintended behaviors.::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Structure and Validity Problems::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A7:ENTRY NAME:Improper Error Handling:MAPPING FIT:CWE More Specific::","","TYPE:Maintenance:NOTE:This entry needs more investigation. Public vulnerability research generally focuses on the manipulations that generate invalid structure, instead of the weaknesses that are exploited by those manipulations. For example, a common attack involves making a request that omits a required field, which can trigger a crash in some cases. The crash could be due to a named chain such as CWE-690 (Unchecked Return Value to NULL Pointer Dereference), but public reports rarely cover this aspect of a vulnerability.::::TYPE:Maintenance:NOTE:The validity of input could be roughly classified along syntactic, semantic, and lexical dimensions. If the specification requires that an input value should be delimited with the [ and ] square brackets, then any input that does not follow this specification would be syntactically invalid. If the input between the brackets is expected to be a number, but the letters aaa are provided, then the input is syntactically invalid. If the input is a number and enclosed in brackets, but the number is outside of the allowable range, then it is semantically invalid. The inter-relationships between these properties - and their associated weaknesses- need further exploration.::",
229,"Improper Handling of Values",Base,Incomplete,"The software does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.","","::NATURE:ChildOf:CWE ID:228:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:228:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","","","","","","",
23,"Relative Path Traversal",Base,Draft,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.","::NATURE:ChildOf:CWE ID:22:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:22:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Files or Directories:NOTE:Integrity Modify Files or Directories The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories:NOTE:Confidentiality Read Files or Directories The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software.::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked. Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes .. sequences and symbolic links (CWE-23, CWE-59). This includes: realpath() in C getCanonicalPath() in Java GetFullPath() in ASP.NET realpath() or abs_path() in Perl realpath() in PHP::","::REFERENCE:CVE-2002-0298:DESCRIPTION:Server allows remote attackers to cause a denial of service via certain HTTP GET requests containing a %2e%2e (encoded dot-dot), several /../ sequences, or several ../ in a URI.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0298REFERENCE:CVE-2002-0661:DESCRIPTION:\ not in blacklist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0661REFERENCE:CVE-2002-0946:DESCRIPTION:Arbitrary files may be read files via .. (dot dot) sequences in an HTTP request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0946REFERENCE:CVE-2002-1042:DESCRIPTION:Directory traversal vulnerability in search engine for web server allows remote attackers to read arbitrary files via .. sequences in queries.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1042REFERENCE:CVE-2002-1209:DESCRIPTION:Directory traversal vulnerability in FTP server allows remote attackers to read arbitrary files via .. sequences in a GET request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1209REFERENCE:CVE-2002-1178:DESCRIPTION:Directory traversal vulnerability in servlet allows remote attackers to execute arbitrary commands via .. sequences in an HTTP request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1178REFERENCE:CVE-2002-1987:DESCRIPTION:Protection mechanism checks for /.. but doesn't account for Windows-specific \.. allowing read of arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1987REFERENCE:CVE-2005-2142:DESCRIPTION:Directory traversal vulnerability in FTP server allows remote authenticated attackers to list arbitrary directories via a .. 
sequence in an LS command.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2142REFERENCE:CVE-2002-0160:DESCRIPTION:The administration function in Access Control Server allows remote attackers to read HTML, Java class, and image files outside the web root via a .... sequence in the URL to port 2002.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0160REFERENCE:CVE-2001-0467:DESCRIPTION:... in web server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0467REFERENCE:CVE-2001-0963:DESCRIPTION:... in cd command in FTP server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0963REFERENCE:CVE-2001-1193:DESCRIPTION:... in cd command in FTP server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1193REFERENCE:CVE-2001-1131:DESCRIPTION:... in cd command in FTP server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1131REFERENCE:CVE-2001-0480:DESCRIPTION:read of arbitrary files and directories using GET or CD with ... in Windows-based FTP server.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0480REFERENCE:CVE-2002-0288:DESCRIPTION:read files using . and Unicode-encoded / or characters in the URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0288REFERENCE:CVE-2003-0313:DESCRIPTION:Directory listing of web server using ...:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0313REFERENCE:CVE-2005-1658:DESCRIPTION:Triple dot:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1658REFERENCE:CVE-2000-0240:DESCRIPTION:read files via /........../ in URL:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0240REFERENCE:CVE-2000-0773:DESCRIPTION:read files via .... in web server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0773REFERENCE:CVE-1999-1082:DESCRIPTION:read files via ...... 
in web server (doubled triple dot?):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1082REFERENCE:CVE-2004-2121:DESCRIPTION:read files via ...... in web server (doubled triple dot?):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2121REFERENCE:CVE-2001-0491:DESCRIPTION:multiple attacks using .., ..., and .... in different commands:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0491REFERENCE:CVE-2001-0615:DESCRIPTION:... or .... in chat server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0615REFERENCE:CVE-2005-2169:DESCRIPTION:chain: .../...// bypasses protection mechanism using regexp's that remove ../ resulting in collapse into an unsafe value ../ (CWE-182) and resultant path traversal.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2169REFERENCE:CVE-2005-0202:DESCRIPTION:.../..../// bypasses regexp's that remove ./ and ../:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0202REFERENCE:CVE-2004-1670:DESCRIPTION:Mail server allows remote attackers to create arbitrary directories via a .. or rename arbitrary files via a ....// in user supplied parameters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1670","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Relative Path Traversal::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","::139::23::76::","",
  135. 230,"Improper Handling of Missing Values",Variant,Draft,"The software does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.","","::NATURE:ChildOf:CWE ID:229:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:229:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","::REFERENCE:CVE-2002-0422:DESCRIPTION:Blank Host header triggers resultant infoleak.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0422REFERENCE:CVE-2000-1006:DESCRIPTION:Blank charset attribute in MIME header triggers crash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1006REFERENCE:CVE-2004-1504:DESCRIPTION:Blank parameter causes external error infoleak.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1504REFERENCE:CVE-2005-2053:DESCRIPTION:Blank parameter causes external error infoleak.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2053","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Missing Value Error::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR08-J:ENTRY NAME:Do not catch NullPointerException or any of its ancestors::","","TYPE:Research Gap:NOTE:Some crash by port scan bugs are probably due to this, but lack of diagnosis makes it difficult to be certain.::",
  136. 231,"Improper Handling of Extra Values",Variant,Draft,"The software does not handle or incorrectly handles when more values are provided than expected.","","::NATURE:ChildOf:CWE ID:229:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:229:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:120:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Extra Value Error::","","TYPE:Relationship:NOTE:This can overlap buffer overflows.::",
  137. 232,"Improper Handling of Undefined Values",Variant,Draft,"The software does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.","","::NATURE:ChildOf:CWE ID:229:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:229:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","::REFERENCE:CVE-2000-1003:DESCRIPTION:Client crash when server returns unknown driver type.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1003","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Undefined Value Error::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR08-J:ENTRY NAME:Do not catch NullPointerException or any of its ancestors::","","",
  138. 233,"Improper Handling of Parameters",Base,Incomplete,"The software does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.","","::NATURE:ChildOf:CWE ID:228:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:228:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Parameter Problems::","::39::","",
  139. 234,"Failure to Handle Missing Parameter",Variant,Incomplete,"If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.","","::NATURE:ChildOf:CWE ID:233:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:233:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Gain Privileges or Assume Identity:NOTE:Integrity Confidentiality Availability Access Control Execute Unauthorized Code or Commands Gain Privileges or Assume Identity There is the potential for arbitrary code execution with privileges of the vulnerable program if the function parameter list is exhausted.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart Potentially a program could fail if it needs more arguments than are available.::","","::PHASE:Build and Compilation:STRATEGY::EFFECTIVENESS::DESCRIPTION:This issue can be simply combated with the use of a proper build process.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Forward declare all functions. This is the recommended solution. 
Proper forward declaration of all used functions will result in a compiler error if too few arguments are sent to a function.::","::REFERENCE:CVE-2004-0276:DESCRIPTION:Server earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of % characters and a missing Host field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0276REFERENCE:CVE-2002-1488:DESCRIPTION:Chat client allows remote malicious IRC servers to cause a denial of service (crash) via a PART message with (1) a missing channel or (2) a channel that the user is not in.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1488REFERENCE:CVE-2002-1169:DESCRIPTION:Proxy allows remote attackers to cause a denial of service (crash) via an HTTP request to helpout.exe with a missing HTTP version number.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1169REFERENCE:CVE-2000-0521:DESCRIPTION:Web server allows disclosure of CGI source code via an HTTP request without the version number.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0521REFERENCE:CVE-2001-0590:DESCRIPTION:Application server allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0590REFERENCE:CVE-2003-0239:DESCRIPTION:Chat software allows remote attackers to cause a denial of service via malformed GIF89a headers that do not contain a GCT (Global Color Table) or an LCT (Local Color Table) after an Image Descriptor.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0239REFERENCE:CVE-2002-1023:DESCRIPTION:Server allows remote attackers to cause a denial of service (crash) via an HTTP GET request without a URI.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1023REFERENCE:CVE-2002-1236:DESCRIPTION:CGI crashes when called without any 
arguments.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1236REFERENCE:CVE-2003-0422:DESCRIPTION:CGI crashes when called without any arguments.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0422REFERENCE:CVE-2002-1531:DESCRIPTION:Crash in HTTP request without a Content-Length field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1531REFERENCE:CVE-2002-1077:DESCRIPTION:Crash in HTTP request without a Content-Length field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1077REFERENCE:CVE-2002-1358:DESCRIPTION:Empty elements/strings in protocol test suite affect many SSH2 servers/clients.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1358REFERENCE:CVE-2003-0477:DESCRIPTION:FTP server crashes in PORT command without an argument.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0477REFERENCE:CVE-2002-0107:DESCRIPTION:Resultant infoleak in web server via GET requests without HTTP/1.0 version string.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0107REFERENCE:CVE-2002-0596:DESCRIPTION:GET request with empty parameter leads to error message infoleak (path disclosure).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0596","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Missing Parameter Error::::TAXONOMY NAME:CLASP:ENTRY NAME:Missing parameter::","","TYPE:Maintenance:NOTE:This entry will be deprecated in a future version of CWE. The term missing parameter was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. 
They are related to an incorrect number of function arguments, which is already covered by CWE-685.::",
  140. 235,"Improper Handling of Extra Parameters",Variant,Draft,"The software does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.","","::NATURE:ChildOf:CWE ID:233:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:233:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","::REFERENCE:CVE-2003-1014:DESCRIPTION:MIE. multiple gateway/security products allow restriction bypass using multiple MIME fields with the same name, which are interpreted differently by clients.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1014","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Extra Parameter Error::","::460::","TYPE:Relationship:NOTE:This type of problem has a big role in multiple interpretation vulnerabilities and various HTTP attacks.::",
  141. 236,"Improper Handling of Undefined Parameters",Variant,Draft,"The software does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.","","::NATURE:ChildOf:CWE ID:233:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:233:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","::REFERENCE:CVE-2002-1488:DESCRIPTION:Crash in IRC client via PART message from a channel the user is not in.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1488REFERENCE:CVE-2001-0650:DESCRIPTION:Router crash or bad route modification using BGP updates with invalid transitive attribute.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0650","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Undefined Parameter Error::","","",
  142. 237,"Improper Handling of Structural Elements",Base,Incomplete,"The software does not handle or incorrectly handles inputs that are related to complex structures.","","::NATURE:ChildOf:CWE ID:228:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:228:VIEW ID:699:ORDINAL:Primary::","","","","","","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Element Problems::","","",
  143. 238,"Improper Handling of Incomplete Structural Elements",Variant,Draft,"The software does not handle or incorrectly handles when a particular structural element is not completely specified.","","::NATURE:ChildOf:CWE ID:237:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:237:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Missing Element Error::","","TYPE:Relationship:NOTE:Can be primary to other problems.::",
  144. 239,"Failure to Handle Incomplete Element",Variant,Draft,"The software does not properly handle when a particular element is not completely specified.","","::NATURE:ChildOf:CWE ID:237:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:237:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:404:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Varies by Context Unexpected State::","","","::REFERENCE:CVE-2002-1532:DESCRIPTION:HTTP GET without \r\n\r\n CRLF sequences causes product to wait indefinitely and prevents other users from accessing it.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1532REFERENCE:CVE-2003-0195:DESCRIPTION:Partial request is not timed out.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0195REFERENCE:CVE-2005-2526:DESCRIPTION:MFV. CPU exhaustion in printer via partial printing request then early termination of connection.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2526REFERENCE:CVE-2002-1906:DESCRIPTION:CPU consumption by sending incomplete HTTP requests and leaving the connections open.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1906","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Incomplete Element::","","",
  145. 24,"Path Traversal: '../filedir'",Variant,Incomplete,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ../ sequences that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The ../ manipulation is the canonical manipulation for operating systems that use / as directory separators, such as UNIX- and Linux-based systems. In some cases, it is useful for bypassing protection schemes in environments for which / is supported but not the primary separator, such as Windows, which uses \ but can also accept /.","::NATURE:ChildOf:CWE ID:23:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:23:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:'../filedir::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
  146. 240,"Improper Handling of Inconsistent Structural Elements",Base,Draft,"The software does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.","","::NATURE:ChildOf:CWE ID:237:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:237:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:707:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Varies by Context Unexpected State::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Inconsistent Elements::","","",
  147. 241,"Improper Handling of Unexpected Data Type",Base,Draft,"The software does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).","","::NATURE:ChildOf:CWE ID:228:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:228:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Varies by Context Unexpected State::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. 
However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-1999-1156:DESCRIPTION:FTP server crash via PORT command with non-numeric character.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1156REFERENCE:CVE-2004-0270:DESCRIPTION:Anti-virus product has assert error when line length is non-numeric.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0270","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Wrong Data Type::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO37-C:ENTRY NAME:Do not assume that fgets() or fgetws() returns a nonempty string when successful:MAPPING FIT:CWE More Abstract::","::48::","TYPE:Research Gap:NOTE:Probably under-studied.::",
  148. 242,"Use of Inherently Dangerous Function",Base,Draft,"The program calls a function that can never be guaranteed to work safely.","Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:120:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","::PHASE:Implementation Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ban the use of dangerous functions. Use their safe equivalent.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use grep or static analysis tools to spot usage of dangerous functions.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Dangerous Functions::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS33-C:ENTRY NAME:Do not use vfork():MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  149. 243,"Creation of chroot Jail Without Changing Working Directory",Variant,Draft,"The program uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.","Improper use of chroot() may allow attackers to escape from the chroot jail. The chroot() function call does not change the process's current working directory, so relative paths may still refer to file system resources outside of the chroot jail after chroot() has been called.","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000::NATURE:ChildOf:CWE ID:669:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Unix:OPERATING SYSTEM PREVALENCE:Undetermined::","::The chroot() system call allows a process to change its perception of the root directory of the file system. After properly invoking chroot(), a process cannot access any files outside the directory tree defined by the new root directory. Such an environment is called a chroot jail and is commonly used to prevent the possibility that a process could be subverted and used to access unauthorized files. For instance, many FTP servers run in chroot jails to prevent an attacker who discovers a new vulnerability in the server from being able to download the password file or other sensitive files on the system.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories::","","","","","File or Directory::","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Directory Restriction::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP17:ENTRY NAME:Failed chroot jail::","","",
  150. 244,"Improper Clearing of Heap Memory Before Release ('Heap Inspection')",Variant,Draft,"Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.","When sensitive data such as a password or an encryption key is not removed from memory, it could be exposed to an attacker using a heap inspection attack that reads the sensitive data using memory dumps or other methods. The realloc() function is commonly used to increase the size of a block of allocated memory. This operation often requires copying the contents of the old memory block into a new and larger block. This operation leaves the contents of the original block intact but inaccessible to the program, preventing the program from being able to scrub sensitive data from memory. If an attacker can later examine the contents of a memory dump, the sensitive data could be exposed.","::NATURE:ChildOf:CWE ID:226:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:226:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:669:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Other:TECHNICAL IMPACT:Read Memory Other:NOTE:Confidentiality Other Read Memory Other Be careful using vfork() and fork() in security sensitive code. The process state will not be cleaned up and will contain traces of data from past use.::","","","","","Memory::","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Heap Inspection::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM03-C:ENTRY NAME:Clear sensitive information stored in reusable resources returned for reuse::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
  151. 245,"J2EE Bad Practices: Direct Management of Connections",Variant,Draft,"The J2EE application directly manages connections, instead of using the container's connection management facilities.","The J2EE standard forbids the direct management of connections. It requires that applications use the container's resource management facilities to obtain connections to resources. Every major web application container provides pooled database connection management as part of its resource management framework. Duplicating this functionality in an application is difficult and error prone, which is part of the reason it is forbidden under the J2EE standard.","::NATURE:ChildOf:CWE ID:695:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:695:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:J2EE Bad Practices: getConnection()::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  152. 246,"J2EE Bad Practices: Direct Use of Sockets",Variant,Draft,"The J2EE application directly uses sockets instead of using framework method calls.","The J2EE standard permits the use of sockets only for the purpose of communication with legacy systems when no higher-level protocol is available. Authoring your own communication protocol requires wrestling with difficult security issues. Without significant scrutiny by a security expert, chances are good that a custom communication protocol will suffer from security problems. Many of the same issues apply to a custom implementation of a standard protocol. While there are usually more resources available that address security concerns related to implementing a standard protocol, these resources are also available to attackers.","::NATURE:ChildOf:CWE ID:695:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:695:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use framework method calls instead of using sockets directly.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:J2EE Bad Practices: Sockets::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  153. 248,"Uncaught Exception",Base,Draft,"An exception is thrown from a function, but it is not caught.","When an exception is not caught, it may cause the program to crash or expose sensitive information.","::NATURE:ChildOf:CWE ID:705:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:703:VIEW ID:1000::","","::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Confidentiality:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Read Application Data:NOTE:Availability Confidentiality DoS: Crash, Exit, or Restart Read Application Data An uncaught exception could cause the system to be placed in a state that could lead to a crash, exposure of sensitive information or other unintended behaviors.::","","","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Often Misused: Exception Handling::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR05-J:ENTRY NAME:Do not let checked exceptions escape from a finally block::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR06-J:ENTRY NAME:Do not throw undeclared checked exceptions::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:EXP31-PL:ENTRY NAME:Do not suppress or ignore exceptions:MAPPING FIT:Exact::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::","::54::","",
  154. 25,"Path Traversal: '/../filedir'",Variant,Incomplete,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /../ sequences that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. Sometimes a program checks for ../ at the beginning of the input, so a /../ can bypass that check.","::NATURE:ChildOf:CWE ID:23:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:23:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:'/../filedir::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
  155. 250,"Execution with Unnecessary Privileges",Class,Draft,"The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.","New weaknesses can be exposed because running with extra privileges, such as root or Administrator, can disable the normal security checks being performed by the operating system or surrounding environment. Other pre-existing weaknesses can turn into security vulnerabilities if they occur while operating at raised privileges. Privilege management functions can behave in some less-than-obvious ways, and they have different quirks on different platforms. These inconsistencies are particularly pronounced if you are transitioning from one non-root user to another. Signal handlers and spawned processes run at the privilege of the owning process, so if a process is running as root when a signal fires or a sub-process is executed, the signal handler or sub-process will operate with root privileges.","::NATURE:ChildOf:CWE ID:657:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:657:VIEW ID:699::NATURE:ChildOf:CWE ID:269:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Installation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Execute Unauthorized Code or Commands Read Application Data DoS: Crash, Exit, or Restart:NOTE:Confidentiality Integrity Availability Access Control Gain Privileges or Assume Identity Execute Unauthorized Code or Commands Read Application Data DoS: Crash, Exit, or Restart An attacker will be able to gain access to any resources that are allowed by the extra privileges. Common results include executing code, disabling services, and reading restricted data.::","::METHOD:Manual Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Look for library functions and system calls that indicate when privileges are being raised or dropped. Look for accesses of resources that are restricted to normal users.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Compare binary / bytecode to application permission manifest Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners – Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Automated Static Analysis:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker Permission Manifest Analysis::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling::","::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.::PHASE:Architecture and Design:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitigation is much more prone to error than dropping the privileges in the first place.::PHASE:Operation System Configuration:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Ensure that the software runs properly under the Federal Desktop Core Configuration (FDCC) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.::","::REFERENCE:CVE-2007-4217:DESCRIPTION:FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4217REFERENCE:CVE-2008-1877:DESCRIPTION:Program runs with privileges and calls another program with the same privileges, which allows read of arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1877REFERENCE:CVE-2007-5159:DESCRIPTION:OS incorrectly installs a program with setuid privileges, allowing users to gain privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5159REFERENCE:CVE-2008-4638:DESCRIPTION:Composite: application running with high privileges allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4638REFERENCE:CVE-2008-0162:DESCRIPTION:Program does not drop privileges before calling another program, allowing code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0162REFERENCE:CVE-2008-0368:DESCRIPTION:setuid root program allows creation of arbitrary files through command line argument.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0368REFERENCE:CVE-2007-3931:DESCRIPTION:Installation script installs some programs as setuid when they shouldn't be.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3931","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Often Misused: Privilege Management::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SER09-J:ENTRY NAME:Minimize privileges before deserializing from a privilege context::","::104::470::69::","TYPE:Relationship:NOTE:There is a close association with CWE-653 (Insufficient Separation of Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible.::::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. Both CWE-272 and CWE-250 are in active use by the community. The least privilege phrase has multiple interpretations.::",
  156. 252,"Unchecked Return Value",Base,Draft,"The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.","Two common programmer assumptions are this function call can never fail and it doesn't matter if this function call fails. If an attacker can force the function to fail or otherwise return a value that is not expected, then the subsequent program logic could lead to a vulnerability, because the software is not in a state that the programmer assumes. For example, if the program calls a function to drop privileges but does not check the return code to ensure that privileges were successfully dropped, then the program will continue to operate with the higher privileges.","::NATURE:ChildOf:CWE ID:754:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:476:VIEW ID:1000:CHAIN ID:690::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","::Many functions will return some value about the success of their actions. This will alert the program whether or not to handle any errors caused by that function.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State DoS: Crash, Exit, or Restart:NOTE:Availability Integrity Unexpected State DoS: Crash, Exit, or Restart An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS:High:DESCRIPTION:Check the results of all functions that return a value and verify that the value is expected.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that you account for all possible return values from the function.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When designing a function, make sure you return a value or throw an exception in case of an error.::","::REFERENCE:CVE-2007-3798:DESCRIPTION:Unchecked return value leads to resultant integer overflow and code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798REFERENCE:CVE-2006-4447:DESCRIPTION:Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4447REFERENCE:CVE-2006-2916:DESCRIPTION:Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916REFERENCE:CVE-2008-5183:DESCRIPTION:chain: unchecked return value can lead to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183REFERENCE:CVE-2010-0211:DESCRIPTION:chain: unchecked return value (CWE-252) leads to free of invalid, uninitialized pointer (CWE-824).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0211","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Unchecked Return Value::::TAXONOMY NAME:CLASP:ENTRY NAME:Ignored function return value::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A7:ENTRY NAME:Improper Error Handling:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ERR33-C:ENTRY NAME:Detect and handle standard library errors:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS54-C:ENTRY NAME:Detect and handle POSIX library errors:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:EXP00-J:ENTRY NAME:Do not ignore values returned by methods::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:EXP32-PL:ENTRY NAME:Do not ignore function return values:MAPPING FIT:Exact::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::","","",
  157. 253,"Incorrect Check of Function Return Value",Base,Incomplete,"The software incorrectly checks a return value from a function, which prevents the software from detecting errors or exceptional conditions.","Important and common functions will return some value about the success of their actions. This will alert the program whether or not to handle any errors caused by that function.","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:754:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State DoS: Crash, Exit, or Restart:NOTE:Availability Integrity Unexpected State DoS: Crash, Exit, or Restart An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors.::","","::PHASE:Architecture and Design:STRATEGY:Language Selection:EFFECTIVENESS::DESCRIPTION:Use a language or compiler that uses exceptions and requires the catching of those exceptions.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Properly check all functions which return a value.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When designing any function make sure you return a value or throw an exception in case of an error.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Misinterpreted function return value::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ERR33-C:ENTRY NAME:Detect and handle standard library errors:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS54-C:ENTRY NAME:Detect and handle POSIX library errors:MAPPING FIT:Imprecise::","","",
  158. 256,"Unprotected Storage of Credentials",Variant,Incomplete,"Storing a password in plaintext may result in a system compromise.","Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource.","::NATURE:ChildOf:CWE ID:522:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:522:VIEW ID:699:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:319:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:319:VIEW ID:699::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid storing passwords in easily accessible locations.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.::PHASE::STRATEGY::EFFECTIVENESS:None:DESCRIPTION:A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Password Management::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
  159. 257,"Storing Passwords in a Recoverable Format",Base,Incomplete,"The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.","","::NATURE:ChildOf:CWE ID:522:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:522:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:259:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Confidentiality Access Control Gain Privileges or Assume Identity User's passwords may be revealed.::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity Revealed passwords may be reused elsewhere to impersonate the users in question.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use strong, non-reversible encryption to protect stored passwords.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Storing passwords in a recoverable format::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","::49::","TYPE:Maintenance:NOTE:The meaning of this node needs to be investigated more closely, especially with respect to what is meant by recoverable.::",
  160. 258,"Empty Password in Configuration File",Variant,Incomplete,"Using an empty string as a password is insecure.","","::NATURE:ChildOf:CWE ID:260:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:260:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:521:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity::","","::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use similar-looking punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Password Management: Empty Password in Configuration File::","","",
  161. 259,"Use of Hard-coded Password",Base,Draft,"The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.","A hard-coded password typically leads to a significant authentication failure that can be difficult for the system administrator to detect. Once detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely. There are two main variations: Inbound: the software contains an authentication mechanism that checks for a hard-coded password. Outbound: the software connects to another system or component, and it contains hard-coded password for connecting to that component. In the Inbound variant, a default administration account is created, and a simple password is hard-coded into the product and associated with that account. This hard-coded password is the same for each installation of the product, and it usually cannot be changed or disabled by system administrators without manually modifying the program, or otherwise patching the software. If the password is ever discovered or published (a common occurrence on the Internet), then anybody with knowledge of this password can access the product. Finally, since all installations of the software will have the same password, even across different organizations, this enables massive attacks such as worms to take place. The Outbound variant applies to front-end systems that authenticate with a back-end service. The back-end service may require a fixed password which can be easily discovered. The programmer may simply hard-code those back-end credentials into the front-end software. Any user of that program may be able to extract the password. Client-side systems with hard-coded passwords pose even more of a threat, since the extraction of a password from a binary is usually very simple.","::NATURE:ChildOf:CWE ID:798:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:798:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:321:VIEW ID:1000::NATURE:PeerOf:CWE ID:257:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity If hard-coded passwords are used, it is almost certain that malicious users will gain access through the account in question.::","::METHOD:Manual Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Using disassembled code, look at the associated instructions and see if any of them appear to be comparing the input to a fixed string or value.::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a first login mode that requires the user to enter a unique strong password.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved. Use randomly assigned salts for each separate hash that you generate. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For front-end to back-end connections: Three solutions are possible, although none are complete. The first suggestion involves the use of generated passwords which are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. Next, the passwords used should be limited at the back end to only performing actions valid for the front end, as opposed to having full access. Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay style attacks.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Password Management: Hard-Coded Password::::TAXONOMY NAME:CLASP:ENTRY NAME:Use of hard-coded password::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A3:ENTRY NAME:Broken Authentication and Session Management:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MSC03-J:ENTRY NAME:Never hard code sensitive information::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP33:ENTRY NAME:Hardcoded sensitive data::","::190::191::","TYPE:Maintenance:NOTE:This entry should probably be split into multiple variants: an inbound variant (as seen in the second demonstrative example) and an outbound variant (as seen in the first demonstrative example). These variants are likely to have different consequences, detectability, etc. See extended description.::",
26,"Path Traversal: '/dir/../filename'",Variant,Draft,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /dir/../filename sequences that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The '/dir/../filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only checks for ../ at the beginning of the input, so a /../ can bypass that check.","::NATURE:ChildOf:CWE ID:23:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:23:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Often::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:'/directory/../filename::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
260,"Password in Configuration File",Variant,Incomplete,"The software stores a password in a configuration file that might be accessible to actors who do not know the password.","This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing.","::NATURE:ChildOf:CWE ID:522:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:522:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid storing passwords in easily accessible locations.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.::","","","File or Directory::","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Password Management: Password in Configuration File::","","",
261,"Weak Cryptography for Passwords",Variant,Incomplete,"Obscuring a password with a trivial encoding does not protect the password.","","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:326:VIEW ID:1000::NATURE:ChildOf:CWE ID:326:VIEW ID:699::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Password Management: Weak Cryptography::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A8:ENTRY NAME:Insecure Storage:MAPPING FIT:CWE More Specific::","::55::","TYPE:Other:NOTE:Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password. The crypt family of functions uses weak cryptographic algorithms and should be avoided. It may be present in some projects for compatibility.::",
262,"Not Using Password Aging",Variant,Draft,"If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner.","","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:404:VIEW ID:1000::NATURE:PeerOf:CWE ID:309:VIEW ID:1000::NATURE:PeerOf:CWE ID:263:VIEW ID:1000::NATURE:PeerOf:CWE ID:324:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity As passwords age, the probability that they are compromised grows.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:The recommendation that users change their passwords regularly and do not reuse passwords is universal among security experts. In order to enforce this, it is useful to have a password aging mechanism that notifies users when passwords are considered old and that requests that they replace them with new, strong passwords. In order for this functionality to be useful, however, it must be accompanied with documentation which stresses how important this practice is and which makes the entire process as simple as possible for the user.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Not allowing password aging::","::16::49::55::70::","",
263,"Password Aging with Long Expiration",Base,Draft,"Allowing password aging to occur unchecked can result in the possibility of diminished password integrity.","Just as neglecting to include functionality for the management of password aging is dangerous, so is allowing password aging to continue unchecked. Passwords must be given a maximum life span, after which a user is required to update with a new and different password.","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:404:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity As passwords age, the probability that they are compromised grows.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that password aging is limited so that there is a defined maximum age for passwords and so that the user is notified several times leading up to the password expiration.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Allowing password aging::","::16::49::55::70::","",
266,"Incorrect Privilege Assignment",Base,Draft,"A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.","","::NATURE:ChildOf:CWE ID:269:VIEW ID:1000:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:286:VIEW ID:1000::","::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts.::","","::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::","::REFERENCE:CVE-1999-1193:DESCRIPTION:untrusted user placed in unix wheel group:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1193REFERENCE:CVE-2005-2741:DESCRIPTION:Product allows users to grant themselves certain rights that can be used to escalate privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2741REFERENCE:CVE-2005-2496:DESCRIPTION:Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2496REFERENCE:CVE-2004-0274:DESCRIPTION:Product mistakenly assigns a particular status to an entity, leading to increased privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0274","","System Process::","TAXONOMY NAME:PLOVER:ENTRY NAME:Incorrect Privilege Assignment::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SEC00-J:ENTRY NAME:Do not allow privileged blocks to leak sensitive information across a trust boundary::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SEC01-J:ENTRY NAME:Do not allow tainted variables in privileged blocks::","","",
267,"Privilege Defined With Unsafe Actions",Base,Incomplete,"A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.","","::NATURE:ChildOf:CWE ID:269:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts.::","","::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::","::REFERENCE:CVE-2002-1981:DESCRIPTION:Roles have access to dangerous procedures (Accessible entities).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1981REFERENCE:CVE-2002-1671:DESCRIPTION:Untrusted object/method gets access to clipboard (Accessible entities).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1671REFERENCE:CVE-2004-2204:DESCRIPTION:Gain privileges using functions/tags that should be restricted (Accessible entities).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2204REFERENCE:CVE-2000-0315:DESCRIPTION:Traceroute program allows unprivileged users to modify source address of packet (Accessible entities).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0315REFERENCE:CVE-2004-0380:DESCRIPTION:Bypass domain restrictions using a particular file that references unsafe URI schemes (Accessible entities).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0380REFERENCE:CVE-2002-1154:DESCRIPTION:Script does not restrict access to an update command, leading to resultant disk consumption and filled error logs (Accessible entities).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1154REFERENCE:CVE-2002-1145:DESCRIPTION:public database user can use stored procedure to modify data controlled by the database owner (Unsafe privileged actions).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1145REFERENCE:CVE-2000-0506:DESCRIPTION:User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0506REFERENCE:CVE-2002-2042:DESCRIPTION:Allows attachment to and modification of privileged processes (Unsafe privileged actions).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2042REFERENCE:CVE-2000-1212:DESCRIPTION:User with privilege can edit raw underlying object using unprotected method (Unsafe privileged actions).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1212REFERENCE:CVE-2005-1742:DESCRIPTION:Inappropriate actions allowed by a particular role (Unsafe privileged actions).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1742REFERENCE:CVE-2001-1480:DESCRIPTION:Untrusted entity allowed to access the system clipboard (Unsafe privileged actions).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1480REFERENCE:CVE-2001-1551:DESCRIPTION:Extra Linux capability allows bypass of system-specified restriction (Unsafe privileged actions).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1551REFERENCE:CVE-2001-1166:DESCRIPTION:User with debugging rights can read entire process (Unsafe privileged actions).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1166REFERENCE:CVE-2005-1816:DESCRIPTION:Non-root admins can add themselves or others to the root admin group (Unsafe privileged actions).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1816REFERENCE:CVE-2005-2173:DESCRIPTION:Users can change certain properties of objects to perform otherwise unauthorized actions (Unsafe privileged actions).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2173REFERENCE:CVE-2005-2027:DESCRIPTION:Certain debugging commands not restricted to just the administrator, allowing registry modification and infoleak (Unsafe privileged actions).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2027","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Unsafe Privilege::","::58::","TYPE:Maintenance:NOTE:This overlaps authorization and access control problems.::::TYPE:Maintenance:NOTE:Note: there are 2 separate sub-categories here: - privilege incorrectly allows entities to perform certain actions - object is incorrectly accessible to entities with a given privilege::",
268,"Privilege Chaining",Base,Draft,"Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.","","::NATURE:ChildOf:CWE ID:269:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity A user can be given or gain access rights of another user. This can give the user unauthorized access to sensitive information including the access information of another user.::","","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::","::REFERENCE:CVE-2005-1736:DESCRIPTION:Chaining of user rights.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1736REFERENCE:CVE-2002-1772:DESCRIPTION:Gain certain rights via privilege chaining in alternate channel.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1772REFERENCE:CVE-2005-1973:DESCRIPTION:Application is allowed to assign extra permissions to itself.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1973REFERENCE:CVE-2003-0640:DESCRIPTION:operator user can overwrite usernames and passwords to gain admin privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0640","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Privilege Chaining::","","TYPE:Relationship:NOTE:There is some conceptual overlap with Unsafe Privilege.::::TYPE:Research Gap:NOTE:It is difficult to find good examples for this weakness.::",
269,"Improper Privilege Management",Class,Incomplete,"The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.","","::NATURE:ChildOf:CWE ID:284:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:284:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity::","","::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Follow the principle of least privilege when assigning access rights to entities in a software system.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.::","::REFERENCE:CVE-2001-1555:DESCRIPTION:Terminal privileges are not reset when a user logs out.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1555REFERENCE:CVE-2001-1514:DESCRIPTION:Does not properly pass security context to child processes in certain cases, allows privilege escalation.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1514REFERENCE:CVE-2001-0128:DESCRIPTION:Does not properly compute roles.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0128","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Privilege Management Error::","::58::","TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-396).::",
27,"Path Traversal: 'dir/../../filename'",Variant,Draft,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal ../ sequences that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The 'directory/../../filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only removes one ../ sequence, so multiple ../ can bypass that check. Alternately, this manipulation could be used to bypass a check for ../ at the beginning of the pathname, moving up more than one directory level.","::NATURE:ChildOf:CWE ID:23:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:23:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-0298:DESCRIPTION:Server allows remote attackers to cause a denial of service via certain HTTP GET requests containing a %2e%2e (encoded dot-dot), several /../ sequences, or several ../ in a URI.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0298","","","TAXONOMY NAME:PLOVER:ENTRY NAME:'directory/../../filename::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
270,"Privilege Context Switching Error",Base,Draft,"The software does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.","","::NATURE:ChildOf:CWE ID:269:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:269:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity A user can assume the identity of another user with separate privileges in another context. This will give the user unauthorized access that may allow them to acquire the access information of other users.::","","::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.::","::REFERENCE:CVE-2002-1688:DESCRIPTION:Web browser cross domain problem when user hits back button.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1688REFERENCE:CVE-2003-1026:DESCRIPTION:Web browser cross domain problem when user hits back button.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1026REFERENCE:CVE-2002-1770:DESCRIPTION:Cross-domain issue - third party product passes code to web browser, which executes it in unsafe zone.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1770REFERENCE:CVE-2005-2263:DESCRIPTION:Run callback in different security context after it has been changed from untrusted to trusted. * note that context switch before actions are completed is one type of problem that happens frequently, especially in browsers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2263","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Privilege Context Switching Error::","::17::236::30::35::","TYPE:Research Gap:NOTE:This concept needs more study.::",
  173. 271,"Privilege Dropping / Lowering Errors",Class,Incomplete,"The software does not drop privileges before passing control of a resource to an actor that does not have those privileges.","In some contexts, a system executing with elevated permissions will hand off a process/file/etc. to another process or user. If the privileges of an entity are not reduced, then elevated privileges are spread throughout a system and possibly to an attacker.","::NATURE:ChildOf:CWE ID:269:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped.::SCOPE:Access Control:SCOPE:Non-Repudiation:TECHNICAL IMPACT:Gain Privileges or Assume Identity Hide Activities:NOTE:Access Control Non-Repudiation Gain Privileges or Assume Identity Hide Activities If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator.::","","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. 
Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.::","::REFERENCE:CVE-2000-1213:DESCRIPTION:Program does not drop privileges after acquiring the raw socket.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1213REFERENCE:CVE-2001-0559:DESCRIPTION:Setuid program does not drop privileges after a parsing error occurs, then calls another program to handle the error.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0559REFERENCE:CVE-2001-0787:DESCRIPTION:Does not drop privileges in related groups when lowering privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0787REFERENCE:CVE-2002-0080:DESCRIPTION:Does not drop privileges in related groups when lowering privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0080REFERENCE:CVE-2001-1029:DESCRIPTION:Does not drop privileges before determining access to certain files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1029REFERENCE:CVE-1999-0813:DESCRIPTION:Finger daemon does not drop privileges when executing programs on behalf of the user being fingered.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0813REFERENCE:CVE-1999-1326:DESCRIPTION:FTP server does not drop privileges if a connection is aborted during file transfer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1326REFERENCE:CVE-2000-0172:DESCRIPTION:Program only uses seteuid to drop 
privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0172REFERENCE:CVE-2004-2504:DESCRIPTION:Windows program running as SYSTEM does not drop privileges before executing other programs (many others like this, especially involving the Help facility).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2504REFERENCE:CVE-2004-0213:DESCRIPTION:Utility Manager launches winhlp32.exe while running with raised privileges, which allows local users to gain system privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0213REFERENCE:CVE-2004-0806:DESCRIPTION:Setuid program does not drop privileges before executing program specified in an environment variable.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0806REFERENCE:CVE-2004-0828:DESCRIPTION:Setuid program does not drop privileges before processing file specified on command line.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0828REFERENCE:CVE-2004-2070:DESCRIPTION:Service on Windows does not drop privileges before using view file option, allowing code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2070","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Privilege Dropping / Lowering Errors::","","TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::",
  174. 272,"Least Privilege Violation",Base,Incomplete,"The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.","","::NATURE:ChildOf:CWE ID:271:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:271:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Confidentiality:TECHNICAL IMPACT:Gain Privileges or Assume Identity Read Application Data Read Files or Directories:NOTE:Access Control Confidentiality Gain Privileges or Assume Identity Read Application Data Read Files or Directories An attacker may be able to access resources with the elevated privilege that could not be accessed with the attacker's original privileges. This is particularly likely in conjunction with another flaw, such as a buffer overflow.::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners – Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of 
source::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Automated Static Analysis:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling::","::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Follow the principle of least privilege when assigning access rights to entities in a software system.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. 
Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Least Privilege Violation::::TAXONOMY NAME:CLASP:ENTRY NAME:Failure to drop privileges when reasonable::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS02-C:ENTRY NAME:Follow the principle of least privilege::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SEC00-J:ENTRY NAME:Do not allow privileged blocks to leak sensitive information across a trust boundary::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SEC01-J:ENTRY NAME:Do not allow tainted variables in privileged blocks::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP36:ENTRY NAME:Privilege::","::17::35::76::","TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::::TYPE:Other:NOTE:If system privileges are not dropped when it is reasonable to do so, this is not a vulnerability by itself. According to the principle of least privilege, access should be allowed only when it is absolutely necessary to the function of a given system, and only for the minimal necessary amount of time. Any further allowance of privilege widens the window of time during which a successful exploitation of the system will provide an attacker with that same privilege. If at all possible, limit the allowance of system privilege to small, simple sections of code that may be called atomically. When a program calls a privileged function, such as chroot(), it must first acquire root privilege. As soon as the privileged operation has completed, the program should drop root privilege and return to the privilege level of the invoking user.::",
  175. 273,"Improper Check for Dropped Privileges",Base,Incomplete,"The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.","If the drop fails, the software will continue to run with the raised privileges, which might provide additional access to unprivileged users.","::NATURE:ChildOf:CWE ID:754:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:271:VIEW ID:1000::NATURE:ChildOf:CWE ID:271:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:252:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","::In Windows based environments that have access control, impersonation is used so that access checks can be performed on a client identity by a server with higher privileges. By impersonating the client, the server is restricted to client-level security -- although in different threads it may have much higher privileges.::","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped.::SCOPE:Access Control:SCOPE:Non-Repudiation:TECHNICAL IMPACT:Gain Privileges or Assume Identity Hide Activities:NOTE:Access Control Non-Repudiation Gain Privileges or Assume Identity Hide Activities If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator.::","","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. 
Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::PHASE:Implementation:STRATEGY::EFFECTIVENESS:High:DESCRIPTION:Check the results of all functions that return a value and verify that the value is expected.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:In Windows, make sure that the process token has the SeImpersonatePrivilege(Microsoft Server 2003). Code that relies on impersonation for security must ensure that the impersonation succeeded, i.e., that a proper privilege demotion happened.::","::REFERENCE:CVE-2006-4447:DESCRIPTION:Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4447REFERENCE:CVE-2006-2916:DESCRIPTION:Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916","","System Process::","TAXONOMY NAME:CLASP:ENTRY NAME:Failure to check whether privileges were dropped successfully::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS37-C:ENTRY NAME:Ensure that privilege relinquishment is successful:MAPPING FIT:Exact::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::","","",
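Added example (not part of the CWE data above, not MITRE's code): a C routine for Linux/glibc that drops privileges in the order the CWE-271 observed examples show going wrong (supplementary groups first, then gid, then uid, with setresgid/setresuid rather than seteuid alone, cf. CVE-2000-0172 and CVE-2001-0787), followed by the CWE-273 check that reads the credentials back and tries to regain root instead of trusting return values. The account name "nobody" used in main() is an assumption.

```c
#define _GNU_SOURCE          /* setresuid/setresgid/getresuid/getresgid on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently drop to uid/gid.  Returns 0 on success, -1 on failure with
 * errno set by the failing call.
 *
 * The order is deliberate: supplementary groups, then gid, then uid.  Once the
 * effective uid is unprivileged, setgroups()/setresgid() are no longer
 * permitted, so reversing the order silently leaves groups behind.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only a privileged caller may change the supplementary list; an already
     * unprivileged caller has nothing elevated to clear. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* setres*id() sets real, effective AND saved ids.  seteuid() alone leaves
     * the saved uid at 0, so the drop would be reversible. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/*
 * CWE-273 check: read the credentials back and try to regain root.  Returns 1
 * when all three uids and gids equal the target and, for a non-root target,
 * privilege cannot be regained; 0 otherwise.
 */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid != 0) {
        /* Both must fail with EPERM; success means the saved uid was left
         * privileged and the drop was only cosmetic. */
        if (setuid(0) == 0 || seteuid(0) == 0)
            return 0;
        if (errno != EPERM)
            return 0;
    }
    return 1;
}

/* Stand-alone demo: when started as root, drop to the assumed account
 * "nobody"; otherwise "drop" to the caller's own ids and still run the check. */
int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0) {
        struct passwd *pw = getpwnam("nobody");   /* assumed to exist */
        if (pw == NULL) {
            fprintf(stderr, "no such user: nobody\n");
            return 1;
        }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;                    /* never carry on with raised privileges */
    }
    if (!privileges_dropped(uid, gid)) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return 1;
    }
    printf("running as uid=%ld gid=%ld\n", (long)uid, (long)gid);
    return 0;
}
```

Two caveats the code does not show: on Linux the glibc set*id wrappers propagate the change to every thread, but the raw syscalls are per-thread, so drop privileges before creating any threads; and because setgroups() is only attempted when the caller is root, a service that starts as root should additionally confirm that getgroups() reports an empty list after the drop.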
  176. 274,"Improper Handling of Insufficient Privileges",Base,Draft,"The software does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.","","::NATURE:ChildOf:CWE ID:703:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:269:VIEW ID:1000::NATURE:PeerOf:CWE ID:271:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:280:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other Alter Execution Logic::","","","::REFERENCE:CVE-2001-1564:DESCRIPTION:System limits are not properly enforced after privileges are dropped.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1564REFERENCE:CVE-2005-3286:DESCRIPTION:Firewall crashes when it can't read a critical memory block that was protected by a malicious process.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3286REFERENCE:CVE-2005-1641:DESCRIPTION:Does not give admin sufficient privileges to overcome otherwise legitimate user actions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1641","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Insufficient privileges::","","TYPE:Relationship:NOTE:Overlaps dropped privileges, insufficient permissions.::::TYPE:Relationship:NOTE:This has a layering relationship with Unchecked Error Condition and Unchecked Return Value.::::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. 
To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::",
  177. 276,"Incorrect Default Permissions",Variant,Draft,"The software, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor.","","::NATURE:ChildOf:CWE ID:732:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Installation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners – Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution::METHOD:Manual Static Analysis - Source 
Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer::METHOD:Automated Static Analysis:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. 
Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::","::REFERENCE:CVE-2005-1941:DESCRIPTION:Executables installed world-writable.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1941REFERENCE:CVE-2002-1713:DESCRIPTION:Home directories installed world-readable.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1713REFERENCE:CVE-2001-1550:DESCRIPTION:World-writable log files allow information loss; world-readable file has cleartext passwords.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1550REFERENCE:CVE-2002-1711:DESCRIPTION:World-readable directory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1711REFERENCE:CVE-2002-1844:DESCRIPTION:Windows product uses insecure permissions when installing on Solaris (genesis: port error).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1844REFERENCE:CVE-2001-0497:DESCRIPTION:Insecure permissions for a shared secret key file. Overlaps cryptographic problem.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0497REFERENCE:CVE-1999-0426:DESCRIPTION:Default permissions of a device allow IP spoofing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0426","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Insecure Default Permissions::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO06-C:ENTRY NAME:Create files with appropriate access permissions::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO01-J:ENTRY NAME:Create files with appropriate access permission::","::1::127::81::","",
  178. 277,"Insecure Inherited Permissions",Variant,Draft,"A product defines a set of insecure permissions that are inherited by objects that are created by the program.","","::NATURE:ChildOf:CWE ID:732:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data::","","::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::","::REFERENCE:CVE-2005-1841:DESCRIPTION:User's umask is used when creating temp files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1841REFERENCE:CVE-2002-1786:DESCRIPTION:Insecure umask for core dumps [is the umask preserved or assigned?].:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1786","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Insecure inherited permissions::","","",
  179. 278,"Insecure Preserved Inherited Permissions",Variant,Incomplete,"A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement.","","::NATURE:ChildOf:CWE ID:732:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data::","","::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::","::REFERENCE:CVE-2005-1724:DESCRIPTION:Does not obey specified permissions when exporting.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1724","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Insecure preserved inherited permissions::","","",
  180. 279,"Incorrect Execution-Assigned Permissions",Variant,Draft,"While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.","","::NATURE:ChildOf:CWE ID:732:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data::","","::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. 
Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::","::REFERENCE:CVE-2002-0265:DESCRIPTION:Log files opened read/write.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0265REFERENCE:CVE-2003-0876:DESCRIPTION:Log files opened read/write.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0876REFERENCE:CVE-2002-1694:DESCRIPTION:Log files opened read/write.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1694","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Insecure execution-assigned permissions::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO06-C:ENTRY NAME:Create files with appropriate access permissions::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO01-J:ENTRY NAME:Create files with appropriate access permission::","::81::","",
  181. 28,"Path Traversal: '..\filedir'",Variant,Incomplete,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '..\' sequences that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The '..\' manipulation is the canonical manipulation for operating systems that use '\' as the directory separator, such as Windows. However, it is also useful for bypassing path traversal protection schemes that only assume that the '/' separator is valid.","::NATURE:ChildOf:CWE ID:23:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:23:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Windows:OPERATING SYSTEM PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single '.' character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as '/' to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering '/' is insufficient protection if the filesystem also supports the use of '\' as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if '../' sequences are removed from the '.../...//' string in a sequential fashion, two instances of '../' would be removed from the original string, but the remaining characters would still form the '../' string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). 
Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-0661:DESCRIPTION:'\' not in blacklist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0661REFERENCE:CVE-2002-0946:DESCRIPTION:Arbitrary files may be read via '..\' (dot dot backslash) sequences in an HTTP request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0946REFERENCE:CVE-2002-1042:DESCRIPTION:Directory traversal vulnerability in search engine for web server allows remote attackers to read arbitrary files via '..\' sequences in queries.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1042REFERENCE:CVE-2002-1209:DESCRIPTION:Directory traversal vulnerability in FTP server allows remote attackers to read arbitrary files via '..\' sequences in a GET request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1209REFERENCE:CVE-2002-1178:DESCRIPTION:Directory traversal vulnerability in servlet allows remote attackers to execute arbitrary commands via '..\' sequences in an HTTP request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1178","","","TAXONOMY NAME:PLOVER:ENTRY NAME:'..\filename' ('dot dot backslash')::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
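Added example (not part of the CWE data, not MITRE's code) in C for the CWE-28 entry above: a component-wise check that treats '/' and '\' alike so '..\' cannot slip past a '/'-only filter; the single-pass '../' deletion that the CWE-182 note warns about, run on the '.../...//' input to show that it leaves '../' behind; and a filename whitelist of the kind the mitigation recommends. The allowed-extension list is an assumption made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Both separators count: a check that only knows '/' is what '..\' bypasses. */
static int is_sep(char c)
{
    return c == '/' || c == '\\';
}

/*
 * Walks the path component by component and tracks how deep below the
 * restricted directory it is.  Returns 1 if the path ever climbs above that
 * directory, is absolute, or carries a drive prefix ("C:"); 0 otherwise.
 * Decode and canonicalize (CWE-180) before calling this, and call it once.
 */
int path_escapes_root(const char *path)
{
    int depth = 0;
    const char *p = path;

    if (*p == '\0')
        return 0;
    if (is_sep(*p))
        return 1;                          /* absolute: not under the restricted dir */
    while (*p) {
        const char *start = p;
        size_t len;

        while (*p && !is_sep(*p))
            p++;
        len = (size_t)(p - start);
        if (memchr(start, ':', len) != NULL)
            return 1;                      /* "C:" style drive reference */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0)
                return 1;                  /* climbed above the starting directory */
        } else if (len != 0 && !(len == 1 && start[0] == '.')) {
            depth++;                       /* "." and empty components are no-ops */
        }
        while (is_sep(*p))
            p++;
    }
    return 0;
}

/* The CWE-182 anti-pattern: one left-to-right pass deleting every "../".
 * Included only to show what it does to crafted input. */
void naive_strip_dotdot(const char *in, char *out, size_t outsz)
{
    size_t o = 0;

    while (*in != '\0' && o + 1 < outsz) {
        if (strncmp(in, "../", 3) == 0) {
            in += 3;
            continue;
        }
        out[o++] = *in++;
    }
    out[o] = '\0';
}

/* Does the filtered form of `in` escape even though the filter ran? */
int escapes_after_naive_strip(const char *in)
{
    char buf[256];

    naive_strip_dotdot(in, buf, sizeof buf);
    return path_escapes_root(buf);
}

static const char *const allowed_exts[] = { "txt", "pdf", "png" };  /* assumed list */

/*
 * Whitelist for a bare filename: [A-Za-z0-9_-], exactly one '.' that is not
 * the first character, and an allowed extension.  Neither separator is
 * accepted, so traversal is impossible rather than merely filtered.
 */
int upload_name_is_safe(const char *name)
{
    size_t len = strlen(name), dots = 0, dotpos = 0, i;

    if (len == 0 || len > 64)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (i == 0 || ++dots > 1)
                return 0;
            dotpos = i;
        } else if (!isalnum(c) && c != '_' && c != '-') {
            return 0;
        }
    }
    if (dots != 1)
        return 0;
    for (i = 0; i < sizeof allowed_exts / sizeof allowed_exts[0]; i++)
        if (strcmp(name + dotpos + 1, allowed_exts[i]) == 0)
            return 1;
    return 0;
}
```

The instructive pair is "....//": taken as-is it is a single odd component and never leaves the directory, but after the naive filter it has become "../", so the filter manufactured the traversal the check then catches. Validate the canonical form once; do not sanitize and hope.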
  182. 280,"Improper Handling of Insufficient Permissions or Privileges ",Base,Draft,"The application does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the application in an invalid state.","","::NATURE:ChildOf:CWE ID:703:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other Alter Execution Logic::","","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. 
For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can cause unexpected failures.::","::REFERENCE:CVE-2003-0501:DESCRIPTION:Special file system allows attackers to prevent ownership/permission change of certain entries by opening the entries before calling a setuid program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0501REFERENCE:CVE-2004-0148:DESCRIPTION:FTP server places a user in the root directory when the user's permissions prevent access to their own home directory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0148","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Fails poorly due to insufficient permissions::::TAXONOMY NAME:WASC:ENTRY ID:17:ENTRY NAME:Improper Filesystem Permissions::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::","","TYPE:Relationship:NOTE:This can be both primary and resultant. When primary, it can expose a variety of weaknesses because a resource might not have the expected state, and subsequent operations might fail. It is often resultant from Unchecked Error Condition (CWE-391).::::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar.::::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::::TYPE:Research Gap:NOTE:This type of issue is under-studied, since researchers often concentrate on whether an object has too many permissions, instead of not enough. 
These weaknesses are likely to appear in environments with fine-grained models for permissions and privileges, which can include operating systems and other large-scale software packages. However, even highly simplistic permission/privilege models are likely to contain these issues if the developer has not considered the possibility of access failure.::",
  183. 281,"Improper Preservation of Permissions",Base,Draft,"The software does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.","","::NATURE:ChildOf:CWE ID:732:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:This is resultant from errors that prevent the permissions from being preserved.::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data::","","","::REFERENCE:CVE-2002-2323:DESCRIPTION:Incorrect ACLs used when restoring backups from directories that use symbolic links.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2323REFERENCE:CVE-2001-1515:DESCRIPTION:Automatic modification of permissions inherited from another file system.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1515REFERENCE:CVE-2005-1920:DESCRIPTION:Permissions on backup file are created with defaults, possibly less secure than original file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1920REFERENCE:CVE-2001-0195:DESCRIPTION:File is made world-readable when being cloned.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0195","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Permission preservation failure::","","",
  184. 282,"Improper Ownership Management",Class,Draft,"The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.","","::NATURE:ChildOf:CWE ID:284:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity::","","::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::","::REFERENCE:CVE-1999-1125:DESCRIPTION:Program runs setuid root but relies on a configuration file owned by a non-root user.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1125","","File or Directory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Ownership errors::","::17::35::","TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-396).::",
  185. 283,"Unverified Ownership",Base,Draft,"The software does not properly verify that a critical resource is owned by the proper entity.","","::NATURE:ChildOf:CWE ID:282:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:282:VIEW ID:699:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:264:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:345:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity An attacker could gain unauthorized access to system resources::","","::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.::","::REFERENCE:CVE-2001-0178:DESCRIPTION:Program does not verify the owner of a UNIX socket that is used for sending a password.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0178REFERENCE:CVE-2004-2012:DESCRIPTION:Owner of special device not checked, allowing root.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2012","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Unverified Ownership::","","TYPE:Relationship:NOTE:This overlaps insufficient comparison, verification errors, permissions, and privileges.::",
  186. 284,"Improper Access Control",Class,Incomplete,"The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.","Access control involves the use of several protection mechanisms such as: Authentication (proving the identity of an actor), Authorization (ensuring that a given actor can access a resource), and Accountability (tracking of activities that were performed). When any mechanism is not applied or otherwise fails, attackers can compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses: Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the resource (for example, setting a password file to be world-writable, or giving administrator capabilities to a guest user). This action could be performed by the program or the administrator. Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements (e.g., allowing the user to specify their own privileges, or allowing a syntactically-incorrect ACL to produce insecure settings). This problem occurs within the program itself, in that it does not actually enforce the intended security policy that the administrator specifies.","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:664:VIEW ID:1000::","","","","::TERM:Authorization:DESCRIPTION:The terms access control and authorization are often used interchangeably, although many people have distinct definitions. The CWE usage of access control is intended as a general term for the various mechanisms that restrict which users can access which resources, and authorization is more narrowly defined. 
It is unlikely that there will be community consensus on the use of these terms.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::","::REFERENCE:CVE-2010-4624:DESCRIPTION:Bulletin board applies restrictions on number of images during post creation, but does not enforce this on editing.:LINK:https://nvd.nist.gov/vuln/detail/CVE-2010-4624","","File or Directory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Access Control List (ACL) errors::::TAXONOMY NAME:WASC:ENTRY ID:2:ENTRY NAME:Insufficient Authorization::","::19::474::","TYPE:Maintenance:NOTE:This item needs more work. Possible sub-categories include: * Trusted group includes undesired entities (partially covered by CWE-286) * Group can perform undesired actions * ACL parse error does not fail closed::",
  187. 285,"Improper Authorization",Class,Draft,"The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.","Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are not applied consistently - or not at all - users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.","::NATURE:ChildOf:CWE ID:284:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:284:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:284:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Often::TECHNOLOGY NAME:Database Server:TECHNOLOGY PREVALENCE:Often::","::An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: No access, Read access, Change access, and Full control. Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.::","::TERM:AuthZ:DESCRIPTION:AuthZ is typically used as an abbreviation of authorization within the web application security community. 
It is also distinct from AuthC, which is an abbreviation of authentication. The use of Auth as an abbreviation is discouraged, since it could be used for either authentication or authorization.::",":::PHASE:Implementation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data Read Files or Directories:NOTE:Confidentiality Read Application Data Read Files or Directories An attacker could read sensitive data, either by reading the data directly from a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to read the data.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data Modify Files or Directories:NOTE:Integrity Modify Application Data Modify Files or Directories An attacker could modify sensitive data, either by writing the data directly to a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to write the data.::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity An attacker could gain privileges by modifying or reading critical data directly, or by accessing insufficiently-protected, privileged functionality.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:Limited:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic::METHOD:Manual Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. 
For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page. One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.::PHASE:System Configuration Installation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a default deny policy when defining these ACLs.::","::REFERENCE:CVE-2009-3168:DESCRIPTION:Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3168REFERENCE:CVE-2009-2960:DESCRIPTION:Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2960REFERENCE:CVE-2009-3597:DESCRIPTION:Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3597REFERENCE:CVE-2009-2282:DESCRIPTION:Terminal server does not check authorization for guest access.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2282REFERENCE:CVE-2009-3230:DESCRIPTION:Database server does not use appropriate privileges for certain sensitive 
operations.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230REFERENCE:CVE-2009-2213:DESCRIPTION:Gateway uses default Allow configuration for its authorization settings.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2213REFERENCE:CVE-2009-0034:DESCRIPTION:Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0034REFERENCE:CVE-2008-6123:DESCRIPTION:Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123REFERENCE:CVE-2008-5027:DESCRIPTION:System monitoring software allows users to bypass authorization by creating custom forms.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5027REFERENCE:CVE-2008-7109:DESCRIPTION:Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7109REFERENCE:CVE-2008-3424:DESCRIPTION:Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3424REFERENCE:CVE-2009-3781:DESCRIPTION:Content management system does not check access permissions for private files, allowing others to view those files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3781REFERENCE:CVE-2008-4577:DESCRIPTION:ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577REFERENCE:CVE-2008-6548:DESCRIPTION:Product does not check the ACL of a page accessed using an include directive, allowing attackers to read unauthorized 
files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6548REFERENCE:CVE-2007-2925:DESCRIPTION:Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925REFERENCE:CVE-2006-6679:DESCRIPTION:Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6679REFERENCE:CVE-2005-3623:DESCRIPTION:OS kernel does not check for a certain privilege before setting ACLs for files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3623REFERENCE:CVE-2005-2801:DESCRIPTION:Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2801REFERENCE:CVE-2001-1155:DESCRIPTION:Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1155","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Missing Access Control::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A10:ENTRY NAME:Failure to Restrict URL Access:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A2:ENTRY NAME:Broken Access Control:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP35:ENTRY NAME:Insecure resource access::","::1::104::127::13::17::39::45::51::59::60::76::77::87::","",
  188. 286,"Incorrect User Management",Class,Incomplete,"The software does not properly manage a user within its environment.","Users can be assigned to the wrong group (class) of permissions resulting in unintended access rights to sensitive objects.","::NATURE:ChildOf:CWE ID:284:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:284:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:User management errors::","","TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::::TYPE:Maintenance:NOTE:This item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or configuration. It also might be better expressed as a category than a weakness.::",
  189. 287,"Improper Authentication",Class,Draft,"When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.","","::NATURE:ChildOf:CWE ID:284:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:284:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:284:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:authentification:DESCRIPTION:An alternate term is authentification, which appears to be most commonly used by people from non-English-speaking countries.::TERM:AuthC:DESCRIPTION:AuthC is typically used as an abbreviation of authentication within the web application security community. It is also distinct from AuthZ, which is an abbreviation of authorization. The use of Auth as an abbreviation is discouraged, since it could be used for either authentication or authorization.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Read Application Data Gain Privileges or Assume Identity Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Access Control Read Application Data Gain Privileges or Assume Identity Execute Unauthorized Code or Commands This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:Limited:DESCRIPTION:Automated static analysis is useful for detecting certain types of authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.::METHOD:Manual Static Analysis:EFFECTIVENESS:High:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Automated Static Analysis:EFFECTIVENESS:SOAR 
Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction::","::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use an authentication framework or library such as the OWASP ESAPI Authentication feature.::","::REFERENCE:CVE-2009-3421:DESCRIPTION:login script for guestbook allows bypassing authentication by setting a login_ok parameter to 1.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3421REFERENCE:CVE-2009-2382:DESCRIPTION:admin script allows authentication bypass by setting a cookie value to LOGGEDIN.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2382REFERENCE:CVE-2009-1048:DESCRIPTION:VOIP product allows authentication bypass using 127.0.0.1 in the Host header.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1048REFERENCE:CVE-2009-2213:DESCRIPTION:product uses default Allow action, instead of default deny, leading to authentication bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2213REFERENCE:CVE-2009-2168:DESCRIPTION:chain: redirect without exit (CWE-698) leads to resultant authentication bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2168REFERENCE:CVE-2009-3107:DESCRIPTION:product does not restrict access to a listening port for a critical service, allowing authentication to be bypassed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3107REFERENCE:CVE-2009-1596:DESCRIPTION:product does not properly implement a security-related configuration setting, allowing authentication 
bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1596REFERENCE:CVE-2009-2422:DESCRIPTION:authentication routine returns nil instead of false in some situations, allowing authentication bypass using an invalid username.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422REFERENCE:CVE-2009-3232:DESCRIPTION:authentication update script does not properly handle when admin does not select any authentication modules, allowing authentication bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3232REFERENCE:CVE-2009-3231:DESCRIPTION:use of LDAP authentication with anonymous binds causes empty password to result in successful authentication:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3231REFERENCE:CVE-2005-3435:DESCRIPTION:product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3435REFERENCE:CVE-2005-0408:DESCRIPTION:chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0408","::Authentication","","TAXONOMY NAME:PLOVER:ENTRY NAME:Authentication Error::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A7:ENTRY NAME:Broken Authentication and Session Management:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A3:ENTRY NAME:Broken Authentication and Session Management:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:1:ENTRY NAME:Insufficient Authentication::","::114::151::22::57::593::94::","TYPE:Relationship:NOTE:This can be resultant from SQL injection vulnerabilities and other issues.::",
  190. 288,"Authentication Bypass Using an Alternate Path or Channel",Base,Incomplete,"A product requires authentication, but the product has an alternate path or channel that does not require authentication.","","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:420:VIEW ID:1000::NATURE:PeerOf:CWE ID:425:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.::","::REFERENCE:CVE-2000-1179:DESCRIPTION:Router allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1179REFERENCE:CVE-1999-1454:DESCRIPTION:Attackers with physical access to the machine may bypass the password prompt by pressing the ESC (Escape) key.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1454REFERENCE:CVE-1999-1077:DESCRIPTION:OS allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1077REFERENCE:CVE-2003-0304:DESCRIPTION:Direct request of installation file allows attacker to create administrator accounts.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0304REFERENCE:CVE-2002-0870:DESCRIPTION:Attackers may gain additional privileges by directly requesting 
the web management URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0870REFERENCE:CVE-2002-0066:DESCRIPTION:Bypass authentication via direct request to named pipe.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0066REFERENCE:CVE-2003-1035:DESCRIPTION:User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1035","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Authentication Bypass by Alternate Path/Channel::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A10:ENTRY NAME:Failure to Restrict URL Access:MAPPING FIT:CWE More Specific::","::127::","TYPE:Relationship:NOTE:overlaps Unprotected Alternate Channel::",
  191. 289,"Authentication Bypass by Alternate Name",Variant,Incomplete,"The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.","","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. 
However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2003-0317:DESCRIPTION:Protection mechanism that restricts URL access can be bypassed using URL encoding.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0317REFERENCE:CVE-2004-0847:DESCRIPTION:Bypass of authentication for files using (backslash) or %5C (encoded backslash).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0847","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Authentication bypass by alternate name::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:IDS01-J:ENTRY NAME:Normalize strings before validating them::","","TYPE:Relationship:NOTE:Overlaps equivalent encodings, canonicalization, authorization, multiple trailing slash, trailing space, mixed case, and other equivalence issues.::::TYPE:Theoretical:NOTE:Alternate names are useful in data driven manipulation attacks, not just for authentication.::",
  192. 29,"Path Traversal: '\..\filename'",Variant,Incomplete,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. This is similar to CWE-25, except using \ instead of /. Sometimes a program checks for ..\ at the beginning of the input, so a \..\ can bypass that check. It is also useful for bypassing path traversal protection schemes that only assume that the / separator is valid.","::NATURE:ChildOf:CWE ID:23:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:23:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Windows:OPERATING SYSTEM PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-1987:DESCRIPTION:Protection mechanism checks for /.. but doesn't account for Windows-specific \.. 
allowing read of arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1987REFERENCE:CVE-2005-2142:DESCRIPTION:Directory traversal vulnerability in FTP server allows remote authenticated attackers to list arbitrary directories via a \.. sequence in an LS command.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2142","","","TAXONOMY NAME:PLOVER:ENTRY NAME:'\..\filename' ('leading dot dot backslash')::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
  193. 290,"Authentication Bypass by Spoofing",Base,Incomplete,"This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.","","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity This weakness can allow an attacker to access resources which are not otherwise accessible without proper authentication.::","","","::REFERENCE:CVE-2009-1048:DESCRIPTION:VOIP product allows authentication bypass using 127.0.0.1 in the Host header.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1048","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Authentication bypass by spoofing::","::21::22::459::461::473::59::60::94::","TYPE:Relationship:NOTE:This can be resultant from insufficient verification.::",
  194. 291,"Reliance on IP Address for Authentication",Variant,Incomplete,"The software uses an IP address for authentication.","IP addresses can be easily spoofed. Attackers can forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication.","::NATURE:ChildOf:CWE ID:290:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:290:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:923:VIEW ID:1000::NATURE:ChildOf:CWE ID:471:VIEW ID:1000::","::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities Gain Privileges or Assume Identity:NOTE:Access Control Non-Repudiation Hide Activities Gain Privileges or Assume Identity Malicious users can fake authentication information, impersonating any IP address.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Trusting self-reported IP address::","::4::","",
  195. 293,"Using Referer Field for Authentication",Variant,Draft,"The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.","","::NATURE:ChildOf:CWE ID:290:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:290:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","::The referer field in HTTP requests can be simply modified by malicious users, rendering it useless as a means of checking the validity of the request in question.::","::TERM:referrer:DESCRIPTION:While the proper spelling might be regarded as referrer, the HTTP RFCs and their implementations use referer, so this is regarded as the correct spelling.::",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity Actions, which may not be authorized otherwise, can be carried out as if they were validated by the server referred to.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:In order to usefully check if a given action is authorized, some means of strong authentication and method protection must be used. Use other means of authorization that cannot be simply spoofed. Possibilities include a username/password or certificate.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Using referrer field for authentication::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP29:ENTRY NAME:Faulty endpoint authentication::","","",
  196. 294,"Authentication Bypass by Capture-replay",Base,Incomplete,"A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).","Capture-replay attacks are common and can be difficult to defeat without cryptography. They are a subset of network injection attacks that rely on observing previously-sent valid commands, then changing them slightly if necessary and resending the same commands to the server.","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity Messages sent with a capture-replay attack allow access to resources which are not otherwise accessible without proper authentication.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Utilize some sequence or time stamping functionality along with a checksum which takes this into account in order to ensure that messages can be parsed only once.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Since any attacker who can listen to traffic can see sequence numbers, it is necessary to sign messages with some kind of cryptography to ensure that sequence numbers are not simply doctored along with content.::","::REFERENCE:CVE-2005-3435:DESCRIPTION:product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3435REFERENCE:CVE-2007-4961:DESCRIPTION:Chain: cleartext transmission of the MD5 hash of password (CWE-319) 
enables attacks against a server that is susceptible to replay (CWE-294).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4961","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Authentication bypass by replay::::TAXONOMY NAME:CLASP:ENTRY NAME:Capture-replay::","::102::60::94::","",
  197. 295,"Improper Certificate Validation",Base,Incomplete,"The software does not validate, or incorrectly validates, a certificate.","When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:322:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","::A certificate is a token that associates an identity (principal) to a cryptographic key. Certificates can be used to check if a public key belongs to the assumed owner.::","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Authentication:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: 
Web Application Scanner::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.::","::REFERENCE:CVE-2014-1266:DESCRIPTION:chain: incorrect goto in Apple SSL product bypasses certificate validation, allowing man-in-the-middle attack (Apple goto fail bug). 
CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint ('Man-in-the-Middle')).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1266REFERENCE:CVE-2008-4989:DESCRIPTION:Verification function trusts certificate chains in which the last certificate is self-signed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989REFERENCE:CVE-2012-5821:DESCRIPTION:Web browser uses a TLS-related function incorrectly, preventing it from verifying that a server's certificate is signed by a trusted certification authority (CA):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5821REFERENCE:CVE-2009-3046:DESCRIPTION:Web browser does not check if any intermediate certificates are revoked.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3046REFERENCE:CVE-2011-0199:DESCRIPTION:Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0199REFERENCE:CVE-2012-5810:DESCRIPTION:Mobile banking application does not verify hostname, leading to financial loss.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5810REFERENCE:CVE-2012-3446:DESCRIPTION:Cloud-support library written in Python uses incorrect regular expression when matching hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3446REFERENCE:CVE-2009-2408:DESCRIPTION:Web browser does not correctly handle '\0' character (NUL) in Common Name, allowing spoofing of https sites.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408REFERENCE:CVE-2012-2993:DESCRIPTION:Smartphone device does not verify hostname, allowing spoofing of mail services.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2993REFERENCE:CVE-2012-5822:DESCRIPTION:Application uses third-party library that does 
not validate hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5822REFERENCE:CVE-2012-5819:DESCRIPTION:Cloud storage management application does not validate hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5819REFERENCE:CVE-2012-5817:DESCRIPTION:Java library uses JSSE SSLSocket and SSLEngine classes, which do not verify the hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5817REFERENCE:CVE-2010-1378:DESCRIPTION:chain: incorrect calculation allows attackers to bypass certificate checks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1378REFERENCE:CVE-2005-3170:DESCRIPTION:LDAP client accepts certificates even if they are not from a trusted CA.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3170REFERENCE:CVE-2009-0265:DESCRIPTION:chain: DNS server does not correctly check return value from the OpenSSL EVP_VerifyFinal function, which allows bypass of validation of the certificate chain.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0265REFERENCE:CVE-2003-1229:DESCRIPTION:chain: product checks if client is trusted when it intended to check if the server is trusted, allowing validation of signed code.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1229REFERENCE:CVE-2002-0862:DESCRIPTION:Cryptographic API, as used in web browsers, mail clients, and other software, does not properly validate Basic Constraints.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0862REFERENCE:CVE-2009-1358:DESCRIPTION:chain: OS package manager does not properly check the return value, allowing bypass using a revoked certificate.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1358","","","TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A10:ENTRY NAME:Insecure Configuration Management:MAPPING FIT:CWE More Specific::","::459::","",
  198. 296,"Improper Following of a Certificate's Chain of Trust",Base,Draft,"The software does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.","If a system does not follow the chain of trust of a certificate to a root server, the certificate loses all usefulness as a metric of trust. Essentially, the trust gained from a certificate is derived from a chain of trust -- with a reputable trusted entity at the end of that list. The end user must trust that reputable source, and this reputable source must vouch for the resource in question through the medium of the certificate. In some cases, this trust traverses several entities who vouch for one another. The entity trusted by the end user is at one end of this trust chain, while the certificate-wielding resource is at the other end of the chain. If the user receives a certificate at the end of one of these trust chains and then proceeds to check only the first link in the chain, no real trust has been derived, since the entire chain must be traversed back to a trusted source to verify the certificate. There are several ways in which the chain of trust might be broken, including but not limited to: Any certificate in the chain is self-signed, unless it is the root. Not every intermediate certificate is checked, starting from the original certificate all the way up to the root certificate. An intermediate, CA-signed certificate does not have the expected Basic Constraints or other important extensions. 
The root certificate has been compromised or authorized to the wrong party.","::NATURE:ChildOf:CWE ID:295:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:295:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:573:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Non-Repudiation Hide Activities Exploitation of this flaw can lead to the trust of data that may have originated with a spoofed source.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Access Control Gain Privileges or Assume Identity Execute Unauthorized Code or Commands Data, requests, or actions taken by the attacking entity can be carried out as a spoofed benign entity.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that proper certificate checking is included in the system design.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Understand and properly implement all checks necessary to ensure the integrity of certificate trust.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the full chain of trust.::","::REFERENCE:CVE-2016-2402:DESCRIPTION:Server allows bypass of certificate pinning by sending a chain of trust that includes a trusted CA that is not pinned.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2402REFERENCE:CVE-2008-4989:DESCRIPTION:Verification function trusts certificate chains in which the last certificate is 
self-signed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989REFERENCE:CVE-2012-5821:DESCRIPTION:Chain: Web browser uses a TLS-related function incorrectly, preventing it from verifying that a server's certificate is signed by a trusted certification authority (CA).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5821REFERENCE:CVE-2009-3046:DESCRIPTION:Web browser does not check if any intermediate certificates are revoked.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3046REFERENCE:CVE-2009-0265:DESCRIPTION:chain: DNS server does not correctly check return value from the OpenSSL EVP_VerifyFinal function, which allows bypass of validation of the certificate chain.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0265REFERENCE:CVE-2009-0124:DESCRIPTION:chain: incorrect check of return value from the OpenSSL EVP_VerifyFinal function allows bypass of validation of the certificate chain.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0124REFERENCE:CVE-2002-0970:DESCRIPTION:File-transfer software does not validate Basic Constraints of an intermediate CA-signed certificate.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0970REFERENCE:CVE-2002-0862:DESCRIPTION:Cryptographic API, as used in web browsers, mail clients, and other software, does not properly validate Basic Constraints.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0862","","","TAXONOMY NAME:CLASP:ENTRY NAME:Failure to follow chain of trust in certificate validation::","","",
  199. 297,"Improper Validation of Certificate with Host Mismatch",Variant,Incomplete,"The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.","Even if a certificate is well-formed, signed, and follows the chain of trust, it may simply be a valid certificate for a different site than the site that the software is interacting with. If the certificate's host-specific data is not properly checked - such as the Common Name (CN) in the Subject or the Subject Alternative Name (SAN) extension of an X.509 certificate - it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data, impersonating a trusted host. In order to ensure data integrity, the certificate must be valid and it must pertain to the site that is being accessed. Even if the software attempts to check the hostname, it is still possible to incorrectly check the hostname. For example, attackers could create a certificate with a name that begins with a trusted name followed by a NUL byte, which could cause some string-based comparisons to only examine the portion that contains the trusted name. 
This weakness can occur even when the software uses Certificate Pinning, if the software does not verify the hostname at the time a certificate is pinned.","::NATURE:ChildOf:CWE ID:295:VIEW ID:1000::NATURE:ChildOf:CWE ID:295:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:295:VIEW ID:1003:ORDINAL:Primary::NATURE:ChildOf:CWE ID:923:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity The data read from the system vouched for by the certificate may not be from the expected system.::SCOPE:Authentication:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Authentication Other Other Trust afforded to the system in question - based on the malicious certificate - may allow for spoofing or redirection attacks.::","::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS::DESCRIPTION:Set up an untrusted endpoint (e.g. a server) with which the software will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the software performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted.::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. 
This methodology might be extensible to other technologies.::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.::","::REFERENCE:CVE-2012-5810:DESCRIPTION:Mobile banking application does not verify hostname, leading to financial loss.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5810REFERENCE:CVE-2012-5811:DESCRIPTION:Mobile application for printing documents does not verify hostname, allowing attackers to read sensitive documents.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5811REFERENCE:CVE-2012-5807:DESCRIPTION:Software for electronic checking does not verify hostname, leading to financial loss.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5807REFERENCE:CVE-2012-3446:DESCRIPTION:Cloud-support library written in Python uses incorrect regular expression when matching hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3446REFERENCE:CVE-2009-2408:DESCRIPTION:Web browser does not correctly handle '\0' character (NUL) in Common Name, allowing spoofing of https sites.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408REFERENCE:CVE-2012-0867:DESCRIPTION:Database program truncates the Common Name during hostname verification, allowing spoofing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0867REFERENCE:CVE-2010-2074:DESCRIPTION:Incorrect handling of '\0' character (NUL) in hostname verification allows spoofing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2074REFERENCE:CVE-2009-4565:DESCRIPTION:Mail server's incorrect handling of '\0' character (NUL) in hostname verification
allows spoofing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4565REFERENCE:CVE-2009-3767:DESCRIPTION:LDAP server's incorrect handling of '\0' character (NUL) in hostname verification allows spoofing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3767REFERENCE:CVE-2012-5806:DESCRIPTION:Payment processing module does not verify hostname when connecting to PayPal using PHP fsockopen function.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5806REFERENCE:CVE-2012-2993:DESCRIPTION:Smartphone device does not verify hostname, allowing spoofing of mail services.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2993REFERENCE:CVE-2012-5804:DESCRIPTION:E-commerce module does not verify hostname when connecting to payment site.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5804REFERENCE:CVE-2012-5824:DESCRIPTION:Chat application does not validate hostname, leading to loss of privacy.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5824REFERENCE:CVE-2012-5822:DESCRIPTION:Application uses third-party library that does not validate hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5822REFERENCE:CVE-2012-5819:DESCRIPTION:Cloud storage management application does not validate hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5819REFERENCE:CVE-2012-5817:DESCRIPTION:Java library uses JSSE SSLSocket and SSLEngine classes, which do not verify the hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5817REFERENCE:CVE-2012-5784:DESCRIPTION:SOAP platform does not verify the hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784REFERENCE:CVE-2012-5782:DESCRIPTION:PHP library for payments does not verify the hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5782REFERENCE:CVE-2012-5780:DESCRIPTION:Merchant SDK for payments does not verify the
hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5780REFERENCE:CVE-2003-0355:DESCRIPTION:Web browser does not validate Common Name, allowing spoofing of https sites.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0355","","","TAXONOMY NAME:CLASP:ENTRY NAME:Failure to validate host-specific certificate data::","","",
298,"Improper Validation of Certificate Expiration",Variant,Draft,"A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.","When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.","::NATURE:ChildOf:CWE ID:295:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:295:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:672:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Integrity Other Other The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.::SCOPE:Authentication:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Authentication Other Other Trust afforded to the system in question - based on the expired certificate - may allow for spoofing attacks.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Failure to validate certificate expiration::","","",
299,"Improper Check for Certificate Revocation",Base,Draft,"The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.","An improper check for certificate revocation is a far more serious flaw than related certificate failures. This is because the use of any revoked certificate is almost certainly malicious. The most common reason for certificate revocation is compromise of the system in question, with the result that no legitimate servers will be using a revoked certificate, unless they are sorely out of sync.","::NATURE:ChildOf:CWE ID:295:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:295:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:404:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity Trust may be assigned to an entity who is not who it claims to be.::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Integrity Other Other Data from an untrusted (and possibly malicious) source may be integrated.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that certificates are checked for revoked status.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the revoked status.::","::REFERENCE:CVE-2011-2014:DESCRIPTION:LDAP-over-SSL implementation does not check Certificate Revocation List
(CRL), allowing spoofing using a revoked certificate.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2014REFERENCE:CVE-2011-0199:DESCRIPTION:Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0199REFERENCE:CVE-2010-5185:DESCRIPTION:Antivirus product does not check whether certificates from signed executables have been revoked.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5185REFERENCE:CVE-2009-3046:DESCRIPTION:Web browser does not check if any intermediate certificates are revoked.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3046REFERENCE:CVE-2009-0161:DESCRIPTION:chain: Ruby module for OCSP misinterprets a response, preventing detection of a revoked certificate.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0161REFERENCE:CVE-2011-2701:DESCRIPTION:chain: incorrect parsing of replies from OCSP responders allows bypass using a revoked certificate.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2701REFERENCE:CVE-2011-0935:DESCRIPTION:Router can permanently cache certain public keys, which would allow bypass if the certificate is later revoked.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0935REFERENCE:CVE-2009-1358:DESCRIPTION:chain: OS package manager does not properly check the return value, allowing bypass using a revoked certificate.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1358REFERENCE:CVE-2009-0642:DESCRIPTION:chain: language interpreter does not properly check the return value from an OCSP function, allowing bypass using a revoked certificate.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0642REFERENCE:CVE-2008-4679:DESCRIPTION:chain: web service component does not call the expected method, which prevents a check for revoked
certificates.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4679REFERENCE:CVE-2006-4410:DESCRIPTION:Certificate revocation list not searched for certain certificates.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4410REFERENCE:CVE-2006-4409:DESCRIPTION:Product cannot access certificate revocation list when an HTTP proxy is being used.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4409","","","TAXONOMY NAME:CLASP:ENTRY NAME:Failure to check for certificate revocation::","","",
30,"Path Traversal: '\dir\..\filename'",Variant,Draft,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\dir\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. This is similar to CWE-26, except using \ instead of /. The '\dir\..\filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only checks for ..\ at the beginning of the input, so a \..\ can bypass that check.","::NATURE:ChildOf:CWE ID:23:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:23:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Windows:OPERATING SYSTEM PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue.
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-1987:DESCRIPTION:Protection mechanism checks for /.. but doesn't account for Windows-specific \..
allowing read of arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1987","","","TAXONOMY NAME:PLOVER:ENTRY NAME:7 - '\directory\..\filename::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
300,"Channel Accessible by Non-Endpoint ('Man-in-the-Middle')",Class,Draft,"The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.","In order to establish secure communication between two parties, it is often important to adequately verify the identity of entities at each end of the communication channel. Inadequate or inconsistent verification may result in insufficient or incorrect identification of either communicating entity. This can have negative consequences such as misplaced trust in the entity at the other end of the channel. An attacker can leverage this by interposing between the communicating entities and masquerading as the original entity. In the absence of sufficient verification of identity, such an attacker can eavesdrop and potentially modify the communication between the original entities.","::NATURE:ChildOf:CWE ID:923:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:923:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Access Control:TECHNICAL IMPACT:Read Application Data Modify Application Data Gain Privileges or Assume Identity:NOTE:Confidentiality Integrity Access Control Read Application Data Modify Application Data Gain Privileges or Assume Identity An attacker could pose as one of the entities and read or possibly modify the communication.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always fully authenticate both ends of any communications channel.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Adhere to the principle of complete mediation.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:A certificate binds
an identity to a cryptographic key to authenticate a communicating party. Often, the certificate takes the encrypted form of the hash of the identity of the subject, the public key, and information such as time of issue or expiration using the issuer's private key. The certificate can be validated by deciphering the certificate with the issuer's public key. See also X.509 certificate signature chains and the PGP certification structure.::","::REFERENCE:CVE-2014-1266:DESCRIPTION:chain: incorrect goto in Apple SSL product bypasses certificate validation, allowing man-in-the-middle attack (Apple goto fail bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint ('Man-in-the-Middle')).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1266","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Man-in-the-middle (MITM)::::TAXONOMY NAME:WASC:ENTRY ID:32:ENTRY NAME:Routing Detour::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SEC06-J:ENTRY NAME:Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar::","::466::57::94::","TYPE:Maintenance:NOTE:The summary identifies multiple distinct possibilities, suggesting that this is a category that must be broken into more specific weaknesses.::",
301,"Reflection Attack in an Authentication Protocol",Variant,Draft,"Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.","A mutual authentication protocol requires each party to respond to a random challenge by the other party by encrypting it with a pre-shared key. Often, however, such protocols employ the same pre-shared key for communication with a number of different entities. A malicious user or an attacker can easily compromise this protocol without possessing the correct key by employing a reflection attack on the protocol.","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:327:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity The primary result of reflection attacks is successful authentication with a target machine -- as an impersonated user.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use different keys for the initiator and responder, or use a different type of challenge for the initiator and responder.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Let the initiator prove its identity before proceeding.::","::REFERENCE:CVE-2005-3435:DESCRIPTION:product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3435","","","TAXONOMY NAME:CLASP:ENTRY NAME:Reflection attack in an auth protocol::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A7:ENTRY NAME:Broken Authentication and Session Management:MAPPING FIT:CWE More Specific::","::90::","TYPE:Maintenance:NOTE:The term
reflection is used in multiple ways within CWE and the community, so its usage should be reviewed.::::TYPE:Other:NOTE:Reflection attacks capitalize on mutual authentication schemes in order to trick the target into revealing the secret shared between it and another valid user. In a basic mutual-authentication scheme, a secret is known to both the valid user and the server; this allows them to authenticate. In order that they may verify this shared secret without sending it plainly over the wire, they utilize a Diffie-Hellman-style scheme in which they each pick a value, then request the hash of that value as keyed by the shared secret. In a reflection attack, the attacker claims to be a valid user and requests the hash of a random value from the server. When the server returns this value and requests its own value to be hashed, the attacker opens another connection to the server. This time, the hash requested by the attacker is the value which the server requested in the first connection. When the server returns this hashed value, it is used in the first connection, authenticating the attacker successfully as the impersonated valid user.::",
302,"Authentication Bypass by Assumed-Immutable Data",Variant,Incomplete,"The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.","","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:807:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Architecture and Design Operation Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Implement proper protection for immutable data (e.g. environment variable, hidden form fields, etc.)::","::REFERENCE:CVE-2002-0367:DESCRIPTION:DebPloit:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0367REFERENCE:CVE-2004-0261:DESCRIPTION:Web auth:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0261REFERENCE:CVE-2002-1730:DESCRIPTION:Authentication bypass by setting certain cookies to true.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1730REFERENCE:CVE-2002-1734:DESCRIPTION:Authentication bypass by setting certain cookies to true.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1734REFERENCE:CVE-2002-2064:DESCRIPTION:Admin access by setting a cookie.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2064REFERENCE:CVE-2002-2054:DESCRIPTION:Gain privileges by setting cookie.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2054REFERENCE:CVE-2004-1611:DESCRIPTION:Product trusts authentication information in cookie.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1611REFERENCE:CVE-2005-1708:DESCRIPTION:Authentication bypass by setting admin-testing variable to
true.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1708REFERENCE:CVE-2005-1787:DESCRIPTION:Bypass auth and gain privileges by setting a variable.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1787","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Authentication Bypass via Assumed-Immutable Data::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A1:ENTRY NAME:Unvalidated Input:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SEC02-J:ENTRY NAME:Do not base security checks on untrusted sources::","::10::13::21::274::31::39::45::77::","",
303,"Incorrect Implementation of Authentication Algorithm",Base,Draft,"The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.","This incorrect implementation may allow authentication to be bypassed.","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","","::REFERENCE:CVE-2003-0750:DESCRIPTION:Conditional should have been an 'or' not an 'and'.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0750","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Authentication Logic Error::","::90::","",
304,"Missing Critical Step in Authentication",Base,Draft,"The software implements an authentication technique, but it skips a step that weakens the technique.","Authentication techniques should follow the algorithms that define them exactly, otherwise authentication can be bypassed or more easily subjected to brute force attacks.","::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity Read Application Data Execute Unauthorized Code or Commands:NOTE:Access Control Integrity Confidentiality Bypass Protection Mechanism Gain Privileges or Assume Identity Read Application Data Execute Unauthorized Code or Commands This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or allowing attackers to execute arbitrary code.::","","","::REFERENCE:CVE-2004-2163:DESCRIPTION:Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2163","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Missing Critical Step in Authentication::","","",
305,"Authentication Bypass by Primary Weakness",Base,Draft,"The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.","","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","","::REFERENCE:CVE-2002-1374:DESCRIPTION:The provided password is only compared against the first character of the real password.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1374REFERENCE:CVE-2000-0979:DESCRIPTION:The password is not properly checked, which allows remote attackers to bypass access controls by sending a 1-byte password that matches the first character of the real password.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0979REFERENCE:CVE-2001-0088:DESCRIPTION:Chain: Forum software does not properly initialize an array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the password and gain administrative privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0088","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Authentication Bypass by Primary Weakness::","","TYPE:Relationship:NOTE:Most authentication bypass errors are resultant, not primary.::",
306,"Missing Authentication for Critical Function",Variant,Draft,"The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.","","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Gain Privileges or Assume Identity Other:NOTE:Access Control Other Gain Privileges or Assume Identity Other Exposing critical functionality essentially provides an attacker with the privilege level of that functionality. The consequences will depend on the associated functionality, but they can range from reading or modifying sensitive data, access to administrative or other privileged functionality, or possibly even execution of arbitrary code.::","::METHOD:Manual Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.::METHOD:Automated Static Analysis:EFFECTIVENESS:Limited:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes.
In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate credential management need to be used throughout.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Where possible, avoid implementing custom authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment. These may make it easier to provide a clear separation between authentication tasks and authorization tasks. 
In environments such as the World Wide Web, the line between authentication and authorization is sometimes blurred. If custom authentication routines are required instead of those provided by the server, then these routines must be applied to every single page, since these pages could be requested directly.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].::","::REFERENCE:CVE-2002-1810:DESCRIPTION:MFV. Access TFTP server without authentication and obtain configuration file with sensitive plaintext information.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1810REFERENCE:CVE-2008-6827:DESCRIPTION:Agent software running at privileges does not authenticate incoming requests over an unprotected channel, allowing a Shatter attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6827REFERENCE:CVE-2004-0213:DESCRIPTION:Product enforces restrictions through a GUI but not through privileged APIs.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0213","","","TAXONOMY NAME:PLOVER:ENTRY NAME:No Authentication for Critical Function::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP31:ENTRY NAME:Missing authentication::","::225::12::36::40::62::","TYPE:Relationship:NOTE:This is separate from bypass issues in which authentication exists, but is faulty.::",
307,"Improper Restriction of Excessive Authentication Attempts",Base,Draft,"The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.","","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:799:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account.::","::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners Cost effective for partial coverage: Host-based Vulnerability Scanners – Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Forced Path Execution::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Automated Static Analysis:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Common protection mechanisms include: Disconnecting the user after a small number of failed attempts Implementing a timeout Locking out a targeted account Requiring a computational task on the user's part.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]::","::REFERENCE:CVE-1999-1152:DESCRIPTION:Product does not disconnect or timeout after multiple failed logins.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1152REFERENCE:CVE-2001-1291:DESCRIPTION:Product does not disconnect or timeout after multiple failed logins.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1291REFERENCE:CVE-2001-0395:DESCRIPTION:Product does not disconnect or timeout after multiple failed logins.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0395REFERENCE:CVE-2001-1339:DESCRIPTION:Product does not disconnect or timeout after multiple failed logins.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1339REFERENCE:CVE-2002-0628:DESCRIPTION:Product does not disconnect or timeout after multiple failed logins.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0628REFERENCE:CVE-1999-1324:DESCRIPTION:User accounts not disabled when they exceed a threshold; possibly a resultant problem.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1324","","","TAXONOMY NAME:PLOVER:ENTRY ID:AUTHENT.MULTFAIL:ENTRY NAME:Multiple Failed Authentication Attempts not Prevented::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP34:ENTRY NAME:Unrestricted authentication::","","",
308,"Use of Single-factor Authentication",Base,Draft,"The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.","While the use of multiple authentication schemes is simply piling on more complexity on top of authentication, it is inestimably valuable to have such measures of redundancy. The use of weak, reused, and common passwords is rampant on the internet. Without the added protection of multiple authentication schemes, a single mistake can result in the compromise of an account. For this reason, if multiple schemes are possible and also easy to use, they should be implemented and required.","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:654:VIEW ID:1000::NATURE:PeerOf:CWE ID:309:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism If the secret in a single-factor authentication scheme gets compromised, full authentication is possible.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Using single-factor authentication::","","",
309,"Use of Password System for Primary Authentication",Base,Draft,"The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.","","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:654:VIEW ID:1000::NATURE:PeerOf:CWE ID:308:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","::Password systems are the simplest and most ubiquitous authentication mechanisms. However, they are subject to such well known attacks, and such frequent compromise that their use in the most simple implementation is not practical.::","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity A password authentication mechanism error will almost always result in attackers being authorized as valid users.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:In order to protect password systems from compromise, the following should be noted: Passwords should be stored safely to prevent insider attack and to ensure that -- if a system is compromised -- the passwords are not retrievable. Due to password reuse, this information may be useful in the compromise of other systems these users work with. In order to protect these passwords, they should be stored encrypted, in a non-reversible state, such that the original text password cannot be extracted from the stored value. Password aging should be strictly enforced to ensure that passwords do not remain unchanged for long periods of time. The longer a password remains in use, the higher the probability that it has been compromised. For this reason, passwords should require refreshing periodically, and users should be informed of the risk of passwords which remain in use for too long. Password strength should be enforced intelligently. Rather than restrict passwords to specific content, or specific length, users should be encouraged to use upper and lower case letters, numbers, and symbols in their passwords. The system should also ensure that no passwords are derived from dictionary words.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a zero-knowledge password protocol, such as SRP.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that passwords are stored safely and are not reversible.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Implement password aging functionality that requires passwords be changed after a certain point.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a mechanism for determining the strength of a password and notify the user of weak password use.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Using password systems::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A3:ENTRY NAME:Broken Authentication and Session Management:MAPPING FIT:CWE More Specific::","","",
31,"Path Traversal: 'dir\..\..\filename'",Variant,Draft,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir\..\..\filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The 'dir\..\..\filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only removes one .. sequence, so multiple .. can bypass that check. Alternately, this manipulation could be used to bypass a check for .. at the beginning of the pathname, moving up more than one directory level.","::NATURE:ChildOf:CWE ID:23:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:23:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Windows:OPERATING SYSTEM PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-0160:DESCRIPTION:The administration function in Access Control Server allows remote attackers to read HTML, Java class, and image files outside the web root via a \..\.. sequence in the URL to port 2002.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0160","","","TAXONOMY NAME:PLOVER:ENTRY NAME:8 - 'directory\..\..\filename::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
311,"Missing Encryption of Sensitive Data",Base,Draft,"The software does not encrypt sensitive or critical information before storage or transmission.","The lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys.","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data If the application does not use a secure channel, such as SSL, to exchange sensitive information, it is possible for an attacker with access to the network traffic to sniff packets from the connection and uncover the data. This attack is not technically difficult, but does require physical access to some portion of the network over which the sensitive data travels. This access is usually somewhere near where the user is connected to the network (such as a colleague on the company network) but can be anywhere along the path from the user to the end server.::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Confidentiality Integrity Modify Application Data Omitting the use of encryption in any program which transfers data over a network of any kind should be considered on par with delivering the data sent to each user on the local networks of both the sender and receiver. Worse, this omission allows for the injection of data into a stream of communication between two parties -- with no means for the victims to separate valid data from invalid. In this day of widespread network attacks and password collection sniffers, it is an unnecessary risk to omit encryption from the design of any system which might benefit from it.::","::METHOD:Manual Analysis:EFFECTIVENESS:High:DESCRIPTION:The characterization of sensitive data often requires domain-specific understanding, so manual methods are useful. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box methods may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation.::METHOD:Automated Analysis:EFFECTIVENESS::DESCRIPTION:Automated measurement of the entropy of an input/output source may indicate the use or lack of encryption, but human analysis is still required to distinguish intentionally-unencrypted data (e.g. metadata) from sensitive data.::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Network Sniffer Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Man-in-the-middle attack tool::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling::","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Clearly specify which data or resources are valuable enough that they should be protected by encryption. Require that any transmission or storage of this data/resource should use well-vetted encryption algorithms.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that encryption is properly integrated into the system design, including but not necessarily limited to: Encryption that is needed to store or transmit private data of the users of the system Encryption that is needed to protect the system itself from unauthorized disclosure or tampering Identify the separate needs and contexts for encryption: One-way (i.e., only the user or recipient needs to have the key). This can be achieved using public key cryptography, or other techniques in which the encrypting party (i.e., the software) does not need to have access to a private key. Two-way (i.e., the encryption can be automatically performed on behalf of a user, but the key must be available so that the plaintext can be automatically recoverable by that user). This requires storage of the private key in a format that is recoverable only by the user (or perhaps by the operating system) in a way that cannot be recovered by others. Using threat modeling or other techniques, assume that data can be compromised through a separate vulnerability or weakness, and determine where encryption will be most effective. Ensure that data that should be private is not being inadvertently exposed using weaknesses such as insecure permissions (CWE-732). [REF-7]::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. For example, US government systems require FIPS 140-2 certification. Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak. Periodically ensure that the cryptography has not become obsolete. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [REF-267]::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Compartmentalize the system to have safe areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.::","::REFERENCE:CVE-2009-2272:DESCRIPTION:password and username stored in cleartext in a cookie:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2272REFERENCE:CVE-2009-1466:DESCRIPTION:password stored in cleartext in a file with insecure permissions:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1466REFERENCE:CVE-2009-0152:DESCRIPTION:chat program disables SSL in some circumstances even when the user says to use SSL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0152REFERENCE:CVE-2009-1603:DESCRIPTION:Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1603REFERENCE:CVE-2009-0964:DESCRIPTION:storage of unencrypted passwords in a database:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0964REFERENCE:CVE-2008-6157:DESCRIPTION:storage of unencrypted passwords in a database:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6157REFERENCE:CVE-2008-6828:DESCRIPTION:product stores a password in cleartext in memory:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6828REFERENCE:CVE-2008-1567:DESCRIPTION:storage of a secret key in cleartext in a temporary file:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1567REFERENCE:CVE-2008-0174:DESCRIPTION:SCADA product uses HTTP Basic Authentication, which is not encrypted:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0174REFERENCE:CVE-2007-5778:DESCRIPTION:login credentials stored unencrypted in a registry key:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5778REFERENCE:CVE-2002-1949:DESCRIPTION:Passwords transmitted in cleartext.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1949REFERENCE:CVE-2008-4122:DESCRIPTION:Chain: Use of HTTPS cookie without secure flag causes it to be transmitted across unencrypted HTTP.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4122REFERENCE:CVE-2008-3289:DESCRIPTION:Product sends password hash in cleartext in violation of intended policy.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3289REFERENCE:CVE-2008-4390:DESCRIPTION:Remote management feature sends sensitive information including passwords in cleartext.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4390REFERENCE:CVE-2007-5626:DESCRIPTION:Backup routine sends password in cleartext in email.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5626REFERENCE:CVE-2004-1852:DESCRIPTION:Product transmits Blowfish encryption key in cleartext.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1852REFERENCE:CVE-2008-0374:DESCRIPTION:Printer sends configuration information, including administrative password, in cleartext.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0374REFERENCE:CVE-2007-4961:DESCRIPTION:Chain: cleartext transmission of the MD5 hash of password enables attacks against a server that is susceptible to replay (CWE-294).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4961REFERENCE:CVE-2007-4786:DESCRIPTION:Product sends passwords in cleartext to a log server.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4786REFERENCE:CVE-2005-3140:DESCRIPTION:Product sends file with cleartext passwords in e-mail message intended for diagnostic purposes.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3140","","","TAXONOMY NAME:CLASP:ENTRY NAME:Failure to encrypt data::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A8:ENTRY NAME:Insecure Cryptographic Storage:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A9:ENTRY NAME:Insecure Communications:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A8:ENTRY NAME:Insecure Storage:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:4:ENTRY NAME:Insufficient Transport Layer Protection::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MSC00-J:ENTRY NAME:Use SSLSocket rather than Socket for secure data exchange::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","::155::157::158::204::258::259::260::31::37::383::384::385::386::387::388::389::477::65::","TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data.::",
312,"Cleartext Storage of Sensitive Information",Variant,Draft,"The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.","Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.","::NATURE:ChildOf:CWE ID:311:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:311:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:922:VIEW ID:1000::NATURE:ChildOf:CWE ID:922:VIEW ID:699::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data An attacker with access to the system could read sensitive information stored in cleartext.::","","","::REFERENCE:CVE-2009-2272:DESCRIPTION:password and username stored in cleartext in a cookie:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2272REFERENCE:CVE-2009-1466:DESCRIPTION:password stored in cleartext in a file with insecure permissions:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1466REFERENCE:CVE-2009-0152:DESCRIPTION:chat program disables SSL in some circumstances even when the user says to use SSL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0152REFERENCE:CVE-2009-1603:DESCRIPTION:Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1603REFERENCE:CVE-2009-0964:DESCRIPTION:storage of unencrypted passwords in a database:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0964REFERENCE:CVE-2008-6157:DESCRIPTION:storage of unencrypted passwords in a database:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6157REFERENCE:CVE-2008-6828:DESCRIPTION:product stores a password in cleartext in memory:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6828REFERENCE:CVE-2008-1567:DESCRIPTION:storage of a secret key in cleartext in a temporary file:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1567REFERENCE:CVE-2008-0174:DESCRIPTION:SCADA product uses HTTP Basic Authentication, which is not encrypted:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0174REFERENCE:CVE-2007-5778:DESCRIPTION:login credentials stored unencrypted in a registry key:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5778REFERENCE:CVE-2001-1481:DESCRIPTION:Plaintext credentials in world-readable file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1481REFERENCE:CVE-2005-1828:DESCRIPTION:Password in cleartext in config file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1828REFERENCE:CVE-2005-2209:DESCRIPTION:Password in cleartext in config file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2209REFERENCE:CVE-2002-1696:DESCRIPTION:Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1696REFERENCE:CVE-2004-2397:DESCRIPTION:Plaintext storage of private key and passphrase in log file when user imports the key.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2397REFERENCE:CVE-2002-1800:DESCRIPTION:Admin password in plaintext in a cookie.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1800REFERENCE:CVE-2001-1537:DESCRIPTION:Default configuration has cleartext usernames/passwords in cookie.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1537REFERENCE:CVE-2001-1536:DESCRIPTION:Usernames/passwords in cleartext in cookies.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1536REFERENCE:CVE-2005-2160:DESCRIPTION:Authentication information stored in cleartext in a cookie.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2160","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Plaintext Storage of Sensitive Information::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","::37::","TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",
  216. 313,"Cleartext Storage in a File or on Disk",Variant,Draft,"The application stores sensitive information in cleartext in a file, or on disk.","The sensitive information could be read by attackers with access to the file, or with physical or administrator access to the raw disk. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.","::NATURE:ChildOf:CWE ID:312:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:312:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","","::REFERENCE:CVE-2001-1481:DESCRIPTION:Cleartext credentials in world-readable file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1481REFERENCE:CVE-2005-1828:DESCRIPTION:Password in cleartext in config file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1828REFERENCE:CVE-2005-2209:DESCRIPTION:Password in cleartext in config file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2209REFERENCE:CVE-2002-1696:DESCRIPTION:Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1696REFERENCE:CVE-2004-2397:DESCRIPTION:Cleartext storage of private key and passphrase in log file when user imports the key.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2397","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Plaintext Storage in File or on Disk::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. 
Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",
  217. 314,"Cleartext Storage in the Registry",Variant,Draft,"The application stores sensitive information in cleartext in the registry.","Attackers can read the information by accessing the registry key. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.","::NATURE:ChildOf:CWE ID:312:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:312:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","","::REFERENCE:CVE-2005-2227:DESCRIPTION:Cleartext passwords in registry key.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2227","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Plaintext Storage in Registry::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","::37::","TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",
  218. 315,"Cleartext Storage of Sensitive Information in a Cookie",Variant,Draft,"The application stores sensitive information in cleartext in a cookie.","Attackers can use widely-available tools to view the cookie and read the sensitive information. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.","::NATURE:ChildOf:CWE ID:312:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:312:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","","::REFERENCE:CVE-2002-1800:DESCRIPTION:Admin password in cleartext in a cookie.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1800REFERENCE:CVE-2001-1537:DESCRIPTION:Default configuration has cleartext usernames/passwords in cookie.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1537REFERENCE:CVE-2001-1536:DESCRIPTION:Usernames/passwords in cleartext in cookies.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1536REFERENCE:CVE-2005-2160:DESCRIPTION:Authentication information stored in cleartext in a cookie.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2160","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Plaintext Storage in Cookie::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","::31::37::39::74::","TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",
  219. 316,"Cleartext Storage of Sensitive Information in Memory",Variant,Draft,"The application stores sensitive information in cleartext in memory.","The sensitive memory might be saved to disk, stored in a core dump, or remain uncleared if the application crashes, or if the programmer does not properly clear the memory before freeing it. It could be argued that such problems are usually only exploitable by those with administrator privileges. However, swapping could cause the memory to be written to disk and leave it accessible to physical attack afterwards. Core dump files might have insecure permissions or be stored in archive files that are accessible to untrusted people. Or, uncleared sensitive memory might be inadvertently exposed to attackers due to another weakness.","::NATURE:ChildOf:CWE ID:312:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:312:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory::","","","::REFERENCE:CVE-2001-1517:DESCRIPTION:Sensitive authentication information in cleartext in memory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1517REFERENCE:BID:10155:DESCRIPTION:Sensitive authentication information in cleartext in memory.:LINK:http://www.securityfocus.com/bid/10155REFERENCE:CVE-2001-0984:DESCRIPTION:Password protector leaves passwords in memory when window is minimized, even when clear password when minimized is set.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0984REFERENCE:CVE-2003-0291:DESCRIPTION:SSH client does not clear credentials from memory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0291","","Memory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Plaintext Storage in Memory::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","TYPE:Relationship:NOTE:This could be a resultant 
weakness, e.g. if the compiler removes code that was intended to wipe memory.::::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",
  220. 317,"Cleartext Storage of Sensitive Information in GUI",Variant,Draft,"The application stores sensitive information in cleartext within the GUI.","An attacker can often obtain data from a GUI, even if hidden, by using an API to directly access GUI objects such as windows and menus. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.","::NATURE:ChildOf:CWE ID:312:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:312:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Windows:OPERATING SYSTEM PREVALENCE:Sometimes::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory Read Application Data::","","","::REFERENCE:CVE-2002-1848:DESCRIPTION:Unencrypted passwords stored in GUI dialog may allow local users to access the passwords.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1848","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Plaintext Storage in GUI::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",
  221. 318,"Cleartext Storage of Sensitive Information in Executable",Variant,Draft,"The application stores sensitive information in cleartext in an executable.","Attackers can reverse engineer binary code to obtain secret data. This is especially easy when the cleartext is plain ASCII. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.","::NATURE:ChildOf:CWE ID:312:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:312:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","","::REFERENCE:CVE-2005-1794:DESCRIPTION:Product stores RSA private key in a DLL and uses it to sign a certificate, allowing spoofing of servers and MITM attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1794REFERENCE:CVE-2001-1527:DESCRIPTION:administration passwords in cleartext in executable:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1527","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Plaintext Storage in Executable::","::37::65::","TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",
  222. 319,"Cleartext Transmission of Sensitive Information",Variant,Draft,"The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.","Many communication channels can be sniffed by attackers during data transmission. For example, network traffic can often be sniffed by any attacker who has access to a network interface. This significantly lowers the difficulty of exploitation by attackers.","::NATURE:ChildOf:CWE ID:311:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:311:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Operation:DESCRIPTION::::PHASE:System Configuration:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data Modify Files or Directories:NOTE:Integrity Confidentiality Read Application Data Modify Files or Directories Anyone can read the information by gaining access to the channel being used for communication.::","::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process, trigger the feature that sends the data, and look for the presence or absence of common cryptographic functions in the call tree. 
Monitor the network and determine if the data packets contain readable commands. Tools exist for detecting if certain encodings are in use. If the traffic contains high entropy, this might indicate the usage of encryption.::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Encrypt the data with a reliable encryption scheme before transmitting.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.::","::REFERENCE:CVE-2002-1949:DESCRIPTION:Passwords transmitted in cleartext.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1949REFERENCE:CVE-2008-4122:DESCRIPTION:Chain: Use of HTTPS cookie without secure flag causes it to be transmitted across unencrypted HTTP.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4122REFERENCE:CVE-2008-3289:DESCRIPTION:Product sends password hash in cleartext in violation of intended policy.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3289REFERENCE:CVE-2008-4390:DESCRIPTION:Remote management feature sends sensitive information including passwords in cleartext.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4390REFERENCE:CVE-2007-5626:DESCRIPTION:Backup routine sends password in cleartext in 
email.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5626REFERENCE:CVE-2004-1852:DESCRIPTION:Product transmits Blowfish encryption key in cleartext.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1852REFERENCE:CVE-2008-0374:DESCRIPTION:Printer sends configuration information, including administrative password, in cleartext.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0374REFERENCE:CVE-2007-4961:DESCRIPTION:Chain: cleartext transmission of the MD5 hash of password enables attacks against a server that is susceptible to replay (CWE-294).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4961REFERENCE:CVE-2007-4786:DESCRIPTION:Product sends passwords in cleartext to a log server.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4786REFERENCE:CVE-2005-3140:DESCRIPTION:Product sends file with cleartext passwords in e-mail message intended for diagnostic purposes.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3140","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Plaintext Transmission of Sensitive Information::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SEC06-J:ENTRY NAME:Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SER02-J:ENTRY NAME:Sign then seal sensitive objects before sending them outside a trust boundary::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","::102::383::477::65::","",
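The black-box detection method above (sniff the channel, look for readable commands, treat near-maximal entropy as a hint of encryption) and the "encoded but not encrypted" caveat in the CWE-312 family can both be exercised offline. The following is an added example, not part of the CWE entry or any MITRE tooling; the request bytes, host name and credentials are constructed for the example, and the "ciphertext" is a seeded pseudo-random stand-in so the run is repeatable:

```python
import base64
import math
import random
import re
from collections import Counter
from typing import Optional, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. 8.0 is the maximum, reached only by a
    uniformly distributed byte stream; plain ASCII protocol text sits around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0, min_len: int = 64) -> bool:
    """Heuristic from the detection method: a long payload with entropy near 8 bits/byte
    is probably encrypted (or compressed); anything well below that deserves a look
    for readable commands and credentials. Thresholds are assumptions for this example."""
    return len(data) >= min_len and shannon_entropy(data) >= threshold


# HTTP Basic carries base64(user:password). Base64 is an encoding, not encryption,
# which is exactly the "not human-readable but trivially decoded" case in the CWE text.
BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def recover_basic_credentials(payload: bytes) -> Optional[Tuple[str, str]]:
    """Pull username and password out of a captured request that used Basic auth."""
    m = BASIC_RE.search(payload)
    if m is None:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return None
    user, sep, password = decoded.partition(b":")
    if not sep:
        return None
    return user.decode("latin-1"), password.decode("latin-1")


# Constructed sample request (hypothetical host and credentials, not a real capture).
SAMPLE_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: scada.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin:Passw0rd!") + b"\r\n\r\n"
)

# Constructed stand-in for ciphertext: 1 KiB from a seeded PRNG (not real encryption).
_rng = random.Random(2024)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(1024))


if __name__ == "__main__":
    print("entropy of request: %.2f bits/byte" % shannon_entropy(SAMPLE_REQUEST))
    print("credentials recovered:", recover_basic_credentials(SAMPLE_REQUEST))
    print("stand-in ciphertext looks encrypted:", looks_encrypted(CIPHERTEXT_LIKE))
```

The entropy test only says whether a payload is worth reading; it cannot distinguish encryption from compression, and a short encrypted field inside an otherwise plain protocol will pull the average down, so apply it per field or per message rather than per capture.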
  223. 32,"Path Traversal: '...' (Triple Dot)",Variant,Incomplete,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The '...' manipulation is useful for bypassing some path traversal protection schemes. On some Windows systems, it is equivalent to .... and might bypass checks that assume only two dots are valid. Incomplete filtering, such as removal of ./ sequences, can ultimately produce valid .. sequences due to a collapse into unsafe value (CWE-182).","::NATURE:ChildOf:CWE ID:23:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:23:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2001-0467:DESCRIPTION:... in web server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0467REFERENCE:CVE-2001-0615:DESCRIPTION:... or .... 
in chat server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0615REFERENCE:CVE-2001-0963:DESCRIPTION:... in cd command in FTP server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0963REFERENCE:CVE-2001-1193:DESCRIPTION:... in cd command in FTP server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1193REFERENCE:CVE-2001-1131:DESCRIPTION:... in cd command in FTP server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1131REFERENCE:CVE-2001-0480:DESCRIPTION:read of arbitrary files and directories using GET or CD with ... in Windows-based FTP server.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0480REFERENCE:CVE-2002-0288:DESCRIPTION:read files using . and Unicode-encoded / or characters in the URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0288REFERENCE:CVE-2003-0313:DESCRIPTION:Directory listing of web server using ...:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0313REFERENCE:CVE-2005-1658:DESCRIPTION:Triple dot:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1658","","","TAXONOMY NAME:PLOVER:ENTRY NAME:'...' (triple dot)::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","TYPE:Maintenance:NOTE:This manipulation-focused entry is currently hiding two distinct weaknesses, so it might need to be split. The manipulation is effective in two different contexts: it is equivalent to .... on Windows, or it can take advantage of incomplete filtering, e.g. if the programmer does a single-pass removal of ./ in a string (collapse of data into unsafe value, CWE-182).::",
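The CWE-182 collapse described in the mitigation (sequentially removing `../` from `.../...//` still leaves `../`) and the accept-known-good alternative are easy to reproduce. This is an added example, not code from the CWE entry; the base directory, the component whitelist and the rejection of backslashes are assumptions chosen for a POSIX web root:

```python
import posixpath
import re
from typing import Optional

# Hypothetical web root for the example.
BASE = "/srv/app/public"

# Accept-known-good rule for one path component: letters, digits, '_' and '-', plus at
# most one '.' followed by an extension. '..', '...', '....' and separators all fail it.
COMPONENT_RE = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?")


def strip_dotdot_once(path: str) -> str:
    """The flawed filter: one sequential removal of '../' (the CWE-182 collapse)."""
    return path.replace("../", "")


def strip_dotdot_until_stable(path: str) -> str:
    """Repeat the removal until the string stops changing. Closes the collapse, but is
    still a blacklist: it knows nothing about '...' on Windows or '\\' as a separator."""
    while True:
        reduced = path.replace("../", "")
        if reduced == path:
            return path
        path = reduced


def containment_only(user_path: str, base: str = BASE) -> Optional[str]:
    """Normalise and check the prefix, with no whitelist. Catches '..' but treats '...'
    as an ordinary file name, which a Windows-backed store may not."""
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    return candidate if candidate.startswith(base + "/") else None


def safe_resolve(user_path: str, base: str = BASE) -> Optional[str]:
    """Whitelist every component, then confirm the normalised result stays under base.
    Returns the absolute path to open, or None when the input is rejected."""
    if "\\" in user_path or "\x00" in user_path:
        return None
    parts = [p for p in user_path.split("/") if p]
    if not parts or not all(COMPONENT_RE.fullmatch(p) for p in parts):
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, *parts))
    # Defence in depth: even after the whitelist, verify containment explicitly.
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    print(repr(strip_dotdot_once(".../...//")))         # '../' survives the single pass
    print(repr(strip_dotdot_until_stable(".../...//")))
    for p in ["css/site.css", "../etc/passwd", ".../...//", "..../x", "img\\..\\x"]:
        print(p, "->", safe_resolve(p))
```

Validate on the decoded, canonical form (CWE-180) and only once (CWE-174): if the framework URL-decodes before this function runs, do not decode again inside it.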
  224. 321,"Use of Hard-coded Cryptographic Key",Base,Draft,"The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.","","::NATURE:ChildOf:CWE ID:798:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:798:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Prevention schemes mirror that of hard-coded password storage.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Use of hard-coded cryptographic key::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A8:ENTRY NAME:Insecure Cryptographic Storage:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A9:ENTRY NAME:Insecure Communications:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A8:ENTRY NAME:Insecure Storage:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP33:ENTRY NAME:Hardcoded sensitive data::","","TYPE:Other:NOTE:The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password.::",
  225. 322,"Key Exchange without Entity Authentication",Base,Draft,"The software performs a key exchange with an actor without verifying the identity of that actor.","Performing a key exchange will preserve the integrity of the information sent between two entities, but this will not guarantee that the entities are who they claim they are. This may enable a set of man-in-the-middle attacks. Typically, this involves a victim client that contacts a malicious server that is impersonating a trusted server. If the client skips authentication or ignores an authentication failure, the malicious server may request authentication information from the user. The malicious server can then use this authentication information to log in to the trusted server using the victim's credentials, sniff traffic between the victim and trusted server, etc.","::NATURE:ChildOf:CWE ID:923:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:295:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism No authentication takes place in this process, bypassing an assumed protection of encryption.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data The encrypted communication between a user and a trusted host may be subject to a man-in-the-middle sniffing attack.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that proper authentication is included in the system design.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Key exchange without entity authentication::","","",
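The man-in-the-middle scenario in the CWE-322 description can be played out end to end: a Diffie-Hellman exchange agrees on a key, but without authenticating the server's public value an active attacker simply substitutes their own and ends up sharing a key with each side. The following is an added example, not code from the CWE entry. It uses the obsolete 1024-bit RFC 2409 "group 2" modulus only to keep the constant short, and an HMAC under a pre-shared authentication key as a stand-in for the certificate-backed signature a real protocol would use:

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# RFC 2409 group 2 (1024-bit MODP, generator 2). Too small for production use; chosen
# here only for brevity. Use RFC 3526 group 14 or larger, or an elliptic-curve group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair() -> Tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> bytes:
    if not 1 < peer_pub < P - 1:            # reject 0, 1 and p-1 (trivial subgroups)
        raise ValueError("invalid peer public value")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(128, "big")).digest()


def sign(auth_key: bytes, pub: int) -> bytes:
    """Stand-in for a signature that binds the public value to the server's identity.
    A pre-shared HMAC key keeps the example self-contained (assumption, not a recommendation)."""
    return hmac.new(auth_key, pub.to_bytes(128, "big"), hashlib.sha256).digest()


def exchange(client_verifies: bool, mitm: bool, auth_key: bytes) -> Tuple[bytes, bytes, Optional[bytes]]:
    """One exchange. Returns (client_key, server_key, attacker's key with the client or None).
    With mitm=True an active attacker replaces both public values in flight."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    tag = sign(auth_key, s_pub)              # server -> client, alongside s_pub
    if mitm:
        m_priv, m_pub = dh_keypair()
        client_sees, server_sees = m_pub, m_pub   # attacker swaps both halves
        attacker_key = shared_secret(m_priv, c_pub)
        # The attacker cannot forge a tag for m_pub; the original tag is forwarded unchanged.
    else:
        client_sees, server_sees = s_pub, c_pub
        attacker_key = None
    if client_verifies and not hmac.compare_digest(tag, sign(auth_key, client_sees)):
        raise PermissionError("server authentication failed; aborting exchange")
    return shared_secret(c_priv, client_sees), shared_secret(s_priv, server_sees), attacker_key


def mitm_detected(auth_key: bytes) -> bool:
    """True when a verifying client aborts an exchange the attacker tampered with."""
    try:
        exchange(client_verifies=True, mitm=True, auth_key=auth_key)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    psk = b"example-auth-key"                # constructed for the example
    ck, sk, _ = exchange(client_verifies=True, mitm=False, auth_key=psk)
    print("honest exchange, keys agree:", ck == sk)
    ck, sk, ak = exchange(client_verifies=False, mitm=True, auth_key=psk)
    print("no verification, attacker shares client's key:", ck == ak, "server differs:", ck != sk)
    print("verification aborts tampered exchange:", mitm_detected(psk))
```

The behaviour to notice is the second case: the exchange "succeeds" from the client's point of view, the channel is encrypted, and the attacker holds the key. Ignoring an authentication failure (the "client skips authentication" branch in the description) is equivalent to the client_verifies=False path.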
  226. 323,"Reusing a Nonce, Key Pair in Encryption",Base,Incomplete,"Nonces should be used for the present occasion and only once.","","::NATURE:ChildOf:CWE ID:344:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","::Nonces are often bundled with a key in a communication exchange to produce a new session key for each exchange.::","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity Potentially a replay attack, in which an attacker could send the same data twice, could be crafted if nonces are allowed to be reused. This could allow a user to send a message which masquerades as a valid message from a valid user.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Refuse to reuse nonce values.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use techniques such as requiring incrementing, time based and/or challenge response to assure uniqueness of nonces.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Reusing a nonce, key pair in encryption::","","",
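What "only once" buys in practice, and what its loss costs, is clearer with a running exchange. The following is an added example, not code from the CWE entry. The keystream is a toy CTR construction built from HMAC-SHA256 so the block runs on the standard library alone; the consequence it shows (two messages under one key and nonce leak the XOR of their plaintexts) holds for AES-CTR, AES-GCM and ChaCha20 in exactly the same way. The sample messages are constructed:

```python
import hashlib
import hmac
from typing import Set, Tuple


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || block counter), block by block.
    Illustration only; use a vetted AEAD (AES-GCM, ChaCha20-Poly1305) in real code."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def recover_with_reused_nonce(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two messages under one (key, nonce) share a keystream, so c1 XOR c2 == p1 XOR p2.
    Knowing p1 therefore yields p2 over the common prefix, with no key involved."""
    n = min(len(c1), len(c2), len(known_p1))
    return bytes(a ^ b ^ p for a, b, p in zip(c1[:n], c2[:n], known_p1[:n]))


class NonceRegistry:
    """Receiver-side guard for the replay case in the description: a nonce is accepted
    at most once per key id. In a real service this set needs bounding (time window
    or sliding counter window) so it cannot grow without limit."""

    def __init__(self) -> None:
        self._seen: Set[Tuple[str, bytes]] = set()

    def accept(self, key_id: str, nonce: bytes) -> bool:
        entry = (key_id, nonce)
        if entry in self._seen:
            return False
        self._seen.add(entry)
        return True


class CounterNonce:
    """Sender-side: strictly increasing 96-bit nonces; refuses to wrap rather than reuse."""

    def __init__(self, start: int = 0) -> None:
        self._next = start

    def next(self) -> bytes:
        if self._next >= 1 << 96:
            raise RuntimeError("nonce space exhausted: rotate the key before continuing")
        value = self._next.to_bytes(12, "big")
        self._next += 1
        return value


if __name__ == "__main__":
    key = b"k" * 32                              # constructed key and messages
    nonce = b"\x00" * 12
    p1, p2 = b"transfer 100 to alice", b"transfer 999 to mallory"
    c1, c2 = encrypt(key, nonce, p1), encrypt(key, nonce, p2)
    print("recovered from nonce reuse:", recover_with_reused_nonce(c1, c2, p1))
    reg = NonceRegistry()
    print("first use accepted:", reg.accept("k1", nonce), "replay accepted:", reg.accept("k1", nonce))
```

The registry handles replay of a captured message; the counter handles the sender's side. Neither fixes a design in which the nonce is derived from something that can repeat (a timestamp with coarse resolution, a restarted counter after reboot), which is why the mitigation pairs incrementing or time-based values with a uniqueness check.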
  227. 324,"Use of a Key Past its Expiration Date",Base,Draft,"The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.","While the expiration of keys does not necessarily ensure that they are compromised, it is a significant concern that keys which remain in use for prolonged periods of time have a decreasing probability of integrity. For this reason, it is important to replace keys within a period of time proportional to their strength.","::NATURE:ChildOf:CWE ID:672:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:298:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity The cryptographic key in question may be compromised, providing a malicious user with a method for authenticating as the victim.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Using a key past its expiration date::","","",
325,"Missing Required Cryptographic Step",Base,Incomplete,"The software does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by that algorithm.","Cryptographic implementations should follow the algorithms that define them exactly, otherwise encryption can be weaker than expected.","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:358:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Requirements:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism If the cryptographic algorithm is used for authentication and authorization, then an attacker could gain unauthorized access to the system.::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data:NOTE:Confidentiality Integrity Read Application Data Modify Application Data Sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.::SCOPE:Accountability:SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Accountability Non-Repudiation Hide Activities If the cryptographic algorithm is used to ensure the identity of the source of the data (such as digital signatures), then a broken algorithm will compromise this scheme and the source of the data cannot be proven.::","","","::REFERENCE:CVE-2001-1585:DESCRIPTION:Missing challenge-response step allows authentication bypass using public key.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1585","::Cryptography","","TAXONOMY NAME:PLOVER:ENTRY NAME:Missing Required Cryptographic Step::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A8:ENTRY NAME:Insecure Cryptographic Storage:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A9:ENTRY NAME:Insecure Communications:MAPPING FIT:CWE More Specific::","::68::","TYPE:Relationship:NOTE:Overlaps incomplete/missing security check.::::TYPE:Relationship:NOTE:Can be resultant.::",
326,"Inadequate Encryption Strength",Class,Draft,"The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.","A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Confidentiality:TECHNICAL IMPACT:Bypass Protection Mechanism Read Application Data:NOTE:Access Control Confidentiality Bypass Protection Mechanism Read Application Data An attacker may be able to decrypt the data using brute force attacks.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a cryptographic algorithm that is currently considered to be strong by experts in the field.::","::REFERENCE:CVE-2001-1546:DESCRIPTION:Weak encryption:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1546REFERENCE:CVE-2004-2172:DESCRIPTION:Weak encryption (chosen plaintext attack):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2172REFERENCE:CVE-2002-1682:DESCRIPTION:Weak encryption:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1682REFERENCE:CVE-2002-1697:DESCRIPTION:Weak encryption produces same ciphertext from the same plaintext blocks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1697REFERENCE:CVE-2002-1739:DESCRIPTION:Weak encryption:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1739REFERENCE:CVE-2005-2281:DESCRIPTION:Weak encryption scheme:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2281REFERENCE:CVE-2002-1872:DESCRIPTION:Weak encryption (XOR):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1872REFERENCE:CVE-2002-1910:DESCRIPTION:Weak encryption (reversible algorithm).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1910REFERENCE:CVE-2002-1946:DESCRIPTION:Weak encryption (one-to-one mapping).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1946REFERENCE:CVE-2002-1975:DESCRIPTION:Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1975","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Weak Encryption::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A8:ENTRY NAME:Insecure Cryptographic Storage:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A9:ENTRY NAME:Insecure Communications:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A8:ENTRY NAME:Insecure Storage:MAPPING FIT:CWE More Specific::","::112::20::","TYPE:Maintenance:NOTE:A variety of encryption algorithms exist, with various weaknesses. This category could probably be split into smaller sub-categories.::::TYPE:Maintenance:NOTE:Relationships between CWE-310, CWE-326, and CWE-327 and all their children need to be reviewed and reorganized.::",
327,"Use of a Broken or Risky Cryptographic Algorithm",Base,Draft,"The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.","The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Well-known techniques may exist to break the algorithm.","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:311:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","::Cryptographic algorithms are the methods by which data is scrambled. There are a small number of well-understood and heavily studied algorithms that should be used by most applications. It is quite difficult to produce a secure algorithm, and even high profile algorithms by accomplished cryptographic experts have been broken. Since the state of cryptography advances so rapidly, it is common for an algorithm to be considered unsafe even if it was once thought to be strong. This can happen when new attacks against the algorithm are discovered, or if computing power increases so much that the cryptographic algorithm no longer provides the amount of protection that was originally thought.::","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data The confidentiality of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data The integrity of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.::SCOPE:Accountability:SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Accountability Non-Repudiation Hide Activities If the cryptographic algorithm is used to ensure the identity of the source of the data (such as digital signatures), then a broken algorithm will compromise this scheme and the source of the data cannot be proven.::","::METHOD:Automated Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:Automated methods may be useful for recognizing commonly-used libraries or features that have become obsolete.::METHOD:Manual Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Binary / Bytecode simple extractor – strings, ELF readers, etc.::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool Cost effective for partial coverage: Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Automated Static Analysis:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. For example, US government systems require FIPS 140-2 certification. Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak. Periodically ensure that the cryptography has not become obsolete. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [REF-267]::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Design the software so that one cryptographic algorithm can be replaced with another. This will make it easier to upgrade to stronger algorithms.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Carefully manage and protect cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography itself is irrelevant.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Industry-standard implementations will save development time and may be more likely to avoid errors that can occur during implementation of cryptographic algorithms. Consider the ESAPI Encryption feature.::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.::","::REFERENCE:CVE-2008-3775:DESCRIPTION:Product uses ROT-25 to obfuscate the password in the registry.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3775REFERENCE:CVE-2007-4150:DESCRIPTION:product only uses XOR to obfuscate sensitive data:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4150REFERENCE:CVE-2007-5460:DESCRIPTION:product only uses XOR and a fixed key to obfuscate sensitive data:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5460REFERENCE:CVE-2005-4860:DESCRIPTION:Product substitutes characters with other characters in a fixed way, and also leaves certain input characters unchanged.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4860REFERENCE:CVE-2002-2058:DESCRIPTION:Attackers can infer private IP addresses by dividing each octet by the MD5 hash of '20'.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2058REFERENCE:CVE-2008-3188:DESCRIPTION:Product uses DES when MD5 has been specified in the configuration, resulting in weaker-than-expected password hashes.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3188REFERENCE:CVE-2005-2946:DESCRIPTION:Default configuration of product uses MD5 instead of stronger algorithms that are available, simplifying forgery of certificates.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2946REFERENCE:CVE-2007-6013:DESCRIPTION:Product uses the hash of a hash for authentication, allowing attackers to gain privileges if they can obtain the original hash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6013","","","TAXONOMY NAME:CLASP:ENTRY NAME:Using a broken or risky cryptographic algorithm::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A8:ENTRY NAME:Insecure Storage:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC30-C:ENTRY NAME:Do not use the rand() function for generating pseudorandom numbers:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC32-C:ENTRY NAME:Properly seed pseudorandom number generators:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MSC02-J:ENTRY NAME:Generate strong random numbers::","::20::459::473::608::614::97::","TYPE:Maintenance:NOTE:Relationships between CWE-310, CWE-326, and CWE-327 and all their children need to be reviewed and reorganized.::",
328,"Reversible One-Way Hash",Base,Draft,"The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.","This weakness is especially dangerous when the hash is used in security algorithms that require the one-way property to hold. For example, if an authentication system takes an incoming password and generates a hash, then compares the hash to another hash that it has stored in its authentication database, then the ability to create a collision could allow an attacker to provide an alternate password that produces the same target hash, bypassing authentication.","::NATURE:ChildOf:CWE ID:326:VIEW ID:1000::NATURE:ChildOf:CWE ID:327:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS:High:DESCRIPTION:Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations (stretching) or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs.::","::REFERENCE:CVE-2006-4068:DESCRIPTION:Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4068","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Reversible One-Way Hash::","::461::68::","",
329,"Not Using a Random IV with CBC Mode",Variant,Draft,"Not using a random Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.","","::NATURE:ChildOf:CWE ID:330:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:573:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","::CBC is the most commonly used mode of operation for a block cipher. It solves electronic code book's dictionary problems by XORing each plaintext block with the previous ciphertext block. If it is used to encrypt multiple data streams, dictionary attacks are possible, provided that the streams have a common beginning sequence.::","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Other:TECHNICAL IMPACT:Read Application Data Other:NOTE:Confidentiality Other Read Application Data Other If the CBC is not properly initialized, data that is encrypted can be compromised and therefore be read.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data If the CBC is not properly initialized, encrypted data could be tampered with in transfer.::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Other:NOTE:Access Control Other Bypass Protection Mechanism Other Cryptographic based authentication systems could be defeated.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:It is important to properly initialize CBC operating block ciphers or their utility is lost.::","","::Cryptography","","TAXONOMY NAME:CLASP:ENTRY NAME:Not using a random IV with CBC mode::","","",
33,"Path Traversal: '....' (Multiple Dot)",Variant,Incomplete,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The '....' manipulation is useful for bypassing some path traversal protection schemes. On some Windows systems, it is equivalent to ..\..\.. and might bypass checks that assume only two dots are valid. Incomplete filtering, such as removal of ./ sequences, can ultimately produce valid .. sequences due to a collapse into an unsafe value (CWE-182).","::NATURE:ChildOf:CWE ID:23:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:23:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2000-0240:DESCRIPTION:read files via /........../ in URL:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0240REFERENCE:CVE-2000-0773:DESCRIPTION:read files via .... in web server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0773REFERENCE:CVE-1999-1082:DESCRIPTION:read files via ...... in web server (doubled triple dot?):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1082REFERENCE:CVE-2004-2121:DESCRIPTION:read files via ...... in web server (doubled triple dot?):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2121REFERENCE:CVE-2001-0491:DESCRIPTION:multiple attacks using .., ..., and .... in different commands:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0491REFERENCE:CVE-2001-0615:DESCRIPTION:... or .... in chat server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0615","","","TAXONOMY NAME:PLOVER:ENTRY NAME:'....' (multiple dot)::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","TYPE:Maintenance:NOTE:Like the triple-dot CWE-32, this manipulation probably hides multiple weaknesses that should be made more explicit.::",
330,"Use of Insufficiently Random Values",Class,Usable,"The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers.","When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.","","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","::Computers are deterministic machines, and as such are unable to produce true randomness. Pseudo-Random Number Generators (PRNGs) approximate randomness algorithmically, starting with a seed from which subsequent values are calculated. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult to predict. For a value to be cryptographically secure, it must be impossible or highly improbable for an attacker to distinguish between it and a truly random value.::","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Confidentiality Other Other When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key.::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Other:NOTE:Access Control Other Bypass Protection Mechanism Other If software relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the resource to the intended user. For example, a product might maintain session information in a file whose name is based on a username. An attacker could pre-create this file for a victim user, then set the permissions so that the application cannot generate the session for the victim, preventing the victim from using the application.::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key.::","::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. Look for library or system calls that access predictable information such as process IDs and system time.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Man-in-the-middle attack tool::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds. In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a random enough number.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.::PHASE:Architecture and Design Requirements:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (Approved Random Number Generators).::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.::","::REFERENCE:CVE-2009-3278:DESCRIPTION:Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3278REFERENCE:CVE-2009-3238:DESCRIPTION:Random number generator can repeatedly generate the same value.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3238REFERENCE:CVE-2009-2367:DESCRIPTION:Web application generates predictable session IDs, allowing session hijacking.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2367REFERENCE:CVE-2009-2158:DESCRIPTION:Password recovery utility generates a relatively small number of random passwords, simplifying brute force attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2158REFERENCE:CVE-2009-0255:DESCRIPTION:Cryptographic key created with a seed based on the system time.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0255REFERENCE:CVE-2008-5162:DESCRIPTION:Kernel function does not have a good entropy source just after boot.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5162REFERENCE:CVE-2008-4905:DESCRIPTION:Blogging software uses a hard-coded salt when calculating a password hash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4905REFERENCE:CVE-2008-4929:DESCRIPTION:Bulletin board application uses insufficiently random names for uploaded files, allowing other users to access private files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4929REFERENCE:CVE-2008-3612:DESCRIPTION:Handheld device uses predictable TCP sequence numbers, allowing spoofing or hijacking of TCP connections.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3612REFERENCE:CVE-2008-2433:DESCRIPTION:Web management console generates session IDs based on the login time, making it easier to conduct session hijacking.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2433REFERENCE:CVE-2008-0166:DESCRIPTION:SSL library uses a weak random number generator that only generates 65,536 unique keys.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166REFERENCE:CVE-2008-2108:DESCRIPTION:Chain: insufficient precision causes extra zero bits to be assigned, reducing entropy for an API function that generates random numbers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108REFERENCE:CVE-2008-2020:DESCRIPTION:CAPTCHA implementation does not produce enough different images, allowing bypass using a database of all possible checksums.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2020REFERENCE:CVE-2008-0087:DESCRIPTION:DNS client uses predictable DNS transaction IDs, allowing DNS spoofing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0087REFERENCE:CVE-2008-0141:DESCRIPTION:Application generates passwords that are based on the time of day.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0141","::CryptographyAuthenticationSession Management","","TAXONOMY NAME:PLOVER:ENTRY NAME:Randomness and Predictability::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Insecure Randomness::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A2:ENTRY NAME:Broken Access Control:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:CON33-C:ENTRY NAME:Avoid race conditions when using library functions:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC30-C:ENTRY NAME:Do not use the rand() function for generating pseudorandom numbers:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC32-C:ENTRY NAME:Properly seed pseudorandom number generators:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:WASC:ENTRY ID:11:ENTRY NAME:Brute Force::::TAXONOMY NAME:WASC:ENTRY ID:18:ENTRY NAME:Credential/Session Prediction::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MSC02-J:ENTRY NAME:Generate strong random numbers::","::112::485::59::","TYPE:Relationship:NOTE:This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others.::",
  235. 331,"Insufficient Entropy",Base,Draft,"The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.","","::NATURE:ChildOf:CWE ID:330:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:330:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:330:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Other:NOTE:Access Control Other Bypass Protection Mechanism Other An attacker could guess the random numbers generated and could gain unauthorized access to a system if the random numbers are used for authentication and authorization.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.::","::REFERENCE:CVE-2001-0950:DESCRIPTION:Insufficiently random data used to generate session tokens using C rand(). Also, for certificate/key generation, uses a source that does not block when entropy is low.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0950","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Insufficient Entropy::::TAXONOMY NAME:WASC:ENTRY ID:11:ENTRY NAME:Brute Force::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC32-C:ENTRY NAME:Properly seed pseudorandom number generators:MAPPING FIT:Exact::","::59::","",
  236. 332,"Insufficient Entropy in PRNG",Variant,Draft,"The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.","","::NATURE:ChildOf:CWE ID:331:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:331:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:331:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart If a pseudo-random number generator is using a limited entropy source which runs out (if the generator fails closed), the program may pause or crash.::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Other:NOTE:Access Control Other Bypass Protection Mechanism Other If a PRNG is using a limited entropy source which runs out, and the generator fails open, the generator could produce predictable random numbers. Potentially a weak source of random numbers could weaken the encryption method used for authentication of users.::","","::PHASE:Architecture and Design Requirements:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (Approved Random Number Generators).::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider a PRNG that re-seeds itself as needed from high-quality pseudo-random output, such as hardware devices.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:When deciding which PRNG to use, look at its sources of entropy. 
Depending on what your security needs are, you may need to use a random number generator that always uses strong random data -- i.e., a random number generator that attempts to be strong but will fail in a weak way or will always provide some middle ground of protection through techniques like re-seeding. Generally, something that always provides a predictable amount of strength is preferable.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Insufficient entropy in PRNG::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MSC02-J:ENTRY NAME:Generate strong random numbers::","","",
  237. 333,"Improper Handling of Insufficient Entropy in TRNG",Variant,Draft,"True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.","The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security.","::NATURE:ChildOf:CWE ID:331:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:331:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:703:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart A program may crash or block if it runs out of random numbers.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Failure of TRNG::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MSC02-J:ENTRY NAME:Generate strong random numbers::","","",
  238. 334,"Small Space of Random Values",Base,Draft,"The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.","","::NATURE:ChildOf:CWE ID:330:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:330:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Other:NOTE:Access Control Other Bypass Protection Mechanism Other An attacker could easily guess the values used. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.::","","::PHASE:Architecture and Design Requirements:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (Approved Random Number Generators).::","::REFERENCE:CVE-2002-0583:DESCRIPTION:Product uses 5 alphanumeric characters for filenames of expense claim reports, stored under web root.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0583REFERENCE:CVE-2002-0903:DESCRIPTION:Product uses small number of random numbers for a code to approve an action, and also uses predictable new user IDs, allowing attackers to hijack new accounts.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0903REFERENCE:CVE-2003-1230:DESCRIPTION:SYN cookies implementation only uses 32-bit keys, making it easier to brute force ISN.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1230REFERENCE:CVE-2004-0230:DESCRIPTION:Complex predictability / randomness (reduced space).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Small Space of Random Values::","","",
  239. 335,"Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",Base,Draft,"The software uses a Pseudo-Random Number Generator (PRNG) that does not correctly manage seeds.","","::NATURE:ChildOf:CWE ID:330:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:330:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Other:NOTE:Access Control Other Bypass Protection Mechanism Other if a PRNG is used incorrectly, such as using the same seed for each initialization or using a predictable seed, then an attacker may be able to easily guess the seed and thus the random numbers. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:PRNG Seed Error::","","",
  240. 336,"Same Seed in Pseudo-Random Number Generator (PRNG)",Base,Draft,"A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.","If an attacker can guess (or knows) the seed, then the attacker may be able to determine the random numbers that will be produced from the PRNG.","::NATURE:ChildOf:CWE ID:335:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:335:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:SCOPE:Access Control:TECHNICAL IMPACT:Other Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not reuse PRNG seeds. Consider a PRNG that periodically re-seeds itself as needed from a high quality pseudo-random output, such as hardware devices.::PHASE:Architecture and Design Requirements:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (Approved Random Number Generators).::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Same Seed in PRNG::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MSC02-J:ENTRY NAME:Generate strong random numbers::","","",
  241. 337,"Predictable Seed in Pseudo-Random Number Generator (PRNG)",Base,Draft,"A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.","The use of predictable seeds significantly reduces the number of possible seeds that an attacker would need to test in order to predict which random numbers will be generated by the PRNG.","::NATURE:ChildOf:CWE ID:335:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:335:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Use non-predictable inputs for seed generation.::PHASE:Architecture and Design Requirements:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (Approved Random Number Generators).::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Predictable Seed in PRNG::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MSC02-J:ENTRY NAME:Generate strong random numbers::","","",
  242. 338,"Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",Base,Draft,"The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.","When a non-cryptographic PRNG is used in a cryptographic context, it can expose the cryptography to certain types of attacks. Often a pseudo-random number generator (PRNG) is not designed for cryptography. Sometimes a mediocre source of randomness is sufficient or preferable for algorithms that use random numbers. Weak generators generally take less processing power and/or do not use the precious, finite, entropy sources on a system. While such PRNGs might have very useful features, these same features could be used to break the cryptography.","::NATURE:ChildOf:CWE ID:330:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:330:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:330:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism If a PRNG is used for authentication and authorization, such as a session ID or a seed for generating a cryptographic key, then an attacker may be able to easily guess the ID or cryptographic key and gain access to restricted functionality.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. 
Use CryptGenRandom on Windows, or hw_rand() on Linux.::","::REFERENCE:CVE-2009-3278:DESCRIPTION:Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3278REFERENCE:CVE-2009-3238:DESCRIPTION:Random number generator can repeatedly generate the same value.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3238REFERENCE:CVE-2009-2367:DESCRIPTION:Web application generates predictable session IDs, allowing session hijacking.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2367REFERENCE:CVE-2008-0166:DESCRIPTION:SSL library uses a weak random number generator that only generates 65,536 unique keys.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166","","","TAXONOMY NAME:CLASP:ENTRY NAME:Non-cryptographic PRNG::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC30-C:ENTRY NAME:Do not use the rand() function for generating pseudorandom numbers:MAPPING FIT:CWE More Abstract::","","",
  243. 339,"Small Seed Space in PRNG",Base,Draft,"A PRNG uses a relatively small space of seeds.","","::NATURE:ChildOf:CWE ID:335:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:335:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:341:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use well vetted pseudo-random number generating algorithms with adequate length seeds. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a random enough number.::PHASE:Architecture and Design Requirements:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (Approved Random Number Generators).::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Small Seed Space in PRNG::","","TYPE:Maintenance:NOTE:This entry overlaps predictable from observable state (CWE-341).::",
  244. 34,"Path Traversal: '....//'",Variant,Incomplete,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The '....//' manipulation is useful for bypassing some path traversal protection schemes. If ../ is filtered in a sequential fashion, as done by some regular expression engines, then ....// can collapse into the ../ unsafe value (CWE-182). It could also be useful when .. is removed, if the operating system treats // and / as equivalent.","::NATURE:ChildOf:CWE ID:23:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:23:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction::","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. 
Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). 
For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2004-1670:DESCRIPTION:Mail server allows remote attackers to create arbitrary directories via a .. or rename arbitrary files via a ....// in user supplied parameters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1670","","","TAXONOMY NAME:PLOVER:ENTRY NAME:'....//' (doubled dot dot slash)::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","TYPE:Relationship:NOTE:This could occur due to a cleansing error that removes a single ../ from ....//::",
  245. 340,"Predictability Problems",Class,Incomplete,"Weaknesses in this category are related to schemes that generate numbers or identifiers that are more predictable than required by the application.","","::NATURE:ChildOf:CWE ID:330:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:330:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Predictability problems::::TAXONOMY NAME:WASC:ENTRY ID:11:ENTRY NAME:Brute Force::","","",
  246. 341,"Predictable from Observable State",Base,Draft,"A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.","","::NATURE:ChildOf:CWE ID:330:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:330:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context:NOTE:Other Varies by Context This weakness could be exploited by an attacker in a number of ways depending on the context. If a predictable number is used to generate IDs or keys that are used within protection mechanisms, then an attacker could gain unauthorized access to the system. If predictable filenames are used for storing sensitive information, then an attacker might gain access to the system and may be able to gain access to the information in the file.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Increase the entropy used to seed a PRNG.::PHASE:Architecture and Design Requirements:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (Approved Random Number Generators).::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. 
However, do not re-seed too frequently, or else the entropy source might block.::","::REFERENCE:CVE-2002-0389:DESCRIPTION:Mail server stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0389REFERENCE:CVE-2001-1141:DESCRIPTION:PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1141REFERENCE:CVE-2000-0335:DESCRIPTION:DNS resolver library uses predictable IDs, which allows a local attacker to spoof DNS query results.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0335REFERENCE:CVE-2005-1636:DESCRIPTION:MFV. predictable filename and insecure permissions allows file modification to execute SQL queries.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1636","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Predictable from Observable State::","","",
  247. 342,"Predictable Exact Value from Previous Values",Base,Draft,"An exact value or random number can be precisely predicted by observing previous values.","","::NATURE:ChildOf:CWE ID:330:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:330:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Increase the entropy used to seed a PRNG.::PHASE:Architecture and Design Requirements:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (Approved Random Number Generators).::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.::","::REFERENCE:CVE-2002-1463:DESCRIPTION:Firewall generates easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1463REFERENCE:CVE-1999-0074:DESCRIPTION:Listening TCP ports are sequentially allocated, allowing spoofing attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0074REFERENCE:CVE-1999-0077:DESCRIPTION:Predictable TCP sequence numbers allow spoofing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0077REFERENCE:CVE-2000-0335:DESCRIPTION:DNS resolver uses predictable IDs, allowing a local user to spoof DNS query results.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0335","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Predictable Exact Value from Previous Values::","","",
  248. 343,"Predictable Value Range from Previous Values",Base,Draft,"The software's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.","The output of a random number generator should not be predictable based on observations of previous values. In some cases, an attacker cannot predict the exact value that will be produced next, but can narrow down the possibilities significantly. This reduces the amount of effort to perform a brute force attack. For example, suppose the product generates random numbers between 1 and 100, but it always produces a larger value until it reaches 100. If the generator produces an 80, then the attacker knows that the next value will be somewhere between 81 and 100. Instead of 100 possibilities, the attacker only needs to consider 20.","::NATURE:ChildOf:CWE ID:330:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:330:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","::PHASE::STRATEGY::EFFECTIVENESS::DESCRIPTION:Increase the entropy used to seed a PRNG.::PHASE:Architecture and Design Requirements:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (Approved Random Number Generators).::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Predictable Value Range from Previous Values::","","",
  249. 344,"Use of Invariant Value in Dynamically Changing Context",Base,Draft,"The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.","","::NATURE:ChildOf:CWE ID:330:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:330:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","","::REFERENCE:CVE-2002-0980:DESCRIPTION:Component for web browser writes an error message to a known location, which can then be referenced by attackers to process HTML/script in a less restrictive context:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0980","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Static Value in Unpredictable Context::","","TYPE:Relationship:NOTE:overlaps default configuration.::",
  250. 345,"Insufficient Verification of Data Authenticity",Class,Draft,"The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.","","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Varies by Context Unexpected State::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Insufficient Verification of Data::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A3:ENTRY NAME:Broken Authentication and Session Management:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:12:ENTRY NAME:Content Spoofing::","::111::141::142::148::218::384::385::386::387::388::389::4::","TYPE:Relationship:NOTE:origin validation could fall under this.::::TYPE:Maintenance:NOTE:The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. In some sense, this is more like a category.::",
346,"Origin Validation Error",Base,Draft,"The software does not properly verify that the source of data or communication is valid.","","::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:345:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:284:VIEW ID:1000::NATURE:ChildOf:CWE ID:284:VIEW ID:699::","::ORDINALITY:Primary:DESCRIPTION:::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Gain Privileges or Assume Identity Varies by Context:NOTE:Access Control Other Gain Privileges or Assume Identity Varies by Context An attacker can access any functionality that is inadvertently accessible to the source.::","","","::REFERENCE:CVE-2000-1218:DESCRIPTION:DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1218REFERENCE:CVE-2005-0877:DESCRIPTION:DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0877REFERENCE:CVE-2001-1452:DESCRIPTION:DNS server caches glue records received from non-delegated name servers:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1452REFERENCE:CVE-2005-2188:DESCRIPTION:user ID obtained from untrusted source (URL):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2188REFERENCE:CVE-2003-0174:DESCRIPTION:LDAP service does not verify if a particular attribute was set by the LDAP server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0174REFERENCE:CVE-1999-1549:DESCRIPTION:product does not sufficiently distinguish external HTML from internal, potentially dangerous HTML, allowing bypass using special strings in the page title. 
Overlaps special elements.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1549REFERENCE:CVE-2003-0981:DESCRIPTION:product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0981","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Origin Validation Error::","::111::141::142::21::384::385::386::387::388::389::510::59::60::75::76::89::","TYPE:Maintenance:NOTE:This entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes.::::TYPE:Terminology:NOTE:The Origin Validation Error term was used by Taimur Aslam in his August 1995 thesis. Although not formally defined, an issue is considered to be an origin validation error if either (1) an object [accepts] input from an unauthorized subject, or (2) the system [fails] to properly or completely authenticate a subject. A later section says that an origin validation error can occur when the system (1) does not properly authenticate a user or process or (2) does not properly authenticate the shared data or libraries. The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as CWE-287 (Improper Authentication), CWE-285 (Improper Authorization), and CWE-250 (Execution with Unnecessary Privileges). There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message.::",
347,"Improper Verification of Cryptographic Signature",Base,Draft,"The software does not verify, or incorrectly verifies, the cryptographic signature for data.","","::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:345:VIEW ID:699::NATURE:ChildOf:CWE ID:345:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Gain Privileges or Assume Identity Modify Application Data Execute Unauthorized Code or Commands:NOTE:Access Control Integrity Confidentiality Gain Privileges or Assume Identity Modify Application Data Execute Unauthorized Code or Commands An attacker could gain access to sensitive data and possibly execute unauthorized code.::","","","::REFERENCE:CVE-2002-1796:DESCRIPTION:Does not properly verify signatures for trusted entities.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1796REFERENCE:CVE-2005-2181:DESCRIPTION:Insufficient verification allows spoofing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2181REFERENCE:CVE-2005-2182:DESCRIPTION:Insufficient verification allows spoofing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2182REFERENCE:CVE-2002-1706:DESCRIPTION:Accepts a configuration file without a Message Integrity Check (MIC) signature.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1706","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Improperly Verified Signature::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SEC06-J:ENTRY NAME:Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar::","::463::","",
348,"Use of Less Trusted Source",Base,Draft,"The software has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.","","::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:345:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity An attacker could utilize the untrusted data source to bypass protection mechanisms and gain access to sensitive data.::","","","::REFERENCE:CVE-2001-0860:DESCRIPTION:Product uses IP address provided by a client, instead of obtaining it from the packet headers, allowing easier spoofing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0860REFERENCE:CVE-2004-1950:DESCRIPTION:Web product uses the IP address in the X-Forwarded-For HTTP header instead of a server variable that uses the connecting IP address, allowing filter bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1950REFERENCE:BID:15326:DESCRIPTION:Similar to CVE-2004-1950:LINK:http://www.securityfocus.com/bid/15326/infoREFERENCE:CVE-2001-0908:DESCRIPTION:Product logs IP address specified by the client instead of obtaining it from the packet headers, allowing information hiding.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0908REFERENCE:CVE-2006-1126:DESCRIPTION:PHP application uses IP address from X-Forwarded-For HTTP header, instead of REMOTE_ADDR.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1126","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Use of Less Trusted Source::","::141::142::73::76::85::","",
349,"Acceptance of Extraneous Untrusted Data With Trusted Data",Base,Draft,"The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.","","::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:345:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Integrity:TECHNICAL IMPACT:Bypass Protection Mechanism Modify Application Data:NOTE:Access Control Integrity Bypass Protection Mechanism Modify Application Data An attacker could package untrusted data with trusted data to bypass protection mechanisms to gain access to and possibly modify sensitive data.::","","","::REFERENCE:CVE-2002-0018:DESCRIPTION:Does not verify that trusted entity is authoritative for all entities in its response.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0018","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Untrusted Data Appended with Trusted Data::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ENV01-J:ENTRY NAME:Place all security-sensitive code in a single JAR and sign and seal it::","::141::142::75::","",
35,"Path Traversal: '.../...//'",Variant,Incomplete,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The '.../...//' manipulation is useful for bypassing some path traversal protection schemes. If ../ is filtered in a sequential fashion, as done by some regular expression engines, then .../...// can collapse into the ../ unsafe value (CWE-182). Removing the first ../ yields ....//; the second removal yields ../. Depending on the algorithm, the software could be susceptible to CWE-34 but not CWE-35, or vice versa.","::NATURE:ChildOf:CWE ID:23:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:23:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. 
As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). 
Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2005-2169:DESCRIPTION:chain: .../...// bypasses protection mechanism using regexp's that remove ../ resulting in collapse into an unsafe value ../ (CWE-182) and resultant path traversal.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2169REFERENCE:CVE-2005-0202:DESCRIPTION:.../..../// bypasses regexp's that remove ./ and ../:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0202","","","TAXONOMY NAME:PLOVER:ENTRY NAME:'.../...//'::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
350,"Reliance on Reverse DNS Resolution for a Security-Critical Action",Variant,Draft,"The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.","Since DNS names can be easily spoofed or misreported, and it may be difficult for the software to detect if a trusted DNS server has been compromised, DNS names do not constitute a valid authentication mechanism. When the software performs a reverse DNS resolution for an IP address, if an attacker controls the server for that IP address, then the attacker can cause the server to return an arbitrary hostname. As a result, the attacker may be able to bypass authentication, cause the wrong hostname to be recorded in log files to hide activities, or perform other attacks. Attackers can spoof DNS names by either (1) compromising a DNS server and modifying its records (sometimes called DNS cache poisoning), or (2) having legitimate control over a DNS server associated with their IP address.","::NATURE:ChildOf:CWE ID:290:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:290:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:923:VIEW ID:1000::NATURE:ChildOf:CWE ID:807:VIEW ID:1000::NATURE:CanPrecede:CWE ID:923:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Bypass Protection Mechanism:NOTE:Access Control Gain Privileges or Assume Identity Bypass Protection Mechanism Malicious users can fake authentication information by providing false DNS information.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use other means of identity verification that cannot be simply spoofed. 
Possibilities include a username/password or certificate.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform proper forward and reverse DNS lookups to detect DNS spoofing.::","::REFERENCE:CVE-2001-1488:DESCRIPTION:Does not do double-reverse lookup to prevent DNS spoofing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1488REFERENCE:CVE-2001-1500:DESCRIPTION:Does not verify reverse-resolved hostnames in DNS.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1500REFERENCE:CVE-2000-1221:DESCRIPTION:Authentication bypass using spoofed reverse-resolved DNS hostnames.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1221REFERENCE:CVE-2002-0804:DESCRIPTION:Authentication bypass using spoofed reverse-resolved DNS hostnames.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0804REFERENCE:CVE-2001-1155:DESCRIPTION:Filter does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1155REFERENCE:CVE-2004-0892:DESCRIPTION:Reverse DNS lookup used to spoof trusted content in intermediary.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0892REFERENCE:CVE-2003-0981:DESCRIPTION:Product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0981","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Improperly Trusted Reverse DNS::::TAXONOMY NAME:CLASP:ENTRY NAME:Trusting self-reported DNS name::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP29:ENTRY NAME:Faulty endpoint authentication::","::142::275::73::89::","TYPE:Maintenance:NOTE:CWE-350, CWE-247, and CWE-292 were merged into CWE-350 in CWE 2.5. CWE-247 was originally derived from Seven Pernicious Kingdoms, CWE-350 from PLOVER, and CWE-292 from CLASP. 
All taxonomies focused closely on the use of reverse DNS for authentication of incoming requests.::",
351,"Insufficient Type Distinction",Base,Draft,"The software does not properly distinguish between different types of elements in a way that leads to insecure behavior.","","::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:345:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:436:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","","::REFERENCE:CVE-2005-2260:DESCRIPTION:Browser user interface does not distinguish between user-initiated and synthetic events.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2260REFERENCE:CVE-2005-2801:DESCRIPTION:Product does not compare all required data in two separate elements, causing it to think they are the same, leading to loss of ACLs. Similar to Same Name error.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2801","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Insufficient Type Distinction::","","TYPE:Relationship:NOTE:Overlaps others, e.g. Multiple Interpretation Errors.::",
352,"Cross-Site Request Forgery (CSRF)",Compound,Draft,"The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.","When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.","::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:345:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:345:VIEW ID:1003:ORDINAL:Primary::NATURE:Requires:CWE ID:346:VIEW ID:1000::NATURE:Requires:CWE ID:441:VIEW ID:1000::NATURE:Requires:CWE ID:642:VIEW ID:1000::NATURE:Requires:CWE ID:613:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Undetermined::","","::TERM:Session Riding:DESCRIPTION:::TERM:Cross Site Reference Forgery:DESCRIPTION:::TERM:XSRF:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Non-Repudiation:SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Bypass Protection Mechanism Read Application Data Modify Application Data DoS: Crash, Exit, or Restart:NOTE:Confidentiality Integrity Availability Non-Repudiation Access Control Gain Privileges or Assume Identity Bypass Protection Mechanism Read Application Data Modify Application Data DoS: Crash, Exit, or Restart The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operations as the victim. 
If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application - deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product's users. Because the attacker has the identity of the victim, the scope of CSRF is limited only by the victim's privileges.::","::METHOD:Manual Analysis:EFFECTIVENESS:High:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual analysis can be useful for finding this weakness, and for minimizing false positives assuming an understanding of business logic. However, it might not achieve desired code coverage within limited time constraints. For black-box analysis, if credentials are not known for privileged accounts, then the most security-critical portions of the application may not receive sufficient attention. Consider using OWASP CSRFTester to identify potential issues and aid in manual analysis.::METHOD:Automated Static Analysis:EFFECTIVENESS:Limited:DESCRIPTION:CSRF is currently difficult to detect reliably using automated techniques. This is because each application has its own implicit security policy that dictates which requests can be influenced by an outsider and automatically performed on behalf of a user, versus which requests require strong confidence that the user intends to make the request. 
For example, a keyword search of the public portion of a web site is typically expected to be encoded within a link that can be launched automatically when the user clicks on the link.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for 
partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction::","::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330] Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defenses can be bypassed using attacker-controlled script.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). [REF-332]::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use the double-submitted cookie method as described by Felten and Zeller: When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user's machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same. Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. 
To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult. This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331]::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use the GET method for any request that triggers a state change.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.::","::REFERENCE:CVE-2004-1703:DESCRIPTION:Add user accounts via a URL in an img tag:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1703REFERENCE:CVE-2004-1995:DESCRIPTION:Add user accounts via a URL in an img tag:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1995REFERENCE:CVE-2004-1967:DESCRIPTION:Arbitrary code execution by specifying the code in a crafted img tag or URL:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1967REFERENCE:CVE-2004-1842:DESCRIPTION:Gain administrative privileges via a URL in an img tag:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1842REFERENCE:CVE-2005-1947:DESCRIPTION:Delete a victim's information via a URL or an img tag:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1947REFERENCE:CVE-2005-2059:DESCRIPTION:Change another user's settings via a URL or an img tag:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2059REFERENCE:CVE-2005-1674:DESCRIPTION:Perform actions as administrator via a URL or an img tag:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1674REFERENCE:CVE-2009-3520:DESCRIPTION:modify password for the 
administrator:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3520REFERENCE:CVE-2009-3022:DESCRIPTION:CMS allows modification of configuration via CSRF attack against the administrator:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3022REFERENCE:CVE-2009-3759:DESCRIPTION:web interface allows password changes or stopping a virtual machine via CSRF:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3759","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Cross-Site Request Forgery (CSRF)::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A5:ENTRY NAME:Cross Site Request Forgery (CSRF):MAPPING FIT:Exact::::TAXONOMY NAME:WASC:ENTRY ID:9:ENTRY NAME:Cross-site Request Forgery::","::111::462::467::62::","TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::::TYPE:Theoretical:NOTE:The CSRF topology is multi-channel: 1. Attacker (as outsider) to intermediary (as user). The interaction point is either an external or internal channel. 2. Intermediary (as user) to server (as victim). The activation point is an internal channel.::",
353,"Missing Support for Integrity Check",Base,Draft,"The software uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.","If integrity check values or checksums are omitted from a protocol, there is no way of determining if data has been corrupted in transmission. The lack of checksum functionality in a protocol removes the first application-level check of data that can be used. The end-to-end philosophy of checks states that integrity checks should be performed at the lowest level that they can be completely implemented. Excluding further sanity checks and input validation performed by applications, the protocol's checksum is the most important level of checksum, since it can be performed more completely than at any previous level and takes into account entire messages, as opposed to single packets.","::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:345:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:354:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Integrity Other Other Data that is parsed and used may be corrupted.::SCOPE:Non-Repudiation:SCOPE:Other:TECHNICAL IMPACT:Hide Activities Other:NOTE:Non-Repudiation Other Hide Activities Other Without a checksum it is impossible to determine if any changes have been made to the data after it was sent.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Add an appropriately sized checksum to the protocol, ensuring that data received may be simply validated before it is parsed and used.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that the checksums present in the protocol design are properly implemented and added to each message before it is 
sent.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Failure to add integrity check value::","::13::14::39::74::75::","",
354,"Improper Validation of Integrity Check Value",Base,Draft,"The software does not validate or incorrectly validates the integrity check values or checksums of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.","Improper validation of checksums before use results in an unnecessary risk that can easily be mitigated. The protocol specification describes the algorithm used for calculating the checksum. It is then a simple matter of implementing the calculation and verifying that the calculated checksum and the received checksum match. Improper verification of the calculated checksum and the received checksum can lead to far greater consequences.","::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:345:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:754:VIEW ID:1000::NATURE:PeerOf:CWE ID:353:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Modify Application Data Other:NOTE:Integrity Other Modify Application Data Other Integrity checks usually use a secret key that helps authenticate the data origin. 
Skipping integrity checking generally opens up the possibility that new data from an invalid source can be injected.::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Integrity Other Other Data that is parsed and used may be corrupted.::SCOPE:Non-Repudiation:SCOPE:Other:TECHNICAL IMPACT:Hide Activities Other:NOTE:Non-Repudiation Other Hide Activities Other Without a checksum check, it is impossible to determine if any changes have been made to the data after it was sent.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that the checksums present in messages are properly checked in accordance with the protocol specification before they are parsed and used.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Failure to check integrity check value::","::463::75::","",
356,"Product UI does not Warn User of Unsafe Actions",Base,Incomplete,"The software's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.","Software systems should warn users that a potentially dangerous action may occur if the user proceeds. For example, if the user downloads a file from an unknown source and attempts to execute the file on their machine, then the application's GUI can indicate that the file is unsafe.","::NATURE:ChildOf:CWE ID:221:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities::","","","::REFERENCE:CVE-1999-1055:DESCRIPTION:Product does not warn user when document contains certain dangerous functions or macros.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1055REFERENCE:CVE-1999-0794:DESCRIPTION:Product does not warn user when document contains certain dangerous functions or macros.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0794REFERENCE:CVE-2000-0277:DESCRIPTION:Product does not warn user when document contains certain dangerous functions or macros.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0277REFERENCE:CVE-2000-0517:DESCRIPTION:Product does not warn user about a certificate if it has already been accepted for a different site. Possibly resultant.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0517REFERENCE:CVE-2005-0602:DESCRIPTION:File extractor does not warn user it setuid/setgid files could be extracted. Overlaps privileges/permissions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0602REFERENCE:CVE-2000-0342:DESCRIPTION:E-mail client allows bypass of warning for dangerous attachments via a Windows .LNK file that refers to the attachment.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0342","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Product UI does not warn user of unsafe actions::","","TYPE:Relationship:NOTE:Often resultant, e.g. in unhandled error conditions.::::TYPE:Relationship:NOTE:Can overlap privilege errors, conceptually at least.::",
357,"Insufficient UI Warning of Dangerous Operations",Base,Draft,"The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.","","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities::","","","::REFERENCE:CVE-2007-1099:DESCRIPTION:User not sufficiently warned if host key mismatch occurs:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1099","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Insufficient UI warning of dangerous operations::","","",
358,"Improperly Implemented Security Check for Standard",Base,Draft,"The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.","","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:693:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:345:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:290:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","","::REFERENCE:CVE-2002-0862:DESCRIPTION:Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0862REFERENCE:CVE-2002-0970:DESCRIPTION:Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0970REFERENCE:CVE-2002-1407:DESCRIPTION:Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1407REFERENCE:CVE-2005-0198:DESCRIPTION:Logic error prevents some required conditions from being enforced during Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0198REFERENCE:CVE-2004-2163:DESCRIPTION:Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2163REFERENCE:CVE-2005-2181:DESCRIPTION:Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2181REFERENCE:CVE-2005-2182:DESCRIPTION:Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2182REFERENCE:CVE-2005-2298:DESCRIPTION:Security check not applied to all components, allowing bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2298","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Improperly Implemented Security Check for Standard::","","TYPE:Relationship:NOTE:This is a missing step error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant.::",
359,"Exposure of Private Information ('Privacy Violation')",Class,Incomplete,"The software does not properly prevent private data (such as credit card numbers) from being accessed by actors who either (1) are not explicitly authorized to access the data or (2) do not have the implicit consent of the people to which the data is related.","Mishandling private information, such as customer passwords or Social Security numbers, can compromise user privacy and is often illegal. An exposure of private information does not necessarily prevent the software from working properly, and in fact it might be intended by the developer, but it can still be undesirable (or explicitly prohibited by law) for the people who are associated with this private information. Privacy violations may occur when: Private user information enters the program. The data is written to an external location, such as the console, file system, or network. Private data can enter a program in a variety of ways: Directly from the user in the form of a password or personal information Accessed from a database or other data store by the application Indirectly from a partner or other third party Some types of private information include: Government identifiers, such as Social Security Numbers Contact information, such as home addresses and telephone numbers Geographic location - where the user is (or was) Employment history Financial data - such as credit card numbers, salary, bank accounts, and debts Pictures, video, or audio Behavioral patterns - such as web surfing history, when certain activities are performed, etc. Relationships (and types of relationships) with others - family, friends, contacts, etc. Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc. Health - medical conditions, insurance status, prescription records Credentials, such as passwords, which can be used to access other information. Some of this information may be characterized as PII (Personally Identifiable Information), Protected Health Information (PHI), etc. Categories of private information may overlap or vary based on the intended usage or the policies and practices of a particular industry. Depending on its location, the type of business it conducts, and the nature of any private data it handles, an organization may be required to comply with one or more of the following federal and state regulations: - Safe Harbor Privacy Framework [REF-340] - Gramm-Leach Bliley Act (GLBA) [REF-341] - Health Insurance Portability and Accountability Act (HIPAA) [REF-342] - California SB-1386 [REF-343]. Sometimes data that is not labeled as private can have a privacy implication in a different context. For example, student identification numbers are usually not considered private because there is no explicit and publicly-available mapping to an individual student's personal information. However, if a school generates identification numbers based on student social security numbers, then the identification numbers should be considered private. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which private data can be handled unsafely, a common risk stems from misplaced trust. Programmers often trust the operating environment in which a program runs, and therefore believe that it is acceptable store private information on the file system, in the registry, or in other locally-controlled resources. However, even if access to certain resources is restricted, this does not guarantee that the individuals who do have access can be trusted.","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","::TERM:Privacy leak:DESCRIPTION:::TERM:Privacy leakage:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Privacy Violation::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO13-J:ENTRY NAME:Do not log sensitive information outside a trust boundary::","::464::467::","",
36,"Absolute Path Traversal",Base,Draft,"The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as /abs/path that can resolve to a location that is outside of that directory.","This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.","::NATURE:ChildOf:CWE ID:22:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:22:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Files or Directories:NOTE:Integrity Modify Files or Directories The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories:NOTE:Confidentiality Read Files or Directories The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software.::","","","::REFERENCE:CVE-2002-1345:DESCRIPTION:Multiple FTP clients write arbitrary files via absolute paths in server responses:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1345REFERENCE:CVE-2001-1269:DESCRIPTION:ZIP file extractor allows full path:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1269REFERENCE:CVE-2002-1818:DESCRIPTION:Path traversal using absolute pathname:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1818REFERENCE:CVE-2002-1913:DESCRIPTION:Path traversal using absolute pathname:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1913REFERENCE:CVE-2005-2147:DESCRIPTION:Path traversal using absolute pathname:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2147REFERENCE:CVE-2000-0614:DESCRIPTION:Arbitrary files may be overwritten via compressed attachments that specify absolute path names for the decompressed output.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0614REFERENCE:CVE-1999-1263:DESCRIPTION:Mail client allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1263REFERENCE:CVE-2003-0753:DESCRIPTION:Remote attackers can read arbitrary files via a full pathname to the target file in config parameter.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0753REFERENCE:CVE-2002-1525:DESCRIPTION:Remote attackers can read arbitrary files via an absolute pathname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1525REFERENCE:CVE-2001-0038:DESCRIPTION:Remote attackers can read arbitrary files by specifying the drive letter in the requested URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0038REFERENCE:CVE-2001-0255:DESCRIPTION:FTP server allows remote attackers to list arbitrary directories by using the ls command and including the drive letter name (e.g. C:) in the requested pathname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0255REFERENCE:CVE-2001-0933:DESCRIPTION:FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0933REFERENCE:CVE-2002-0466:DESCRIPTION:Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0466REFERENCE:CVE-2002-1483:DESCRIPTION:Remote attackers can read arbitrary files via an HTTP request whose argument is a filename of the form C: (Drive letter), //absolute/path, or .. .:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1483REFERENCE:CVE-2004-2488:DESCRIPTION:FTP server read/access arbitrary files using C: filenames:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2488REFERENCE:CVE-2001-0687:DESCRIPTION:FTP server allows a remote attacker to retrieve privileged web server system information by specifying arbitrary paths in the UNC format (computernamesharename).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0687","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Absolute Path Traversal::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","::597::","",
360,"Trust of System Event Data",Base,Incomplete,"Security based on event locations are insecure and can be spoofed.","Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages.","::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:345:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Access Control Gain Privileges or Assume Identity Execute Unauthorized Code or Commands If one trusts the system-event information and executes commands based on it, one could potentially take actions based on a spoofed identity.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Never trust or rely any of the information in an Event for security.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Trust of system event data::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP29:ENTRY NAME:Faulty endpoint authentication::","","",
362,"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')",Class,Draft,"The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.","This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider. A race condition occurs within concurrent environments, and is effectively a property of a code sequence. Depending on the context, a code sequence may be in the form of a function call, a small number of instructions, a series of program invocations, etc. A race condition violates these properties, which are closely related: Exclusivity - the code sequence is given exclusive access to the shared resource, i.e., no other code sequence can modify properties of the shared resource before the original sequence has completed execution. Atomicity - the code sequence is behaviorally atomic, i.e., no other thread or process can concurrently execute the same sequence of instructions (or a subset) against the same resource. A race condition exists when an interfering code sequence can still access the shared resource, violating exclusivity. Programmers may assume that certain code sequences execute too quickly to be affected by an interfering code sequence; when they are not, this violates atomicity. For example, the single x++ statement may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read (the original value of x), followed by a computation (x+1), followed by a write (save the result to x). The interfering code sequence could be trusted or untrusted. A trusted interfering code sequence occurs within the program; it cannot be modified by the attacker, and it can only be invoked indirectly. An untrusted interfering code sequence can be authored directly by the attacker, and typically it is external to the vulnerable program.","::NATURE:ChildOf:CWE ID:691:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Sometimes::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Sometimes::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Sometimes:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Concurrent Systems Operating on Shared Resources:PARADIGN PREVALENCE:Often::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Resource Consumption (Other) When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization routines, it may lead to resource exhaustion (CWE-400).::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Instability:NOTE:Availability DoS: Crash, Exit, or Restart DoS: Instability When a race condition allows multiple control flows to access a resource simultaneously, it might lead the program(s) into unexpected states, possibly resulting in a crash.::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Read Application Data:NOTE:Confidentiality Integrity Read Files or Directories Read Application Data When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data (CWE-59).::","::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.::METHOD:White Box:EFFECTIVENESS::DESCRIPTION:Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609).::METHOD:Automated Dynamic Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Framework-based Fuzzer Cost effective for partial coverage: Fuzz Tester Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use thread-safe capabilities such as the data access abstraction in Spring.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring. Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When using multithreading and operating on shared variables, only use thread-safe functions.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use atomic operations on shared variables. Be wary of innocent-looking constructs such as x++. This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::","::REFERENCE:CVE-2008-5044:DESCRIPTION:Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5044REFERENCE:CVE-2008-2958:DESCRIPTION:chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2958REFERENCE:CVE-2008-1570:DESCRIPTION:chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1570REFERENCE:CVE-2008-0058:DESCRIPTION:Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0058REFERENCE:CVE-2008-0379:DESCRIPTION:Race condition during initialization triggers a buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0379REFERENCE:CVE-2007-6599:DESCRIPTION:Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6599REFERENCE:CVE-2007-6180:DESCRIPTION:chain: race condition triggers NULL pointer dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6180REFERENCE:CVE-2007-5794:DESCRIPTION:Race condition in library function could cause data to be sent to the wrong process.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794REFERENCE:CVE-2007-3970:DESCRIPTION:Race condition in file parser leads to heap corruption.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3970REFERENCE:CVE-2008-5021:DESCRIPTION:chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5021REFERENCE:CVE-2009-4895:DESCRIPTION:chain: race condition for an argument value, possibly resulting in NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4895REFERENCE:CVE-2009-3547:DESCRIPTION:chain: race condition might allow resource to be released before operating on it, leading to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Race Conditions::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:VNA03-J:ENTRY NAME:Do not assume that a group of calls to independently atomic methods is atomic::","::26::29::","TYPE:Maintenance:NOTE:The relationship between race conditions and synchronization problems (CWE-662) needs to be further developed. They are not necessarily two perspectives of the same core concept, since synchronization is only one technique for avoiding race conditions, and synchronization can be used for other purposes besides race condition prevention.::::TYPE:Research Gap:NOTE:Race conditions in web applications are under-studied and probably under-reported. However, in 2008 there has been growing interest in this area.::::TYPE:Research Gap:NOTE:Much of the focus of race condition research has been in Time-of-check Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are related to synchronization problems that do not necessarily require a time-of-check.::::TYPE:Research Gap:NOTE:From a classification/taxonomy perspective, the relationships between concurrency and program state need closer investigation and may be useful in organizing related issues.::",
363,"Race Condition Enabling Link Following",Base,Draft,"The software checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the software to access the wrong file.","While developers might expect that there is a very narrow time window between the time of check and time of use, there is still a race condition. An attacker could cause the software to slow down (e.g. with memory consumption), causing the time window to become larger. Alternately, in some situations, the attacker could win the race by performing a large number of attacks.","::NATURE:ChildOf:CWE ID:367:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:367:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:59:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Race condition enabling link following::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS35-C:ENTRY NAME:Avoid race conditions while checking for the existence of a symbolic link:MAPPING FIT:Exact::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP20:ENTRY NAME:Race Condition Window::","::26::","TYPE:Relationship:NOTE:This is already covered by the Link Following weakness (CWE-59). It is included here because so many people associate race conditions with link problems; however, not all link following issues involve race conditions.::",
364,"Signal Handler Race Condition",Base,Incomplete,"The software uses a signal handler that introduces a race condition.","Race conditions frequently occur in signal handlers, since signal handlers support asynchronous actions. These race conditions have a variety of root causes and symptoms. Attackers may be able to exploit a signal handler race condition to cause the software state to be corrupted, possibly leading to a denial of service or even code execution. These issues occur when non-reentrant functions, or state-sensitive actions occur in the signal handler, where they may be called at any time. These behaviors can violate assumptions being made by the regular code that is interrupted, or by other signal handlers that may also be invoked. If these functions are called at an inopportune moment - such as while a non-reentrant function is already running - memory corruption could occur that may be exploitable for code execution. Another signal race condition commonly found occurs when free is called within a signal handler, resulting in a double free and therefore a write-what-where condition. Even if a given pointer is set to NULL after it has been freed, a race condition still exists between the time the memory was freed and the pointer was set to NULL. This is especially problematic if the same signal handler has been set for more than one signal -- since it means that the signal handler itself may be reentered. There are several known behaviors related to signal handlers that have received the label of signal handler race condition: Shared state (e.g. global data or static variables) that are accessible to both a signal handler and regular code Shared state between a signal handler and other signal handlers Use of non-reentrant functionality within a signal handler - which generally implies that shared state is being used. For example, malloc() and free() are non-reentrant because they may use global or static data structures for managing memory, and they are indirectly used by innocent-seeming functions such as syslog(); these functions could be exploited for memory corruption and, possibly, code execution. Association of the same signal handler function with multiple signals - which might imply shared state, since the same code and resources are accessed. For example, this can be a source of double-free and use-after-free weaknesses. Use of setjmp and longjmp, or other mechanisms that prevent a signal handler from returning control back to the original functionality While not technically a race condition, some signal handlers are designed to be called at most once, and being called more than once can introduce security problems, even when there are not any concurrent calls to the signal handler. This can be a source of double-free and use-after-free weaknesses. Signal handler vulnerabilities are often classified based on the absence of a specific protection mechanism, although this style of classification is discouraged in CWE because programmers often have a choice of several different mechanisms for addressing the weakness. Such protection mechanisms may preserve exclusivity of access to the shared resource, and behavioral atomicity for the relevant code: Avoiding shared state Using synchronization in the signal handler Using synchronization in the regular code Disabling or masking other signals, which provides atomicity (which effectively ensures exclusivity)","::NATURE:ChildOf:CWE ID:362:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:362:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:415:VIEW ID:1000::NATURE:CanPrecede:CWE ID:416:VIEW ID:1000::NATURE:CanPrecede:CWE ID:123:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Sometimes::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Sometimes::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Modify Application Data Modify Memory DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Modify Application Data Modify Memory DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands It may be possible to cause data corruption and possibly execute arbitrary code by modifying global variables or data structures at unexpected times, violating the assumptions of code that uses this global data.::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity If a signal handler interrupts code that is executing with privileges, it may be possible that the signal handler will also be executed with elevated privileges, possibly making subsequent exploits more severe.::","","::PHASE:Requirements:STRATEGY:Language Selection:EFFECTIVENESS::DESCRIPTION:Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Design signal handlers to only set flags, rather than perform complex functionality. These flags can then be checked and acted upon within the main program loop.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Only use reentrant functions within signal handlers. Also, use sanity checks to ensure that state is consistent while performing asynchronous actions that affect the state of execution.::","::REFERENCE:CVE-1999-0035:DESCRIPTION:Signal handler does not disable other signal handlers, allowing it to be interrupted, causing other functionality to access files/etc. with raised privileges:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0035REFERENCE:CVE-2001-0905:DESCRIPTION:Attacker can send a signal while another signal handler is already running, leading to crash or execution with root privileges:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0905REFERENCE:CVE-2001-1349:DESCRIPTION:unsafe calls to library functions from signal handler:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1349REFERENCE:CVE-2004-0794:DESCRIPTION:SIGURG can be used to remotely interrupt signal handler; other variants exist:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0794REFERENCE:CVE-2004-2259:DESCRIPTION:SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2259","::SignalsInterprocess Communication","System Process::","TAXONOMY NAME:PLOVER:ENTRY NAME:Signal handler race condition::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Signal Handling Race Conditions::::TAXONOMY NAME:CLASP:ENTRY NAME:Race condition in signal handler::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP19:ENTRY NAME:Missing Lock::","","TYPE:Research Gap:NOTE:Probably under-studied.::",
365,"Race Condition in Switch",Base,Draft,"The code contains a switch statement in which the switched variable can be modified while the switch is still executing, resulting in unexpected behavior.","This issue is particularly important in the case of switch statements that involve fall-through style case statements - i.e., those which do not end with break. If the variable being tested by the switch changes in the course of execution, this could change the intended logic of the switch so much that it places the process in a contradictory state and in some cases could even result in memory corruption.","::NATURE:ChildOf:CWE ID:367:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:367:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:364:VIEW ID:1000::NATURE:PeerOf:CWE ID:366:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Alter Execution Logic Unexpected State:NOTE:Integrity Other Alter Execution Logic Unexpected State This weakness may lead to unexpected system state, resulting in unpredictable behavior.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Variables that may be subject to race conditions should be locked before the switch statement starts and only unlocked after the statement ends.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Race condition in switch::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS35-C:ENTRY NAME:Avoid race conditions while checking for the existence of a symbolic link::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP19:ENTRY NAME:Missing Lock::","","",
366,"Race Condition within a Thread",Base,Draft,"If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.","","::NATURE:ChildOf:CWE ID:362:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:362:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Alter Execution Logic Unexpected State:NOTE:Integrity Other Alter Execution Logic Unexpected State The main problem is that -- if a lock is overcome -- data could be altered in a bad state.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use locking functionality. This is the recommended solution. Implement some form of locking mechanism around code which alters or reads persistent data in a multithreaded environment.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Create resource-locking sanity checks. If no inherent locking mechanisms exist, use flags and signals to enforce your own blocking scheme when resources are being used by other threads of execution.::","","","System Process::","TAXONOMY NAME:CLASP:ENTRY NAME:Race condition within a thread::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:CON32-C:ENTRY NAME:Prevent data races when accessing bit-fields from multiple threads:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:CON40-C:ENTRY NAME:Do not refer to an atomic variable twice in an expression:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:CON43-C:ENTRY NAME:Do not allow data races in multithreaded code:MAPPING FIT:Exact::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:VNA02-J:ENTRY NAME:Ensure that compound operations on shared variables are atomic::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:VNA03-J:ENTRY NAME:Do not assume that a group of calls to independently atomic methods is atomic::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP19:ENTRY NAME:Missing Lock::","::26::29::","",
367,"Time-of-check Time-of-use (TOCTOU) Race Condition",Base,Incomplete,"The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.","This weakness can be security-relevant when an attacker can influence the state of the resource between check and use. This can happen with shared resources such as files, memory, or even variables in multithreaded programs.","::NATURE:ChildOf:CWE ID:362:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:362:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:TOCTTOU:DESCRIPTION:The TOCTTOU acronym expands to Time Of Check To Time Of Use.::TERM:TOCCTOU:DESCRIPTION:The TOCCTOU acronym is most likely a typo of TOCTTOU, but it has been used in some influential documents, so the typo is repeated fairly frequently.::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Alter Execution Logic Unexpected State:NOTE:Integrity Other Alter Execution Logic Unexpected State The attacker can gain access to otherwise unauthorized resources.::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Modify Application Data Modify Files or Directories Modify Memory Other:NOTE:Integrity Other Modify Application Data Modify Files or Directories Modify Memory Other Race conditions such as this kind may be employed to gain read or write access to resources which are not normally readable or writable by the user in question.::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Integrity Other Other The resource in question, or other resources (through the corrupted one), may be changed in undesirable ways by a malicious user.::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Non-Repudiation Hide Activities If a file or other resource is written in this method, as opposed to in a valid way, logging of the activity may not occur.::SCOPE:Non-Repudiation:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Non-Repudiation Other Other In some cases it may be possible to delete files a malicious user might not otherwise have access to, such as log files.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Limit the interleaving of operations on files from multiple processes.::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:If you cannot perform operations atomically and you must share access to the resource between multiple processes or threads, then try to limit the amount of time (CPU cycles) between the check and use of the resource. This will not fix the problem, but it could make it more difficult for an attack to succeed.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Recheck the resource after the use call to verify that the action was taken appropriately.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that some environmental locking mechanism can be used to protect resources effectively.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that locking occurs before the check, as opposed to afterwards, such that the resource, as checked, is the same as it is when in use.::","::REFERENCE:CVE-2003-0813:DESCRIPTION:A multi-threaded race condition allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0813REFERENCE:CVE-2004-0594:DESCRIPTION:PHP flaw allows remote attackers to execute arbitrary code by aborting execution before the initialization of key data structures is complete.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0594REFERENCE:CVE-2008-2958:DESCRIPTION:chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2958REFERENCE:CVE-2008-1570:DESCRIPTION:chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1570","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Time-of-check Time-of-use race condition::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:File Access Race Conditions: TOCTOU::::TAXONOMY NAME:CLASP:ENTRY NAME:Time of check, time of use race condition::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO01-C:ENTRY NAME:Be careful using functions that use file names for identification::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP20:ENTRY NAME:Race Condition Window::","::27::29::","TYPE:Relationship:NOTE:TOCTOU issues do not always involve symlinks, and not every symlink issue is a TOCTOU problem.::::TYPE:Research Gap:NOTE:Non-symlink TOCTOU issues are not reported frequently, but they are likely to occur in code that attempts to be secure.::",
368,"Context Switching Race Condition",Base,Draft,"A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.","This is commonly seen in web browser vulnerabilities in which the attacker can perform certain actions while the browser is transitioning from a trusted to an untrusted domain, or vice versa, and the browser performs the actions on one domain using the trust level and resources of the other domain.","::NATURE:ChildOf:CWE ID:362:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:362:VIEW ID:699:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:364:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:This weakness can be primary to almost anything, depending on the context of the race condition.::ORDINALITY:Resultant:DESCRIPTION:This weakness can be resultant from insufficient compartmentalization (CWE-653), incorrect locking, improper initialization or shutdown, or a number of other weaknesses.::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Modify Application Data Read Application Data::","","","::REFERENCE:CVE-2009-1837:DESCRIPTION:Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1837REFERENCE:CVE-2004-2260:DESCRIPTION:Browser updates address bar as soon as user clicks on a link instead of when the page has loaded, allowing spoofing by redirecting to another page using onUnload method. ** this is one example of the role of hooks and context switches, and should be captured somehow - also a race condition of sorts **:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2260REFERENCE:CVE-2004-0191:DESCRIPTION:XSS when web browser executes Javascript events in the context of a new page while it's being loaded, allowing interaction with previous page in different domain.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0191REFERENCE:CVE-2004-2491:DESCRIPTION:Web browser fills in address bar of clicked-on link before page has been loaded, and doesn't update afterward.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2491","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Context Switching Race Condition::","::26::29::","TYPE:Relationship:NOTE:Can overlap signal handler race conditions.::::TYPE:Research Gap:NOTE:Under-studied as a concept. Frequency unknown; few vulnerability reports give enough detail to know when a context switching race condition is a factor.::",
369,"Divide By Zero",Base,Draft,"The product divides a value by zero.","This weakness typically occurs when an unexpected value is provided to the product, or if an error occurs that is not properly detected. It frequently occurs in calculations involving physical dimensions such as size, length, width, and height.","::NATURE:ChildOf:CWE ID:682:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:682:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:682:VIEW ID:1003:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart A Divide by Zero results in a crash.::","","","::REFERENCE:CVE-2007-3268:DESCRIPTION:Invalid size value leads to divide by zero.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3268REFERENCE:CVE-2007-2723:DESCRIPTION:Empty content triggers divide by zero.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2723REFERENCE:CVE-2007-2237:DESCRIPTION:Height value of 0 triggers divide by zero.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2237","","","TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A9:ENTRY NAME:Denial of Service:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FLP03-C:ENTRY NAME:Detect and handle floating point errors::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT33-C:ENTRY NAME:Ensure that division and remainder operations do not result in divide-by-zero errors:MAPPING FIT:Exact::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:NUM02-J:ENTRY NAME:Ensure that division and modulo operations do not result in divide-by-zero errors::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
37,"Path Traversal: '/absolute/pathname/here'",Variant,Draft,"A software system that accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation can allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:36:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:36:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:160:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-1345:DESCRIPTION:Multiple FTP clients write arbitrary files via absolute paths in server responses:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1345REFERENCE:CVE-2001-1269:DESCRIPTION:ZIP file extractor allows full path:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1269REFERENCE:CVE-2002-1818:DESCRIPTION:Path traversal using absolute pathname:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1818REFERENCE:CVE-2002-1913:DESCRIPTION:Path traversal using absolute pathname:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1913REFERENCE:CVE-2005-2147:DESCRIPTION:Path traversal using absolute pathname:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2147REFERENCE:CVE-2000-0614:DESCRIPTION:Arbitrary files may be overwritten via compressed attachments that specify absolute path names for the decompressed output.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0614","","","TAXONOMY NAME:PLOVER:ENTRY NAME:/absolute/pathname/here::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO05-C:ENTRY NAME:Identify files using multiple file attributes::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
370,"Missing Check for Certificate Revocation after Initial Check",Variant,Draft,"The software does not check the revocation status of a certificate after its initial revocation check, which can cause the software to perform privileged actions even after the certificate is revoked at a later time.","If the revocation status of a certificate is not checked before each action that requires privileges, the system may be subject to a race condition. If a certificate is revoked after the initial check, all subsequent actions taken with the owner of the revoked certificate will lose all benefits guaranteed by the certificate. In fact, it is almost certain that the use of a revoked certificate indicates malicious activity.","::NATURE:ChildOf:CWE ID:299:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:299:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:296:VIEW ID:1000::NATURE:PeerOf:CWE ID:297:VIEW ID:1000::NATURE:PeerOf:CWE ID:298:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity Trust may be assigned to an entity who is not who it claims to be.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data Data from an untrusted (and possibly malicious) source may be integrated.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that certificates are checked for revoked status before each use of a protected resource. If the certificate is checked before each access of a protected resource, the delay subject to a possible race condition becomes almost negligible and significantly reduces the risk associated with this issue.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Race condition in checking for certificate revocation::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP20:ENTRY NAME:Race Condition Window::","::26::29::","",
372,"Incomplete Internal State Distinction",Base,Draft,"The software does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.","","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Varies by Context Unexpected State::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Incomplete Internal State Distinction::","::74::","TYPE:Relationship:NOTE:This conceptually overlaps other categories such as insufficient verification, but this entry refers to the product's incorrect perception of its own state.::::TYPE:Relationship:NOTE:This is probably resultant from other weaknesses such as unhandled error conditions, inability to handle out-of-order steps, multiple interpretation errors, etc.::::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It was poorly-defined in PLOVER and is not easily described using the behavior/resource/property model of vulnerability theory.::",
374,"Passing Mutable Objects to an Untrusted Method",Base,Draft,"The program sends non-cloned mutable data as an argument to a method or function.","The function or method that has been called can alter or delete the mutable data. This could violate assumptions that the calling function has made about its state. In situations where unknown code is called with references to mutable data, this external code could make changes to the data sent. If this data was not previously cloned, the modified data might not be valid in the context of execution.","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory:NOTE:Integrity Modify Memory Potentially data could be tampered with by another function which should not have been tampered with.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Pass in data which should not be altered as constant or immutable.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Clone all mutable data before passing it into an external function. This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Passing mutable objects to an untrusted method::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:OBJ04-J:ENTRY NAME:Provide mutable classes with copy functionality to safely allow passing instances to untrusted code::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
375,"Returning a Mutable Object to an Untrusted Caller",Base,Draft,"Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.","In situations where functions return references to mutable data, it is possible that the external code which called the function may make changes to the data sent. If this data was not previously cloned, the class will then be using modified data which may violate assumptions about its internal state.","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory:NOTE:Access Control Integrity Modify Memory Data could be tampered with by another function that should not have been able to modify it.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Declare returned data which should not be altered as constant or immutable.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Clone all mutable data before returning references to it. This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Mutable object returned::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:OBJ04-J:ENTRY NAME:Provide mutable classes with copy functionality to safely allow passing instances to untrusted code::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:OBJ05-J:ENTRY NAME:Defensively copy private mutable class members before returning their references::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:EXP34-PL:ENTRY NAME:Do not modify $_ in list or sorting functions:MAPPING FIT:Imprecise::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
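Added example for CWE-374 and CWE-375 (this is not code from the CWE entries): a C struct that hands out a pointer to its own mutable buffer and passes that buffer straight to an outside callback, next to the defensive-copy versions the mitigations describe. The account type, the callback interface and the hostile hook are constructed for the demonstration.

```c
/* Added example for CWE-374/375 (not from the CWE entries): exposing a
 * pointer to internal mutable state versus handing out a copy. The account
 * type and the hostile hook are constructed for the demonstration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OWNER_LEN 32

struct account {
    char owner[OWNER_LEN];   /* internal state other methods rely on */
    int  is_admin;
};

void account_init(struct account *a, const char *owner, int is_admin) {
    memset(a, 0, sizeof *a);
    strncpy(a->owner, owner, OWNER_LEN - 1);   /* zeroed struct keeps it terminated */
    a->is_admin = is_admin;
}

/* CWE-375: returns the live internal buffer. Whoever receives it can rewrite
 * the owner name behind the object's back. */
char *account_owner_unsafe(struct account *a) {
    return a->owner;
}

/* Fix for CWE-375: return a heap copy the caller owns and must free().
 * Changes to the copy cannot reach the account. */
char *account_owner_copy(const struct account *a) {
    size_t n = strlen(a->owner) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, a->owner, n);
    return copy;
}

/* A plugin-style callback the account code does not control. */
typedef void (*audit_hook)(char *owner);

/* CWE-374: the internal buffer itself is passed to the untrusted hook. */
void audit_unsafe(struct account *a, audit_hook hook) {
    hook(a->owner);
}

/* Fix for CWE-374: pass a stack copy; the hook may scribble on it freely. */
void audit_safe(const struct account *a, audit_hook hook) {
    char scratch[OWNER_LEN];
    memcpy(scratch, a->owner, OWNER_LEN);
    hook(scratch);
}

/* Hostile hook constructed for the demonstration: it overwrites its argument. */
void hostile_hook(char *owner) {
    strncpy(owner, "attacker", OWNER_LEN - 1);
    owner[OWNER_LEN - 1] = '\0';
}

/* 1 if the account still carries the expected owner name. */
int owner_intact(const struct account *a, const char *expected) {
    return strcmp(a->owner, expected) == 0;
}

int main(void) {
    struct account a;
    char *p;

    account_init(&a, "alice", 0);
    p = account_owner_unsafe(&a);
    p[0] = 'm';                                 /* caller mutates internal state */
    printf("after unsafe getter: owner=%s\n", a.owner);

    account_init(&a, "alice", 0);
    p = account_owner_copy(&a);
    if (p) { p[0] = 'm'; free(p); }
    printf("after copy getter:   owner=%s\n", a.owner);

    audit_unsafe(&a, hostile_hook);
    printf("after audit_unsafe:  owner=%s\n", a.owner);
    account_init(&a, "alice", 0);
    audit_safe(&a, hostile_hook);
    printf("after audit_safe:    owner=%s\n", a.owner);
    return 0;
}
```

The copy-out versions cost an allocation or a stack buffer per call; the entry's alternative, returning or passing `const`-qualified data, is cheaper but only stops well-behaved callers, since a cast discards the qualifier.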
377,"Insecure Temporary File",Base,Incomplete,"Creating and using insecure temporary files can leave application and system data vulnerable to attack.","","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Insecure Temporary File::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:CON33-C:ENTRY NAME:Avoid race conditions when using library functions:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO00-J:ENTRY NAME:Do not operate on files in shared directories::","","TYPE:Other:NOTE:Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows(R) API. Most of these functions are vulnerable to various forms of attacks. The functions designed to aid in the creation of temporary files can be broken into two groups based on whether they simply provide a filename or actually open a new file. - Group 1: Unique Filenames: The first group of C Library and WinAPI functions designed to help with the process of creating temporary files do so by generating a unique file name for a new temporary file, which the program is then supposed to open. This group includes C Library functions like tmpnam(), tempnam(), mktemp() and their C++ equivalents prefaced with an _ (underscore) as well as the GetTempFileName() function from the Windows API. This group of functions suffers from an underlying race condition on the filename chosen. Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess. If a file with the selected name is created, then depending on how the file is opened the existing contents or access permissions of the file may remain intact. If the existing contents of the file are malicious in nature, an attacker may be able to inject dangerous data into the application when it reads data back from the temporary file. If an attacker pre-creates the file with relaxed access permissions, then data stored in the temporary file by the application may be accessed, modified or corrupted by an attacker. On Unix based systems an even more insidious attack is possible if the attacker pre-creates the file as a link to another important file. Then, if the application truncates or writes data to the file, it may unwittingly perform damaging operations for the attacker. This is an especially serious threat if the program operates with elevated permissions. Finally, in the best case the file will be opened with a call to open() using the O_CREAT and O_EXCL flags or to CreateFile() using the CREATE_NEW attribute, which will fail if the file already exists and therefore prevent the types of attacks described above. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage, causing a denial of service (DoS) attack. This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions. - Group 2: Unique Files: The second group of C Library functions attempts to resolve some of the security problems related to temporary files by not only generating a unique file name, but also opening the file. This group includes C Library functions like tmpfile() and its C++ equivalents prefaced with an _ (underscore), as well as the slightly better-behaved C Library function mkstemp(). The tmpfile() style functions construct a unique filename and open it in the same way that fopen() would if passed the flags wb+, that is, as a binary file in read/write mode. If the file already exists, tmpfile() will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker can pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile(). Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile() does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance. Finally, mkstemp() is a reasonably safe way to create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user combined with a series of randomly generated characters. If it is unable to create such a file, it will fail and return -1. On modern systems the file is opened using mode 0600, which means the file will be secure from tampering unless the user explicitly changes its access permissions. However, mkstemp() still suffers from the use of predictable file names and can leave an application vulnerable to denial of service attacks if an attacker causes mkstemp() to fail by predicting and pre-creating the filenames to be used.::",
378,"Creation of Temporary File With Insecure Permissions",Base,Draft,"Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.","","::NATURE:ChildOf:CWE ID:377:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data If the temporary file can be read by the attacker, sensitive information may be in that file which could be revealed.::SCOPE:Authorization:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Authorization Other Other If that file can be written to by the attacker, the file might be moved into a place to which the attacker does not have access. This will allow the attacker to gain selective resource access-control privileges.::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Integrity Other Other Depending on the data stored in the temporary file, there is the potential for an attacker to gain an additional input vector which is trusted as non-malicious. It may be possible to make arbitrary changes to data structures, user information, or even process ownership.::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that you use proper file permissions. This can be achieved by using a safe temp file function. Temporary files should be writable and readable only by the process that owns the file.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Randomize temporary file names. This can also be achieved by using a safe temp-file function. This will ensure that temporary files will not be created in predictable places.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Improper temp file opening::","","",
379,"Creation of Temporary File in Directory with Incorrect Permissions",Base,Incomplete,"The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.","On some operating systems, the fact that the temporary file exists may be apparent to any user with sufficient privileges to access that directory. Since the file is visible, the application that is using the temporary file could be known. If one has access to list the processes on the system, the attacker has gained information about what the user is doing at that time. By correlating this with the applications the user is running, an attacker could potentially discover what a user's actions are. From this, higher levels of security could be breached.","::NATURE:ChildOf:CWE ID:377:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Since the file is visible and the application which is using the temp file could be known, the attacker has gained information about what the user is doing at that time.::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Try to store sensitive tempfiles in a directory which is not world readable -- i.e., per-user directories.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid using vulnerable temp file functions.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Guessed or visible temporary file::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO15-C:ENTRY NAME:Ensure that file operations are performed in a secure directory::","","",
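Added example for CWE-377, CWE-378 and CWE-379 together (not code from the CWE entries; POSIX only): the choose-a-name-then-open pattern the CWE-377 note describes, beside mkstemp() inside a private mkdtemp() directory, with the descriptor checked by fstat() rather than by path. The predictable name "app.tmp", the scratch directory under /tmp and the pre-creating "attacker" step are constructed for the demonstration.

```c
/* Added example for CWE-377/378/379 (not from the CWE entries; POSIX only).
 * The predictable name "app.tmp", the /tmp scratch directory and the
 * attacker's pre-creation step are constructed for the demonstration. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Group-1 pattern: a name chosen earlier is opened without O_EXCL. Whatever
 * already sits at that name (a world-readable file, a symlink to something
 * important) is reused, and its permissions survive the open. */
int open_temp_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Same name but O_EXCL: the open fails instead of reusing a planted file.
 * Still exposed to the denial of service the note mentions when the name
 * is guessable, but no longer to content or permission tampering. */
int open_temp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Group-2 pattern done right: mkstemp() fills the XXXXXX suffix with random
 * characters and performs the O_CREAT|O_EXCL open itself with mode 0600.
 * Afterwards the descriptor (never the path) is checked to be a plain,
 * single-link file owned by us with the expected mode. */
int open_temp_secure(char *template_in_out) {
    struct stat st;
    int fd = mkstemp(template_in_out);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & 0777) != 0600) {
        close(fd);
        unlink(template_in_out);
        return -1;
    }
    return fd;
}

/* Permission bits of an open descriptor, or -1. */
int fd_mode_bits(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Scenario: an attacker pre-creates the predictable name world-read/write
 * before the application opens it. Returns the mode the application's
 * descriptor ended up with (0666 means the planted permissions survived),
 * or -1. *excl_result receives what open_temp_exclusive() returned for the
 * same name (-1 with errno EEXIST: the planted file was detected). */
int demo_precreated_collision(const char *dir, int *excl_result) {
    char path[512];
    int fd, mode;
    snprintf(path, sizeof path, "%s/app.tmp", dir);
    fd = open(path, O_WRONLY | O_CREAT, 0666);          /* attacker's move */
    if (fd < 0)
        return -1;
    fchmod(fd, 0666);                                    /* defeat the umask */
    close(fd);
    *excl_result = open_temp_exclusive(path);
    if (*excl_result >= 0)
        close(*excl_result);
    fd = open_temp_predictable(path);                    /* silently reuses it */
    if (fd < 0)
        return -1;
    mode = fd_mode_bits(fd);
    close(fd);
    unlink(path);
    return mode;
}

int main(void) {
    char dir[] = "/tmp/cwe377-XXXXXX", tmpl[512];
    int excl = 0, fd;
    if (mkdtemp(dir) == NULL)                            /* private 0700 dir (CWE-379) */
        return 1;
    printf("predictable open kept mode %04o; O_EXCL open returned %d\n",
           demo_precreated_collision(dir, &excl), excl);
    snprintf(tmpl, sizeof tmpl, "%s/app-XXXXXX", dir);
    fd = open_temp_secure(tmpl);
    if (fd >= 0) {
        printf("mkstemp created %s with mode %04o\n", tmpl, fd_mode_bits(fd));
        close(fd);
        unlink(tmpl);
    }
    rmdir(dir);
    return 0;
}
```

Keeping the file inside a directory created by mkdtemp() (mode 0700) also addresses CWE-379: other users cannot list the directory to learn that the file exists, and they cannot pre-create names in it at all, which removes the guessable-name denial of service the note leaves open for mkstemp().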
38,"Path Traversal: '\absolute\pathname\here'",Variant,Draft,"A software system that accepts input in the form of a backslash absolute path ('\absolute\pathname\here') without appropriate validation can allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:36:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:36:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-1999-1263:DESCRIPTION:Mail client allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1263::REFERENCE:CVE-2003-0753:DESCRIPTION:Remote attackers can read arbitrary files via a full pathname to the target file in config parameter.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0753::REFERENCE:CVE-2002-1525:DESCRIPTION:Remote attackers can read arbitrary files via an absolute pathname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1525::","","","TAXONOMY NAME:PLOVER:ENTRY NAME:\absolute\pathname\here ('backslash absolute path')::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO05-C:ENTRY NAME:Identify files using multiple file attributes::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
382,"J2EE Bad Practices: Use of System.exit()",Variant,Draft,"A J2EE application uses System.exit(), which also shuts down its container.","It is never a good idea for a web application to attempt to shut down the application container. Access to a function that can shut down the application is an avenue for Denial of Service (DoS) attacks.","::NATURE:ChildOf:CWE ID:705:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart::","","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:The shutdown function should be a privileged function available only to a properly authorized administrative user::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Web applications should not call methods that cause the virtual machine to exit, such as System.exit()::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Web applications should also not throw any Throwables to the application server as this may adversely affect the container.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Non-web applications may have a main() method that contains a System.exit(), but generally should not call System.exit() from other locations in the code::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:J2EE Bad Practices: System.exit()::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A9:ENTRY NAME:Denial of Service:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR09-J:ENTRY NAME:Do not allow untrusted code to terminate the JVM::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
383,"J2EE Bad Practices: Direct Use of Threads",Variant,Draft,"Thread management in a Web application is forbidden in some circumstances and is always highly error prone.","Thread management in a web application is forbidden by the J2EE standard in some circumstances and is always highly error prone. Managing threads is difficult and is likely to interfere in unpredictable ways with the behavior of the application container. Even without interfering with the container, thread management usually leads to bugs that are hard to detect and diagnose like deadlock, race conditions, and other synchronization errors.","::NATURE:ChildOf:CWE ID:695:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For EJB, use framework approaches for parallel execution, instead of using threads.::","","","System Process::","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:J2EE Bad Practices: Threads::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
384,"Session Fixation",Compound,Incomplete,"Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.","Such a scenario is commonly observed when: 1. A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user. 2. An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session. 3. The application or container uses predictable session identifiers. In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user's account through the active session.","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699::NATURE:ChildOf:CWE ID:287:VIEW ID:1003:ORDINAL:Primary::NATURE:Requires:CWE ID:346:VIEW ID:1000::NATURE:Requires:CWE ID:472:VIEW ID:1000::NATURE:Requires:CWE ID:441:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Invalidate any existing session identifiers prior to authorizing a new user session.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Session Fixation::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A3:ENTRY NAME:Broken Authentication and Session Management:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:37:ENTRY NAME:Session Fixation::","::196::21::31::39::59::60::61::","TYPE:Other:NOTE:Other attack vectors include DNS poisoning and related network based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. Network based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL.::",
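Added example for CWE-384 (not code from the CWE entry): a minimal server-side session table in C with a login that keeps whatever session ID the request carried, beside one that applies the first mitigation, invalidating the presented session before issuing a fresh random ID. The table layout, the 128-bit hex ID format and the /dev/urandom source are this example's own choices (POSIX only); the "planted" session stands in for the ID an attacker forced onto the victim's browser.

```c
/* Added example for CWE-384 (not from the CWE entry; POSIX only). The
 * session table, ID format and /dev/urandom source are this example's own. */
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 8
#define SID_LEN 32              /* 32 hex chars = 128 bits of randomness */

struct session {
    char id[SID_LEN + 1];
    char user[32];
    int  in_use;
    int  authenticated;
};

struct session_table { struct session s[MAX_SESSIONS]; };

/* Random session ID as hex. Returns 0 on failure; there is deliberately no
 * fallback to time() or a counter, which would reintroduce the predictable
 * identifiers the entry lists as a contributing weakness. */
int new_session_id(char out[SID_LEN + 1]) {
    unsigned char raw[SID_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t i;
    if (f == NULL)
        return 0;
    if (fread(raw, 1, sizeof raw, f) != sizeof raw) { fclose(f); return 0; }
    fclose(f);
    for (i = 0; i < sizeof raw; i++)
        sprintf(out + 2 * i, "%02x", raw[i]);
    out[SID_LEN] = '\0';
    return 1;
}

struct session *session_find(struct session_table *t, const char *sid) {
    int i;
    if (sid == NULL)
        return NULL;
    for (i = 0; i < MAX_SESSIONS; i++)
        if (t->s[i].in_use && strcmp(t->s[i].id, sid) == 0)
            return &t->s[i];
    return NULL;
}

/* Anonymous session, handed out to anyone who first contacts the site.
 * This is the session whose ID the attacker records and plants. */
struct session *session_create(struct session_table *t) {
    int i;
    for (i = 0; i < MAX_SESSIONS; i++) {
        if (!t->s[i].in_use) {
            memset(&t->s[i], 0, sizeof t->s[i]);
            if (!new_session_id(t->s[i].id))
                return NULL;
            t->s[i].in_use = 1;
            return &t->s[i];
        }
    }
    return NULL;
}

/* Vulnerable: authenticates whichever session the request carried. The
 * attacker who chose that ID now holds an authenticated session as `user`. */
struct session *login_fixable(struct session_table *t, const char *presented_sid, const char *user) {
    struct session *s = session_find(t, presented_sid);
    if (s == NULL)
        s = session_create(t);
    if (s == NULL)
        return NULL;
    strncpy(s->user, user, sizeof s->user - 1);
    s->authenticated = 1;
    return s;
}

/* Fixed: invalidate the presented session, then authenticate a brand-new
 * one. The attacker's copy of the old ID no longer resolves to anything. */
struct session *login_secure(struct session_table *t, const char *presented_sid, const char *user) {
    struct session *old = session_find(t, presented_sid), *s;
    if (old != NULL)
        memset(old, 0, sizeof *old);            /* in_use = 0: ID is dead */
    s = session_create(t);
    if (s == NULL)
        return NULL;
    strncpy(s->user, user, sizeof s->user - 1);
    s->authenticated = 1;
    return s;
}

int main(void) {
    struct session_table t;
    struct session *planted, *s;
    char fixed_id[SID_LEN + 1];
    memset(&t, 0, sizeof t);
    planted = session_create(&t);               /* attacker obtains an ID ... */
    if (planted == NULL) return 1;
    strcpy(fixed_id, planted->id);              /* ... and plants it on the victim */
    s = login_fixable(&t, fixed_id, "victim");
    printf("fixable login: victim's session is %s (attacker knows it: %s)\n",
           s->id, strcmp(s->id, fixed_id) == 0 ? "yes" : "no");
    s = login_secure(&t, fixed_id, "victim");
    printf("secure login:  victim's session is %s (attacker knows it: %s)\n",
           s->id, strcmp(s->id, fixed_id) == 0 ? "yes" : "no");
    return 0;
}
```

Note that `login_secure` does not care whether the presented ID was attacker-chosen, expired or simply stale; every path through authentication ends with an ID that did not exist before the credentials were checked, which is the property the entry's first mitigation asks for.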
385,"Covert Timing Channel",Base,Incomplete,"Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.","In some instances, knowing when data is transmitted between parties can provide a malicious user with privileged information. Also, externally monitoring the timing of operations can potentially reveal sensitive data. For example, a cryptographic operation can expose its internal state if the time it takes to perform the operation varies, based on the state. Covert channels are frequently classified as either storage or timing channels. Some examples of covert timing channels are the system's paging rate, the time a certain transaction requires to execute, and the time it takes to gain access to a shared bus.","::NATURE:ChildOf:CWE ID:514:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:514:VIEW ID:699::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Other:TECHNICAL IMPACT:Read Application Data Other:NOTE:Confidentiality Other Read Application Data Other Information exposure.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Whenever possible, specify implementation strategies that do not introduce time variances in operations.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Often one can artificially manipulate the time that operations take, or when they occur, to remove the information otherwise available to the attacker.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:It is reasonable to add artificial or random delays so that the amount of CPU time consumed is independent of the action being taken by the application.::","","","","TAXONOMY NAME:Landwehr:ENTRY NAME:Timing::::TAXONOMY NAME:CLASP:ENTRY NAME:Covert Timing Channel::","::462::","",
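Added example for CWE-385 (not code from the CWE entry): the cryptographic case the description mentions, a secret comparison whose running time depends on how many leading bytes match, beside a constant-time comparison, plus the attacker loop that turns the early exit into byte-at-a-time recovery. The step counter stands in for wall-clock time so the effect is deterministic and visible without a stopwatch; the secret value is constructed for the demonstration.

```c
/* Added example for CWE-385 (not from the CWE entry). The step counter is a
 * deterministic stand-in for elapsed time; the secret is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable: returns at the first differing byte. *steps receives how many
 * bytes were examined, i.e. matching-prefix length + 1, capped at n. On real
 * hardware that count is what the attacker measures as latency. */
int compare_early_exit(const uint8_t *secret, const uint8_t *guess, size_t n, size_t *steps) {
    size_t i;
    for (i = 0; i < n; i++) {
        if (secret[i] != guess[i]) {
            *steps = i + 1;
            return 0;
        }
    }
    *steps = n;
    return 1;
}

/* Hardened: touches every byte, accumulates differences with OR and has no
 * data-dependent branch; volatile keeps the compiler from reintroducing an
 * early exit. The work done is identical for every guess. */
int compare_constant_time(const uint8_t *secret, const uint8_t *guess, size_t n, size_t *steps) {
    volatile uint8_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    *steps = n;
    return diff == 0;
}

/* Attacker's loop: for each position try all 256 values and keep the one
 * that makes the oracle examine one byte further, n*256 probes instead of
 * 256^n. Only the accept/reject result and `steps` (time) are observed,
 * never the secret. Against the constant-time oracle the loop has nothing
 * to go on and leaves out[] wrong. n must be at most 64. */
void recover_via_timing(int (*oracle)(const uint8_t *, const uint8_t *, size_t, size_t *),
                        const uint8_t *secret, size_t n, uint8_t *out) {
    uint8_t guess[64] = {0};
    size_t pos, steps;
    int v;
    if (n > sizeof guess)
        return;
    memset(out, 0, n);
    for (pos = 0; pos < n; pos++) {
        for (v = 0; v < 256; v++) {
            guess[pos] = (uint8_t)v;
            if (oracle(secret, guess, n, &steps) || steps > pos + 1) {
                out[pos] = (uint8_t)v;
                break;
            }
        }
    }
}

int main(void) {
    const uint8_t secret[] = "hunter2";                  /* constructed, 7 bytes */
    uint8_t guess[8] = "hunXXXX", out[8] = {0};
    size_t n = sizeof secret - 1, steps;
    compare_early_exit(secret, guess, n, &steps);
    printf("early-exit examined %zu bytes for a guess with 3 correct\n", steps);
    compare_constant_time(secret, guess, n, &steps);
    printf("constant-time examined %zu bytes\n", steps);
    recover_via_timing(compare_early_exit, secret, n, out);
    printf("recovered through the early-exit oracle: %.*s\n", (int)n, (const char *)out);
    recover_via_timing(compare_constant_time, secret, n, out);
    printf("through the constant-time oracle: %s\n",
           memcmp(out, secret, n) == 0 ? "recovered" : "not recovered");
    return 0;
}
```

The entry's mitigation of adding random delays narrows but does not close this channel: the attacker averages many probes per byte and the data-dependent signal survives the noise. Removing the dependency, as `compare_constant_time` does, is what makes the measurements useless.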
386,"Symbolic Name not Mapping to Correct Object",Base,Draft,"A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.","","::NATURE:ChildOf:CWE ID:706:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:367:VIEW ID:1000::NATURE:PeerOf:CWE ID:610:VIEW ID:1000::NATURE:PeerOf:CWE ID:486:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity The attacker can gain access to otherwise unauthorized resources.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Other:TECHNICAL IMPACT:Modify Application Data Modify Files or Directories Read Application Data Read Files or Directories Other:NOTE:Integrity Confidentiality Other Modify Application Data Modify Files or Directories Read Application Data Read Files or Directories Other Race conditions of this kind may be employed to gain read or write access to resources not normally readable or writable by the user in question.::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Modify Application Data Other:NOTE:Integrity Other Modify Application Data Other The resource in question, or other resources (through the corrupted one) may be changed in undesirable ways by a malicious user.::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Non-Repudiation Hide Activities If a file or other resource is written in this way, rather than through the intended interface, logging of the activity may not occur.::SCOPE:Non-Repudiation:SCOPE:Integrity:TECHNICAL IMPACT:Modify Files or Directories:NOTE:Non-Repudiation Integrity Modify Files or Directories In some cases it may be possible to delete files that a malicious user might not otherwise have access to -- such as log files.::","","","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Symbolic name not mapping to correct object::","","",
39,"Path Traversal: 'C:dirname'",Variant,Draft,"An attacker can inject a drive letter or Windows volume letter ('C:dirname') into a software system to potentially redirect access to an unintended location or arbitrary file.","","::NATURE:ChildOf:CWE ID:36:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:36:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Files or Directories:NOTE:Integrity Modify Files or Directories The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories:NOTE:Confidentiality Read Files or Directories The attacker may be able to read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and, in the case of a protection mechanism such as authentication, it has the potential to lock out every user of the software.::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2001-0038:DESCRIPTION:Remote attackers can read arbitrary files by specifying the drive letter in the requested URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0038::REFERENCE:CVE-2001-0255:DESCRIPTION:FTP server allows remote attackers to list arbitrary directories by using the ls command and including the drive letter name (e.g. C:) in the requested pathname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0255::REFERENCE:CVE-2001-0687:DESCRIPTION:FTP server allows a remote attacker to retrieve privileged system information by specifying arbitrary paths.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0687::REFERENCE:CVE-2001-0933:DESCRIPTION:FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0933::REFERENCE:CVE-2002-0466:DESCRIPTION:Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0466::REFERENCE:CVE-2002-1483:DESCRIPTION:Remote attackers can read arbitrary files via an HTTP request whose argument is a filename of the form C: (Drive letter), //absolute/path, or .. .:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1483::REFERENCE:CVE-2004-2488:DESCRIPTION:FTP server allows reading or access to arbitrary files using C: filenames.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2488::","","","TAXONOMY NAME:PLOVER:ENTRY NAME:'C:dirname' or C: (Windows volume or 'drive letter')::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO05-C:ENTRY NAME:Identify files using multiple file attributes::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
390,"Detection of Error Condition Without Action",Class,Draft,"The software detects a specific error, but takes no actions to handle the error.","","::NATURE:ChildOf:CWE ID:755:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:401:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Varies by Context Unexpected State Alter Execution Logic:NOTE:Integrity Other Varies by Context Unexpected State Alter Execution Logic An attacker could utilize an ignored error condition to place the system in an unexpected state that could lead to the execution of unintended logic and could cause other unintended behavior.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Properly handle each exception. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If a function returns an error, it is important to either fix the problem and try again, alert the user that an error has happened and let the program continue, or alert the user and close and clean up the program.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Subject the software to extensive testing to discover some of the possible instances of where/how errors or return values are not handled. Consider testing techniques such as ad hoc, equivalence partitioning, robustness and fault tolerance, mutation, and fuzzing.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Improper error handling::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR00-J:ENTRY NAME:Do not suppress or ignore checked exceptions::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::","::250::66::7::83::","",
391,"Unchecked Error Condition",Base,Incomplete,"Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.","","::NATURE:ChildOf:CWE ID:703:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Varies by Context Unexpected State Alter Execution Logic::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:The choice between a language which has named or unnamed exceptions needs to be made. While unnamed exceptions exacerbate the chance of not properly dealing with an exception, named exceptions suffer from the up call version of the weak base class problem.::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:A language can be used which requires, at compile time, that all serious exceptions be caught. However, one must make sure to use the most current version of the API as new exceptions could be added.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Catch all relevant exceptions. This is the recommended solution. 
Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Unchecked Return Value::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Empty Catch Block::::TAXONOMY NAME:CLASP:ENTRY NAME:Uncaught exception::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A7:ENTRY NAME:Improper Error Handling:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ERR00-C:ENTRY NAME:Adopt and implement a consistent and comprehensive error-handling policy::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ERR33-C:ENTRY NAME:Detect and handle standard library errors:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ERR34-C:ENTRY NAME:Detect errors when converting a string to a number:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FLP32-C:ENTRY NAME:Prevent or detect domain and range errors in math functions:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS54-C:ENTRY NAME:Detect and handle POSIX library errors:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:EXP31-PL:ENTRY NAME:Do not suppress or ignore exceptions:MAPPING FIT:Imprecise::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::","","TYPE:Maintenance:NOTE:This entry needs significant modification. It currently combines information from three different taxonomies, but each taxonomy is talking about a slightly different issue.::::TYPE:Other:NOTE:When a programmer ignores an exception, they implicitly state that they are operating under one of two assumptions: This method call can never fail. It doesn't matter if this call fails.::",
392,"Missing Report of Error Condition",Base,Draft,"The software encounters an error but does not provide a status code or return value to indicate that an error has occurred.","","::NATURE:ChildOf:CWE ID:684:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:703:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Varies by Context Unexpected State:NOTE:Integrity Other Varies by Context Unexpected State Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors.::","","","::REFERENCE:CVE-2004-0063:DESCRIPTION:Function returns OK even if another function returns a different status code than expected, leading to accepting an invalid PIN number.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0063REFERENCE:CVE-2002-1446:DESCRIPTION:Error checking routine in PKCS#11 library returns OK status even when invalid signature is detected, allowing spoofed messages.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1446REFERENCE:CVE-2002-0499:DESCRIPTION:Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0499REFERENCE:CVE-2005-2459:DESCRIPTION:Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2459","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Missing Error Status Code::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:TPS03-J:ENTRY NAME:Ensure that tasks executing in a thread pool do not fail silently::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP6:ENTRY NAME:Incorrect 
Exception Behavior::","","",
393,"Return of Wrong Status Code",Base,Draft,"A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.","This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the software to assume that an action is safe, even when it is not.","::NATURE:ChildOf:CWE ID:684:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:703:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Unexpected State Alter Execution Logic:NOTE:Integrity Other Unexpected State Alter Execution Logic This weakness could place the system in a state that could lead to unexpected logic being executed or other unintended behaviors.::","","","::REFERENCE:CVE-2003-1132:DESCRIPTION:DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1132REFERENCE:CVE-2001-1509:DESCRIPTION:Hardware-specific implementation of system call causes incorrect results from geteuid.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1509REFERENCE:CVE-2001-1559:DESCRIPTION:System call returns wrong value, leading to a resultant NULL dereference.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1559REFERENCE:CVE-2014-1266:DESCRIPTION:chain: incorrect goto in Apple SSL product bypasses certificate validation, allowing man-in-the-middle attack (Apple goto fail bug). 
CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint ('Man-in-the-Middle')).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1266","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Wrong Status Code::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP6:ENTRY NAME:Incorrect Exception Behavior::","","TYPE:Relationship:NOTE:This can be primary or resultant, but it is probably most often primary to other issues.::::TYPE:Maintenance:NOTE:This probably overlaps various categories, especially those related to error handling.::",
394,"Unexpected Status Code or Return Value",Base,Draft,"The software does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the software.","","::NATURE:ChildOf:CWE ID:754:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Unexpected State Alter Execution Logic::","","","::REFERENCE:CVE-2004-1395:DESCRIPTION:Certain packets (zero byte and other lengths) cause a recvfrom call to produce an unexpected return code that causes a server's listening loop to exit.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1395REFERENCE:CVE-2002-2124:DESCRIPTION:Unchecked return code from recv() leads to infinite loop.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2124REFERENCE:CVE-2005-2553:DESCRIPTION:Kernel function does not properly handle when a null is returned by a function call, causing it to call another function that it shouldn't.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2553REFERENCE:CVE-2005-1858:DESCRIPTION:Memory not properly cleared when read() function call returns fewer bytes than expected.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1858REFERENCE:CVE-2000-0536:DESCRIPTION:Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0536REFERENCE:CVE-2001-0910:DESCRIPTION:Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0910REFERENCE:CVE-2004-2371:DESCRIPTION:Game server doesn't check return values for functions that handle text strings and associated size 
values.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2371REFERENCE:CVE-2005-1267:DESCRIPTION:Resultant infinite loop when function call returns -1 value.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1267","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Unexpected Status Code or Return Value::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:EXP00-PL:ENTRY NAME:Do not return undef:MAPPING FIT:Imprecise::","","TYPE:Relationship:NOTE:Usually primary, but can be resultant from issues such as behavioral change or API abuse. This can produce resultant vulnerabilities.::",
395,"Use of NullPointerException Catch to Detect NULL Pointer Dereference",Base,Draft,"Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.","Programmers typically catch NullPointerException under three circumstances: The program contains a null pointer dereference. Catching the resulting exception was easier than fixing the underlying problem. The program explicitly throws a NullPointerException to signal an error condition. The code is part of a test harness that supplies unexpected input to the classes under test. Of these three circumstances, only the last is acceptable.","::NATURE:ChildOf:CWE ID:705:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:755:VIEW ID:1000::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU)::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not extensively rely on catching exceptions (especially for validating user input) to handle errors. Handling exceptions can decrease the performance of an application.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Catching NullPointerException::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR08-J:ENTRY NAME:Do not catch NullPointerException or any of its ancestors::","","",
396,"Declaration of Catch for Generic Exception",Base,Draft,"Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.","Multiple catch blocks can get ugly and repetitive, but condensing catch blocks by catching a high-level class like Exception can obscure exceptions that deserve special treatment or that should not be caught at this point in the program. Catching an overly broad exception essentially defeats the purpose of Java's typed exceptions, and can become particularly dangerous if the program grows and begins to throw new types of exceptions. The new exception types will not receive any attention.","::NATURE:ChildOf:CWE ID:705:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:755:VIEW ID:1000::NATURE:ChildOf:CWE ID:221:VIEW ID:1000::","","::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Non-Repudiation:SCOPE:Other:TECHNICAL IMPACT:Hide Activities Alter Execution Logic::","","","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Overly-Broad Catch Block::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP5:ENTRY NAME:Ambiguous Exception Type::","","",
397,"Declaration of Throws for Generic Exception",Base,Draft,"Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.","Declaring a method to throw Exception or Throwable makes it difficult for callers to perform proper error handling and error recovery. Java's exception mechanism, for example, is set up to make it easy for callers to anticipate what can go wrong and write code to handle each specific exceptional circumstance. Declaring that a method throws a generic form of exception defeats this system.","::NATURE:ChildOf:CWE ID:705:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:221:VIEW ID:1000::NATURE:ChildOf:CWE ID:703:VIEW ID:1000::","","::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Non-Repudiation:SCOPE:Other:TECHNICAL IMPACT:Hide Activities Alter Execution Logic::","","","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Overly-Broad Throws Declaration::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR07-J:ENTRY NAME:Do not throw RuntimeException, Exception, or Throwable::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP5:ENTRY NAME:Ambiguous Exception Type::","","",
40,"Path Traversal: 'UNCsharename' (Windows UNC Share)",Variant,Draft,"An attacker can inject a Windows UNC share ('UNCsharename') into a software system to potentially redirect access to an unintended location or arbitrary file.","","::NATURE:ChildOf:CWE ID:36:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:36:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . 
character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2001-0687:DESCRIPTION:FTP server allows a remote attacker to retrieve privileged web server system information by specifying arbitrary paths in the UNC format (computernamesharename).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0687","","","TAXONOMY NAME:PLOVER:ENTRY NAME:'\\UNC\share\name\' (Windows UNC share)::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
400,"Uncontrolled Resource Consumption ('Resource Exhaustion')",Class,Incomplete,"The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.","Limited resources include memory, file system storage, database connection pool entries, or CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that consumes all available resources. This would prevent valid users from accessing the software, and it could potentially have an impact on the surrounding environment. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system. Resource exhaustion problems have at least two common causes: error conditions and other exceptional circumstances, and confusion over which part of the program is responsible for releasing the resource","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Operation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Resource Consumption (Other):NOTE:Availability DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Resource Consumption (Other) The most common result of resource exhaustion is denial of service. 
The software may slow down, crash due to unhandled errors, or lock out legitimate users.::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Other:NOTE:Access Control Other Bypass Protection Mechanism Other In some cases it may be possible to force the software to fail open in the event of resource exhaustion. The state of the software -- and possibly the security functionality - may then be compromised.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:Limited:DESCRIPTION:Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the software within a short time frame.::METHOD:Fuzzing:EFFECTIVENESS:Opportunistic:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted software in between test cases. 
If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause.::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Mitigation of resource exhaustion attacks requires that the target system either: recognizes the attack and denies that user further access for a given amount of time, or uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed. The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. 
It simply makes the attack require more resources on the part of the attacker.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that protocols have specific limits of scale placed on them.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that all failures in resource allocation place the system into a safe posture.::","::REFERENCE:CVE-2009-2874:DESCRIPTION:Product allows attackers to cause a crash via a large number of connections.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2874REFERENCE:CVE-2009-1928:DESCRIPTION:Malformed request triggers uncontrolled recursion, leading to stack exhaustion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1928REFERENCE:CVE-2009-2858:DESCRIPTION:Chain: memory leak (CWE-404) leads to resource exhaustion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2858REFERENCE:CVE-2009-2726:DESCRIPTION:Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2726REFERENCE:CVE-2009-2540:DESCRIPTION:Large integer value for a length property in an object causes a large amount of memory allocation.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2540REFERENCE:CVE-2009-2299:DESCRIPTION:Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2299REFERENCE:CVE-2009-2054:DESCRIPTION:Product allows exhaustion of file descriptors when processing a large number of TCP packets.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2054REFERENCE:CVE-2008-5180:DESCRIPTION:Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5180REFERENCE:CVE-2008-2121:DESCRIPTION:TCP implementation allows 
attackers to consume CPU and prevent new connections using a TCP SYN flood attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2121REFERENCE:CVE-2008-2122:DESCRIPTION:Port scan triggers CPU consumption with processes that attempt to read data from closed sockets.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2122REFERENCE:CVE-2008-1700:DESCRIPTION:Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1700REFERENCE:CVE-2007-4103:DESCRIPTION:Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4103REFERENCE:CVE-2006-1173:DESCRIPTION:Mail server does not properly handle deeply nested multipart MIME messages, leading to stack exhaustion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1173REFERENCE:CVE-2007-0897:DESCRIPTION:Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0897","","","TAXONOMY NAME:CLASP:ENTRY NAME:Resource exhaustion (file descriptor, disk space, sockets, ...)::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A9:ENTRY NAME:Denial of Service:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:10:ENTRY NAME:Denial of Service::::TAXONOMY NAME:WASC:ENTRY ID:41:ENTRY NAME:XML Attribute Blowup::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SER12-J:ENTRY NAME:Avoid memory and resource leaks during serialization::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MSC05-J:ENTRY NAME:Do not exhaust heap space::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP13:ENTRY NAME:Unrestricted Consumption::","::147::197::2::82::","TYPE:Other:NOTE:Database queries that take a 
long time to process are good DoS targets. An attacker would have to write a few lines of Perl code to generate enough traffic to exceed the site's ability to keep up. This would effectively prevent authorized users from using the site at all. Resources can be exploited simply by ensuring that the target machine must do much more work and consume more resources in order to service a request than the attacker must do to initiate a request. A prime example of this can be found in old switches that were vulnerable to macof attacks (so named for a tool developed by Dugsong). These attacks flooded a switch with random IP and MAC address combinations, therefore exhausting the switch's cache, which held the information of which port corresponded to which MAC addresses. Once this cache was exhausted, the switch would fail in an insecure way and would begin to act simply as a hub, broadcasting all traffic on all ports and allowing for basic sniffing attacks.::",
401,"Improper Release of Memory Before Removing Last Reference ('Memory Leak')",Base,Draft,"The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.","This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions.","::NATURE:ChildOf:CWE ID:772:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Memory Leak:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Instability DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory):NOTE:Availability DoS: Crash, Exit, or Restart DoS: Instability DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) Most memory leaks result in general software reliability problems, but if an attacker can intentionally trigger a memory leak, the attacker might be able to launch a denial of service attack (by crashing or hanging the program) or take advantage of other unexpected program behavior resulting from a low memory condition.::","","::PHASE:Implementation:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone. For example, glibc in Linux provides protection against free of invalid pointers. When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391]. 
To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use an abstraction library to abstract away risky APIs. Not a complete solution.::PHASE:Architecture and Design Build and Compilation:STRATEGY::EFFECTIVENESS::DESCRIPTION:The Boehm-Demers-Weiser Garbage Collector or valgrind can be used to detect leaks in code.::","::REFERENCE:CVE-2005-3119:DESCRIPTION:Memory leak because function does not free() an element of a data structure.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3119REFERENCE:CVE-2004-0427:DESCRIPTION:Memory leak when counter variable is not decremented.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0427REFERENCE:CVE-2002-0574:DESCRIPTION:chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0574REFERENCE:CVE-2005-3181:DESCRIPTION:Kernel uses wrong function to release a data structure, preventing data from being properly tracked by other code.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3181REFERENCE:CVE-2004-0222:DESCRIPTION:Memory leak via unknown manipulations as part of protocol test suite.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0222REFERENCE:CVE-2001-0136:DESCRIPTION:Memory leak via a series of the same command.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0136","::Memory Management","Memory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Memory leak::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Memory Leak::::TAXONOMY NAME:CLASP:ENTRY NAME:Failure to deallocate data::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A9:ENTRY 
NAME:Denial of Service:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM31-C:ENTRY NAME:Free dynamically allocated memory when no longer needed:MAPPING FIT:Exact::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MSC04-J:ENTRY NAME:Do not leak memory::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP14:ENTRY NAME:Failure to release resource::","","TYPE:Relationship:NOTE:This is often a resultant weakness due to improper handling of malformed data or early termination of sessions.::::TYPE:Terminology:NOTE:memory leak has sometimes been used to describe other kinds of issues, e.g. for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict).::",
402,"Transmission of Private Resources into a New Sphere ('Resource Leak')",Class,Draft,"The software makes resources available to untrusted parties when those resources are only intended to be accessed by the software.","","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","","","","::TERM:Resource Leak:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Resource leaks::","","",
403,"Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')",Base,Draft,"A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.","When a new process is forked or executed, the child process inherits any open file descriptors. When the child process has fewer privileges than the parent process, this might introduce a vulnerability if the child process can access the file descriptor but does not have the privileges to access the associated file.","::NATURE:ChildOf:CWE ID:402:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:402:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Unix:OPERATING SYSTEM PREVALENCE:Undetermined::","","::TERM:File descriptor leak:DESCRIPTION:While this issue is frequently called a file descriptor leak, the leak term is often used in two different ways - exposure of a resource, or consumption of a resource. 
Use of this term could cause confusion.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data::","","","::REFERENCE:CVE-2003-0740:DESCRIPTION:Server leaks a privileged file descriptor, allowing the server to be hijacked.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0740REFERENCE:CVE-2004-1033:DESCRIPTION:File descriptor leak allows read of restricted files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1033REFERENCE:CVE-2000-0094:DESCRIPTION:Access to restricted resource using modified file descriptor for stderr.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0094REFERENCE:CVE-2002-0638:DESCRIPTION:Open file descriptor used as alternate channel in complex race condition.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0638REFERENCE:CVE-2003-0489:DESCRIPTION:Program does not fully drop privileges after creating a file descriptor, which allows access to the descriptor via a separate vulnerability.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0489REFERENCE:CVE-2003-0937:DESCRIPTION:User bypasses restrictions by obtaining a file descriptor then calling setuid program, which does not close the descriptor.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0937REFERENCE:CVE-2004-2215:DESCRIPTION:Terminal manager does not properly close file descriptors, allowing attackers to access terminals of other users.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2215REFERENCE:CVE-2006-5397:DESCRIPTION:Module opens a file for reading twice, allowing attackers to read files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5397","","System Process::::File or Directory::","TAXONOMY NAME:PLOVER:ENTRY NAME:UNIX file descriptor leak::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO42-C:ENTRY NAME:Ensure files are properly closed when 
they are no longer needed::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
404,"Improper Resource Shutdown or Release",Base,Draft,"The program does not release or incorrectly releases a resource before it is made available for re-use.","When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:405:VIEW ID:1000::NATURE:CanPrecede:CWE ID:619:VIEW ID:1000::NATURE:CanPrecede:CWE ID:619:VIEW ID:699::","::ORDINALITY:Primary:DESCRIPTION:Improper release or shutdown of resources can be primary to resource exhaustion, performance, and information confidentiality problems to name a few.::ORDINALITY:Resultant:DESCRIPTION:Improper release or shutdown of resources can be resultant from improper error handling or insufficient resource tracking.::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:DoS: Resource Consumption (Other) Varies by Context:NOTE:Availability Other DoS: Resource Consumption (Other) Varies by Context Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data When a resource containing sensitive information is not correctly shutdown, it may expose the sensitive data in a subsequent allocation.::","::METHOD:Automated Dynamic Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz 
testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Resource clean up errors might be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and looking for evidence of any unexpected behavior.::METHOD:Manual Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::","::PHASE:Requirements:STRATEGY:Language Selection:EFFECTIVENESS::DESCRIPTION:Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. 
If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.::","::REFERENCE:CVE-1999-1127:DESCRIPTION:Does not shut down named pipe connections if malformed data is sent.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1127REFERENCE:CVE-2001-0830:DESCRIPTION:Sockets not properly closed when attacker repeatedly connects and disconnects from server.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0830REFERENCE:CVE-2002-1372:DESCRIPTION:Return values of file/socket operations not checked, allowing resultant consumption of file descriptors.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1372","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Improper resource shutdown or release::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Unreleased Resource::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A9:ENTRY NAME:Denial of Service:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO42-C:ENTRY NAME:Close files when they are no longer needed:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM31-C:ENTRY NAME:Free dynamically allocated memory when no longer needed:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO04-J:ENTRY NAME:Release resources when they are no longer needed::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP14:ENTRY NAME:Failure to release resource::","::125::130::131::","TYPE:Relationship:NOTE:Overlaps memory leaks, asymmetric resource consumption, malformed 
input errors.::",
405,"Asymmetric Resource Consumption (Amplification)",Class,Incomplete,"Software that does not appropriately monitor or control resource consumption can lead to adverse system performance.","This situation is amplified if the software allows malicious users or attackers to consume more resources than their access level permits. Exploiting such a weakness can lead to asymmetric resource consumption, aiding in amplification attacks against the system or the network.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Operation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Amplification DoS: Resource Consumption (Other):NOTE:Availability DoS: Amplification DoS: Resource Consumption (Other) Sometimes this is a factor in flood attacks, but other types of amplification exist.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:An application must make resources available to a client commensurate with the client's access level.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:An application must, at all times, keep track of allocated resources and meter their usage appropriately.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Asymmetric resource consumption (amplification)::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A9:ENTRY NAME:Denial of Service:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:41:ENTRY NAME:XML Attribute Blowup::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:TPS00-J:ENTRY NAME:Use thread pools to enable graceful degradation of service during traffic bursts::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO04-J:ENTRY NAME:Release resources when they are no longer needed::","","",
406,"Insufficient Control of Network Message Volume (Network Amplification)",Base,Incomplete,"The software does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the software to transmit more traffic than should be allowed for that actor.","In the absence of a policy to restrict asymmetric resource consumption, the application or system cannot distinguish between legitimate transmissions and traffic intended to serve as an amplifying attack on target systems. Systems can often be configured to restrict the amount of traffic sent out on behalf of a client, based on the client's origin or access level. This is usually defined in a resource allocation policy. In the absence of a mechanism to keep track of transmissions, the system or application can be easily abused to transmit asymmetrically greater traffic than the request or client should be permitted to.","::NATURE:ChildOf:CWE ID:405:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:405:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Operation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Amplification DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Resource Consumption (Other):NOTE:Availability DoS: Amplification DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Resource Consumption (Other) System resources can be quickly consumed leading to poor application performance or system crash. 
This may affect network performance and could be used to attack other systems and applications relying on network performance.::","","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:An application must make network resources available to a client commensurate with the client's access level.::PHASE:Policy:STRATEGY::EFFECTIVENESS::DESCRIPTION:Define a clear policy for network resource allocation and consumption.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:An application must, at all times, keep track of network resources and meter their usage appropriately.::","::REFERENCE:CVE-1999-0513:DESCRIPTION:Classic Smurf attack, using spoofed ICMP packets to broadcast addresses.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0513REFERENCE:CVE-1999-1379:DESCRIPTION:DNS query with spoofed source address causes more traffic to be returned to spoofed address than was sent by the attacker.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1379REFERENCE:CVE-2000-0041:DESCRIPTION:Large datagrams are sent in response to malformed datagrams.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0041REFERENCE:CVE-1999-1066:DESCRIPTION:Game server sends a large amount.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1066REFERENCE:CVE-2013-5211:DESCRIPTION:composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Network Amplification::","","TYPE:Relationship:NOTE:This can be resultant from weaknesses that simplify spoofing attacks.::::TYPE:Theoretical:NOTE:Network amplification, when performed with spoofing, is normally a multi-channel attack from attacker (acting as user) to amplifier, and amplifier to victim.::",
407,"Algorithmic Complexity",Base,Incomplete,"An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.","","::NATURE:ChildOf:CWE ID:405:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:405:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:405:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Resource Consumption (Other) The typical consequence is CPU consumption, but memory consumption and consumption of other resources can also occur.::","","","::REFERENCE:CVE-2003-0244:DESCRIPTION:CPU consumption via inputs that cause many hash table collisions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0244REFERENCE:CVE-2003-0364:DESCRIPTION:CPU consumption via inputs that cause many hash table collisions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0364REFERENCE:CVE-2002-1203:DESCRIPTION:Product performs unnecessary processing before dropping an invalid packet.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1203REFERENCE:CVE-2001-1501:DESCRIPTION:CPU and memory consumption using many wildcards.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1501REFERENCE:CVE-2004-2527:DESCRIPTION:Product allows attackers to cause multiple copies of a program to be loaded more quickly than the program can detect that other copies are running, then exit. 
This type of error should probably have its own category, where teardown takes more time than initialization.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2527REFERENCE:CVE-2006-6931:DESCRIPTION:Network monitoring system allows remote attackers to cause a denial of service (CPU consumption and detection outage) via crafted network traffic, aka a backtracking attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6931REFERENCE:CVE-2006-3380:DESCRIPTION:Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3380REFERENCE:CVE-2006-3379:DESCRIPTION:Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3379REFERENCE:CVE-2005-2506:DESCRIPTION:OS allows attackers to cause a denial of service (CPU consumption) via crafted Gregorian dates.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2506REFERENCE:CVE-2005-1792:DESCRIPTION:Memory leak by performing actions faster than the software can clear them.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1792","::Cryptography","","TAXONOMY NAME:PLOVER:ENTRY NAME:Algorithmic Complexity::","","",
408,"Incorrect Behavior Order: Early Amplification",Base,Draft,"The software allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.","","::NATURE:ChildOf:CWE ID:405:VIEW ID:1000::NATURE:ChildOf:CWE ID:405:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:696:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Amplification DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory):NOTE:Availability DoS: Amplification DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash.::","","","::REFERENCE:CVE-2004-2458:DESCRIPTION:Tool creates directories before authenticating user.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2458","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Early Amplification::","","TYPE:Relationship:NOTE:Overlaps authentication errors.::",
409,"Improper Handling of Highly Compressed Data (Data Amplification)",Base,Incomplete,"The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.","An example of data amplification is a decompression bomb, a small ZIP file that can produce a large amount of data when it is decompressed.","::NATURE:ChildOf:CWE ID:405:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:405:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Amplification DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory):NOTE:Availability DoS: Amplification DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash.::","","","::REFERENCE:CVE-2009-1955:DESCRIPTION:XML bomb in web server module:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955REFERENCE:CVE-2003-1564:DESCRIPTION:Parsing library allows XML bomb:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1564","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Data Amplification::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:IDS04-J:ENTRY NAME:Limit the size of files passed to ZipInputStream::","","",
41,"Improper Resolution of Path Equivalence",Base,Incomplete,"The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.","Path equivalence is usually employed in order to circumvent access controls expressed using an incomplete set of file name or file path representations. This is different from path traversal, wherein the manipulations are performed to generate a name for a different object.","::NATURE:ChildOf:CWE ID:706:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Access Control:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories Bypass Protection Mechanism:NOTE:Confidentiality Integrity Access Control Read Files or Directories Modify Files or Directories Bypass Protection Mechanism An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. 
If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 
standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. 
Attackers might then be able to exploit this discrepancy and conduct injection attacks; they might even be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2000-1114:DESCRIPTION:Source code disclosure using trailing dot:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1114REFERENCE:CVE-2002-1986:DESCRIPTION:Source code disclosure using trailing dot:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1986REFERENCE:CVE-2004-2213:DESCRIPTION:Source code disclosure using trailing dot or trailing encoding space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2213REFERENCE:CVE-2005-3293:DESCRIPTION:Source code disclosure using trailing dot:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3293REFERENCE:CVE-2004-0061:DESCRIPTION:Bypass directory access restrictions using trailing dot in URL:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0061REFERENCE:CVE-2000-1133:DESCRIPTION:Bypass directory access restrictions using trailing dot in URL:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1133REFERENCE:CVE-2001-1386:DESCRIPTION:Bypass check for .lnk extension using .lnk.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1386REFERENCE:CVE-2001-0693:DESCRIPTION:Source disclosure via trailing encoded space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0693REFERENCE:CVE-2001-0778:DESCRIPTION:Source disclosure via trailing encoded space 
%20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0778REFERENCE:CVE-2001-1248:DESCRIPTION:Source disclosure via trailing encoded space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1248REFERENCE:CVE-2004-0280:DESCRIPTION:Source disclosure via trailing encoded space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0280REFERENCE:CVE-2005-0622:DESCRIPTION:Source disclosure via trailing encoded space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0622REFERENCE:CVE-2005-1656:DESCRIPTION:Source disclosure via trailing encoded space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1656REFERENCE:CVE-2002-1603:DESCRIPTION:Source disclosure via trailing encoded space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1603REFERENCE:CVE-2001-0054:DESCRIPTION:Multi-Factor Vulnerability (MVF). directory traversal and other issues in FTP server using Web encodings such as %20; certain manipulations have unusual side effects.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0054REFERENCE:CVE-2002-1451:DESCRIPTION:Trailing space (+ in query string) leads to source code disclosure.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1451REFERENCE:CVE-2000-0293:DESCRIPTION:Filenames with spaces allow arbitrary file deletion when the product does not properly quote them; some overlap with path traversal.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0293REFERENCE:CVE-2001-1567:DESCRIPTION:+ characters in query string converted to spaces before sensitive file/extension (internal space), leading to bypass of access restrictions to the file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1567REFERENCE:CVE-2002-0253:DESCRIPTION:Overlaps infoleak:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0253REFERENCE:CVE-2001-0446:DESCRIPTION:Application server allows remote attackers to read source code for .jsp files by appending a / to 
the requested URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0446REFERENCE:CVE-2004-0334:DESCRIPTION:Bypass Basic Authentication for files using trailing /:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0334REFERENCE:CVE-2001-0893:DESCRIPTION:Read sensitive files with trailing /:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0893REFERENCE:CVE-2001-0892:DESCRIPTION:Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0892REFERENCE:CVE-2004-1814:DESCRIPTION:Directory traversal vulnerability in server allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1814REFERENCE:BID:3518:DESCRIPTION:Source code disclosure:LINK:http://www.securityfocus.com/bid/3518REFERENCE:CVE-2002-1483:DESCRIPTION:Read files with full pathname using multiple internal slash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1483REFERENCE:CVE-1999-1456:DESCRIPTION:Server allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1456REFERENCE:CVE-2004-0578:DESCRIPTION:Server allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0578REFERENCE:CVE-2002-0275:DESCRIPTION:Server allows remote attackers to bypass authentication and read restricted files via an extra / (slash) in the requested URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0275REFERENCE:CVE-2004-1032:DESCRIPTION:Product allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) 
characters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1032REFERENCE:CVE-2002-1238:DESCRIPTION:Server allows remote attackers to bypass access restrictions for files via an HTTP request with a sequence of multiple / (slash) characters such as http://www.example.com///file/.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1238REFERENCE:CVE-2004-1878:DESCRIPTION:Product allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1878REFERENCE:CVE-2005-1365:DESCRIPTION:Server allows remote attackers to execute arbitrary commands via a URL with multiple leading / (slash) characters and .. sequences.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1365REFERENCE:CVE-2000-1050:DESCRIPTION:Access directory using multiple leading slash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1050REFERENCE:CVE-2001-1072:DESCRIPTION:Bypass access restrictions via multiple leading slash, which causes a regular expression to fail.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1072REFERENCE:CVE-2004-0235:DESCRIPTION:Archive extracts to arbitrary files using multiple leading slash in filenames in the archive.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0235REFERENCE:CVE-2002-1078:DESCRIPTION:Directory listings in web server using multiple trailing slash:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1078REFERENCE:CVE-2004-0847:DESCRIPTION:ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) (backslash) or (2) %5C (encoded backslash), aka Path Validation Vulnerability.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0847REFERENCE:CVE-2000-0004:DESCRIPTION:Server allows remote attackers to read source code for executable files by 
inserting a . (dot) into the URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0004REFERENCE:CVE-2002-0304:DESCRIPTION:Server allows remote attackers to read password-protected files via a /./ in the HTTP request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0304REFERENCE:BID:6042:DESCRIPTION:Input Validation error:LINK:http://www.securityfocus.com/bid/6042REFERENCE:CVE-1999-1083:DESCRIPTION:Possibly (could be a cleansing error):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1083REFERENCE:CVE-2004-0815:DESCRIPTION:/./////etc cleansed to .///etc then /etc:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0815REFERENCE:CVE-2002-0112:DESCRIPTION:Server allows remote attackers to view password protected files via /./ in the URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0112REFERENCE:CVE-2004-0696:DESCRIPTION:List directories using desired path and *:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0696REFERENCE:CVE-2002-0433:DESCRIPTION:List files in web server using *.ext:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0433REFERENCE:CVE-2001-1152:DESCRIPTION:Proxy allows remote attackers to bypass blacklist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. 
where the desired file is in the parentdir, (3) a /./, or (4) URL-encoded characters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1152REFERENCE:CVE-2000-0191:DESCRIPTION:application check access for restricted URL before canonicalization:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0191REFERENCE:CVE-2005-1366:DESCRIPTION:CGI source disclosure using dirname/../cgi-bin:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1366REFERENCE:CVE-1999-0012:DESCRIPTION:Multiple web servers allow restriction bypass using 8.3 names instead of long names:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0012REFERENCE:CVE-2001-0795:DESCRIPTION:Source code disclosure using 8.3 file name.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0795REFERENCE:CVE-2005-0471:DESCRIPTION:Multi-Factor Vulnerability. Product generates temporary filenames using long filenames, which become predictable in 8.3 format.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0471","","File or Directory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Path Equivalence::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO02-C:ENTRY NAME:Canonicalize path names originating from untrusted sources::","::3::4::","TYPE:Relationship:NOTE:Some of these manipulations could be effective in path traversal issues, too.::",
  310. 410,"Insufficient Resource Pool",Base,Incomplete,"The software's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.","Frequently the consequence is a flood of connection or sessions.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:400:VIEW ID:1000::NATURE:CanPrecede:CWE ID:400:VIEW ID:699::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Other:NOTE:Availability Integrity Other DoS: Crash, Exit, or Restart Other Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of *other* vulnerabilities, not an insufficient resource pool.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider implementing a velocity check mechanism which would detect abusive behavior.::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider load balancing as an option to handle heavy loads.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make sure that resource handles are properly closed when no longer needed.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Identify the system's resource intensive operations and consider protecting them from abuse (e.g. 
malicious automated script which runs the resources out).::","::REFERENCE:CVE-1999-1363:DESCRIPTION:Large number of locks on file exhausts the pool and causes crash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1363REFERENCE:CVE-2001-1340:DESCRIPTION:Product supports only one connection and does not disconnect a user who does not provide credentials.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1340REFERENCE:CVE-2002-0406:DESCRIPTION:Large number of connections without providing credentials allows connection exhaustion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0406","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Insufficient Resource Pool::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A9:ENTRY NAME:Denial of Service:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:TPS00-J:ENTRY NAME:Use thread pools to enable graceful degradation of service during traffic bursts::","","",
  311. 412,"Unrestricted Externally Accessible Lock",Base,Incomplete,"The software properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.","This prevents the software from acting on associated resources or performing other behaviors that are controlled by the presence of the lock. Relevant locks might include an exclusive lock or mutex, or modifying a shared resource that is treated as a lock. If the lock can be held for an indefinite period of time, then the denial of service could be permanent.","::NATURE:ChildOf:CWE ID:667:VIEW ID:1000:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:410:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (Other) When an attacker can control a lock, the program may wait indefinitely until the attacker releases the lock, causing a denial of service to other users of the program. This is especially problematic if there is a blocking operation on the lock.::","::METHOD:White Box:EFFECTIVENESS::DESCRIPTION:Automated code analysis techniques might not be able to reliably detect this weakness, since the application's behavior and general security model dictate which resource locks are critical. Interpretation of the weakness might require knowledge of the environment, e.g. if the existence of a file is used as a lock, but the file is created in a world-writable directory.::","::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use any access control that is offered by the functionality that is offering the lock.::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use unpredictable names or identifiers for the locks. 
This might not always be possible or feasible.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider modifying your code to use non-blocking synchronization methods.::","::REFERENCE:CVE-2001-0682:DESCRIPTION:Program can not execute when attacker obtains a mutex.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0682REFERENCE:CVE-2002-1914:DESCRIPTION:Program can not execute when attacker obtains a lock on a critical output file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1914REFERENCE:CVE-2002-1915:DESCRIPTION:Program can not execute when attacker obtains a lock on a critical output file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1915REFERENCE:CVE-2002-0051:DESCRIPTION:Critical file can be opened with exclusive read access by user, preventing application of security policy. Possibly related to improper permissions, large-window race condition.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0051REFERENCE:CVE-2000-0338:DESCRIPTION:Chain: predictable file names used for locking, allowing attacker to create the lock beforehand. Resultant from permissions and randomness.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0338REFERENCE:CVE-2000-1198:DESCRIPTION:Chain: Lock files with predictable names. Resultant from randomness.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1198REFERENCE:CVE-2002-1869:DESCRIPTION:Product does not check if it can write to a log file, allowing attackers to avoid logging by accessing the file using an exclusive lock. Overlaps unchecked error condition. 
This is not quite CWE-412, but close.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1869","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Unrestricted Critical Resource Lock::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Deadlock::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A9:ENTRY NAME:Denial of Service:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:LCK00-J:ENTRY NAME:Use private final lock objects to synchronize classes that may interact with untrusted code::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:LCK07-J:ENTRY NAME:Avoid deadlock by requesting and releasing locks in the same order::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP22:ENTRY NAME:Unrestricted lock::","::25::","TYPE:Relationship:NOTE:This overlaps Insufficient Resource Pool when the pool is of size 1. It can also be resultant from race conditions, although the timing window could be quite large in some cases.::",
  312. 413,"Improper Resource Locking",Base,Draft,"The software does not lock or does not correctly lock a resource when the software must have exclusive access to the resource.","When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the software. This might violate the software's assumption that the resource will not change, potentially leading to unexpected behaviors.","::NATURE:ChildOf:CWE ID:667:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Modify Application Data DoS: Instability DoS: Crash, Exit, or Restart::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a non-conflicting privilege scheme.::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use synchronization when locking a resource.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Insufficient Resource Locking::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:VNA00-J:ENTRY NAME:Ensure visibility when accessing shared primitive variables::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:VNA02-J:ENTRY NAME:Ensure that compound operations on shared variables are atomic::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:LCK00-J:ENTRY NAME:Use private final lock objects to synchronize classes that may interact with untrusted code::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP19:ENTRY NAME:Missing Lock::","","",
  313. 414,"Missing Lock Check",Base,Draft,"A product does not check to see if a lock is present before performing sensitive operations on a resource.","","::NATURE:ChildOf:CWE ID:667:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Modify Application Data DoS: Instability DoS: Crash, Exit, or Restart::","","::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Implement a reliable lock mechanism.::","::REFERENCE:CVE-2004-1056:DESCRIPTION:Product does not properly check if a lock is present, allowing other attackers to access functionality.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1056","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Missing Lock Check::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP19:ENTRY NAME:Missing Lock::","","",
  314. 415,"Double Free",Variant,Draft,"The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.","When a program calls free() twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.","::NATURE:ChildOf:CWE ID:666:VIEW ID:1000::NATURE:ChildOf:CWE ID:675:VIEW ID:1000::NATURE:ChildOf:CWE ID:825:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:416:VIEW ID:1000::NATURE:PeerOf:CWE ID:416:VIEW ID:699::NATURE:PeerOf:CWE ID:123:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Double-free:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Choose a language that provides automatic memory management.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. 
If the language is object oriented, ensure that object destructors delete each chunk of memory only once.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a static analysis tool to find double free instances.::","::REFERENCE:CVE-2006-5051:DESCRIPTION:Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051REFERENCE:CVE-2004-0642:DESCRIPTION:Double free resultant from certain error conditions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0642REFERENCE:CVE-2004-0772:DESCRIPTION:Double free resultant from certain error conditions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0772REFERENCE:CVE-2005-1689:DESCRIPTION:Double free resultant from certain error conditions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1689REFERENCE:CVE-2003-0545:DESCRIPTION:Double free from invalid ASN.1 encoding.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0545REFERENCE:CVE-2003-1048:DESCRIPTION:Double free from malformed GIF.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1048REFERENCE:CVE-2005-0891:DESCRIPTION:Double free from malformed GIF.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0891REFERENCE:CVE-2002-0059:DESCRIPTION:Double free from malformed compressed data.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0059","","Memory::","TAXONOMY NAME:PLOVER:ENTRY NAME:DFREE - Double-Free Vulnerability::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Double Free::::TAXONOMY NAME:CLASP:ENTRY NAME:Doubly freeing memory::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM00-C:ENTRY NAME:Allocate and free memory in the same module, at the same level of abstraction::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM01-C:ENTRY NAME:Store a new value in pointers immediately after free()::::TAXONOMY NAME:CERT C Secure Coding:ENTRY 
ID:MEM30-C:ENTRY NAME:Do not access freed memory:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM31-C:ENTRY NAME:Free dynamically allocated memory exactly once::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP12:ENTRY NAME:Faulty Memory Release::","","TYPE:Relationship:NOTE:This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.::::TYPE:Maintenance:NOTE:It could be argued that Double Free would be most appropriately located as a child of Use after Free, but Use and Release are considered to be distinct operations within vulnerability theory, therefore this is more accurately Release of a Resource after Expiration or Release, which doesn't exist yet.::",
  315. 416,"Use After Free",Base,Draft,"Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.","The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system's reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes: Error conditions and other exceptional circumstances. Confusion over which part of the program is responsible for freeing the memory. In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process. If the newly allocated data chances to hold a class, in C++ for example, various function pointers may be scattered within the heap data. 
If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.","::NATURE:ChildOf:CWE ID:825:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:120:VIEW ID:1000::NATURE:CanPrecede:CWE ID:123:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Dangling pointer:DESCRIPTION:::TERM:Use-After-Free:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory:NOTE:Integrity Modify Memory The use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart If chunk consolidation occurs after the use of previously freed data, the process may crash when invalid data is used as chunk information.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands If malicious data is entered before chunk consolidation can take place, it may be possible to take advantage of a write-what-where primitive to execute arbitrary code.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Choose a language that provides automatic memory management.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When freeing pointers, be sure to set them to NULL once they are freed. 
However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.::","::REFERENCE:CVE-2010-4168:DESCRIPTION:Use-after-free triggered by closing a connection while data is still being transmitted.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4168REFERENCE:CVE-2010-2941:DESCRIPTION:Improper allocation for invalid data leads to use-after-free.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2941REFERENCE:CVE-2010-2547:DESCRIPTION:certificate with a large number of Subject Alternate Names not properly handled in realloc, leading to use-after-free:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2547REFERENCE:CVE-2010-1772:DESCRIPTION:Timers are not disabled when a related object is deleted:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1772REFERENCE:CVE-2010-1437:DESCRIPTION:Access to a dead object that is being cleaned up:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1437REFERENCE:CVE-2010-1208:DESCRIPTION:object is deleted even with a non-zero reference count, and later accessed:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1208REFERENCE:CVE-2010-0629:DESCRIPTION:use-after-free involving request containing an invalid version number:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0629REFERENCE:CVE-2010-0378:DESCRIPTION:unload of an object that is currently being accessed by other functionality:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0378REFERENCE:CVE-2010-0302:DESCRIPTION:incorrectly tracking a reference count leads to use-after-free:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0302REFERENCE:CVE-2010-0249:DESCRIPTION:use-after-free related to use of uninitialized memory:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249REFERENCE:CVE-2010-0050:DESCRIPTION:HTML document with incorrectly-nested 
tags:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0050REFERENCE:CVE-2009-3658:DESCRIPTION:Use after free in ActiveX object by providing a malformed argument to a method:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3658REFERENCE:CVE-2009-3616:DESCRIPTION:use-after-free by disconnecting during data transfer, or a message containing incorrect data types:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3616REFERENCE:CVE-2009-3553:DESCRIPTION:disconnect during a large data transfer causes incorrect reference count, leading to use-after-free:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3553REFERENCE:CVE-2009-2416:DESCRIPTION:use-after-free found by fuzzing:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416REFERENCE:CVE-2009-1837:DESCRIPTION:Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1837REFERENCE:CVE-2009-0749:DESCRIPTION:realloc generates new buffer and pointer, but previous pointer is still retained, leading to use after free:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0749REFERENCE:CVE-2010-3328:DESCRIPTION:Use-after-free in web browser, probably resultant from not initializing memory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3328REFERENCE:CVE-2008-5038:DESCRIPTION:use-after-free when one thread accessed memory that was freed by another thread:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5038REFERENCE:CVE-2008-0077:DESCRIPTION:assignment of malformed values to certain properties triggers use after free:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0077REFERENCE:CVE-2006-4434:DESCRIPTION:mail server does not properly handle a long header.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4434REFERENCE:CVE-2010-2753:DESCRIPTION:chain: integer 
overflow leads to use-after-free:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2753REFERENCE:CVE-2006-4997:DESCRIPTION:freed pointer dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4997","","Memory::","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Use After Free::::TAXONOMY NAME:CLASP:ENTRY NAME:Using freed memory::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM00-C:ENTRY NAME:Allocate and free memory in the same module, at the same level of abstraction::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM01-C:ENTRY NAME:Store a new value in pointers immediately after free()::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM30-C:ENTRY NAME:Do not access freed memory:MAPPING FIT:Exact::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP15:ENTRY NAME:Faulty Resource Use::","","",
  316. 419,"Unprotected Primary Channel",Base,Draft,"The software uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.","","::NATURE:ChildOf:CWE ID:923:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not expose administrative functionality on the user UI.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Protect the administrative/restricted functionality with a strong authentication mechanism.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Unprotected Primary Channel::","::383::","",
  317. 42,"Path Equivalence: 'filename.' (Trailing Dot)",Variant,Incomplete,"A software system that accepts path input in the form of trailing dot ('filedir.') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:162:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","","::REFERENCE:CVE-2000-1114:DESCRIPTION:Source code disclosure using trailing dot:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1114REFERENCE:CVE-2002-1986,:DESCRIPTION:Source code disclosure using trailing dot:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1986,REFERENCE:CVE-2004-2213:DESCRIPTION:Source code disclosure using trailing dot:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2213REFERENCE:CVE-2005-3293:DESCRIPTION:Source code disclosure using trailing dot:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3293REFERENCE:CVE-2004-0061:DESCRIPTION:Bypass directory access restrictions using trailing dot in URL:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0061REFERENCE:CVE-2000-1133:DESCRIPTION:Bypass directory access restrictions using trailing dot in URL:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1133REFERENCE:CVE-2001-1386:DESCRIPTION:Bypass check for .lnk extension using .lnk.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1386","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Trailing Dot - 'filedir.'::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
420,"Unprotected Alternate Channel",Base,Draft,"The software protects a primary channel, but it does not use the same level of protection for an alternate channel.","","::NATURE:ChildOf:CWE ID:923:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.::","::REFERENCE:CVE-2002-0567:DESCRIPTION:DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0567REFERENCE:CVE-2002-1578:DESCRIPTION:Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1578REFERENCE:CVE-2003-1035:DESCRIPTION:User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1035REFERENCE:CVE-2002-1863:DESCRIPTION:FTP service cannot be disabled even when other access controls would require it.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1863REFERENCE:CVE-2002-0066:DESCRIPTION:Windows named pipe created without authentication/access control, allowing configuration modification.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0066REFERENCE:CVE-2004-1461:DESCRIPTION:Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1461","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Unprotected Alternate Channel::","","TYPE:Relationship:NOTE:This can be primary to authentication errors, and resultant from unhandled error conditions.::",
421,"Race Condition During Access to Alternate Channel",Base,Draft,"The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.","This creates a race condition that allows an attacker to access the channel before the authorized user does.","::NATURE:ChildOf:CWE ID:420:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:420:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:362:VIEW ID:1000::NATURE:ChildOf:CWE ID:362:VIEW ID:699::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Bypass Protection Mechanism::","","","::REFERENCE:CVE-1999-0351:DESCRIPTION:FTP Pizza Thief vulnerability. Attacker can connect to a port that was intended for use by another client.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0351REFERENCE:CVE-2003-0230:DESCRIPTION:Product creates Windows named pipe during authentication that another attacker can hijack by connecting to it.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0230","","System Process::","TAXONOMY NAME:PLOVER:ENTRY NAME:Alternate Channel Race Condition::","","",
422,"Unprotected Windows Messaging Channel ('Shatter')",Variant,Draft,"The software does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.","","::NATURE:ChildOf:CWE ID:420:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:420:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:360:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always verify and authenticate the source of the message.::","::REFERENCE:CVE-2002-0971:DESCRIPTION:Bypass GUI and access restricted dialog box.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0971REFERENCE:CVE-2002-1230:DESCRIPTION:Gain privileges via Windows message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1230REFERENCE:CVE-2003-0350:DESCRIPTION:A control allows a change to a pointer for a callback function using Windows message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0350REFERENCE:CVE-2003-0908:DESCRIPTION:Product launches Help functionality while running with raised privileges, allowing command execution using Windows message to access open file dialog.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0908REFERENCE:CVE-2004-0213:DESCRIPTION:Attacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0213REFERENCE:CVE-2004-0207:DESCRIPTION:User can call certain API functions to modify certain properties of privileged programs.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0207","","System Process::","TAXONOMY NAME:PLOVER:ENTRY NAME:Unprotected Windows Messaging Channel ('Shatter')::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP30:ENTRY NAME:Missing endpoint authentication::","","TYPE:Relationship:NOTE:Overlaps privilege errors and UI errors.::::TYPE:Research Gap:NOTE:Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such. Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available.::",
424,"Improper Protection of Alternate Path",Class,Draft,"The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.","","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000::NATURE:ChildOf:CWE ID:638:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Deploy different layers of protection to implement security in depth.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Alternate Path Errors::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP35:ENTRY NAME:Insecure resource access::","::127::","",
425,"Direct Request ('Forced Browsing')",Base,Incomplete,"The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.","Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.","::NATURE:ChildOf:CWE ID:862:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:862:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:288:VIEW ID:1000::NATURE:ChildOf:CWE ID:288:VIEW ID:699::NATURE:ChildOf:CWE ID:424:VIEW ID:1000::NATURE:ChildOf:CWE ID:424:VIEW ID:699::NATURE:CanPrecede:CWE ID:471:VIEW ID:1000::NATURE:CanPrecede:CWE ID:98:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:forced browsing:DESCRIPTION:The forced browsing term could be misinterpreted to include weaknesses such as CSRF or XSS, so its use is discouraged.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Read Application Data Modify Application Data Execute Unauthorized Code or Commands Gain Privileges or Assume Identity::","","::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider using MVC-based frameworks such as Struts.::","::REFERENCE:CVE-2004-2144:DESCRIPTION:Bypass authentication via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2144REFERENCE:CVE-2005-1892:DESCRIPTION:Infinite loop or infoleak triggered by direct requests.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1892REFERENCE:CVE-2004-2257:DESCRIPTION:Bypass authentication/authorization via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2257REFERENCE:CVE-2005-1688:DESCRIPTION:Direct request leads to infoleak by error.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1688REFERENCE:CVE-2005-1697:DESCRIPTION:Direct request leads to infoleak by error.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1697REFERENCE:CVE-2005-1698:DESCRIPTION:Direct request leads to infoleak by error.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1698REFERENCE:CVE-2005-1685:DESCRIPTION:Authentication bypass via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1685REFERENCE:CVE-2005-1827:DESCRIPTION:Authentication bypass via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1827REFERENCE:CVE-2005-1654:DESCRIPTION:Authorization bypass using direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1654REFERENCE:CVE-2005-1668:DESCRIPTION:Access privileged functionality using direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1668REFERENCE:CVE-2002-1798:DESCRIPTION:Upload arbitrary files via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1798","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Direct Request aka 'Forced Browsing'::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A10:ENTRY NAME:Failure to Restrict URL Access:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A1:ENTRY NAME:Unvalidated Input:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A2:ENTRY NAME:Broken Access Control:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:34:ENTRY NAME:Predictable Resource Location::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP30:ENTRY NAME:Missing endpoint authentication::","::127::87::","TYPE:Relationship:NOTE:Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.::::TYPE:Theoretical:NOTE:Forced browsing is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. The application does not verify that the first step was performed successfully before the second step. The consequence is typically authentication bypass or path disclosure, although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.::",
426,"Untrusted Search Path",Base,Draft,"The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.","This might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. The problem extends to any type of critical resource that the application trusts. Some of the most common variants of untrusted search path are: In various UNIX and Linux-based systems, the PATH environment variable may be consulted to locate executable programs, and LD_PRELOAD may be used to locate a separate library. In various Microsoft-based systems, the PATH environment variable is consulted to locate a DLL, if the DLL is not found in other paths that appear earlier in the search order.","::NATURE:ChildOf:CWE ID:642:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:673:VIEW ID:1000::NATURE:PeerOf:CWE ID:427:VIEW ID:1000::NATURE:PeerOf:CWE ID:428:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:OS-Independent:OPERATING SYSTEM PREVALENCE:Undetermined::","","::TERM:Untrusted Path:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Execute Unauthorized Code or Commands:NOTE:There is the potential for arbitrary code execution with privileges of the vulnerable program.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:The program could be redirected to the wrong files, potentially triggering a crash or hang when the targeted file is too large or does not have the expected format.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories:NOTE:The program could send the output of unauthorized files to the attacker.::","::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and look for library functions and system calls that suggest when a search path is being used. One pattern is when the program performs multiple accesses of the same file but in different directories, with repeated failures until the proper filename is found. Library calls such as getenv() or their equivalent can be checked to see if any path-related variables are being accessed.::METHOD:Automated Static Analysis:EFFECTIVENESS::DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.::METHOD:Manual Analysis:EFFECTIVENESS::DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.::","::PHASE:Architecture and Design Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-427 and CWE-428.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.::","::REFERENCE:CVE-1999-1120:DESCRIPTION:Application relies on its PATH environment variable to find and execute program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1120REFERENCE:CVE-2008-1810:DESCRIPTION:Database application relies on its PATH environment variable to find and execute program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1810REFERENCE:CVE-2007-2027:DESCRIPTION:Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2027REFERENCE:CVE-2008-3485:DESCRIPTION:Untrusted search path using malicious .EXE in Windows environment.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3485REFERENCE:CVE-2008-2613:DESCRIPTION:setuid program allows compromise using path that finds and loads a malicious library.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2613REFERENCE:CVE-2008-1319:DESCRIPTION:Server allows client to specify the search path, which can be modified to point to a program that the client has uploaded.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1319","::Program Invocation::Code Libraries","System Process::","TAXONOMY NAME:PLOVER:ENTRY NAME:Untrusted Search Path::::TAXONOMY NAME:CLASP:ENTRY NAME:Relative path library search::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ENV03-C:ENTRY NAME:Sanitize the environment when invoking external programs::","::38::","TYPE:Research Gap:NOTE:Search path issues on Windows are under-studied and possibly under-reported.::",
427,"Uncontrolled Search Path Element",Base,Draft,"The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.","Although this weakness can occur with any type of resource, it is frequently introduced when a product uses a directory search path to find executables or code libraries, but the path contains a directory that can be modified by an attacker, such as /tmp or the current working directory. In Windows-based systems, when the LoadLibrary or LoadLibraryEx function is called with a DLL name that does not contain a fully qualified path, the function follows a search order that includes two path elements that might be uncontrolled: the directory from which the program has been loaded, and the current working directory. In some cases, the attack can be conducted remotely, such as when SMB or WebDAV network shares are used. In some Unix-based systems, a PATH might be created that contains an empty element, e.g. by splicing an empty variable into the PATH. This empty element can be interpreted as equivalent to the current working directory, which might be an untrusted search element.","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:OS-Independent:OPERATING SYSTEM PREVALENCE:Undetermined::","","::TERM:DLL preloading:DESCRIPTION:This term is one of several that are used to describe exploitation of untrusted search path elements in Windows systems, which received wide attention in August 2010. From a weakness perspective, the term is imprecise because it can apply to both CWE-426 and CWE-427.::TERM:Binary planting:DESCRIPTION:This term is one of several that are used to describe exploitation of untrusted search path elements in Windows systems, which received wide attention in August 2010. From a weakness perspective, the term is imprecise because it can apply to both CWE-426 and CWE-427.::TERM:Insecure library loading:DESCRIPTION:This term is one of several that are used to describe exploitation of untrusted search path elements in Windows systems, which received wide attention in August 2010. From a weakness perspective, the term is imprecise because it can apply to both CWE-426 and CWE-427.::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","::PHASE:Architecture and Design Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a blacklist approach, it might not be a complete solution.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.::","::REFERENCE:CVE-2010-3402:DESCRIPTION:DLL hijacking issue in document editor.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3402REFERENCE:CVE-2010-3397:DESCRIPTION:DLL hijacking issue in encryption software.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3397REFERENCE:CVE-2010-3138:DESCRIPTION:DLL hijacking issue in library used by multiple media players.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3138REFERENCE:CVE-2010-3152:DESCRIPTION:DLL hijacking issue in illustration program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3152REFERENCE:CVE-2010-3147:DESCRIPTION:DLL hijacking issue in address book.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3147REFERENCE:CVE-2010-3135:DESCRIPTION:DLL hijacking issue in network monitoring software.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3135REFERENCE:CVE-2010-3131:DESCRIPTION:DLL hijacking issue in web browser.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3131REFERENCE:CVE-2010-1795:DESCRIPTION:DLL hijacking issue in music player/organizer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1795REFERENCE:CVE-2002-1576:DESCRIPTION:Product uses the current working directory to find and execute a program, which allows local users to gain privileges by creating a symlink that points to a malicious version of the program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1576REFERENCE:CVE-1999-1461:DESCRIPTION:Product trusts the PATH environment variable to find and execute a program, which allows local users to obtain root access by modifying the PATH to point to a malicious version of that program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1461REFERENCE:CVE-1999-1318:DESCRIPTION:Software uses a search path that includes the current working directory (.), which allows local users to gain privileges via malicious programs.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1318REFERENCE:CVE-2003-0579:DESCRIPTION:Admin software trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0579REFERENCE:CVE-2000-0854:DESCRIPTION:When a document is opened, the directory of that document is first used to locate DLLs, which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0854REFERENCE:CVE-2001-0943:DESCRIPTION:Database trusts the PATH environment variable to find and execute programs, which allows local users to modify the PATH to point to malicious programs.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0943REFERENCE:CVE-2001-0942:DESCRIPTION:Database uses an environment variable to find and execute a program, which allows local users to execute arbitrary programs by changing the environment variable.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0942REFERENCE:CVE-2001-0507:DESCRIPTION:Server uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a malicious file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0507REFERENCE:CVE-2002-2017:DESCRIPTION:Product allows local users to execute arbitrary code by setting an environment variable to reference a malicious program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2017REFERENCE:CVE-1999-0690:DESCRIPTION:Product includes the current directory in root's PATH variable.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0690REFERENCE:CVE-2001-0912:DESCRIPTION:Error during packaging causes product to include a hard-coded, non-standard directory in search path.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0912REFERENCE:CVE-2001-0289:DESCRIPTION:Product searches current working directory for configuration file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0289REFERENCE:CVE-2005-1705:DESCRIPTION:Product searches current working directory for configuration file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1705REFERENCE:CVE-2005-1307:DESCRIPTION:Product executes another program from the current working directory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1307REFERENCE:CVE-2002-2040:DESCRIPTION:Untrusted path.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2040REFERENCE:CVE-2005-2072:DESCRIPTION:Modification of trusted environment variable leads to untrusted path vulnerability.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2072REFERENCE:CVE-2005-1632:DESCRIPTION:Product searches /tmp for modules before other paths.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1632","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Uncontrolled Search Path Element::","::38::471::","TYPE:Relationship:NOTE:Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control).::::TYPE:Maintenance:NOTE:This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification.::",
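Added worked example for the CWE-426 and CWE-427 mitigations above (not MITRE's code; neither entry carries any). It puts two of the listed mitigations into working C, since the entries themselves discuss system(), execl() and execv(): strip search-path elements an unprivileged local user could populate, including the empty element that CWE-427 notes is read as the current directory, and invoke a helper only by fully-qualified path under a fixed environment so the caller's PATH, LD_PRELOAD and LD_LIBRARY_PATH never reach it. The PATH string is constructed for the demo; /bin/sh and /bin/true are assumed to exist as on any POSIX system.

```c
/* Added example for CWE-426/CWE-427 (not MITRE's code; the CWE entries carry
 * none). Two of the listed mitigations in working form: (1) strip search-path
 * elements an unprivileged local user could populate, including the empty
 * element that CWE-427 notes is read as the current directory; (2) invoke a
 * helper only by fully-qualified path, with a fixed environment, so the
 * caller's PATH, LD_PRELOAD and LD_LIBRARY_PATH never reach it. /bin/sh and
 * /bin/true are assumed to exist, as on any POSIX system. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Nonzero for elements an attacker can write to: "" (cwd on most shells),
 * ".", any relative directory, or a shared scratch area. This is the
 * blacklist the CWE text warns is incomplete; it complements a hard-coded
 * path rather than replacing one. */
static int unsafe_element(const char *elem) {
    if (elem[0] != '/') return 1;                     /* "", ".", relative */
    if (strcmp(elem, "/tmp") == 0 || strncmp(elem, "/tmp/", 5) == 0) return 1;
    if (strcmp(elem, "/var/tmp") == 0 || strncmp(elem, "/var/tmp/", 9) == 0) return 1;
    return 0;
}

/* Copy `path` to `out` without unsafe elements. Returns the number removed,
 * or -1 if a buffer is too small. Parsed by hand rather than with strtok(),
 * which would silently swallow the empty element we need to see. */
int sanitize_search_path(const char *path, char *out, size_t outsz) {
    char buf[4096];
    if (strlen(path) >= sizeof buf || outsz == 0) return -1;
    strcpy(buf, path);
    out[0] = '\0';
    int removed = 0;
    size_t used = 0;
    char *p = buf;
    for (;;) {
        char *colon = strchr(p, ':');
        if (colon) *colon = '\0';
        if (unsafe_element(p)) {
            removed++;
        } else {
            size_t n = strlen(p);
            if (used + n + 2 > outsz) return -1;      /* room for ':' and NUL */
            if (used) out[used++] = ':';
            memcpy(out + used, p, n + 1);
            used += n;
        }
        if (!colon) break;
        p = colon + 1;
    }
    return removed;
}

/* Run `prog`, which must be an absolute path, under a fixed environment.
 * Returns the child's exit status, -1 on refusal or error, 127 if execve()
 * itself fails. No search is performed: execve() takes the path literally. */
int run_with_clean_env(const char *prog, char *const argv[]) {
    static char *const clean_env[] = {
        "PATH=/usr/bin:/bin",                          /* hard-coded, known-safe */
        "IFS= \t\n",
        NULL
    };
    if (prog[0] != '/') return -1;                    /* relative name: refuse */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(prog, argv, clean_env);
        _exit(127);                                   /* only reached on failure */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed PATH mixing trusted directories with attacker-reachable ones. */
    char cleaned[256];
    int n = sanitize_search_path("/usr/local/bin:/tmp:.:/usr/bin::/bin", cleaned, sizeof cleaned);
    printf("removed %d unsafe element(s), kept: %s\n", n, cleaned);
    char *const argv[] = { "true", NULL };
    printf("/bin/true exited with %d\n", run_with_clean_env("/bin/true", argv));
    printf("relative name refused: %d\n", run_with_clean_env("true", argv));
    return 0;
}
```

The sanitizer is deliberately not the primary control: as both entries say, the robust fix is a hard-coded path plus fully-qualified invocation, and run_with_clean_env() shows that shape. The blacklist exists for code that must consume an inherited PATH and wants the "::" and "." cases handled explicitly rather than by accident.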
  325. 428,"Unquoted Search Path or Element",Base,Draft,"The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.","If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as C:Program.exe to be run by a privileged program making use of WinExec.","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::OPERATING SYSTEM NAME:Windows NT:OPERATING SYSTEM PREVALENCE:Sometimes::OPERATING SYSTEM NAME:Windows NT:OPERATING SYSTEM PREVALENCE:Sometimes::OPERATING SYSTEM NAME:Windows NT:OPERATING SYSTEM PREVALENCE:Sometimes::OPERATING SYSTEM NAME:macOS:OPERATING SYSTEM PREVALENCE:Rarely::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Properly quote the full search path before executing a program on the system.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. 
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2005-1185:DESCRIPTION:Small handful of others. Program doesn't quote the C:Program Files path when calling a program to be executed - or any other path with a directory or file whose name contains a space - so attacker can put a malicious program.exe into C:.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1185REFERENCE:CVE-2005-2938:DESCRIPTION:CreateProcess() and CreateProcessAsUser() can be misused by applications to allow program.exe style attacks in C::LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2938REFERENCE:CVE-2000-1128:DESCRIPTION:Applies to Common Files folder, with a malicious common.exe, instead of Program Files/program.exe.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1128","::Program Invocation","","TAXONOMY NAME:PLOVER:ENTRY NAME:Unquoted Search Path or Element::","::38::","TYPE:Applicable Platform:NOTE:This weakness could apply to any OS that supports spaces in filenames, especially any OS that make it easy for a user to insert spaces into filenames or folders, such as Windows. 
While spaces are technically supported in Unix, the practice is generally avoided. .::::TYPE:Maintenance:NOTE:This weakness primarily involves the lack of quoting, which is not explicitly stated as a part of CWE-116. CWE-116 also describes output in light of structured messages, but the generation of a filename or search path (as in this weakness) might not be considered a structured message. An additional complication is the relationship to control spheres. Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere, this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control. This is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model needs enhancement or clarification.::::TYPE:Research Gap:NOTE:Under-studied, probably under-reported.::",
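The CWE-428 entry above describes the C:\Program.exe hijack but not the lookup order that makes it work. The following is an added example (it is not part of the CWE data) that models the behaviour documented for CreateProcess when the module path in the command line is unquoted: the string is split at each whitespace, every prefix is tried in turn, and ".exe" is appended to a prefix without an extension. It enumerates the attacker-plantable names for a service ImagePath and produces the quoted form that is the fix. The sample command lines are constructed for the example, and the split between module and arguments assumes the intended module ends in ".exe".

```python
"""Model of the CreateProcess lookup order for an unquoted module path (CWE-428).

Added example, not part of the CWE data.  Follows the behaviour documented for
CreateProcess when lpApplicationName is NULL: an unquoted lpCommandLine is split
at each whitespace character and every prefix is tried as the module name, with
".exe" appended when the prefix has no extension.  The first path that exists on
disk wins, so a writable directory earlier in the chain lets a local user plant a
hijack binary.
"""
import ntpath


def executable_portion(command_line: str) -> str:
    """Best-effort split of the module path from its arguments.

    Assumes the intended module ends in ".exe" (true for Windows services);
    everything after the first ".exe" is treated as arguments.
    """
    idx = command_line.lower().find(".exe")
    return command_line[: idx + 4] if idx != -1 else command_line


def needs_quoting(command_line: str) -> bool:
    """True when the module path is unquoted and contains whitespace (CWE-428)."""
    if command_line.startswith('"'):
        return False
    return " " in executable_portion(command_line)


def module_candidates(command_line: str) -> list[str]:
    """Paths CreateProcess tries, in order, for the module part of command_line.

    A quoted command line yields exactly one candidate; an unquoted one yields
    every whitespace-delimited prefix.  Every candidate except the last is a
    name the attacker chooses, such as C:\\Program.exe.
    """
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return [command_line[1:end]] if end > 0 else []
    tokens = executable_portion(command_line).split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"  # CreateProcess appends .exe to an extension-less prefix
        candidates.append(prefix)
    return candidates


def hijack_targets(command_line: str) -> list[str]:
    """Names an attacker could create so they run instead of the real module."""
    return module_candidates(command_line)[:-1]


def quote_image_path(command_line: str) -> str:
    """Return the command line with its module path quoted (the CWE-428 fix)."""
    if command_line.startswith('"'):
        return command_line
    exe = executable_portion(command_line)
    return f'"{exe}"' + command_line[len(exe):]


if __name__ == "__main__":
    # Constructed sample: a service ImagePath as read from the registry.
    image_path = r"C:\Program Files\My App\svc.exe -service"
    print("unquoted:", needs_quoting(image_path))
    print("tried in order:", module_candidates(image_path))
    print("plantable:", hijack_targets(image_path))
    print("fixed:", quote_image_path(image_path))
```

Running the functions over every service ImagePath (for example the output of `sc qc` or the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services) gives the audit: any entry for which `needs_quoting` is true, and for which an unprivileged user can write to the parent directory of one of the `hijack_targets`, is a local privilege escalation.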
  326. 43,"Path Equivalence: 'filename....' (Multiple Trailing Dot)",Variant,Incomplete,"A software system that accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:42:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:42:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:163:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","","::REFERENCE:BUGTRAQ:20040205:DESCRIPTION:Apache + Resin Reveals JSP Source Code ...:LINK:http://marc.info/?l=bugtraq&m=107605633904122&w=2REFERENCE:CVE-2004-0281:DESCRIPTION:Multiple trailing dot allows directory listing:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0281","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Multiple Trailing Dot - 'filedir....'::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
  327. 430,"Deployment of Wrong Handler",Base,Incomplete,"The wrong handler is assigned to process an object.","An example of deploying the wrong handler would be calling a servlet to reveal source code of a .JSP file, or automatically determining type of the object even if it is contradictory to an explicitly specified type.","::NATURE:ChildOf:CWE ID:691:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:433:VIEW ID:1000::NATURE:PeerOf:CWE ID:434:VIEW ID:1000::","::ORDINALITY:Resultant:DESCRIPTION:This weakness is usually resultant from other weaknesses.::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Varies by Context Unexpected State::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform a type check before interpreting an object.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Reject any inconsistent types, such as a file with a .GIF extension that appears to consist of PHP code.::","::REFERENCE:CVE-2001-0004:DESCRIPTION:Source code disclosure via manipulated file extension that causes parsing by wrong DLL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0004REFERENCE:CVE-2002-0025:DESCRIPTION:Web browser does not properly handle the Content-Type header field, causing a different application to process the document.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0025REFERENCE:CVE-2000-1052:DESCRIPTION:Source code disclosure by directly invoking a servlet.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1052REFERENCE:CVE-2002-1742:DESCRIPTION:Arbitrary Perl functions can be loaded by calling a non-existent function that activates a handler.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1742","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Improper Handler Deployment::","","",
  328. 431,"Missing Handler",Base,Draft,"A handler is not available or implemented.","When an exception is thrown and not caught, the process has given up an opportunity to decide if a given failure or event is worth a change in execution.","::NATURE:ChildOf:CWE ID:691:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:433:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Handle all possible situations (e.g. error condition).::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If an operation can throw an Exception, implement a handler for that specific exception.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Missing Handler::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::","","",
  329. 432,"Dangerous Signal Handler not Disabled During Sensitive Operations",Base,Draft,"The application uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running.","During the execution of a signal handler, it can be interrupted by another handler when a different signal is sent. If the two handlers share state - such as global variables - then an attacker can corrupt the state by sending another signal before the first handler has completed execution.","::NATURE:ChildOf:CWE ID:364:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:364:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Turn off dangerous handlers when performing sensitive operations.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:SIG00-C:ENTRY NAME:Mask signals handled by noninterruptible signal handlers::::TAXONOMY NAME:PLOVER:ENTRY NAME:Dangerous handler not cleared/disabled during sensitive operations::","","",
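The CWE-432 entry's mitigation ("turn off dangerous handlers when performing sensitive operations", CERT SIG00-C) can be shown directly. The following is an added example, not part of the CWE data: a handler and the main flow share a module-level list, a SIGUSR1 is raised against the process in the middle of a two-step operation, and the observed ordering is returned. Without masking the handler runs between the two steps; with SIG_BLOCK around the critical section the signal stays pending until the mask is restored. It uses Python's signal.pthread_sigmask (the equivalent of sigprocmask or a populated sa_mask in C) and assumes a POSIX platform.

```python
"""Masking a signal around a sensitive operation (CWE-432).

Added example, not from the CWE data.  The handler and the main flow share the
module-level list `events`; the "attacker" signal is constructed by signalling
ourselves.  Requires a POSIX platform (signal.pthread_sigmask, SIGUSR1).
"""
import os
import signal

events: list[str] = []  # shared state between the handler and the main flow


def _on_sigusr1(signum, frame):
    # In a real program this would touch the same globals the main flow is
    # mid-way through updating.
    events.append("handler")


def sensitive_operation(mask_signals: bool) -> list[str]:
    """Run two steps that must not interleave with the SIGUSR1 handler.

    Returns the observed ordering of the steps and the handler.
    """
    events.clear()
    previous = signal.signal(signal.SIGUSR1, _on_sigusr1)
    saved_mask = None
    try:
        if mask_signals:
            # Block the dangerous handler for the duration of the critical section.
            saved_mask = signal.pthread_sigmask(signal.SIG_BLOCK, {signal.SIGUSR1})
        # The signal arrives mid-operation (constructed: we raise it ourselves).
        os.kill(os.getpid(), signal.SIGUSR1)
        events.append("step1")
        events.append("step2")
    finally:
        if saved_mask is not None:
            # Restoring the mask delivers the pending SIGUSR1 now, after the
            # critical section, so the handler only ever sees consistent state.
            signal.pthread_sigmask(signal.SIG_SETMASK, saved_mask)
        signal.signal(signal.SIGUSR1, previous if previous is not None else signal.SIG_DFL)
    return list(events)


if __name__ == "__main__":
    print("unmasked:", sensitive_operation(False))
    print("masked:  ", sensitive_operation(True))
```

The same ordering applies to nested handlers: a handler that must not be interrupted by a second signal should be installed with that signal in its sa_mask (sigaction in C), which is what SIG00-C asks for.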
  330. 433,"Unparsed Raw Web Content Delivery",Variant,Incomplete,"The software stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.","If code is stored in a file with an extension such as .inc or .pl, and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components.","::NATURE:ChildOf:CWE ID:219:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform a type check before interpreting files.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not store sensitive information in files which may be misinterpreted.::","::REFERENCE:CVE-2002-1886:DESCRIPTION:.inc file stored under web document root and returned unparsed by the server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1886REFERENCE:CVE-2002-2065:DESCRIPTION:.inc file stored under web document root and returned unparsed by the server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2065REFERENCE:CVE-2005-2029:DESCRIPTION:.inc file stored under web document root and returned unparsed by the server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2029REFERENCE:CVE-2001-0330:DESCRIPTION:direct request to .pl file leaves it unparsed:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0330REFERENCE:CVE-2002-0614:DESCRIPTION:.inc 
file:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0614REFERENCE:CVE-2004-2353:DESCRIPTION:unparsed config.conf file:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2353REFERENCE:CVE-2007-3365:DESCRIPTION:Chain: uppercase file extensions causes web server to return script source code instead of executing the script.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3365","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Unparsed Raw Web Content Delivery::","","TYPE:Relationship:NOTE:This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219).::",
  331. 434,"Unrestricted Upload of File with Dangerous Type",Base,Draft,"The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.","","::NATURE:ChildOf:CWE ID:669:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:669:VIEW ID:1003:ORDINAL:Primary::NATURE:PeerOf:CWE ID:351:VIEW ID:1000::NATURE:PeerOf:CWE ID:436:VIEW ID:1000::NATURE:PeerOf:CWE ID:430:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:This can be primary when there is no check at all.::ORDINALITY:Resultant:DESCRIPTION:This is frequently resultant when use of double extensions (e.g. .php.gif) bypasses a sanity check.::ORDINALITY:Resultant:DESCRIPTION:This can be resultant from client-side enforcement (CWE-602); some products will include web script in web clients to check the filename, without verifying on the server side.::","::LANGUAGE NAME:ASP.NET:LANGUAGE PREVALENCE:Sometimes::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Often:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Web Based:PARADIGN PREVALENCE:Undetermined::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Sometimes::","","::TERM:Unrestricted File Upload:DESCRIPTION:The unrestricted file upload term is used in vulnerability databases and elsewhere, but it is insufficiently precise. The phrase could be interpreted as the lack of restrictions on the size or number of uploaded files, which is a resource consumption issue.::",":::PHASE:Implementation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. 
This is especially true for .asp and .php extensions uploaded to web servers because these file types are often treated as automatically executable, even when file system permissions do not specify execution. For example, in Unix environments, programs typically cannot run unless the execute bit is set, but PHP programs may be executed by the web server without directly invoking them on the operating system.::","::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] 
[REF-423]::PHASE:Architecture and Design:STRATEGY:Enforcement by Conversion:EFFECTIVENESS::DESCRIPTION:When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423]::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. 
For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that filename.php.gif is fed to the PHP interpreter.[REF-422] [REF-423]::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When running on a web server that supports case-insensitive filenames, perform case-insensitive evaluations of the extensions that are provided.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not rely exclusively on sanity checks of file contents to ensure that the file is of the expected type and size. It may be possible for an attacker to hide code in some file segments that will still be executed by the server. For example, GIF images may contain a free-form comments field.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not rely exclusively on the MIME content type or filename attribute when determining how to render a file. 
Validating the MIME content type and ensuring that it matches the extension is only a partial solution.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::PHASE:Architecture and Design Operation:STRATEGY:Sandbox or Jail:EFFECTIVENESS:Limited:DESCRIPTION:Run the code in a jail or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. 
Be careful to avoid CWE-243 and other weaknesses related to jails.::","::REFERENCE:CVE-2001-0901:DESCRIPTION:Web-based mail product stores .shtml attachments that could contain SSI:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0901REFERENCE:CVE-2002-1841:DESCRIPTION:PHP upload does not restrict file types:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1841REFERENCE:CVE-2005-1868:DESCRIPTION:upload and execution of .php file:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1868REFERENCE:CVE-2005-1881:DESCRIPTION:upload file with dangerous extension:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1881REFERENCE:CVE-2005-0254:DESCRIPTION:program does not restrict file types:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0254REFERENCE:CVE-2004-2262:DESCRIPTION:improper type checking of uploaded files:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2262REFERENCE:CVE-2006-4558:DESCRIPTION:Double php extension leaves an active php extension in the generated filename.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4558REFERENCE:CVE-2006-6994:DESCRIPTION:ASP program allows upload of .asp files by bypassing client-side checks:LINK:http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2006-6994REFERENCE:CVE-2005-3288:DESCRIPTION:ASP file upload:LINK:http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2005-3288REFERENCE:CVE-2006-2428:DESCRIPTION:ASP file upload:LINK:http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2006-2428","::File Processing","File or Directory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Unrestricted File Upload::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A3:ENTRY NAME:Malicious File Execution:MAPPING FIT:CWE More Specific::","::1::122::","TYPE:Relationship:NOTE:This can have a chaining relationship with incomplete blacklist / permissive whitelist errors when the product tries, but fails, to properly limit which types of files are allowed (CWE-183, CWE-184). 
This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not remove or quarantine attachments with certain file extensions that can be processed by client systems.::::TYPE:Research Gap:NOTE:PHP applications are most targeted, but this likely applies to other languages that support file upload, as well as non-web technologies. ASP applications have also demonstrated this problem.::",
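The CWE-434 mitigations above are listed one by one; the following is an added example, not part of the CWE data, that applies them together in one server-side check: the client filename is discarded and a random storage name generated, exactly one extension is accepted and compared case-insensitively against a short allowlist with no script or HTML types, the declared MIME type must match that extension, a magic-number check is added as defence in depth (not relied on alone, as the entry warns), and files are stored under a directory outside the web root. The upload directory, the allowlist and the sample inputs are assumptions for the example.

```python
"""Server-side upload validation (CWE-434).

Added example, not from the CWE data.  Combines the CWE-434 mitigations into one
check.  UPLOAD_DIR, ALLOWED and the sample inputs are assumptions.
"""
import secrets
import re
from pathlib import PurePosixPath

# Assumed storage location outside the document root; files are served back
# through an application endpoint, never directly by the web server.
UPLOAD_DIR = PurePosixPath("/srv/app-uploads")

# Allowed extension -> expected MIME type.  No .php/.asp (executed by the
# server) and no .html/.htm (stored XSS, CWE-79).
ALLOWED = {
    "jpg": "image/jpeg",
    "png": "image/png",
    "pdf": "application/pdf",
}

# Leading bytes expected for each allowed type (defence in depth only: a GIF
# comment or a PDF stream can still carry script, so this never replaces the
# extension and storage rules above).
_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}

_EXT_RE = re.compile(r"^[a-z0-9]{1,8}$")


class UploadRejected(ValueError):
    """Raised for any upload that fails validation."""


def validate_upload(client_name: str, declared_mime: str, head: bytes) -> str:
    """Validate an upload and return the server-generated storage name.

    client_name   filename as sent by the browser (untrusted)
    declared_mime Content-Type of the multipart part (untrusted)
    head          first bytes of the file content (untrusted)
    """
    # Drop any client-supplied directory components before looking at the name.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or "." in stem:
        # "shell.php.jpg", ".htaccess" and "noext" are all rejected: exactly one extension.
        raise UploadRejected("filename must have exactly one extension")
    ext = ext.lower()  # .PHP and .php are the same file on case-insensitive servers
    if not _EXT_RE.match(ext) or ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if declared_mime.split(";")[0].strip().lower() != ALLOWED[ext]:
        raise UploadRejected("declared MIME type does not match extension")
    if not head.startswith(_MAGIC[ext]):
        raise UploadRejected("content does not look like the declared type")
    # Never reuse the client name: random name, vetted extension only.
    return f"{secrets.token_hex(16)}.{ext}"


def is_acceptable(client_name: str, declared_mime: str, head: bytes) -> bool:
    """Boolean wrapper around validate_upload."""
    try:
        validate_upload(client_name, declared_mime, head)
        return True
    except UploadRejected:
        return False


def storage_path(stored_name: str) -> PurePosixPath:
    """Absolute path for a name returned by validate_upload (outside the web root)."""
    return UPLOAD_DIR / stored_name


if __name__ == "__main__":
    # Constructed sample inputs.
    jpeg_head = b"\xff\xd8\xff\xe0" + b"\0" * 12
    print(storage_path(validate_upload("Holiday Photo.JPG", "image/jpeg", jpeg_head)))
    for bad in [("shell.php.jpg", "image/jpeg", jpeg_head),
                ("shell.PHP", "image/jpeg", jpeg_head),
                ("pic.jpg", "text/html", jpeg_head),
                ("pic.jpg", "image/jpeg", b"<?php echo 1; ?>")]:
        print(bad[0], "accepted" if is_acceptable(*bad) else "rejected")
```

Because the stored name is generated, the web tier only ever needs a mapping from an application-controlled identifier to that name (the "Enforcement by Conversion" strategy above), and the original filename, if it must be shown to users, is kept as display metadata rather than used on disk.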
  332. 435,"Improper Interaction Between Multiple Correctly-Behaving Entities",Class,Draft,"An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.","When a system or process combines multiple independent components, this often produces new, emergent behaviors at the system level. However, if the interactions between these components are not fully accounted for, some of the emergent behaviors can be incorrect or even insecure.","","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Interaction Error:DESCRIPTION:::TERM:Emergent Fault:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State Varies by Context::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Interaction Errors::","","TYPE:Relationship:NOTE:The Interaction Error term, in CWE and elsewhere, is only intended to describe products that behave according to specification. When one or more of the products do not comply with specifications, then it is more likely to be API Abuse (CWE-227) or an interpretation conflict (CWE-436). This distinction can be blurred in real world scenarios, especially when de facto standards do not comply with specifications, or when there are no standards but there is widespread adoption. As a result, it can be difficult to distinguish these weaknesses during mapping and classification.::",
  333. 436,"Interpretation Conflict",Base,Incomplete,"Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.","This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is expected to behave.","::NATURE:ChildOf:CWE ID:435:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:435:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Unexpected State Varies by Context::","","","::REFERENCE:CVE-2005-1215:DESCRIPTION:Bypass filters or poison web cache using requests with multiple Content-Length headers, a non-standard behavior.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1215REFERENCE:CVE-2002-0485:DESCRIPTION:Anti-virus product allows bypass via Content-Type and Content-Disposition headers that are mixed case, which are still processed by some clients.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0485REFERENCE:CVE-2002-1978:DESCRIPTION:FTP clients sending a command with PASV in the argument can cause firewalls to misinterpret the server's error as a valid response, allowing filter bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1978REFERENCE:CVE-2002-1979:DESCRIPTION:FTP clients sending a command with PASV in the argument can cause firewalls to misinterpret the server's error as a valid response, allowing filter bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1979REFERENCE:CVE-2002-0637:DESCRIPTION:Virus product bypass with spaces between MIME header fields and the : separator, a non-standard message that is accepted by some 
clients.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0637REFERENCE:CVE-2002-1777:DESCRIPTION:AV product detection bypass using inconsistency manipulation (file extension in MIME Content-Type vs. Content-Disposition field).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1777REFERENCE:CVE-2005-3310:DESCRIPTION:CMS system allows uploads of files with GIF/JPG extensions, but if they contain HTML, Internet Explorer renders them as HTML instead of images.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3310REFERENCE:CVE-2005-4260:DESCRIPTION:Interpretation conflict allows XSS via invalid < when a > is expected, which is treated as > by many web browsers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4260REFERENCE:CVE-2005-4080:DESCRIPTION:Interpretation conflict (non-standard behavior) enables XSS because browser ignores invalid characters in the middle of tags.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4080","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Multiple Interpretation Error (MIE)::::TAXONOMY NAME:WASC:ENTRY ID:27:ENTRY NAME:HTTP Response Smuggling::","::105::273::33::","",
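Several of the CWE-436 references are one pattern: an intermediary picks one interpretation of a malformed message while an endpoint picks another (duplicate Content-Length in CVE-2005-1215, whitespace before the colon in CVE-2002-0637, mixed-case field names in CVE-2002-0485). The following is an added example, not part of the CWE data, of the alternative a proxy, cache or scanning gateway should take: parse field names case-insensitively, since the endpoints do, and refuse to forward any message whose framing is ambiguous instead of guessing. The header blocks it is exercised with are constructed for the example.

```python
"""Strict HTTP header-block parsing for an intermediary (CWE-436).

Added example, not from the CWE data.  Raises AmbiguousMessage for inputs that
endpoints are known to read differently rather than choosing one reading.
"""
import re

_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 9110 token
# Fields whose duplication makes framing or routing ambiguous.
_SINGLETON = {"content-length", "transfer-encoding", "host", "content-type"}


class AmbiguousMessage(ValueError):
    """The header block admits more than one reasonable interpretation."""


def parse_headers(block: bytes) -> dict[str, str]:
    """Parse a CRLF-delimited header block into lower-cased name -> value."""
    headers: dict[str, str] = {}
    for raw in block.split(b"\r\n"):
        if raw == b"":
            continue
        if raw[:1] in (b" ", b"\t"):
            raise AmbiguousMessage("obsolete line folding")
        name, sep, value = raw.partition(b":")
        if not sep:
            raise AmbiguousMessage("field line without colon")
        if not _TOKEN.match(name):
            # Catches "Content-Type : x": some clients still honour such a field
            # while a filter that requires an exact name ignores it.
            raise AmbiguousMessage(f"invalid field name {name!r}")
        key = name.decode("ascii").lower()  # field names are case-insensitive
        val = value.strip(b" \t").decode("latin-1")
        if key in headers:
            if key in _SINGLETON:
                # Two Content-Length values: endpoints disagree on where the body ends.
                raise AmbiguousMessage(f"duplicate {key} header")
            headers[key] = headers[key] + ", " + val  # list-valued fields combine
        else:
            headers[key] = val
    if "content-length" in headers:
        if not re.fullmatch(r"[0-9]+", headers["content-length"]):
            raise AmbiguousMessage("non-numeric Content-Length")
        if "transfer-encoding" in headers:
            raise AmbiguousMessage("Content-Length together with Transfer-Encoding")
    return headers


def is_unambiguous(block: bytes) -> bool:
    """Boolean wrapper: True when the block can be forwarded safely."""
    try:
        parse_headers(block)
        return True
    except AmbiguousMessage:
        return False


if __name__ == "__main__":
    # Constructed sample header blocks.
    samples = [
        b"Host: example.test\r\ncontent-TYPE: text/html\r\nAccept: a\r\nAccept: b\r\n\r\n",
        b"Content-Length: 5\r\nContent-Length: 10\r\n\r\n",
        b"Content-Type : text/html\r\n\r\n",
        b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    ]
    for s in samples:
        print(s, "->", "ok" if is_unambiguous(s) else "refused")
```

Rejecting outright, rather than normalising, is deliberate: an intermediary that rewrites an ambiguous message into its own preferred form still has to guess which form the real endpoint would have chosen, and that guess is exactly the interpretation conflict the entry describes.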
  334. 437,"Incomplete Model of Endpoint Features",Base,Incomplete,"A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model.","","::NATURE:ChildOf:CWE ID:436:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:436:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Unexpected State Varies by Context::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Extra Unhandled Features::","","TYPE:Relationship:NOTE:This can be related to interaction errors, although in some cases, one of the endpoints is not performing correctly according to specification.::",
  335. 439,"Behavioral Change in New Version or Environment",Base,Draft,"A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.","","::NATURE:ChildOf:CWE ID:435:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Functional change:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation Varies by Context::","","","::REFERENCE:CVE-2002-1976:DESCRIPTION:Linux kernel 2.2 and above allow promiscuous mode using a different method than previous versions, and ifconfig is not aware of the new method (alternate path property).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1976REFERENCE:CVE-2005-1711:DESCRIPTION:Product uses defunct method from another product that does not return an error code and allows detection avoidance.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1711REFERENCE:CVE-2003-0411:DESCRIPTION:chain: Code was ported from a case-sensitive Unix platform to a case-insensitive Windows platform where filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype text.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0411","","","TAXONOMY NAME:PLOVER:ENTRY NAME:CHANGE Behavioral Change::","","",
  336. 44,"Path Equivalence: 'file.name' (Internal Dot)",Variant,Incomplete,"A software system that accepts path input in the form of internal dot ('file.ordir') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Internal Dot - 'file.ordir'::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",
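The CWE-43 and CWE-44 entries (multiple trailing dot and internal dot) and the CWE-181 note above share one lesson: a check applied to the raw request path is bypassable when the filesystem later canonicalizes that path. The following is an added example, not part of the CWE data. It models the Win32 rules that make 'secret.txt....' and 'secret.txt' the same name (trailing dots and spaces stripped per component, case-insensitive names, either separator), shows the bypass of a raw-path check of the kind behind the CVE-2004-0281 directory-listing reference, and shows the safe order: canonicalize first, then apply every check to the canonical form. The base directory and the protected folder are assumptions.

```python
"""Canonicalize, then validate (CWE-43, CWE-44, CWE-181).

Added example, not from the CWE data.  `canonicalize` models Win32 component
normalization; `is_allowed_raw` shows the bypassable ordering; `resolve` shows
the correct one.  PROTECTED and the base directory are assumptions.
"""
import posixpath

PROTECTED = {"private"}  # folders that must never be served directly


def canonicalize(path: str) -> str:
    """Model of the Win32 normalization applied to each path component."""
    parts = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in (".", ".."):
            parts.append(seg)  # dot segments are collapsed by normpath below
        else:
            parts.append(seg.rstrip(". ").lower())  # 'Secret.TXT....' -> 'secret.txt'
    return posixpath.normpath("/".join(parts))


def is_allowed_raw(request_path: str) -> bool:
    """CWE-181 ordering: checks the raw input; the filesystem canonicalizes later.

    'private..../secret.txt' passes because 'private....' is not literally
    'private', yet the OS opens private/secret.txt.
    """
    return not any(seg in PROTECTED for seg in request_path.split("/"))


def resolve(base: str, request_path: str):
    """Return the file to serve, or None when the canonical path is not acceptable."""
    canon = canonicalize(request_path).lstrip("/")
    full = posixpath.normpath(posixpath.join(base, canon))
    base = base.rstrip("/")
    if full != base and not full.startswith(base + "/"):
        return None  # escaped the document root via '..'
    rel = posixpath.relpath(full, base)
    if any(seg in PROTECTED for seg in rel.split("/")):
        return None  # protected folder reached through an equivalent name
    return full


if __name__ == "__main__":
    # Constructed sample requests against an assumed document root.
    for req in ["docs/readme.txt.", "Private..../Secret.TXT....", "docs/../../etc/passwd"]:
        print(f"{req!r}: raw check {'passes' if is_allowed_raw(req) else 'blocks'}, "
              f"resolve -> {resolve('/var/www', req)}")
```

The same rule covers the Apache and Resin JSP-source reference under CWE-43: the handler mapping was keyed on the raw extension, so 'index.jsp.' missed the JSP handler and the file was returned as text, while the filesystem still opened index.jsp.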
  337. 440,"Expected Behavior Violation",Base,Draft,"A feature, API, or function being used by a product behaves differently than the product expects.","","::NATURE:ChildOf:CWE ID:684:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation Varies by Context::","","","::REFERENCE:CVE-2003-0187:DESCRIPTION:Inconsistency in support of linked lists causes program to use large timeouts on undeserving connections.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0187REFERENCE:CVE-2003-0465:DESCRIPTION:strncpy in Linux kernel acts differently than libc on x86, leading to expected behavior difference - sort of a multiple interpretation error?:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0465REFERENCE:CVE-2005-3265:DESCRIPTION:Buffer overflow in product stems from the use of a third party library function that is expected to have internal protection against overflows, but doesn't.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3265","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Expected behavior violation::","","TYPE:Theoretical:NOTE:The consistency dimension of validity is the most appropriate relevant property of an expected behavior violation. That is, the behavior of the application is not consistent with the expectations of the developer, leading to a violation of the validity property of the software.::",
  338. 441,"Unintended Proxy or Intermediary ('Confused Deputy')",Class,Draft,"The software receives a request, message, or directive from an upstream component, but the software does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the software's control sphere. This causes the software to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.","If an attacker cannot directly contact a target, but the software has access to the target, then the attacker can send a request to the software and have it be forwarded to the target. The request would appear to be coming from the software's system, not the attacker's system. As a result, the attacker can bypass access controls (such as firewalls) or hide the source of malicious requests, since the requests would not be coming directly from the attacker. Since proxy functionality and message-forwarding often serve a legitimate purpose, this issue only becomes a vulnerability when: The software runs with different privileges or on a different system, or otherwise has different levels of access than the upstream component; The attacker is prevented from making the request directly to the target; and The attacker can create a request that the proxy does not explicitly intend to be forwarded on the behalf of the requester. Such a request might point to an unexpected hostname, port number, or service. 
Or, the request might be sent to an allowed service, but the request could contain disallowed directives, commands, or resources.","::NATURE:ChildOf:CWE ID:610:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:610:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:610:VIEW ID:1003:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:668:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Confused Deputy:DESCRIPTION:This weakness is sometimes referred to as the Confused deputy problem, in which an attacker misuses the authority of one victim (the confused deputy) when targeting another victim.::",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Non-Repudiation:SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Hide Activities::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Enforce the use of a strong mutual authentication mechanism between the two parties.::","::REFERENCE:CVE-1999-0017:DESCRIPTION:FTP bounce attack. 
The design of the protocol allows an attacker to modify the PORT command to cause the FTP server to connect to other machines besides the attacker's.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0017REFERENCE:CVE-1999-0168:DESCRIPTION:RPC portmapper could redirect service requests from an attacker to another entity, which thinks the requests came from the portmapper.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0168REFERENCE:CVE-2005-0315:DESCRIPTION:FTP server does not ensure that the IP address in a PORT command is the same as the FTP user's session, allowing port scanning by proxy.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0315REFERENCE:CVE-2002-1484:DESCRIPTION:Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1484REFERENCE:CVE-2004-2061:DESCRIPTION:CGI script accepts and retrieves incoming URLs.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2061REFERENCE:CVE-2001-1484:DESCRIPTION:Bounce attack allows access to TFTP from trusted side.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1484REFERENCE:CVE-2010-1637:DESCRIPTION:Web-based mail program allows internal network scanning using a modified POP3 port number.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1637REFERENCE:CVE-2009-0037:DESCRIPTION:URL-downloading library automatically follows redirects to file:// and scp:// URLs:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Unintended proxy/intermediary::::TAXONOMY NAME:PLOVER:ENTRY NAME:Proxied Trusted Channel::::TAXONOMY NAME:WASC:ENTRY ID:32:ENTRY NAME:Routing Detour::","::141::142::219::465::","TYPE:Relationship:NOTE:This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the 
target's resources that the attacker cannot directly obtain.::::TYPE:Maintenance:NOTE:This could possibly be considered as an emergent resource.::::TYPE:Theoretical:NOTE:It could be argued that the confused deputy is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files.::",
444,"Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')",Base,Incomplete,"When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to smuggle a request to one device without the other device being aware of it.","","::NATURE:ChildOf:CWE ID:436:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:436:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Non-Repudiation:SCOPE:Access Control:TECHNICAL IMPACT:Unexpected State Hide Activities Bypass Protection Mechanism:NOTE:Integrity Non-Repudiation Access Control Unexpected State Hide Activities Bypass Protection Mechanism An attacker could create a request to exploit a number of weaknesses including 1) the request can trick the web server to associate a URL with another URLs webpage and caching the contents of the webpage (web cache poisoning attack), 2) the request can be structured to bypass the firewall protection mechanisms and gain unauthorized access to a web application, and 3) the request can invoke a script or a page that returns client credentials (similar to a Cross Site Scripting attack).::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use only SSL communication.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Terminate the client session after each request.::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Turn all pages to non-cacheable.::","::REFERENCE:CVE-2005-2088:DESCRIPTION:Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088REFERENCE:CVE-2005-2089:DESCRIPTION:Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2089REFERENCE:CVE-2005-2090:DESCRIPTION:Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090REFERENCE:CVE-2005-2091:DESCRIPTION:Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2091REFERENCE:CVE-2005-2092:DESCRIPTION:Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2092REFERENCE:CVE-2005-2093:DESCRIPTION:Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2093REFERENCE:CVE-2005-2094:DESCRIPTION:Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2094","","","TAXONOMY NAME:PLOVER:ENTRY NAME:HTTP Request Smuggling::::TAXONOMY NAME:WASC:ENTRY ID:26:ENTRY NAME:HTTP Request Smuggling::","::105::33::","TYPE:Theoretical:NOTE:Request smuggling can be performed due to a multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation (Transfer-Encoding and Content-Length headers).::",
446,"UI Discrepancy for Security Feature",Base,Incomplete,"The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state.","When the user interface does not properly reflect what the user asks of it, then it can lead the user into a false sense of security. For example, the user might check a box to enable a security option to enable encrypted communications, but the software does not actually enable the encryption. Alternately, the user might provide a restrict ALL' access control rule, but the software only implements restrict SOME.","::NATURE:ChildOf:CWE ID:684:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","","::REFERENCE:CVE-1999-1446:DESCRIPTION:UI inconsistency; visited URLs list not cleared when Clear History option is selected.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1446","","","TAXONOMY NAME:PLOVER:ENTRY NAME:User interface inconsistency::","","TYPE:Relationship:NOTE:This is often resultant.::::TYPE:Maintenance:NOTE:This node is likely a loose composite that could be broken down into the different types of errors that cause the user interface to have incorrect interactions with the underlying security feature.::",
447,"Unimplemented or Unsupported Feature in UI",Base,Draft,"A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented.","","::NATURE:ChildOf:CWE ID:446:VIEW ID:1000::NATURE:ChildOf:CWE ID:446:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:671:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform functionality testing before deploying the application.::","::REFERENCE:CVE-2000-0127:DESCRIPTION:GUI configuration tool does not enable a security option when a checkbox is selected, although that option is honored when manually set in the configuration file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0127REFERENCE:CVE-2001-0863:DESCRIPTION:Router does not implement a specific keyword when it is used in an ACL, allowing filter bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0863REFERENCE:CVE-2001-0865:DESCRIPTION:Router does not implement a specific keyword when it is used in an ACL, allowing filter bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0865REFERENCE:CVE-2004-0979:DESCRIPTION:Web browser does not properly modify security setting when the user sets it.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0979","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Unimplemented or unsupported feature in UI::","","TYPE:Research Gap:NOTE:This issue needs more study, as there are not many examples. It is not clear whether it is primary or resultant.::",
448,"Obsolete Feature in UI",Base,Draft,"A UI function is obsolete and the product does not warn the user.","","::NATURE:ChildOf:CWE ID:446:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:446:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation Varies by Context::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove the obsolete feature from the UI. Warn the user that the feature is no longer supported.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Obsolete feature in UI::","","",
449,"The UI Performs the Wrong Action",Base,Incomplete,"The UI performs the wrong action with respect to the user's request.","","::NATURE:ChildOf:CWE ID:446:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:446:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation Varies by Context::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform extensive functionality testing of the UI. The UI should behave as specified.::","::REFERENCE:CVE-2001-1387:DESCRIPTION:Network firewall accidentally implements one command line option as if it were another, possibly leading to behavioral infoleak.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1387REFERENCE:CVE-2001-0081:DESCRIPTION:Command line option correctly suppresses a user prompt but does not properly disable a feature, although when the product prompts the user, the feature is properly disabled.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0081REFERENCE:CVE-2002-1977:DESCRIPTION:Product does not time out according to user specification, leaving sensitive data available after it has expired.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1977","","","TAXONOMY NAME:PLOVER:ENTRY NAME:The UI performs the wrong action::","","",
45,"Path Equivalence: 'file...name' (Multiple Internal Dot)",Variant,Incomplete,"A software system that accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:44:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:44:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:165:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Multiple Internal Dot - 'file...dir'::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",
450,"Multiple Interpretations of UI Input",Base,Draft,"The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.","","::NATURE:ChildOf:CWE ID:357:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Multiple Interpretations of UI Input::","","",
451,"User Interface (UI) Misrepresentation of Critical Information",Class,Draft,"The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.","If an attacker can cause the UI to display erroneous data, or to otherwise convince the user to display information that appears to come from a trusted source, then the attacker could trick the user into performing the wrong action. This is often a component in phishing attacks, but other kinds of problems exist. For example, if the UI is used to monitor the security state of a system or network, then omitting or obscuring an important indicator could prevent the user from detecting and reacting to a security-critical event. UI misrepresentation can take many forms: Incorrect indicator: incorrect information is displayed, which prevents the user from understanding the true state of the software or the environment the software is monitoring, especially of potentially-dangerous conditions or operations. This can be broken down into several different subtypes. Overlay: an area of the display is intended to give critical information, but another process can modify the display by overlaying another element on top of it. The user is not interacting with the expected portion of the user interface. This is the problem that enables clickjacking attacks, although many other types of attacks exist that involve overlay. Icon manipulation: the wrong icon, or the wrong color indicator, can be influenced (such as making a dangerous .EXE executable look like a harmless .GIF) Timing: the software is performing a state transition or context switch that is presented to the user with an indicator, but a race condition can cause the wrong indicator to be used before the product has fully switched context. The race window could be extended indefinitely if the attacker can trigger an error. Visual truncation: important information could be truncated from the display, such as a long filename with a dangerous extension that is not displayed in the GUI because the malicious portion is truncated. The use of excessive whitespace can also cause truncation, or place the potentially-dangerous indicator outside of the user's field of view (e.g. filename.txt .exe). A different type of truncation can occur when a portion of the information is removed due to reasons other than length, such as the accidental insertion of an end-of-input marker in the middle of an input, such as a NUL byte in a C-style string. Visual distinction: visual information might be presented in a way that makes it difficult for the user to quickly and correctly distinguish between critical and unimportant segments of the display. Homographs: letters from different character sets, fonts, or languages can appear very similar (i.e. may be visually equivalent) in a way that causes the human user to misread the text (for example, to conduct phishing attacks to trick a user into visiting a malicious web site with a visually-similar name as a trusted site). This can be regarded as a type of visual distinction issue.","::NATURE:ChildOf:CWE ID:684:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:221:VIEW ID:1000::NATURE:PeerOf:CWE ID:346:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Non-Repudiation:SCOPE:Access Control:TECHNICAL IMPACT:Hide Activities Bypass Protection Mechanism::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Perform data validation (e.g. syntax, length, etc.) before interpreting the data.::PHASE:Architecture and Design:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Create a strategy for presenting information, and plan for how to display unusual characters.::","::REFERENCE:CVE-2004-2227:DESCRIPTION:Web browser's filename selection dialog only shows the beginning portion of long filenames, which can trick users into launching executables with dangerous extensions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2227REFERENCE:CVE-2001-0398:DESCRIPTION:Attachment with many spaces in filename bypasses dangerous content warning and uses different icon. Likely resultant.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0398REFERENCE:CVE-2001-0643:DESCRIPTION:Misrepresentation and equivalence issue.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0643REFERENCE:CVE-2005-0593:DESCRIPTION:Lock spoofing from several different weaknesses.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0593REFERENCE:CVE-2004-1104:DESCRIPTION:Incorrect indicator: web browser can be tricked into presenting the wrong URL:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1104REFERENCE:CVE-2005-0143:DESCRIPTION:Incorrect indicator: Lock icon displayed when an insecure page loads a binary file loaded from a trusted site.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0143REFERENCE:CVE-2005-0144:DESCRIPTION:Incorrect indicator: Secure lock icon is presented for one channel, while an insecure page is being simultaneously loaded in another channel.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0144REFERENCE:CVE-2004-0761:DESCRIPTION:Incorrect indicator: Certain redirect sequences cause security lock icon to appear in web browser, even when page is not encrypted.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0761REFERENCE:CVE-2004-2219:DESCRIPTION:Incorrect indicator: Spoofing via multi-step attack that causes incorrect information to be displayed in browser address bar.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2219REFERENCE:CVE-2004-0537:DESCRIPTION:Overlay: Wide favorites icon can overlay and obscure address bar:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0537REFERENCE:CVE-2005-2271:DESCRIPTION:Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. origin validation error of a sort?:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2271REFERENCE:CVE-2005-2272:DESCRIPTION:Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. origin validation error of a sort?:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2272REFERENCE:CVE-2005-2273:DESCRIPTION:Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. origin validation error of a sort?:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2273REFERENCE:CVE-2005-2274:DESCRIPTION:Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. origin validation error of a sort?:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2274REFERENCE:CVE-2001-1410:DESCRIPTION:Visual distinction: Browser allows attackers to create chromeless windows and spoof victim's display using unprotected Javascript method.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1410REFERENCE:CVE-2002-0197:DESCRIPTION:Visual distinction: Chat client allows remote attackers to spoof encrypted, trusted messages with lines that begin with a special sequence, which makes the message appear legitimate.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0197REFERENCE:CVE-2005-0831:DESCRIPTION:Visual distinction: Product allows spoofing names of other users by registering with a username containing hex-encoded characters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0831REFERENCE:CVE-2003-1025:DESCRIPTION:Visual truncation: Special character in URL causes web browser to truncate the user portion of the user@domain URL, hiding real domain in the address bar.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1025REFERENCE:CVE-2005-0243:DESCRIPTION:Visual truncation: Chat client does not display long filenames in file dialog boxes, allowing dangerous extensions via manipulations including (1) many spaces and (2) multiple file extensions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0243REFERENCE:CVE-2005-1575:DESCRIPTION:Visual truncation: Web browser file download type can be hidden using whitespace.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1575REFERENCE:CVE-2004-2530:DESCRIPTION:Visual truncation: Visual truncation in chat client using whitespace to hide dangerous file extension.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2530REFERENCE:CVE-2005-0590:DESCRIPTION:Visual truncation: Dialog box in web browser allows user to spoof the hostname via a long user:pass sequence in the URL, which appears before the real hostname.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0590REFERENCE:CVE-2004-1451:DESCRIPTION:Visual truncation: Null character in URL prevents entire URL from being displayed in web browser.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1451REFERENCE:CVE-2004-2258:DESCRIPTION:Miscellaneous -- [step-based attack, GUI] -- Password-protected tab can be bypassed by switching to another tab, then back to original tab.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2258REFERENCE:CVE-2005-1678:DESCRIPTION:Miscellaneous -- Dangerous file extensions not displayed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1678REFERENCE:CVE-2002-0722:DESCRIPTION:Miscellaneous -- Web browser allows remote attackers to misrepresent the source of a file in the File Download dialogue box.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0722","","","TAXONOMY NAME:PLOVER:ENTRY NAME:UI Misrepresentation of Critical Information::","","TYPE:Maintenance:NOTE:This entry could be broken down into smaller entries. It is probably more like a Class than a Base.::::TYPE:Research Gap:NOTE:Misrepresentation problems are frequently studied in web browsers, but there are no known efforts for classifying these kinds of problems in terms of the shortcomings of the interface. In addition, many misrepresentation issues are resultant.::",
453,"Insecure Default Variable Initialization",Base,Draft,"The software, by default, initializes an internal variable with an insecure or less secure value than is possible.","","::NATURE:ChildOf:CWE ID:665:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Sometimes:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data An attacker could gain access to and modify sensitive data or system information.::","","::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Disable or change default settings when they can be used to abuse the system. Since those default settings are shipped with the product they are likely to be known by a potential attacker who is familiar with the product. For instance, default credentials should be changed or the associated accounts should be disabled.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Insecure default variable initialization::","","TYPE:Maintenance:NOTE:This overlaps other categories, probably should be split into separate items.::",
454,"External Initialization of Trusted Variables or Data Stores",Base,Draft,"The software initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.","A software system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an attacker can initialize the variable, then they can influence what the vulnerable system will do.","::NATURE:ChildOf:CWE ID:665:VIEW ID:1000:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:456:VIEW ID:1000::","","::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Sometimes:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data An attacker could gain access to and modify sensitive data or system information.::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid any external control of variables. If necessary, restrict the variables that can be modified using a whitelist, and use a different namespace or naming convention if possible.::","::REFERENCE:CVE-2000-0959:DESCRIPTION:Does not clear dangerous environment variables, enabling symlink attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0959REFERENCE:CVE-2001-0033:DESCRIPTION:Specify alternate configuration directory in environment variable, enabling untrusted path.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0033REFERENCE:CVE-2001-0872:DESCRIPTION:Dangerous environment variable not cleansed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0872REFERENCE:CVE-2001-0084:DESCRIPTION:Specify arbitrary modules using environment variable.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0084","","","TAXONOMY NAME:PLOVER:ENTRY NAME:External initialization of trusted variables or values::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP25:ENTRY NAME:Tainted input to variable::","","TYPE:Relationship:NOTE:Overlaps Missing variable initialization, especially in PHP.::::TYPE:Applicable Platform:NOTE:This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request.::",
455,"Non-exit on Failed Initialization",Base,Draft,"The software does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error, which can cause the software to execute in a less secure fashion than intended by the administrator.","","::NATURE:ChildOf:CWE ID:665:VIEW ID:1000::NATURE:ChildOf:CWE ID:705:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:636:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Modify Application Data Alter Execution Logic:NOTE:Integrity Other Modify Application Data Alter Execution Logic The application could be placed in an insecure state that may allow an attacker to modify sensitive data or allow unintended logic to be executed.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Follow the principle of failing securely when an error occurs. The system should enter a state where it is not vulnerable and will not display sensitive error messages to a potential attacker.::","::REFERENCE:CVE-2005-1345:DESCRIPTION:Product does not trigger a fatal error if missing or invalid ACLs are in a configuration file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1345","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Non-exit on Failed Initialization::","","TYPE:Research Gap:NOTE:Under-studied. These issues are not frequently reported, and it is difficult to find published examples.::",
456,"Missing Initialization of a Variable",Base,Draft,"The software does not initialize critical variables, which causes the execution environment to use unexpected values.","","::NATURE:ChildOf:CWE ID:909:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:89:VIEW ID:1000::NATURE:CanPrecede:CWE ID:120:VIEW ID:1000::NATURE:CanPrecede:CWE ID:98:VIEW ID:1000::NATURE:CanPrecede:CWE ID:457:VIEW ID:1000::NATURE:CanPrecede:CWE ID:457:VIEW ID:699::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Unexpected State Quality Degradation Varies by Context:NOTE:Integrity Other Unexpected State Quality Degradation Varies by Context The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Check that critical variables are initialized.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a static analysis tool to spot non-initialized variables.::","::REFERENCE:CVE-2005-2978:DESCRIPTION:Product uses uninitialized variables for size and index, leading to resultant buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2978REFERENCE:CVE-2005-2109:DESCRIPTION:Internal variable in PHP application is not initialized, allowing external modification.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2109REFERENCE:CVE-2005-2193:DESCRIPTION:Array variable not initialized in PHP application, leading to resultant SQL injection.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2193","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Missing Initialization::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ERR30-C:ENTRY NAME:Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:DCL04-PL:ENTRY NAME:Always initialize local variables:MAPPING FIT:Exact::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:DCL33-PL:ENTRY NAME:Declare identifiers before using them:MAPPING FIT:Imprecise::","","TYPE:Relationship:NOTE:This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested.::::TYPE:Research Gap:NOTE:It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail.::",
  351. 457,"Use of Uninitialized Variable",Variant,Draft,"The code uses a variable that has not been initialized, leading to unpredictable or unintended results.","In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents. In other languages or conditions, a variable that is not explicitly initialized can be given a default value that has security implications, depending on the logic of the program. The presence of an uninitialized variable can sometimes indicate a typographic error in the code.","::NATURE:ChildOf:CWE ID:665:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:665:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Sometimes::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Sometimes::LANGUAGE NAME:Perl:LANGUAGE PREVALENCE:Often::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Often:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Availability Integrity Other Other Initial variables usually contain junk, which can not be trusted for consistency. This can lead to denial of service conditions, or modify control flow in unexpected ways. In some cases, an attacker can pre-initialize the variable using previous actions, which might enable code execution. 
This can cause a race condition if a lock variable check passes when it should not.::SCOPE:Authorization:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Authorization Other Other Strings that are not initialized are especially dangerous, since many functions expect a null at the end -- and only at the end -- of a string.::","","::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Assign all variables to an initial value.::PHASE:Build and Compilation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS::DESCRIPTION:Most compilers will complain about the use of uninitialized variables if warnings are turned on.::PHASE:Implementation Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When using a language that does not require explicit declaration of variables, run or compile the software in a mode that reports undeclared or unknown variables. This may indicate the presence of a typographic error in the variable's name.::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:The choice could be made to use a language that is not susceptible to these issues.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Mitigating technologies such as safe string libraries and container abstractions could be introduced.::","::REFERENCE:CVE-2008-0081:DESCRIPTION:Uninitialized variable leads to code execution in popular desktop application.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0081REFERENCE:CVE-2007-4682:DESCRIPTION:Crafted input triggers dereference of an uninitialized object pointer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4682REFERENCE:CVE-2007-3468:DESCRIPTION:Crafted audio file triggers crash when an uninitialized variable is used.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3468REFERENCE:CVE-2007-2728:DESCRIPTION:Uninitialized random seed variable used.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2728","","","TAXONOMY NAME:CLASP:ENTRY NAME:Uninitialized 
variable::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Uninitialized Variable::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:DCL33-PL:ENTRY NAME:Declare identifiers before using them:MAPPING FIT:Imprecise::","","",
  352. 459,"Incomplete Cleanup",Base,Draft,"The software does not properly clean up and remove temporary or supporting resources after they have been used.","","::NATURE:ChildOf:CWE ID:404:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Insufficient Cleanup:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Other Read Application Data Modify Application Data DoS: Resource Consumption (Other):NOTE:Other Confidentiality Integrity Other Read Application Data Modify Application Data DoS: Resource Consumption (Other) It is possible to overflow the number of temporary files because directories typically have limits on the number of files allowed. This could create a denial of service problem.::","","::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Temporary files and other supporting resources should be deleted/released immediately after they are no longer needed.::","::REFERENCE:CVE-2000-0552:DESCRIPTION:World-readable temporary file not deleted after use.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0552REFERENCE:CVE-2005-2293:DESCRIPTION:Temporary file not deleted after use, leaking database usernames and passwords.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2293REFERENCE:CVE-2002-0788:DESCRIPTION:Interaction error creates a temporary file that can not be deleted due to strong permissions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0788REFERENCE:CVE-2002-2066:DESCRIPTION:Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2066REFERENCE:CVE-2002-2067:DESCRIPTION:Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / 
infoleak).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2067REFERENCE:CVE-2002-2068:DESCRIPTION:Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2068REFERENCE:CVE-2002-2069:DESCRIPTION:Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2069REFERENCE:CVE-2002-2070:DESCRIPTION:Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2070REFERENCE:CVE-2005-1744:DESCRIPTION:Users not logged out when application is restarted after security-relevant changes were made.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1744","::File Processing","","TAXONOMY NAME:PLOVER:ENTRY NAME:Incomplete Cleanup::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A10:ENTRY NAME:Insecure Configuration Management:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO42-C:ENTRY NAME:Close files when they are no longer needed:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM31-C:ENTRY NAME:Free dynamically allocated memory when no longer needed:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO04-J:ENTRY NAME:Release resources when they are no longer needed::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO00-J:ENTRY NAME:Do not operate on files in shared directories::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP14:ENTRY NAME:Failure to release resource::","","TYPE:Relationship:NOTE:CWE-459 is a child of CWE-404 because, while CWE-404 covers any type of improper shutdown or release of a resource, CWE-459 deals specifically with a multi-step shutdown process in which a crucial step for proper cleanup is omitted or impossible. 
That is, CWE-459 deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data.::::TYPE:Relationship:NOTE:Overlaps other categories such as permissions and containment. Concept needs further development. This could be primary (e.g. leading to infoleak) or resultant (e.g. resulting from unhandled error conditions or early termination).::",
  353. 46,"Path Equivalence: 'filename ' (Trailing Space)",Variant,Incomplete,"A software system that accepts path input in the form of trailing space ('filedir ') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:162:VIEW ID:1000::NATURE:CanPrecede:CWE ID:289:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","","::REFERENCE:CVE-2001-0693:DESCRIPTION:Source disclosure via trailing encoded space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0693REFERENCE:CVE-2001-0778:DESCRIPTION:Source disclosure via trailing encoded space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0778REFERENCE:CVE-2001-1248:DESCRIPTION:Source disclosure via trailing encoded space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1248REFERENCE:CVE-2004-0280:DESCRIPTION:Source disclosure via trailing encoded space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0280REFERENCE:CVE-2004-2213:DESCRIPTION:Source disclosure via trailing encoded space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2213REFERENCE:CVE-2005-0622:DESCRIPTION:Source disclosure via trailing encoded space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0622REFERENCE:CVE-2005-1656:DESCRIPTION:Source disclosure via trailing encoded space %20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1656REFERENCE:CVE-2002-1603:DESCRIPTION:Source disclosure via trailing encoded space 
%20:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1603REFERENCE:CVE-2001-0054:DESCRIPTION:Multi-Factor Vulnerability (MVF). directory traversal and other issues in FTP server using Web encodings such as %20; certain manipulations have unusual side effects.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0054REFERENCE:CVE-2002-1451:DESCRIPTION:Trailing space (+ in query string) leads to source code disclosure.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1451","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Trailing Space - 'filedir '::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
  354. 460,"Improper Cleanup on Thrown Exception",Variant,Draft,"The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.","Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening.","::NATURE:ChildOf:CWE ID:459:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:755:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context:NOTE:Other Varies by Context The code could be left in a bad state.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If one breaks from a loop or function by throwing an exception, make sure that cleanup happens or that you should exit the program. Use throwing exceptions sparsely.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Improper cleanup on thrown exception::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR03-J:ENTRY NAME:Restore prior object state on method failure::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR05-J:ENTRY NAME:Do not let checked exceptions escape from a finally block::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:EXP31-PL:ENTRY NAME:Do not suppress or ignore exceptions:MAPPING FIT:Imprecise::","","",
  355. 462,"Duplicate Key in Associative List (Alist)",Base,Incomplete,"Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.","A duplicate key entry -- if the alist is designed properly -- could be used as a constant time replace function. However, duplicate key entries could be inserted by mistake. Because of this ambiguity, duplicate key entries in an association list are not recommended and should not be allowed.","::NATURE:ChildOf:CWE ID:694:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation Varies by Context::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a hash table instead of an alist.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use an alist which checks the uniqueness of hash keys with each entry before inserting the entry.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Duplicate key in associative list (alist)::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ENV02-C:ENTRY NAME:Beware of multiple environment variables with the same effective name::","","",
  356. 463,"Deletion of Data Structure Sentinel",Base,Incomplete,"The accidental deletion of a data-structure sentinel can cause serious programming logic problems.","Often times data-structure sentinels are used to mark structure of the data structure. A common example of this is the null character at the end of strings. Another common example is linked lists which may contain a sentinel to mark the end of the list. It is dangerous to allow this type of control data to be easily accessible. Therefore, it is important to protect from the deletion or modification outside of some wrapper interface which provides safety.","::NATURE:ChildOf:CWE ID:707:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:464:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Availability Other Other Generally this error will cause the data structure to not work properly.::SCOPE:Authorization:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Authorization Other Other If a control character, such as NULL is removed, one may cause resource access control problems.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use an abstraction library to abstract away risky APIs. Not a complete solution.::PHASE:Build and Compilation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. 
Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use OS-level preventative functionality. Not a complete solution.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Deletion of data-structure sentinel::","","",
  357. 464,"Addition of Data Structure Sentinel",Base,Incomplete,"The accidental addition of a data-structure sentinel can cause serious programming logic problems.","Data-structure sentinels are often used to mark the structure of data. A common example of this is the null character at the end of strings or a special sentinel to mark the end of a linked list. It is dangerous to allow this type of control data to be easily accessible. Therefore, it is important to protect from the addition or modification of sentinels.","::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data Generally this error will cause the data structure to not work properly by truncating the data.::","","::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Encapsulate the user from interacting with data sentinels. Validate user input to verify that sentinels are not present.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Proper error checking can reduce the risk of inadvertently introducing sentinel values into data. For example, if a parsing function fails or encounters an error, it might return a value that is the same as the sentinel.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use an abstraction library to abstract away risky APIs. This is not a complete solution.::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use OS-level preventative functionality. 
This is not a complete solution.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Addition of data-structure sentinel::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR03-C:ENTRY NAME:Do not inadvertently truncate a null-terminated byte string::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR06-C:ENTRY NAME:Do not assume that strtok() leaves the parse string unchanged::","","",
  358. 466,"Return of Pointer Value Outside of Expected Range",Base,Draft,"A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.","","::NATURE:ChildOf:CWE ID:119:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Memory Modify Memory::","","","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Illegal Pointer Value::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","TYPE:Maintenance:NOTE:This entry should have a chaining relationship with CWE-119 instead of a parent / child relationship, however the focus of this weakness does not map cleanly to any existing entries in CWE. A new parent is being considered which covers the more generic problem of incorrect return values. There is also an abstract relationship to weaknesses in which one component sends incorrect messages to another component; in this case, one routine is sending an incorrect value to another.::",
  359. 467,"Use of sizeof() on a Pointer Type",Variant,Draft,"The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.","The use of sizeof() on a pointer can sometimes generate useful information. An obvious case is to find out the wordsize on a platform. More often than not, the appearance of sizeof(pointer) indicates a bug.","::NATURE:ChildOf:CWE ID:682:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:131:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Modify Memory Read Memory:NOTE:Integrity Confidentiality Modify Memory Read Memory This error can often cause one to allocate a buffer that is much smaller than what is needed, leading to resultant weaknesses such as buffer overflows.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use expressions such as sizeof(*pointer) instead of sizeof(pointer), unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Use of sizeof() on a pointer type::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR01-C:ENTRY NAME:Do not apply the sizeof operator to a pointer when taking the size of an array::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM35-C:ENTRY NAME:Allocate sufficient memory for an object:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP10:ENTRY NAME:Incorrect Buffer Length Computation::","","",
  360. 468,"Incorrect Pointer Scaling",Base,Incomplete,"In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.","","::NATURE:ChildOf:CWE ID:682:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Memory Modify Memory:NOTE:Confidentiality Integrity Read Memory Modify Memory Incorrect pointer scaling will often result in buffer overflow conditions. Confidentiality can be compromised if the weakness is in the context of a buffer over-read or under-read.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a platform with high-level memory abstractions.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always use array indexing instead of direct pointer manipulation.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use technologies for preventing buffer overflows.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Unintentional pointer scaling::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR39-C:ENTRY NAME:Do not add or subtract a scaled integer to a pointer:MAPPING FIT:Exact::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP08-C:ENTRY NAME:Ensure pointer arithmetic is used correctly::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
  361. 469,"Use of Pointer Subtraction to Determine Size",Base,Draft,"The application subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.","","::NATURE:ChildOf:CWE ID:682:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Gain Privileges or Assume Identity:NOTE:Access Control Integrity Confidentiality Availability Execute Unauthorized Code or Commands Gain Privileges or Assume Identity There is the potential for arbitrary code execution with privileges of the vulnerable program.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Save an index variable. This is the recommended solution. Rather than subtract pointers from one another, use an index variable of the same size as the pointers in question. Use this variable to walk from one pointer to the other and calculate the difference. Always sanity check this number.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Improper pointer subtraction::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR36-C:ENTRY NAME:Do not subtract or compare two pointers that do not refer to the same array:MAPPING FIT:Exact::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP7:ENTRY NAME:Faulty Pointer Use::","","",
  362. 47,"Path Equivalence: ' filename' (Leading Space)",Variant,Incomplete,"A software system that accepts path input in the form of leading space (' filedir') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Leading Space - ' filedir'::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
  363. 470,"Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",Base,Draft,"The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.","If the application uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the application's classpath (CWE-427) or add new entries to the application's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the application.","::NATURE:ChildOf:CWE ID:913:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:610:VIEW ID:1000::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined:::LANGUAGE CLASS:Interpreted:LANGUAGE PREVALENCE:Sometimes::","","::TERM:Reflection Injection:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Alter Execution Logic:NOTE:Integrity Confidentiality Availability Other Execute Unauthorized Code or Commands Alter Execution Logic The attacker might be able to execute code that is not directly accessible to the attacker. 
Alternately, the attacker could call unexpected code in the wrong place or the wrong time, possibly modifying critical system state.::SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Other:NOTE:Availability Other DoS: Crash, Exit, or Restart Other The attacker might be able to use reflection to call the wrong code, possibly with unexpected arguments that violate the API (CWE-227). This could cause the application to exit or hang.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data By causing the wrong code to be invoked, the attacker might be able to trigger a runtime error that leaks sensitive information in the error message, such as CWE-536.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Refactor your code to avoid using reflection.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use user-controlled inputs to select and load classes or code.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Apply strict input validation by using whitelists or indirect selection to ensure that the user is only selecting allowable classes or code.::","::REFERENCE:CVE-2004-2331:DESCRIPTION:Database system allows attackers to bypass sandbox restrictions by using the Reflection APi.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2331","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Unsafe Reflection::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SEC06-J:ENTRY NAME:Do not use reflection to increase accessibility of classes, methods, or fields::","","",
  364. 471,"Modification of Assumed-Immutable Data (MAID)",Base,Draft,"The software does not properly protect an assumed-immutable element from being modified by an attacker.","This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are not, such as hidden form fields in web applications, cookies, and reverse DNS lookups.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data Common data types that are attacked are environment variables, web application parameters, and HTTP headers.::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE:Architecture and Design Operation Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When the data is stored or transmitted through untrusted sources that could modify the data, implement integrity checks to detect unauthorized modification, or store/transmit the data in a trusted location that is free from external influence.::","::REFERENCE:CVE-2002-1757:DESCRIPTION:Relies on $PHP_SELF variable for authentication.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1757REFERENCE:CVE-2005-1905:DESCRIPTION:Gain privileges by modifying assumed-immutable code addresses that are accessed by a driver.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1905","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Modification of Assumed-Immutable Data::","::384::385::386::387::388::","TYPE:Relationship:NOTE:MAID issues can be primary to many other weaknesses, and they are a major factor in languages that provide easy access to internal program constructs, such as PHP's register_globals and similar 
features. However, MAID issues can also be resultant from weaknesses that modify internal state; for example, a program might validate some data and store it in memory, but a buffer overflow could overwrite that validated data, leading to a change in program logic.::::TYPE:Theoretical:NOTE:There are many examples where the MUTABILITY property is a major factor in a vulnerability.::",
  365. 472,"External Control of Assumed-Immutable Web Parameter",Base,Draft,"The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.","If a web product does not properly protect assumed-immutable values from modification in hidden form fields, parameters, cookies, or URLs, this can lead to modification of critical data. Web applications often mistakenly make the assumption that data passed to the client in hidden fields or cookies is not susceptible to tampering. Improper validation of data that are user-controllable can lead to the application processing incorrect, and often malicious, input. For example, custom cookies commonly store session data or persistent data across sessions. This kind of session data is normally involved in security related decisions on the server side, such as user authentication and access control. Thus, the cookies might contain sensitive data such as user credentials and privileges. This is a dangerous practice, as it can often lead to improper reliance on the value of the client-provided cookie by the server side application.","::NATURE:ChildOf:CWE ID:642:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:471:VIEW ID:1000::NATURE:ChildOf:CWE ID:471:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Assumed-Immutable Parameter Tampering:DESCRIPTION:::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data Without appropriate protection mechanisms, the client can easily tamper with cookies and similar web data. Reliance on the cookies without detailed validation can lead to problems such as SQL injection. 
If you use cookie values for security related decisions on the server side, manipulating the cookies might lead to violations of security policies such as authentication bypassing, user impersonation and privilege escalation. In addition, storing sensitive data in the cookie without appropriate protection can also lead to disclosure of sensitive user data, especially data stored in persistent cookies.::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). 
Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-0108:DESCRIPTION:Forum product allows spoofed messages of other users via hidden form fields for name and e-mail address.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0108REFERENCE:CVE-2000-0253:DESCRIPTION:Shopping cart allows price modification via hidden form field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0253REFERENCE:CVE-2000-0254:DESCRIPTION:Shopping cart allows price modification via hidden form field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0254REFERENCE:CVE-2000-0926:DESCRIPTION:Shopping cart allows price modification via hidden form field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0926REFERENCE:CVE-2000-0101:DESCRIPTION:Shopping cart allows price modification via hidden form field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0101REFERENCE:CVE-2000-0102:DESCRIPTION:Shopping cart allows price modification via hidden form field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0102REFERENCE:CVE-2000-0758:DESCRIPTION:Allows admin access by modifying value of form field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0758REFERENCE:CVE-2002-1880:DESCRIPTION:Read messages by modifying message ID parameter.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1880REFERENCE:CVE-2000-1234:DESCRIPTION:Send email to arbitrary users by modifying email parameter.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1234REFERENCE:CVE-2005-1652:DESCRIPTION:Authentication bypass by setting a parameter.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1652REFERENCE:CVE-2005-1784:DESCRIPTION:Product does not check authorization for configuration change admin script, leading to password theft via modified e-mail address 
field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1784REFERENCE:CVE-2005-2314:DESCRIPTION:Logic error leads to password disclosure.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2314REFERENCE:CVE-2005-1682:DESCRIPTION:Modification of message number parameter allows attackers to read other people's messages.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1682","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Web Parameter Tampering::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A4:ENTRY NAME:Insecure Direct Object Reference:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A1:ENTRY NAME:Unvalidated Input:MAPPING FIT:CWE More Specific::","::146::31::39::","TYPE:Relationship:NOTE:This is a primary weakness for many other weaknesses and functional consequences, including XSS, SQL injection, path disclosure, and file inclusion.::::TYPE:Theoretical:NOTE:This is a technology-specific MAID problem.::",
  366. 473,"PHP External Variable Modification",Variant,Draft,"A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise.","","::NATURE:ChildOf:CWE ID:471:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:471:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:98:VIEW ID:1000::","","::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data::","","::PHASE:Requirements Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Carefully identify which variables can be controlled or influenced by an external user, and consider adopting a naming convention to emphasize when externally modifiable variables are being used. An application should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking is performed when relying on input from outside a trust boundary. Do not allow your application to run with register_globals enabled. 
If you implement a register_globals emulator, be extremely careful of variable extraction, dynamic evaluation, and similar issues, since weaknesses in your emulation could allow external variable modification to take place even without register_globals.::","::REFERENCE:CVE-2000-0860:DESCRIPTION:File upload allows arbitrary file read by setting hidden form variables to match internal variable names.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0860REFERENCE:CVE-2001-0854:DESCRIPTION:Mistakenly trusts $PHP_SELF variable to determine if include script was called by its parent.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0854REFERENCE:CVE-2002-0764:DESCRIPTION:PHP remote file inclusion by modified assumed-immutable variable.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0764REFERENCE:CVE-2001-1025:DESCRIPTION:Modify key variable when calling scripts that don't load a library that initializes it.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1025REFERENCE:CVE-2003-0754:DESCRIPTION:Authentication bypass by modifying array used for authentication.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0754","","","TAXONOMY NAME:PLOVER:ENTRY NAME:PHP External Variable Modification::","::77::","TYPE:Relationship:NOTE:This is a language-specific instance of Modification of Assumed-Immutable Data (MAID). This can be resultant from direct request (alternate path) issues. It can be primary to weaknesses such as PHP file inclusion, SQL injection, XSS, authentication bypass, and others.::",
  367. 474,"Use of Function with Inconsistent Implementations",Base,Draft,"The code uses a function that has inconsistent implementations across operating systems and versions.","The use of inconsistent implementations can cause changes in behavior when the code is ported or built under a different environment than the programmer expects, which can lead to security problems in some cases. The implementation of many functions varies by platform, and at times, even by different versions of the same platform. Implementation differences can include: Slight differences in the way parameters are interpreted leading to inconsistent results. Some implementations of the function carry significant security risks. The function might not be defined on all platforms. The function might change which return codes it can provide, or change the meaning of its return codes.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Often::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Often:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation Varies by Context::","","::PHASE:Architecture and Design Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not accept inconsistent behavior from the API specifications when the deviant behavior increases the risk level.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Inconsistent Implementations::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  368. 475,"Undefined Behavior for Input to API",Base,Incomplete,"The behavior of this function is undefined unless its control parameter is set to a specific value.","","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation Varies by Context::","","","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Undefined Behavior::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","TYPE:Other:NOTE:The Linux Standard Base Specification 2.0.1 for libc places constraints on the arguments to some internal functions [21]. If the constraints are not met, the behavior of the functions is not defined. It is unusual for this function to be called directly. It is almost always invoked through a macro defined in a system header file, and the macro ensures that the following constraints are met: The value 1 must be passed to the third parameter (the version number) of the following file system function: __xmknod The value 2 must be passed to the third parameter (the group argument) of the following wide character string functions: __wcstod_internal __wcstof_internal __wcstol_internal __wcstold_internal __wcstoul_internal The value 3 must be passed as the first parameter (the version number) of the following file system functions: __xstat __lxstat __fxstat __xstat64 __lxstat64 __fxstat64::",
  369. 476,"NULL Pointer Dereference",Base,Draft,"A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.","NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:NULL pointer dereferences are frequently resultant from rarely encountered error conditions, since these are most likely to escape detection during the testing phases.::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart NULL pointer dereferences usually result in the failure of the process unless exception handling (on some platforms) is available and implemented. Even when exception handling is being used, it can still be very difficult to return the software to a safe state of operation.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands In very rare circumstances and environments, code execution is possible.::","::METHOD:Automated Dynamic Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If all pointers that could have been modified are sanity-checked previous to use, nearly all NULL pointer dereferences can be prevented.::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:The choice could be made to use a language that is not susceptible to these issues.::PHASE:Implementation:STRATEGY::EFFECTIVENESS:Moderate:DESCRIPTION:Check the results of all functions that return a value and verify that the value is non-null before acting upon it.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. 
This is not a perfect solution, since 100% accuracy and coverage are not feasible.::","::REFERENCE:CVE-2005-3274:DESCRIPTION:race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3274REFERENCE:CVE-2002-1912:DESCRIPTION:large number of packets leads to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1912REFERENCE:CVE-2005-0772:DESCRIPTION:packet with invalid error status value triggers NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0772REFERENCE:CVE-2009-4895:DESCRIPTION:chain: race condition for an argument value, possibly resulting in NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4895REFERENCE:CVE-2009-3547:DESCRIPTION:chain: race condition might allow resource to be released before operating on it, leading to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547REFERENCE:CVE-2009-3620:DESCRIPTION:chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3620REFERENCE:CVE-2009-2698:DESCRIPTION:chain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698REFERENCE:CVE-2009-2692:DESCRIPTION:chain: uninitialized function pointers can be dereferenced allowing code execution:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692REFERENCE:CVE-2009-0949:DESCRIPTION:chain: improper initialization of memory can lead to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0949REFERENCE:CVE-2008-3597:DESCRIPTION:chain: game server can access player data structures before 
initialization has happened leading to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3597REFERENCE:CVE-2008-5183:DESCRIPTION:chain: unchecked return value can lead to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183REFERENCE:CVE-2004-0079:DESCRIPTION:SSL software allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0079REFERENCE:CVE-2004-0365:DESCRIPTION:Network monitor allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0365REFERENCE:CVE-2003-1013:DESCRIPTION:Network monitor allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1013REFERENCE:CVE-2003-1000:DESCRIPTION:Chat client allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1000REFERENCE:CVE-2004-0389:DESCRIPTION:Server allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0389REFERENCE:CVE-2004-0119:DESCRIPTION:OS allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted request during authentication protocol selection.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0119REFERENCE:CVE-2004-0458:DESCRIPTION:Game allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer 
dereference.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0458REFERENCE:CVE-2002-0401:DESCRIPTION:Network monitor allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause a NULL pointer dereference.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0401","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Null Dereference::::TAXONOMY NAME:CLASP:ENTRY NAME:Null-pointer dereference::::TAXONOMY NAME:PLOVER:ENTRY NAME:Null Dereference (Null Pointer Dereference)::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A9:ENTRY NAME:Denial of Service:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP34-C:ENTRY NAME:Do not dereference null pointers:MAPPING FIT:Exact::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP7:ENTRY NAME:Faulty Pointer Use::","","",
  370. 477,"Use of Obsolete Function",Base,Draft,"The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.","As programming languages evolve, functions occasionally become obsolete due to: Advances in the language Improved understanding of how operations should be performed effectively and securely Changes in the conventions that govern certain operations Functions that are removed are usually replaced by newer counterparts that perform the same task in some different and hopefully improved way.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Automated Static Analysis - Source 
Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Automated Static Analysis:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Origin Analysis::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Refer to the documentation for the obsolete function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality.::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider seriously the security implications of using an obsolete function. Consider using alternate functions.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Obsolete::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:DCL30-PL:ENTRY NAME:Do not import deprecated modules:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:EXP30-PL:ENTRY NAME:Do not use deprecated or obsolete functions or modules:MAPPING FIT:CWE More Specific::","","",
  371. 478,"Missing Default Case in Switch Statement",Variant,Draft,"The code does not have a default case in a switch statement, which might lead to complex logical errors and resultant weaknesses.","This flaw represents a common problem in software development, in which not all possible values for a variable are considered or handled by a given process. Because of this, further decisions are made based on poor information, and cascading failure results. This cascading failure may result in any number of security issues, and constitutes a significant failure in the system.","::NATURE:ChildOf:CWE ID:1023:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Varies by Context Alter Execution Logic:NOTE:Integrity Varies by Context Alter Execution Logic Depending on the logical circumstances involved, any consequences may result: e.g., issues of confidentiality, authentication, authorization, availability, integrity, accountability, or non-repudiation.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that there are no unaccounted for cases, when adjusting flow or values based on the value of a given variable. In switch statements, this can be accomplished through the use of the default label.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:In the case of switch style statements, the very simple act of creating a default case can mitigate this situation, if done correctly. Often however, the default case is used simply to represent an assumed option, as opposed to working as a check for invalid input. 
This is poor practice and in some cases is as bad as omitting a default case entirely.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Failure to account for default case in switch::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::","","",
  372. 479,"Signal Handler Use of a Non-reentrant Function",Variant,Draft,"The program defines a signal handler that calls a non-reentrant function.","Non-reentrant functions are functions that cannot safely be called, interrupted, and then recalled before the first call has finished without resulting in memory corruption. This can lead to an unexpected system state and unpredictable results with a variety of potential consequences depending on context, including denial of service and code execution. Many functions are not reentrant, but some of them can result in the corruption of memory if they are used in a signal handler. The function call syslog() is an example of this. In order to perform its functionality, it allocates a small amount of memory as scratch space. If syslog() is suspended by a signal call and the signal handler calls syslog(), the memory used by both of these functions enters an undefined, and possibly, exploitable state. Implementations of malloc() and free() manage metadata in global structures in order to track which memory is allocated versus which memory is available, but they are non-reentrant. 
Simultaneous calls to these functions can cause corruption of the metadata.","::NATURE:ChildOf:CWE ID:828:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:828:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:663:VIEW ID:1000::NATURE:ChildOf:CWE ID:663:VIEW ID:699::NATURE:CanPrecede:CWE ID:123:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands It may be possible to execute arbitrary code through the use of a write-what-where condition.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data Signal race conditions often result in data corruption.::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Require languages or libraries that provide reentrant functionality, or otherwise make it easier to avoid this weakness.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Design signal handlers to only set flags rather than perform complex functionality.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that non-reentrant functions are not found in signal handlers.::PHASE:Implementation:STRATEGY::EFFECTIVENESS:Defense in Depth:DESCRIPTION:Use sanity checks to reduce the timing window for exploitation of race conditions. 
This is only a partial solution, since many attacks might fail, but other attacks still might work within the narrower window, even accidentally.::","::REFERENCE:CVE-2005-0893:DESCRIPTION:signal handler calls function that ultimately uses malloc():LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0893REFERENCE:CVE-2004-2259:DESCRIPTION:SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2259","","System Process::","TAXONOMY NAME:CLASP:ENTRY NAME:Unsafe function call from a signal handler::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:SIG30-C:ENTRY NAME:Call only asynchronous-safe functions within signal handlers:MAPPING FIT:Exact::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:SIG34-C:ENTRY NAME:Do not call signal() from within interruptible signal handlers::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:EXP01-J:ENTRY NAME:Never dereference null pointers::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  373. 48,"Path Equivalence: 'file name' (Internal Whitespace)",Variant,Incomplete,"A software system that accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","","::REFERENCE:CVE-2000-0293:DESCRIPTION:Filenames with spaces allow arbitrary file deletion when the product does not properly quote them; some overlap with path traversal.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0293REFERENCE:CVE-2001-1567:DESCRIPTION:+ characters in query string converted to spaces before sensitive file/extension (internal space), leading to bypass of access restrictions to the file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1567","","","TAXONOMY NAME:PLOVER:ENTRY NAME:file(SPACE)name (internal space)::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A9:ENTRY NAME:Denial of Service:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","TYPE:Relationship:NOTE:This weakness is likely to overlap quoting problems, e.g. the Program Files unquoted search path (CWE-428). It also could be an equivalence issue if filtering removes all extraneous spaces.::::TYPE:Relationship:NOTE:Whitespace can be a factor in other weaknesses not directly related to equivalence. It can also be used to spoof icons or hide files with dangerous names (see icon manipulation and visual truncation in CWE-451).::",
  374. 480,"Use of Incorrect Operator",Base,Draft,"The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways.","These types of errors are generally the result of a typo.","::NATURE:ChildOf:CWE ID:670:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Sometimes::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Sometimes::LANGUAGE NAME:Perl:LANGUAGE PREVALENCE:Sometimes:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Alter Execution Logic:NOTE:Other Alter Execution Logic This weakness can cause unintended logic to be executed and other unexpected application behavior.::","::METHOD:Automated Static Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::METHOD:Manual Static Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::","","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Using the wrong operator::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP45-C:ENTRY NAME:Do not perform assignments in selection statements:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP46-C:ENTRY NAME:Do not use a bitwise operator with a Boolean-like operand:MAPPING FIT:CWE More Abstract::","","",
  375. 481,"Assigning instead of Comparing",Variant,Draft,"The code uses an operator for assignment when the intention was to perform a comparison.","In many languages, the compare statement is very close in appearance to the assignment statement, and the two are often confused. This bug is generally the result of a typo and usually causes obvious problems with program execution. If the comparison is in an if statement, the if statement will usually evaluate the value of the right-hand side of the predicate.","::NATURE:ChildOf:CWE ID:480:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:480:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:697:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Alter Execution Logic::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Many IDEs and static analysis products will detect this problem.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Place constants on the left. If one attempts to assign a constant with a variable, the compiler will of course produce an error.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Assigning instead of comparing::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP45-C:ENTRY NAME:Do not perform assignments in selection statements:MAPPING FIT:CWE More Abstract::","","",
  376. 482,"Comparing instead of Assigning",Variant,Draft,"The code uses an operator for comparison when the intention was to perform an assignment.","In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused.","::NATURE:ChildOf:CWE ID:480:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:480:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State:NOTE:Availability Integrity Unexpected State The assignment will not take place, which should cause obvious program execution problems.::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Many IDEs and static analysis products will detect this problem.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Comparing instead of assigning::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP2:ENTRY NAME:Unused Entities::","","",
  377. 483,"Incorrect Block Delimitation",Variant,Draft,"The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.","In some languages, braces (or other delimiters) are optional for blocks. When the delimiter is omitted, it is possible to insert a logic error in which a statement is thought to be in a block but is not. In some cases, the logic error can have security implications.","::NATURE:ChildOf:CWE ID:670:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Sometimes::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Sometimes::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Alter Execution Logic:NOTE:Confidentiality Integrity Availability Alter Execution Logic This is a general logic error which will often lead to obviously-incorrect behaviors that are quickly noticed and fixed. In lightly tested or untested code, this error may be introduced into a production environment and provide additional attack vectors by creating a control flow path leading to an unexpected state in the application. The consequences will depend on the types of behaviors that are being incorrectly executed.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always use explicit block delimitation and use static-analysis technologies to enforce this practice.::","::REFERENCE:CVE-2014-1266:DESCRIPTION:incorrect indentation of goto statement makes it more difficult to detect an incorrect goto (Apple's goto fail):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1266","","","TAXONOMY NAME:CLASP:ENTRY NAME:Incorrect block delimitation::","","",
  378. 484,"Omitted Break Statement in Switch",Base,Draft,"The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.","This can lead to critical code executing in situations where it should not.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000::NATURE:ChildOf:CWE ID:670:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Alter Execution Logic:NOTE:Other Alter Execution Logic This weakness can cause unintended logic to be executed and other unexpected application behavior.::","::METHOD:White Box:EFFECTIVENESS::DESCRIPTION:Omission of a break statement might be intentional, in order to support fallthrough. Automated detection methods might therefore be erroneous. Semantic understanding of expected program behavior is required to interpret whether the code is correct.::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:Since this weakness is associated with a code construct, it would be indistinguishable from other errors that produce the same behavior.::","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Omitting a break statement so that one may fall through is often indistinguishable from an error, and therefore should be avoided. 
If you need to use fall-through capabilities, make sure that you have clearly documented this within the switch statement, and ensure that you have examined all the logical possibilities.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:The functionality of omitting a break statement could be clarified with an if statement. This method is much safer.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Omitted break statement::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::","","",
  379. 486,"Comparison of Classes by Name",Variant,Draft,"The program compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.","If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types.","::NATURE:ChildOf:CWE ID:1025:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands If a program relies solely on the name of an object to determine identity, it may execute the incorrect or unintended code.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use class equivalency to determine type. Rather than use the class name to determine if an object is of a given type, use the getClass() method, and == operator.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Comparing Classes by Name::::TAXONOMY NAME:CLASP:ENTRY NAME:Comparing classes by name::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:OBJ09-J:ENTRY NAME:Compare classes and not class names::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
  380. 487,"Reliance on Package-level Scope",Variant,Incomplete,"Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.","The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Any data in a Java package can be accessed outside of the Java framework if the package is distributed.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data The data in a Java class can be modified by anyone outside of the Java framework if the package is distributed.::","","::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Data should be private static and final whenever possible. This will assure that your code is protected by instantiating early, preventing access and tampering.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Relying on package-level scope::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MET04-J:ENTRY NAME:Do not increase the accessibility of overridden or hidden methods::","","",
  381. 488,"Exposure of Data Element to Wrong Session",Variant,Draft,"The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.","Data can bleed from one session to another through member variables of singleton objects, such as Servlets, and objects from a shared pool. In the case of Servlets, developers sometimes do not understand that, unless a Servlet implements the SingleThreadModel interface, the Servlet is a singleton; there is only one instance of the Servlet, and that single instance is used and re-used to handle multiple requests that are processed simultaneously by different threads. A common result is that developers use Servlet member fields in such a way that one user may inadvertently see another user's data. In other words, storing user data in Servlet member fields introduces a data access race condition.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:269:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Protect the application's sessions from information leakage. Make sure that a session's data is not used or visible by other sessions.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a static analysis tool to scan the code for information leakage vulnerabilities (e.g. Singleton Member Field).::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:In a multithreading environment, storing user data in Servlet member fields introduces a data access race condition. Do not use member fields to store information in the Servlet.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Data Leaking Between Users::","::59::60::","",
  382. 489,"Leftover Debug Code",Base,Draft,"The application can be deployed with active debugging code that can create unintended entry points.","A common development practice is to add back door code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Build and Compilation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Read Application Data Gain Privileges or Assume Identity Varies by Context:NOTE:Confidentiality Integrity Availability Access Control Other Bypass Protection Mechanism Read Application Data Gain Privileges or Assume Identity Varies by Context The severity of the exposed debug application will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. 
At worst, as is often the case, the debug application will allow an attacker complete control over the web application and server, as well as confidential information that either of these access.::","","::PHASE:Build and Compilation Distribution:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove debug code before deploying the application.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Leftover Debug Code::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A10:ENTRY NAME:Insecure Configuration Management:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP28:ENTRY NAME:Unexpected access points::","","TYPE:Other:NOTE:In J2EE a main method may be a good indicator that debug code has been left in the application, although there may not be any direct security impact.::",
  383. 49,"Path Equivalence: 'filename/' (Trailing Slash)",Variant,Incomplete,"A software system that accepts path input in the form of trailing slash ('filedir/') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:162:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","","::REFERENCE:CVE-2002-0253:DESCRIPTION:Overlaps infoleak:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0253REFERENCE:CVE-2001-0446:DESCRIPTION:Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0446REFERENCE:CVE-2004-0334:DESCRIPTION:Bypass Basic Authentication for files using trailing /:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0334REFERENCE:CVE-2001-0893:DESCRIPTION:Read sensitive files with trailing /:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0893REFERENCE:CVE-2001-0892:DESCRIPTION:Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0892REFERENCE:CVE-2004-1814:DESCRIPTION:Directory traversal vulnerability in server allows remote attackers to read protected files via .. 
(dot dot) sequences in an HTTP request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1814REFERENCE:BID:3518:DESCRIPTION:Source code disclosure:LINK:http://www.securityfocus.com/bid/3518","","","TAXONOMY NAME:PLOVER:ENTRY NAME:filedir/ (trailing slash, trailing /)::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
  384. 491,"Public cloneable() Method Without Final ('Object Hijack')",Variant,Draft,"A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.","","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Unexpected State Varies by Context::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make the cloneable() method final.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Mobile Code: Object Hijack::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:OBJ07-J:ENTRY NAME:Sensitive classes must not let themselves be copied::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP28:ENTRY NAME:Unexpected access points::","","",
  385. 492,"Use of Inner Class Containing Sensitive Data",Variant,Draft,"Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.","Inner classes quietly introduce several security concerns because of the way they are translated into Java bytecode. In Java source code, it appears that an inner class can be declared to be accessible only by the enclosing class, but Java bytecode has no concept of an inner class, so the compiler must transform an inner class declaration into a peer class with package level access to the original outer class. More insidiously, since an inner class can access private fields in their enclosing class, once an inner class becomes a peer class in bytecode, the compiler converts private fields accessed by the inner class into protected fields.","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Inner Classes data confidentiality aspects can often be overcome.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Using sealed classes protects object-oriented encapsulation paradigms and therefore protects code from being extended in unforeseen ways.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Inner Classes do not provide security. Warning: Never reduce the security of the object from an outer class, going to an inner class. 
If an outer class is final or private, ensure that its inner class is private as well.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Mobile Code: Use of Inner Class::::TAXONOMY NAME:CLASP:ENTRY NAME:Publicizing of private data when using inner classes::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:OBJ08-J:ENTRY NAME:Do not expose private members of an outer class from within a nested class::","","TYPE:Other:NOTE:Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.::",
  386. 493,"Critical Public Variable Without Final Modifier",Variant,Draft,"The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.","If a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This could lead to a vulnerability if other parts of the program make assumptions about the contents of that field.","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:216:VIEW ID:1000::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","::Mobile code, such as a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.::Final provides security by only allowing non-mutable objects to be changed after being set. 
However, only objects which are not extended can be made final.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data The object could potentially be tampered with.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data The object could potentially allow the object to be read.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Declare all public fields as final when possible, especially if it is used to maintain internal state of an Applet or of classes used by an Applet. If a field must be public, then perform all appropriate sanity checks before accessing the field from your code.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Mobile Code: Non-Final Public Field::::TAXONOMY NAME:CLASP:ENTRY NAME:Failure to provide confidentiality for stored data::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:OBJ10-J:ENTRY NAME:Do not use public static nonfinal variables::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP28:ENTRY NAME:Unexpected access points::","","",
  387. 494,"Download of Code Without Integrity Check",Base,Draft,"The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.","An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.","::NATURE:ChildOf:CWE ID:669:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:79:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Availability:SCOPE:Confidentiality:SCOPE:Other:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Alter Execution Logic Other:NOTE:Integrity Availability Confidentiality Other Execute Unauthorized Code or Commands Alter Execution Logic Other Executing untrusted code could compromise the control flow of the program. The untrusted code could execute attacker-controlled commands, read or modify sensitive resources, or prevent the software from functioning correctly for legitimate users.::","::METHOD:Manual Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
 Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.::","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform proper forward and reverse DNS lookups to detect DNS spoofing.::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Encrypt the code with a reliable encryption scheme before transmitting. This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Specifically, it may be helpful to use tools or frameworks to perform integrity checking on the transmitted code. When providing the code that is to be downloaded, such as for automatic updates of the software, then use cryptographic signatures for the code and modify the download clients to verify the signatures. Ensure that the implementation does not contain CWE-295, CWE-320, CWE-347, and related weaknesses. Use code signing technologies such as Authenticode. 
See references [REF-454] [REF-455] [REF-456].::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::PHASE:Architecture and Design Operation:STRATEGY:Sandbox or Jail:EFFECTIVENESS:Limited:DESCRIPTION:Run the code in a jail or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. 
Be careful to avoid CWE-243 and other weaknesses related to jails.::","::REFERENCE:CVE-2008-3438:DESCRIPTION:OS does not verify authenticity of its own updates.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3438REFERENCE:CVE-2008-3324:DESCRIPTION:online poker client does not verify authenticity of its own updates.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3324REFERENCE:CVE-2001-1125:DESCRIPTION:anti-virus product does not verify automatic updates for itself.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1125REFERENCE:CVE-2002-0671:DESCRIPTION:VOIP phone downloads applications from web sites without verifying integrity.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0671","","","TAXONOMY NAME:CLASP:ENTRY NAME:Invoking untrusted mobile code::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SEC06-J:ENTRY NAME:Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP27:ENTRY NAME:Tainted input to environment::","::184::185::186::187::","TYPE:Research Gap:NOTE:This is critical for mobile code, but it is likely to become more and more common as developers continue to adopt automated, network-based product distributions and upgrades. Software-as-a-Service (SaaS) might introduce additional subtleties. Common exploitation scenarios may include ad server compromises and bad upgrades.::",
  388. 495,"Private Array-Typed Field Returned From A Public Method",Variant,Draft,"The product has a method that is declared public, but returns a reference to a private array, which could then be modified in unexpected ways.","","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data The contents of the array can be modified from outside the intended scope.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Declare the method private.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Clone the member data and keep an unmodified version of the data private to the object.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use public setter methods that govern how a member can be modified.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Private Array-Typed Field Returned From A Public Method::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
  389. 496,"Public Data Assigned to Private Array-Typed Field",Variant,Incomplete,"Assigning public data to a private array is equivalent to giving public access to the array.","","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data The contents of the array can be modified from outside the intended scope.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not allow objects to modify private members of a class.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Public Data Assigned to Private Array-Typed Field::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP25:ENTRY NAME:Tainted input to variable::","","",
  390. 497,"Exposure of System Data to an Unauthorized Control Sphere",Variant,Incomplete,"Exposing system data or debugging information helps an adversary learn about the system and form an attack plan.","An information exposure occurs when system data or debugging information leaves the program through an output stream or logging function that makes it accessible to unauthorized parties. An attacker can also cause errors to occur by submitting unusual requests to the web application. The response to these errors can reveal detailed system information, deny service, cause security mechanisms to fail, and crash the server. An attacker can use error messages that reveal technologies, operating systems, and product versions to tune the attack against known vulnerabilities in these technologies. An application may use diagnostic methods that provide significant implementation details such as stack traces as part of its error handling mechanism.","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Production applications should never use methods that generate internal details such as stack traces and error messages unless that information is directly committed to a log that is not viewable by the end user. 
All error message text should be HTML entity encoded before being written to the log file to protect against potential cross-site scripting attacks against the viewer of the logs::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:System Information Leak::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR01-J:ENTRY NAME:Do not allow exceptions to expose sensitive information::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
  391. 498,"Cloneable Class Containing Sensitive Information",Variant,Draft,"The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.","Cloneable classes are effectively open classes, since data cannot be hidden in them. Classes that do not explicitly deny cloning can be cloned by any other class without running the constructor.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:200:VIEW ID:1000::NATURE:CanPrecede:CWE ID:200:VIEW ID:699::","","::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism A class that can be cloned can be produced without executing the constructor. This is dangerous since the constructor may perform security-related checks. By allowing the object to be cloned, those checks may be bypassed.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If you do make your classes cloneable, ensure that your clone method is final and throw super.clone().::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Information leak through class cloning::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:OBJ07-J:ENTRY NAME:Sensitive classes must not let themselves be copied::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
  392. 499,"Serializable Class Containing Sensitive Data",Variant,Draft,"The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class.","Serializable classes are effectively open classes since data cannot be hidden in them. Classes that do not explicitly deny serialization can be serialized by any other class, which can then in turn use the data stored inside it.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:200:VIEW ID:1000::NATURE:CanPrecede:CWE ID:200:VIEW ID:699::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data an attacker can write out the class to a byte stream, then extract the important data from it.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make sure to prevent serialization of your objects.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Information leak through serialization::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SER03-J:ENTRY NAME:Do not serialize unencrypted, sensitive data::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SER05-J:ENTRY NAME:Do not serialize instances of inner classes::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
  393. 5,"J2EE Misconfiguration: Data Transmission Without Encryption",Variant,Draft,"Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.","","::NATURE:ChildOf:CWE ID:319:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data::","","::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:The application configuration should ensure that SSL or an encryption mechanism of equivalent strength and vetted reputation is used for all access-controlled pages.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:J2EE Misconfiguration: Insecure Transport::","","TYPE:Other:NOTE:If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. There are three common ways for SSL to be bypassed: A user manually enters URL and types HTTP rather than HTTPS. Attackers intentionally send a user to an insecure URL. A programmer erroneously creates a relative link to a page in the application, which does not switch from HTTP to HTTPS. (This is particularly easy to do when the link moves between public and secured areas on a web site.)::",
  394. 50,"Path Equivalence: '//multiple/leading/slash'",Variant,Incomplete,"A software system that accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:161:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","","::REFERENCE:CVE-2002-1483:DESCRIPTION:Read files with full pathname using multiple internal slash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1483REFERENCE:CVE-1999-1456:DESCRIPTION:Server allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1456REFERENCE:CVE-2004-0578:DESCRIPTION:Server allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0578REFERENCE:CVE-2002-0275:DESCRIPTION:Server allows remote attackers to bypass authentication and read restricted files via an extra / (slash) in the requested URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0275REFERENCE:CVE-2004-1032:DESCRIPTION:Product allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1032REFERENCE:CVE-2002-1238:DESCRIPTION:Server allows remote attackers to bypass access restrictions for files via an HTTP request with a 
sequence of multiple / (slash) characters such as http://www.example.com///file/.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1238REFERENCE:CVE-2004-1878:DESCRIPTION:Product allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1878REFERENCE:CVE-2005-1365:DESCRIPTION:Server allows remote attackers to execute arbitrary commands via a URL with multiple leading / (slash) characters and .. sequences.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1365REFERENCE:CVE-2000-1050:DESCRIPTION:Access directory using multiple leading slash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1050REFERENCE:CVE-2001-1072:DESCRIPTION:Bypass access restrictions via multiple leading slash, which causes a regular expression to fail.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1072REFERENCE:CVE-2004-0235:DESCRIPTION:Archive extracts to arbitrary files using multiple leading slash in filenames in the archive.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0235","","","TAXONOMY NAME:PLOVER:ENTRY NAME://multiple/leading/slash ('multiple leading slash')::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
  395. 500,"Public Static Field Not Marked Final",Variant,Draft,"An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.","Public static variables can be read without an accessor and changed without a mutator by any classes in the application.","::NATURE:ChildOf:CWE ID:493:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:493:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","::When a field is declared public but not final, the field can be read and written to by arbitrary Java code.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data The object could potentially be tampered with.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data The object's data could potentially be read.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Clearly identify the scope for all critical data elements, including whether they should be regarded as static.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make any static fields private and constant. A constant field is denoted by the keyword 'const' in C/C++ and 'final' in Java.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Overflow of static internal buffer::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:OBJ10-J:ENTRY NAME:Do not use public static nonfinal variables::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP28:ENTRY NAME:Unexpected access points::","","",
  396. 501,"Trust Boundary Violation",Base,Draft,"The product mixes trusted and untrusted data in the same data structure or structured message.","A trust boundary can be thought of as a line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation logic is to allow data to safely cross the trust boundary - to move from untrusted to trusted. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Trust Boundary Violation::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
  397. 502,"Deserialization of Untrusted Data",Variant,Draft,"The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.","It is often convenient to serialize objects for communication or to save them for later use. However, deserialized data or code can often be modified without using the provided accessor functions if it does not use cryptography to protect itself. Furthermore, any cryptography would still be client-side security -- which is a dangerous security assumption. Data that is untrusted can not be trusted to be well-formed. When developers place no restrictions on gadget chains, or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions, like generating a shell.","::NATURE:ChildOf:CWE ID:913:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:913:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:913:VIEW ID:1003:ORDINAL:Primary::NATURE:PeerOf:CWE ID:915:VIEW ID:1000::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Ruby:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Python:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:JavaScript:LANGUAGE PREVALENCE:Undetermined::","::Serialization and deserialization refer to the process of taking program-internal object-related data, packaging it in a way that allows the data to be externally stored or transferred (serialization), then extracting the serialized data to reconstruct the original object (deserialization).::","::TERM:Marshaling, Unmarshaling:DESCRIPTION:Marshaling and unmarshaling are effectively synonyms for serialization and deserialization, respectively.::TERM:Pickling, Unpickling:DESCRIPTION:In Python, the pickle functionality is used to perform serialization and 
deserialization.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data Unexpected State:NOTE:Integrity Modify Application Data Unexpected State Attackers can modify unexpected objects or data that was assumed to be safe from modification.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU):NOTE:Availability DoS: Resource Consumption (CPU) If a function is making an assumption on when to terminate, based on a sentry in a string, it could easily never terminate.::SCOPE:Other:TECHNICAL IMPACT:Varies by Context:NOTE:Other Varies by Context The consequences can vary widely, because it depends on which objects or methods are being deserialized, and how they are used. Making an assumption that the code in the deserialized object is valid is dangerous and can enable exploitation.::","","::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Explicitly define a final object() to prevent deserialization.::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make fields transient to protect them from deserialization. An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. 
This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Whitelist acceptable classes. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.::","::REFERENCE:CVE-2015-8103:DESCRIPTION:Deserialization issue in commonly-used Java library allows remote execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103REFERENCE:CVE-2015-4852:DESCRIPTION:Deserialization issue in commonly-used Java library allows remote execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852REFERENCE:CVE-2013-1465:DESCRIPTION:Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1465REFERENCE:CVE-2012-3527:DESCRIPTION:Use of PHP unserialize function on untrusted input in content management system might allow code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3527REFERENCE:CVE-2012-0911:DESCRIPTION:Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0911REFERENCE:CVE-2012-0911:DESCRIPTION:Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0911REFERENCE:CVE-2011-2520:DESCRIPTION:Python script allows local users to execute code via pickled data.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2520REFERENCE:CVE-2012-4406:DESCRIPTION:Unsafe deserialization using pickle in a Python 
script.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4406REFERENCE:CVE-2003-0791:DESCRIPTION:Web browser allows execution of native methods via a crafted string to a JavaScript function that deserializes the string.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0791","","","TAXONOMY NAME:CLASP:ENTRY NAME:Deserialization of untrusted data::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SER01-J:ENTRY NAME:Do not deviate from the proper signatures of serialization methods::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SER03-J:ENTRY NAME:Do not serialize unencrypted, sensitive data::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SER06-J:ENTRY NAME:Make defensive copies of private mutable components during deserialization::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SER08-J:ENTRY NAME:Do not use the default serialized form for implementation defined invariants::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP25:ENTRY NAME:Tainted input to variable::","","TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",
  398. 506,"Embedded Malicious Code",Class,Incomplete,"The application contains code that appears to be malicious in nature.","Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of an application or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.","::NATURE:ChildOf:CWE ID:912:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis::","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove the malicious code and start an effort to ensure that no more malicious code exists. 
This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.::","","","","TAXONOMY NAME:Landwehr:ENTRY NAME:Malicious::","","TYPE:Terminology:NOTE:The term Trojan horse was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20].::",
  399. 507,"Trojan Horse",Base,Incomplete,"The software appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator.","","::NATURE:ChildOf:CWE ID:506:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:506:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Most antivirus software scans for Trojan Horses.::PHASE:Installation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Verify the integrity of the software that is being installed.::","","","","TAXONOMY NAME:Landwehr:ENTRY NAME:Trojan Horse::","","TYPE:Other:NOTE:Potentially malicious dynamic code compiled at runtime can conceal any number of attacks that will not appear in the baseline. The use of dynamically compiled code could also allow the injection of attacks on post-deployed applications.::::TYPE:Terminology:NOTE:Definitions of Trojan horse and related terms have varied widely over the years, but common usage in 2008 generally refers to software that performs a legitimate function, but also contains malicious code. Almost any malicious code can be called a Trojan horse, since the author of malicious code needs to disguise it somehow so that it will be invoked by a nonmalicious user (unless the author means also to invoke the code, in which case they presumably already possess the authorization to perform the intended sabotage). A Trojan horse that replicates itself by copying its code into other program files (see case MA1) is commonly referred to as a virus. One that replicates itself by creating new processes or files to contain its code, instead of modifying existing storage entities, is often called a worm. 
Denning provides a general discussion of these terms; differences of opinion about the term applicable to a particular flaw or its exploitations sometimes occur.::",
  400. 508,"Non-Replicating Malicious Code",Base,Incomplete,"Non-replicating malicious code only resides on the target system or software that is attacked; it does not attempt to spread to other systems.","","::NATURE:ChildOf:CWE ID:507:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:507:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Antivirus software can help mitigate known malicious code.::PHASE:Installation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Verify the integrity of the software that is being installed.::","","","","TAXONOMY NAME:Landwehr:ENTRY NAME:Non-Replicating::","","",
  401. 509,"Replicating Malicious Code (Virus or Worm)",Base,Incomplete,"Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or software.","","::NATURE:ChildOf:CWE ID:507:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:507:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Antivirus software scans for viruses or worms.::PHASE:Installation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always verify the integrity of the software that is being installed.::","","","","TAXONOMY NAME:Landwehr:ENTRY NAME:Replicating (virus)::","","",
  402. 51,"Path Equivalence: '/multiple//internal/slash'",Variant,Incomplete,"A software system that accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-1483:DESCRIPTION:Read files with full pathname using multiple internal slash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1483","","","TAXONOMY NAME:PLOVER:ENTRY NAME:/multiple//internal/slash ('multiple internal slash')::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
  403. 510,"Trapdoor",Base,Incomplete,"A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.","","::NATURE:ChildOf:CWE ID:506:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:506:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Bypass Protection Mechanism::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis Binary / Bytecode simple extractor – strings, ELF readers, etc.::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution Forced Path Execution Debugger Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Automated Static Analysis - 
Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Cost effective for partial coverage: Formal Methods / Correct-By-Construction::","::PHASE:Installation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always verify the integrity of the software that is being installed.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Identify and closely inspect the conditions for entering privileged areas of the code, especially those related to authentication, process invocation, and network communications.::","","","","TAXONOMY NAME:Landwehr:ENTRY NAME:Trapdoor::","","",
  404. 511,"Logic/Time Bomb",Base,Incomplete,"The software contains code that is designed to disrupt the legitimate operation of the software (or its environment) when a certain time passes, or when a certain logical condition is met.","When the time bomb or logic bomb is detonated, it may perform a denial of service such as crashing the system, deleting critical data, or degrading system response time. This bomb might be placed within either a replicating or non-replicating Trojan horse.","::NATURE:ChildOf:CWE ID:506:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:506:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:SCOPE:Integrity:TECHNICAL IMPACT:Varies by Context Alter Execution Logic::","","::PHASE:Installation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always verify the integrity of the software that is being installed.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Conduct a code coverage analysis using live testing, then closely inspect any code that is not covered.::","","","","TAXONOMY NAME:Landwehr:ENTRY NAME:Logic/Time Bomb::","","",
  405. 512,"Spyware",Base,Incomplete,"The software collects personally identifiable information about a human user or the user's activities, but the software accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the software.","Spyware is a commonly used term with many definitions and interpretations. In general, it refers to software that collects information or installs functionality that human users might not allow if they were fully aware of the actions being taken by the software. For example, a user might expect that tax software would collect a social security number and include it when filing a tax return, but that same user would not expect gaming software to obtain the social security number from that tax software's data.","::NATURE:ChildOf:CWE ID:506:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:506:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use spyware detection and removal software.::PHASE:Installation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always verify the integrity of the software that is being installed.::","","","","","","",
514,"Covert Channel",Class,Incomplete,"A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.","Typically the system has not given authorization for the transmission and has no knowledge of its occurrence.","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:912:VIEW ID:699::","","","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Access Control:TECHNICAL IMPACT:Read Application Data Bypass Protection Mechanism::","::METHOD:Architecture or Design Review:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","","","","","TAXONOMY NAME:Landwehr:ENTRY NAME:Covert Channel::","::463::","TYPE:Theoretical:NOTE:A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors.::",
515,"Covert Storage Channel",Base,Incomplete,"A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information.","Covert storage channels occur when out-of-band data is stored in messages for the purpose of memory reuse. Covert channels are frequently classified as either storage or timing channels. Examples would include using a file intended to hold only audit information to convey user passwords--using the name of a file or perhaps status bits associated with it that can be read by all users to signal the contents of the file. Steganography, concealing information in such a manner that no one but the intended recipient knows of the existence of the message, is a good example of a covert storage channel.","::NATURE:ChildOf:CWE ID:514:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:514:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Covert storage channels may provide attackers with important information about the system in question.::SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Integrity Confidentiality Read Application Data If these messages or packets are sent with unnecessary data contained within, it may tip off malicious listeners as to the process that created the message. With this information, attackers may learn any number of things, including the hardware platform, operating system, or algorithms used by the sender. This information can be of significant value to the user in launching further attacks.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that all reserved fields are set to zero before messages are sent and that no unnecessary information is included.::","","","","TAXONOMY NAME:Landwehr:ENTRY NAME:Storage::::TAXONOMY NAME:CLASP:ENTRY NAME:Covert storage channel::","","",
52,"Path Equivalence: '/multiple/trailing/slash//'",Variant,Incomplete,"A software system that accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:163:VIEW ID:1000::NATURE:CanPrecede:CWE ID:289:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2002-1078:DESCRIPTION:Directory listings in web server using multiple trailing slash:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1078","","","TAXONOMY NAME:PLOVER:ENTRY NAME:/multiple/trailing/slash// ('multiple trailing slash')::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
520,".NET Misconfiguration: Use of Impersonation",Variant,Incomplete,"Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.",".NET server applications can optionally execute using the identity of the user authenticated to the client. The intention of this functionality is to bypass authentication and access control checks within the .NET application code. Authentication is done by the underlying web server (Microsoft Internet Information Service IIS), which passes the authenticated token, or unauthenticated anonymous token, to the .NET application. Using the token to impersonate the client, the application then relies on the settings within the NTFS directories and files to control access. Impersonation enables the application, on the server running the .NET application, to both execute code and access resources in the context of the authenticated and authorized user.","::NATURE:ChildOf:CWE ID:266:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity::","","::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Run the application with limited privilege to the underlying operating and file system.::","","","","","","",
521,"Weak Password Requirements",Base,Draft,"The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.","An authentication mechanism is only as strong as its credentials. For this reason, it is important to require users to have strong passwords. Lack of password complexity significantly reduces the search space when trying to guess user's passwords, making brute-force attacks easier.","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity An attacker could easily guess user passwords and gain access user accounts.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Enforce usage of strong passwords. A password strength policy should contain the following attributes: Minimum and maximum length; Require mixed character sets (alpha, numeric, special, mixed case); Do not contain user name; Expiration; No password reuse.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Authentication mechanisms should always require sufficiently complex passwords and require that they be periodically changed.::","","","","TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A3:ENTRY NAME:Broken Authentication and Session Management:MAPPING FIT:CWE More Specific::","::112::16::49::55::70::","",
522,"Insufficiently Protected Credentials",Base,Incomplete,"This weakness occurs when the application transmits or stores authentication credentials and uses an insecure method that is susceptible to unauthorized interception and/or retrieval.","","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:668:VIEW ID:1000::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity An attacker could gain access to user accounts and access sensitive data used by the user accounts.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use an appropriate security mechanism to protect the credentials.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make appropriate use of cryptography to protect the credentials.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).::","::REFERENCE:CVE-2007-0681:DESCRIPTION:Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0681REFERENCE:CVE-2000-0944:DESCRIPTION:Web application password change utility doesn't check the original password.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0944REFERENCE:CVE-2005-3435:DESCRIPTION:product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3435REFERENCE:CVE-2005-0408:DESCRIPTION:chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0408","","","TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A7:ENTRY NAME:Broken Authentication and Session Management:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A3:ENTRY NAME:Broken Authentication and Session Management:MAPPING FIT:CWE More Specific::","::102::50::","",
523,"Unprotected Transport of Credentials",Variant,Incomplete,"Login pages not using adequate measures to protect the user name and password while they are in transit from the client to the server.","","::NATURE:ChildOf:CWE ID:522:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:522:VIEW ID:699:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:312:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:312:VIEW ID:1000::","","","::SSL (Secure Socket Layer) provides data confidentiality and integrity to HTTP. By encrypting HTTP messages, SSL protects from attackers eavesdropping or altering message contents.::","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity::","","::PHASE:Operation System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Enforce SSL use for the login page or any page used to transmit user credentials or other sensitive information. Even if the entire site does not use SSL, it MUST use SSL for login. Additionally, to help prevent phishing attacks, make sure that SSL serves the login page. SSL allows the user to verify the identity of the server to which they are connecting. If the SSL serves login page, the user can be certain they are talking to the proper end system. A phishing attack would typically redirect a user to a site that does not have a valid trusted server certificate issued from an authorized supplier.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","::102::","",
524,"Information Exposure Through Caching",Variant,Incomplete,"The application uses a cache to maintain a pool of objects, threads, connections, pages, or passwords to minimize the time it takes to access them or the resources to which they connect. If implemented improperly, these caches can allow access to unauthorized information or cause a denial of service vulnerability.","","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Protect information stored in cache.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not store unnecessarily sensitive information in the cache.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider using encryption in the cache.::","","","","","::204::","",
525,"Information Exposure Through Browser Caching",Variant,Incomplete,"For each web page, the application should have an appropriate caching policy specifying the extent to which the page and its form fields should be cached.","","::NATURE:ChildOf:CWE ID:524:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:524:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Browsers often store information in a client-side cache, which can leave behind sensitive information for other users to find and exploit, such as passwords or credit card numbers. The locations at most risk include public terminals, such as those in libraries and Internet cafes.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Protect information stored in cache.::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a restrictive caching policy for forms and web pages that potentially contain sensitive information.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not store unnecessarily sensitive information in the cache.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider using encryption in the cache.::","","","","TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A2:ENTRY NAME:Broken Access Control:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A3:ENTRY NAME:Broken Authentication and Session Management:MAPPING FIT:CWE More Specific::","::37::","",
526,"Information Exposure Through Environmental Variables",Variant,Incomplete,"Environmental variables may contain sensitive information about a remote server.","","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Protect information stored in environment variable from being exposed to the user.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
527,"Exposure of CVS Repository to an Unauthorized Control Sphere",Variant,Incomplete,"The product stores a CVS repository in a directory or other container that is accessible to actors outside of the intended control sphere.","Information contained within a CVS subdirectory on a web server or other server could be recovered by an attacker and used for malicious purposes. This information may include usernames, filenames, path root, and IP addresses.","::NATURE:ChildOf:CWE ID:538:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:538:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:552:VIEW ID:1000::NATURE:ChildOf:CWE ID:552:VIEW ID:699::","","","","",":::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data Read Files or Directories::","","::PHASE:Operation Distribution System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Recommendations include removing any CVS directories and repositories from the production server, disabling the use of remote CVS repositories, and ensuring that the latest CVS patches and version updates have been performed.::","","","","","","",
528,"Exposure of Core Dump File to an Unauthorized Control Sphere",Variant,Draft,"The product generates a core dump file in a directory that is accessible to actors outside of the intended control sphere.","","::NATURE:ChildOf:CWE ID:538:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:538:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:552:VIEW ID:1000::NATURE:ChildOf:CWE ID:552:VIEW ID:699::","","","","",":::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data Read Files or Directories::","","::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Protect the core dump files from unauthorized access.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM06-C:ENTRY NAME:Ensure that sensitive data is not written out to disk::","","",
529,"Exposure of Access Control List Files to an Unauthorized Control Sphere",Variant,Incomplete,"The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.","Exposure of these access control list files may give the attacker information about the configuration of the site or system. This information may then be used to bypass the intended security policy or identify trusted systems from which an attack can be launched.","::NATURE:ChildOf:CWE ID:538:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:538:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:552:VIEW ID:1000::NATURE:ChildOf:CWE ID:552:VIEW ID:699::","","","","",":::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Access Control:TECHNICAL IMPACT:Read Application Data Bypass Protection Mechanism::","","::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Protect access control list files.::","","","","","","",
53,"Path Equivalence: 'multipleinternalbackslash'",Variant,Incomplete,"A software system that accepts path input in the form of multiple internal backslash ('multipletrailingslash') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:165:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:\multiple\\internal\backslash::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
530,"Exposure of Backup File to an Unauthorized Control Sphere",Variant,Incomplete,"A backup file is stored in a directory that is accessible to actors outside of the intended control sphere.","Often, old files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator.","::NATURE:ChildOf:CWE ID:538:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:538:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:552:VIEW ID:1000::","","","","",":::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data At a minimum, an attacker who retrieves this file would have all the information contained in it, whether that be database calls, the format of parameters accepted by the application, or simply information regarding the architectural structure of your site.::","","::PHASE:Policy:STRATEGY::EFFECTIVENESS::DESCRIPTION:Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.::","","","","","","",
531,"Information Exposure Through Test Code",Variant,Incomplete,"Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.","","::NATURE:ChildOf:CWE ID:540:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:540:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Distribution Installation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove test code before deploying the application into production.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP28:ENTRY NAME:Unexpected access points::","","",
532,"Information Exposure Through Log Files",Variant,Incomplete,"Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.","While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for: Server log files (e.g. server.log). This can give information on whatever application left the file. Usually this can give full path names and system information, and sometimes usernames and passwords. log files that are used for debugging","::NATURE:ChildOf:CWE ID:538:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:538:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:538:VIEW ID:1003:ORDINAL:Primary::NATURE:ChildOf:CWE ID:552:VIEW ID:1000::NATURE:ChildOf:CWE ID:552:VIEW ID:699::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Logging sensitive user data often provides attackers with an additional, less-protected path to acquiring the information.::","","::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.::PHASE:Distribution:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove debug log files before deploying the application into production.::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Protect log files against unauthorized read/write.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Adjust configurations appropriately when software is transitioned from a debug state to production.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO13-J:ENTRY NAME:Do not log sensitive information outside a trust boundary::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","::215::","",
535,"Information Exposure Through Shell Error Message",Variant,Incomplete,"A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.","","::NATURE:ChildOf:CWE ID:210:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:210:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","","","","","","","",
536,"Information Exposure Through Servlet Runtime Error Message",Variant,Incomplete,"A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.","","::NATURE:ChildOf:CWE ID:210:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:210:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data The error message may contain the location of the file in which the offending function is located. This may disclose the web root's absolute path as well as give the attacker the location of application files or configuration information. It may even disclose the portion of code that failed. In many cases, an attacker can use the data to launch further attacks against the system.::","","","","","","","","",
537,"Information Exposure Through Java Runtime Error Message",Variant,Incomplete,"In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.","","::NATURE:ChildOf:CWE ID:210:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:210:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not expose sensitive error information to the user.::","","","","","","",
538,"File and Directory Information Exposure",Base,Draft,"The product stores sensitive information in files or directories that are accessible to actors outside of the intended control sphere.","","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories::","","::PHASE:Architecture and Design Operation System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not expose file and directory information to the user.::","","","","","::95::","TYPE:Maintenance:NOTE:Depending on usage, this could be a weakness or a category. Further study of all its children is needed, and the entire sub-tree may need to be clarified. The current organization is based primarily on the exposure of sensitive information as a consequence, instead of as a primary weakness.::::TYPE:Maintenance:NOTE:There is a close relationship with CWE-552, which is more focused on weaknesses. As a result, it may be more appropriate to convert CWE-538 to a category.::",
539,"Information Exposure Through Persistent Cookies",Variant,Incomplete,"Persistent cookies are cookies that are stored on the browser's hard drive. This can cause security and privacy issues depending on the information stored in the cookie and how it is accessed.","Cookies are small bits of data that are sent by the web application but stored locally in the browser. This lets the application use the cookie to pass information between pages and store variable information. The web application controls what information is stored in a cookie and how it is used. Typical types of information stored in cookies are session Identifiers, personalization and customization information, and in rare cases even usernames to enable automated logins. There are two different types of cookies: session cookies and persistent cookies. Session cookies just live in the browser's memory, and are not stored anywhere, but persistent cookies are stored on the browser's hard drive.","::NATURE:ChildOf:CWE ID:538:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:538:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not store sensitive information in persistent cookies.::","","","","","::21::31::39::59::60::","",
54,"Path Equivalence: 'filedir' (Trailing Backslash)",Variant,Incomplete,"A software system that accepts path input in the form of trailing backslash ('filedir') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:162:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2004-0847:DESCRIPTION:ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) (backslash) or (2) %5C (encoded backslash), aka Path Validation Vulnerability.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0847","","","TAXONOMY NAME:PLOVER:ENTRY NAME:filedir\ (trailing backslash)::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
540,"Information Exposure Through Source Code",Variant,Incomplete,"Source code on a web server often contains sensitive information and should generally not be accessible to users.","There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to understand the logic of the script and extract extremely useful information such as code bugs or logins and passwords.","::NATURE:ChildOf:CWE ID:538:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:538:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:552:VIEW ID:1000::NATURE:ChildOf:CWE ID:552:VIEW ID:699::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Architecture and Design System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.::","","","","","","",
541,"Information Exposure Through Include Source Code",Variant,Incomplete,"If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.","","::NATURE:ChildOf:CWE ID:540:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:540:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not store sensitive information in include files.::PHASE:Architecture and Design System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Protect include files from being exposed.::","","","","","","",
  431. 543,"Use of Singleton Pattern Without Synchronization in a Multithreaded Context",Variant,Incomplete,"The software uses the singleton pattern when creating a resource within a multithreaded environment.","The use of a singleton pattern may not be thread-safe.","::NATURE:ChildOf:CWE ID:820:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:820:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:SCOPE:Integrity:TECHNICAL IMPACT:Other Modify Application Data::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use the Thread-Specific Storage Pattern. See References.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use member fields to store information in the Servlet. In multithreading environments, storing user data in Servlet member fields introduces a data access race condition.::PHASE:Implementation:STRATEGY::EFFECTIVENESS:Limited:DESCRIPTION:Avoid using the double-checked locking pattern in language versions that cannot guarantee thread safety. This pattern may be used to avoid the overhead of a synchronized call, but in certain versions of Java (for example), this has been shown to be unsafe because it still introduces a race condition (CWE-209).::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MSC07-J:ENTRY NAME:Prevent multiple instantiations of singleton objects::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP19:ENTRY NAME:Missing Lock::","","",
  432. 544,"Missing Standardized Error Handling Mechanism",Base,Draft,"The software does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.","If the application handles error messages individually, on a one-by-one basis, this is likely to result in inconsistent error handling. The causes of errors may be lost. Also, detailed information about the causes of an error may be unintentionally returned to the user.","::NATURE:ChildOf:CWE ID:755:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Quality Degradation Unexpected State Varies by Context::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Define a strategy for handling errors of different severities, such as fatal errors versus basic log events. Use or create built-in language features, or an external package, that provides an easy-to-use API and define coding standards for the detection and handling of errors.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ERR00-C:ENTRY NAME:Adopt and implement a consistent and comprehensive error-handling policy::","","",
  433. 546,"Suspicious Comment",Variant,Draft,"The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.","Many suspicious comments, such as BUG, HACK, FIXME, LATER, LATER2, TODO, in the code indicate missing security functionality and checking. Others indicate code problems that programmers should fix, such as hard-coded variables, error handling, not using stored procedures, and performance issues.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation:NOTE:Other Quality Degradation Suspicious comments could be an indication that there are problems in the source code that may need to be fixed and is an indication of poor quality. This could lead to further bugs and the introduction of weaknesses.::","","::PHASE:Documentation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove comments that suggest the presence of bugs, incomplete functionality, or weaknesses, before deploying the application.::","","","","","","",
  434. 547,"Use of Hard-coded, Security-relevant Constants",Variant,Draft,"The program uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.","If the developer does not find all occurrences of the hard-coded constants, an incorrect policy decision may be made if one of the constants is not changed. Making changes to these values will require code changes that may be difficult or impossible once the system is released to the field. In addition, these hard-coded values may become available to attackers if the code is ever disclosed.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context Quality Degradation:NOTE:Other Varies by Context Quality Degradation The existence of hardcoded constants could cause unexpected behavior and the introduction of weaknesses during code maintenance or when making changes to the code if all occurrences are not modified. The use of hardcoded constants is an indication of poor quality.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid using hard-coded constants. Configuration files offer a more flexible solution.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:DCL06-C:ENTRY NAME:Use meaningful symbolic constants to represent literal values in program logic::","","",
  435. 548,"Information Exposure Through Directory Listing",Variant,Draft,"A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.","A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible.","::NATURE:ChildOf:CWE ID:538:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:538:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:552:VIEW ID:1000::","","","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories:NOTE:Confidentiality Read Files or Directories Exposing the contents of a directory can lead to an attacker gaining access to source code or providing useful information for the attacker to devise exploits, such as creation times of files or any information that may be encoded in file names. The directory listing may also compromise private or confidential data.::","","::PHASE:Architecture and Design System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack.::","","","","TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A10:ENTRY NAME:Insecure Configuration Management:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:16:ENTRY NAME:Directory Indexing::","","",
  436. 549,"Missing Password Field Masking",Variant,Draft,"The software does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.","","::NATURE:ChildOf:CWE ID:522:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Implementation Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information.::","","","","","","",
  437. 55,"Path Equivalence: '/./' (Single Dot Directory)",Variant,Incomplete,"A software system that accepts path input in the form of single dot directory exploit ('/./') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2000-0004:DESCRIPTION:Server allows remote attackers to read source code for executable files by inserting a . 
(dot) into the URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0004REFERENCE:CVE-2002-0304:DESCRIPTION:Server allows remote attackers to read password-protected files via a /./ in the HTTP request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0304REFERENCE:BID:6042:DESCRIPTION:Input Validation error:LINK:http://www.securityfocus.com/bid/6042REFERENCE:CVE-1999-1083:DESCRIPTION:Possibly (could be a cleansing error):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1083REFERENCE:CVE-2004-0815:DESCRIPTION:/./////etc cleansed to .///etc then /etc:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0815REFERENCE:CVE-2002-0112:DESCRIPTION:Server allows remote attackers to view password protected files via /./ in the URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0112","","","TAXONOMY NAME:PLOVER:ENTRY NAME:/./ (single dot directory)::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
  438. 550,"Information Exposure Through Server Error Message",Variant,Incomplete,"Certain conditions, such as network failure, will cause a server error message to be displayed.","While error messages in and of themselves are not dangerous, per se, it is what an attacker can glean from them that might cause eventual problems.","::NATURE:ChildOf:CWE ID:209:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:209:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Architecture and Design System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Recommendations include designing and adding consistent error handling mechanisms which are capable of handling any user input to your web application, providing meaningful detail to end-users, and preventing error messages that might provide information useful to an attacker from being displayed.::","","","","","","",
  439. 551,"Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",Base,Incomplete,"If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.","For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.","::NATURE:ChildOf:CWE ID:863:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:863:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:696:VIEW ID:1000::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked.::","","","","","","",
  440. 552,"Files or Directories Accessible to External Parties",Base,Draft,"Files or directories are accessible in the environment that should not be.","","::NATURE:ChildOf:CWE ID:668:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:668:VIEW ID:1003:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","","","","File or Directory::","TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A10:ENTRY NAME:Insecure Configuration Management:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO15-C:ENTRY NAME:Ensure that file operations are performed in a secure directory::","","",
  441. 553,"Command Shell in Externally Accessible Directory",Variant,Incomplete,"A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on the web server.","","::NATURE:ChildOf:CWE ID:552:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:552:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","::PHASE:Installation System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove any Shells accessible under the web root folder and children directories.::","","","","","","",
  442. 554,"ASP.NET Misconfiguration: Not Using Input Validation Framework",Variant,Draft,"The ASP.NET application does not use an input validation framework.","","::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:ASP.NET:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State:NOTE:Integrity Unexpected State Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use the ASP.NET validation framework to check all program input before it is processed by the application. Example uses of the validation framework include checking to ensure that: Phone number fields contain only valid characters in phone numbers Boolean values are only T or F Free-form strings are of a reasonable length and composition::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
  443. 555,"J2EE Misconfiguration: Plaintext Password in Configuration File",Variant,Draft,"The J2EE application stores a plaintext password in a configuration file.","Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers.","::NATURE:ChildOf:CWE ID:522:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not hardwire passwords into your software.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use industry standard libraries to encrypt passwords before storage in configuration files.::","","","","","","",
  444. 556,"ASP.NET Misconfiguration: Use of Identity Impersonation",Variant,Incomplete,"Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.","The use of impersonated credentials allows an ASP.NET application to run with either the privileges of the client on whose behalf it is executing or with arbitrary privileges granted in its configuration.","::NATURE:ChildOf:CWE ID:266:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use the least privilege principle.::","","","","","","",
  445. 558,"Use of getlogin() in Multithreaded Application",Variant,Draft,"The application uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.","The getlogin() function returns a pointer to a string that contains the name of the user associated with the calling process. The function is not reentrant, meaning that if it is called from another process, the contents are not locked out and the value of the string can be changed by another process. This makes it very risky to use because the username can be changed by other processes, so the results of the function cannot be trusted.","::NATURE:ChildOf:CWE ID:663:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Modify Application Data Bypass Protection Mechanism Other::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Using names for security purposes is not advised. Names are easy to forge and can have overlapping user IDs, potentially causing confusion or impersonation.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use getlogin_r() instead, which is reentrant, meaning that other processes are locked out from changing the username.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Often Misused: Authentication::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  446. 56,"Path Equivalence: 'filedir*' (Wildcard)",Variant,Incomplete,"A software system that accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:155:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2004-0696:DESCRIPTION:List directories using desired path and *:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0696REFERENCE:CVE-2002-0433:DESCRIPTION:List files in web server using *.ext:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0433","","","TAXONOMY NAME:PLOVER:ENTRY NAME:filedir* (asterisk / wildcard)::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
  447. 560,"Use of umask() with chmod-style Argument",Variant,Draft,"The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().","","::NATURE:ChildOf:CWE ID:687:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Access Control:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories Bypass Protection Mechanism::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use umask() with the correct argument.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:If you suspect misuse of umask(), you can use grep to spot call instances of umask().::","","","","","","TYPE:Other:NOTE:The umask() man page begins with the false statement: umask sets the umask to mask & 0777 Although this behavior would better align with the usage of chmod(), where the user provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777. The umask() man page goes on to describe the correct usage of umask(): The umask is used by open() to set initial file permissions on a newly-created file. Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666).::",
  448. 561,"Dead Code",Variant,Draft,"The software contains dead code, which can never be executed.","Dead code is source code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation:NOTE:Other Quality Degradation Dead code that results from code that can never be executed is an indication of problems with the source code that needs to be fixed and is an indication of poor quality.::","::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Compare binary / bytecode to application permission manifest::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution::METHOD:Automated Static Analysis:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Cost effective for partial coverage: Warning Flags Source code Weakness Analyzer Context-configured 
Source Code Weakness Analyzer::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove dead code before deploying the application.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a static analysis tool to spot dead code.::","::REFERENCE:CVE-2014-1266:DESCRIPTION:chain: incorrect goto in Apple SSL product bypasses certificate validation, allowing man-in-the-middle attack (Apple goto fail bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint ('Man-in-the-Middle')).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1266","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC07-C:ENTRY NAME:Detect and remove dead code::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:MSC00-PL:ENTRY NAME:Detect and remove dead code:MAPPING FIT:Exact::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP2:ENTRY NAME:Unused Entities::","","",
  449. 562,"Return of Stack Variable Address",Base,Draft,"A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.","Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use this same stack address, thereby overwriting the value of the pointer, which no longer corresponds to the same variable since a function's stack frame is invalidated when it returns. At best this will cause the value of the pointer to change unexpectedly. In many cases it causes the program to crash the next time the pointer is dereferenced.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000::NATURE:ChildOf:CWE ID:672:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:825:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use static analysis tools to spot return of the address of a stack variable.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:DCL30-C:ENTRY NAME:Declare objects with appropriate storage durations:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS34-C:ENTRY NAME:Do not call putenv() with a pointer to an automatic variable as the argument::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
  450. 563,"Assignment to Variable without Use",Variant,Draft,"The variable's value is assigned but never used, making it a dead store.","After the assignment, the variable is either assigned another value or goes out of scope. It is likely that the variable is simply vestigial, but it is also possible that the unused variable points out a bug.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","","","::TERM:Unused Variable:DESCRIPTION:::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation Varies by Context:NOTE:Other Quality Degradation Varies by Context This weakness could be an indication of a bug in the program or a deprecated variable that was not removed and is an indication of poor quality. This could lead to further bugs and the introduction of weaknesses.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove unused variables from the code.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC00-C:ENTRY NAME:Compile cleanly at high warning levels::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:MSC01-PL:ENTRY NAME:Detect and remove unused variables:MAPPING FIT:Imprecise::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP2:ENTRY NAME:Unused Entities::","","",
  451. 564,"SQL Injection: Hibernate",Variant,Incomplete,"Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.","","::NATURE:ChildOf:CWE ID:89:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:89:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:89:VIEW ID:928:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:A non-SQL style database which is not subject to this flaw may be chosen.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Implement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use vigorous whitelist style checking on any user input that may be used in a SQL command. 
Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that have been entered in the database may neglect to escape meta-characters before use. Narrowly define the set of safe characters based on the expected value of the parameter in the request.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::109::","",
  452. 565,"Reliance on Cookies without Validation and Integrity Checking",Base,Incomplete,"The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.","Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Reliance on cookies without detailed validation and integrity checking can allow attackers to bypass authentication, conduct injection attacks such as SQL injection and cross-site scripting, or otherwise modify inputs in unexpected ways.","::NATURE:ChildOf:CWE ID:642:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:602:VIEW ID:1000::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity It is dangerous to use cookies to set a user's privileges. The cookie can be manipulated to escalate an attacker's privileges to an administrative level.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid using cookie data for a security-related decision.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Add integrity checks to detect tampering.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. 
As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP29:ENTRY NAME:Faulty endpoint authentication::","::31::39::","TYPE:Relationship:NOTE:This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. As a result, the program might skip basic input validation to enable cross-site scripting, SQL injection, price tampering, and other attacks..::",
  453. 566,"Authorization Bypass Through User-Controlled SQL Primary Key",Variant,Incomplete,"The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.","When a user can set a primary key to any value, then the user can modify the key to point to unauthorized records. Database access control errors occur when: Data enters a program from an untrusted source. The data is used to specify the value of a primary key in a SQL query. The untrusted source does not have the permissions to be able to access all rows in the associated table.","::NATURE:ChildOf:CWE ID:639:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:639:VIEW ID:699:ORDINAL:Primary::","","::TECHNOLOGY NAME:Database Server:TECHNOLOGY PREVALENCE:Often::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Access Control:TECHNICAL IMPACT:Read Application Data Modify Application Data Bypass Protection Mechanism::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data. Use an accept known good validation strategy.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a parameterized query AND make sure that the accepted values conform to the business rules. Construct your SQL statement accordingly.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP25:ENTRY NAME:Tainted input to variable::","","",
  454. 567,"Unsynchronized Access to Shared Data in a Multithreaded Context",Base,Draft,"The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.","Within servlets, shared static variables are not protected from concurrent access, but servlets are multithreaded. This is a typical programming mistake in J2EE applications, since the multithreading is handled by the framework. When a shared variable can be influenced by an attacker, one thread could wind up modifying the variable to contain data that is not valid for a different thread that is also using the data within the variable. Note that this weakness is not unique to servlets.","::NATURE:ChildOf:CWE ID:820:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:488:VIEW ID:1000::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Read Application Data Modify Application Data DoS: Instability DoS: Crash, Exit, or Restart:NOTE:Confidentiality Integrity Availability Read Application Data Modify Application Data DoS: Instability DoS: Crash, Exit, or Restart If the shared variable contains sensitive data, it may be manipulated or displayed in another user session. If this data is used to control the application, its value can be manipulated to cause the application to crash or perform poorly.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove the use of static variables used between servlets. 
If this cannot be avoided, use synchronized access for these variables.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:VNA00-J:ENTRY NAME:Ensure visibility when accessing shared primitive variables::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:VNA02-J:ENTRY NAME:Ensure that compound operations on shared variables are atomic::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP19:ENTRY NAME:Missing Lock::","::25::","",
  455. 568,"finalize() Method Without super.finalize()",Variant,Draft,"The software contains a finalize() method that does not call super.finalize().","The Java Language Specification states that it is a good practice for a finalize() method to call super.finalize().","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000::NATURE:ChildOf:CWE ID:459:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Call the super.finalize() method.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use static analysis tools to spot such issues in your code.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MET12-J:ENTRY NAME:Do not use finalizers::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP28:ENTRY NAME:Unexpected access points::","","",
  456. 57,"Path Equivalence: 'fakedir/../realdir/filename'",Variant,Incomplete,"The software contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.","","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.::","::REFERENCE:CVE-2001-1152:DESCRIPTION:Proxy allows remote attackers to bypass blacklist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. 
where the desired file is in the parentdir, (3) a /./, or (4) URL-encoded characters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1152REFERENCE:CVE-2000-0191:DESCRIPTION:application check access for restricted URL before canonicalization:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0191REFERENCE:CVE-2005-1366:DESCRIPTION:CGI source disclosure using dirname/../cgi-bin:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1366","","","TAXONOMY NAME:PLOVER:ENTRY NAME:dirname/fakechild/../realchild/filename::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","TYPE:Theoretical:NOTE:This is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name).::",
  457. 570,"Expression is Always False",Variant,Draft,"The software contains an expression that will always evaluate to false.","","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:561:VIEW ID:1000::NATURE:CanPrecede:CWE ID:561:VIEW ID:699::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation Varies by Context::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use Static Analysis tools to spot such conditions.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC00-C:ENTRY NAME:Compile cleanly at high warning levels::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
  458. 571,"Expression is Always True",Variant,Draft,"The software contains an expression that will always evaluate to true.","","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:561:VIEW ID:1000::NATURE:CanPrecede:CWE ID:561:VIEW ID:699::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation Varies by Context::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use Static Analysis tools to spot such conditions.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC00-C:ENTRY NAME:Compile cleanly at high warning levels::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
  459. 572,"Call to Thread run() instead of start()",Variant,Draft,"The program calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.","In most cases a direct call to a Thread object's run() method is a bug. The programmer intended to begin a new thread of control, but accidentally called run() instead of start(), so the run() method will execute in the caller's thread of control.","::NATURE:ChildOf:CWE ID:821:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:821:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation Varies by Context::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use the start() method instead of the run() method.::","","","System Process::","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:THI00-J:ENTRY NAME:Do not invoke Thread.run()::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  460. 573,"Improper Following of Specification by Caller",Class,Draft,"The software does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.","When leveraging external functionality, such as an API, it is important that the caller does so in accordance with the requirements of the external functionality or else unintended behaviors may result, possibly leaving the system vulnerable to any number of exploits.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation Varies by Context::","","","::REFERENCE:CVE-2006-7140:DESCRIPTION:Crypto implementation removes padding when it shouldn't, allowing forged signatures:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7140REFERENCE:CVE-2006-4339:DESCRIPTION:Crypto implementation removes padding when it shouldn't, allowing forged signatures:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MET10-J:ENTRY NAME:Follow the general contract when implementing the compareTo() method::","","",
  461. 574,"EJB Bad Practices: Use of Synchronization Primitives",Variant,Draft,"The program violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.","The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: An enterprise bean must not use thread synchronization primitives to synchronize execution of multiple instances. The specification justifies this requirement in the following way: This rule is required to ensure consistent runtime semantics because while some EJB containers may use a single JVM to execute all enterprise bean's instances, others may distribute the instances across multiple JVMs.","::NATURE:ChildOf:CWE ID:695:VIEW ID:1000::NATURE:ChildOf:CWE ID:695:VIEW ID:699::NATURE:ChildOf:CWE ID:821:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:821:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use Synchronization Primitives when writing EJBs.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  462. 575,"EJB Bad Practices: Use of AWT Swing",Variant,Draft,"The program violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.","The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: An enterprise bean must not use the AWT functionality to attempt to output information to a display, or to input information from a keyboard. The specification justifies this requirement in the following way: Most servers do not allow direct interaction between an application program and a keyboard/display attached to the server system.","::NATURE:ChildOf:CWE ID:695:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:695:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use AWT/Swing when writing EJBs.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  463. 576,"EJB Bad Practices: Use of Java I/O",Variant,Draft,"The program violates the Enterprise JavaBeans (EJB) specification by using the java.io package.","The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: An enterprise bean must not use the java.io package to attempt to access files and directories in the file system. The specification justifies this requirement in the following way: The file system APIs are not well-suited for business components to access data. Business components should use a resource manager API, such as JDBC, to store data.","::NATURE:ChildOf:CWE ID:695:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:695:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use Java I/O when writing EJBs.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  464. 577,"EJB Bad Practices: Use of Sockets",Variant,Draft,"The program violates the Enterprise JavaBeans (EJB) specification by using sockets.","The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast. The specification justifies this requirement in the following way: The EJB architecture allows an enterprise bean instance to be a network socket client, but it does not allow it to be a network server. Allowing the instance to become a network server would conflict with the basic function of the enterprise bean-- to serve the EJB clients.","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:573:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use Sockets when writing EJBs.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  465. 578,"EJB Bad Practices: Use of Class Loader",Variant,Draft,"The program violates the Enterprise JavaBeans (EJB) specification by using the class loader.","The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: The enterprise bean must not attempt to create a class loader; obtain the current class loader; set the context class loader; set security manager; create a new security manager; stop the JVM; or change the input, output, and error streams. The specification justifies this requirement in the following way: These functions are reserved for the EJB container. Allowing the enterprise bean to use these functions could compromise security and decrease the container's ability to properly manage the runtime environment.","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:573:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Varies by Context::","","::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use the Class Loader when writing EJBs.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  466. 579,"J2EE Bad Practices: Non-serializable Object Stored in Session",Variant,Draft,"The application stores a non-serializable object as an HttpSession attribute, which can hurt reliability.","A J2EE application can make use of multiple JVMs in order to improve application reliability and performance. In order to make the multiple JVMs appear as a single application to the end user, the J2EE container can replicate an HttpSession object across multiple JVMs so that if one JVM becomes unavailable another can step in and take its place without disrupting the flow of the application. This is only possible if all session data is serializable, allowing the session to be duplicated between the JVMs.","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:573:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:In order for session replication to work, the values the application stores as attributes in the session must implement the Serializable interface.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
  467. 58,"Path Equivalence: Windows 8.3 Filename",Variant,Incomplete,"The software contains a protection mechanism that restricts access to a long filename on a Windows operating system, but the software does not properly restrict access to the equivalent short 8.3 filename.","On later Windows operating systems, a file can have a long name and a short name that is compatible with older Windows file systems, with up to 8 characters in the filename and 3 characters for the extension. These 8.3 filenames, therefore, act as an alternate name for files with long names, so they are useful pathname equivalence manipulations.","::NATURE:ChildOf:CWE ID:41:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:41:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Windows:OPERATING SYSTEM PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Disable Windows from supporting 8.3 filenames by editing the Windows registry. Preventing 8.3 filenames will not remove previously generated 8.3 filenames.::","::REFERENCE:CVE-1999-0012:DESCRIPTION:Multiple web servers allow restriction bypass using 8.3 names instead of long names:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0012REFERENCE:CVE-2001-0795:DESCRIPTION:Source code disclosure using 8.3 file name.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0795REFERENCE:CVE-2005-0471:DESCRIPTION:Multi-Factor Vulnerability. 
Product generates temporary filenames using long filenames, which become predictable in 8.3 format.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0471","::File Processing","","TAXONOMY NAME:PLOVER:ENTRY NAME:Windows 8.3 Filename::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","TYPE:Research Gap:NOTE:Probably under-studied::",
  468. 580,"clone() Method Without super.clone()",Variant,Draft,"The software contains a clone() method that does not call super.clone() to obtain the new object.","All implementations of clone() should obtain the new object by calling super.clone(). If a class does not follow this convention, a subclass's clone() method will return an object of the wrong type.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:573:VIEW ID:1000::NATURE:ChildOf:CWE ID:573:VIEW ID:699::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Unexpected State Quality Degradation::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Call super.clone() within your clone() method, when obtaining a new object.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:In some cases, you can eliminate the clone method altogether and use copy constructors.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP28:ENTRY NAME:Unexpected access points::","","",
  469. 581,"Object Model Violation: Just One of Equals and Hashcode Defined",Base,Draft,"The software does not maintain equal hashcodes for equal objects.","Java objects are expected to obey a number of invariants related to equality. One of these invariants is that equal objects must have equal hashcodes. In other words, if a.equals(b) == true then a.hashCode() == b.hashCode().","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:697:VIEW ID:1000::NATURE:ChildOf:CWE ID:573:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Integrity Other Other If this invariant is not upheld, it is likely to cause trouble if objects of this class are stored in a collection. If the objects of the class in question are used as a key in a Hashtable or if they are inserted into a Map or Set, it is critical that equal objects have equal hashcodes.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Both Equals() and Hashcode() should be defined.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MET09-J:ENTRY NAME:Classes that define an equals() method must also define a hashCode() method::","","",
  470. 582,"Array Declared Public, Final, and Static",Variant,Draft,"The program declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.","Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is public, a malicious program can change the values stored in the array. As such, in most cases an array declared public, final and static is a bug.","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","::Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:In most situations the array should be made private.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:OBJ10-J:ENTRY NAME:Do not use public static nonfinal variables::","","",
  471. 583,"finalize() Method Declared Public",Variant,Incomplete,"The program violates secure coding principles for mobile code by declaring a finalize() method public.","A program should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke one of your finalize() methods because it is declared with public access.","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Alter Execution Logic Execute Unauthorized Code or Commands Modify Application Data::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If you are using finalize() as it was designed, there is no reason to declare finalize() with anything other than protected access.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MET12-J:ENTRY NAME:Do not use finalizers::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP28:ENTRY NAME:Unexpected access points::","","",
  472. 584,"Return Inside Finally Block",Base,Draft,"The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.","","::NATURE:ChildOf:CWE ID:705:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Alter Execution Logic::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use a return statement inside the finally block. The finally block should have cleanup code.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR04-J:ENTRY NAME:Do not complete abruptly from a finally block::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR05-J:ENTRY NAME:Do not let checked exceptions escape from a finally block::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP6:ENTRY NAME:Incorrect Exception Behavior::","","",
  473. 585,"Empty Synchronized Block",Variant,Draft,"The software contains an empty synchronized block.","An empty synchronized block does not actually accomplish any synchronization and may indicate a troubled section of code. An empty synchronized block can occur because code no longer needed within the synchronized block is commented out without removing the synchronized block.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Other Other An empty synchronized block will wait until nobody else is using the synchronizer being specified. While this may be part of the desired behavior, because you haven't protected the subsequent code by placing it inside the synchronized block, nothing is stopping somebody else from modifying whatever it was you were waiting for while you run the subsequent code.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When you come across an empty synchronized statement, or a synchronized statement in which the code has been commented out, try to determine what the original intentions were and whether or not the synchronized block is still necessary.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP21:ENTRY NAME:Multiple locks/unlocks::","","",
  474. 586,"Explicit Call to Finalize()",Variant,Draft,"The software makes an explicit call to the finalize() method from outside the finalizer.","While the Java Language Specification allows an object's finalize() method to be called from outside the finalizer, doing so is usually a bad idea. For example, calling finalize() explicitly means that finalize() will be called more than once: the first time will be the explicit call and the last time will be the call that is made after the object is garbage collected.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Unexpected State Quality Degradation::","","::PHASE:Implementation Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not make explicit calls to finalize(). Use static analysis tools to spot such instances.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MET12-J:ENTRY NAME:Do not use finalizers::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  475. 587,"Assignment of a Fixed Address to a Pointer",Base,Draft,"The software sets a pointer to a specific address other than NULL or 0.","Using a fixed address is not portable because that address will probably not be valid in all environments or platforms.","::NATURE:ChildOf:CWE ID:344:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:758:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined:::LANGUAGE CLASS:Assembly:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands If one executes code at a known location, an attacker might be able to inject code there beforehand.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart If the code is ported to another platform or environment, the pointer is likely to be invalid and cause a crash.::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Memory Modify Memory:NOTE:Confidentiality Integrity Read Memory Modify Memory The data at a known pointer location can be easily read or influenced by an attacker.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Never set a pointer to a fixed address.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT36-C:ENTRY NAME:Converting a pointer to integer or integer to pointer:MAPPING FIT:Imprecise::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
588,"Attempt to Access Child of a Non-structure Pointer",Variant,Incomplete,"Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.","","::NATURE:ChildOf:CWE ID:704:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:758:VIEW ID:1000::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory:NOTE:Integrity Modify Memory Adjacent variables in memory may be corrupted by assignments performed on fields after the cast.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart Execution may end due to a memory access error.::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:The choice could be made to use a language that is not susceptible to these issues.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Review of type casting operations can identify locations where incompatible types are cast.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP7:ENTRY NAME:Faulty Pointer Use::","","",
589,"Call to Non-ubiquitous API",Variant,Incomplete,"The software uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.","Some functions that offer security features supported by the OS are not available on all versions of the OS in common use. Likewise, functions are often deprecated or made obsolete for security reasons and should not be used.","::NATURE:ChildOf:CWE ID:474:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always test your code on any platform on which it is targeted to run on.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Test your code on the newest and oldest platform on which it is targeted to run on.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Develop a system to test for API functions that are not portable.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MET02-J:ENTRY NAME:Do not use deprecated or obsolete classes or methods::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SER00-J:ENTRY NAME:Maintain serialization compatibility during class evolution::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","::96::","",
59,"Improper Link Resolution Before File Access ('Link Following')",Base,Draft,"The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.","","::NATURE:ChildOf:CWE ID:706:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Windows:OPERATING SYSTEM PREVALENCE:Sometimes:::OPERATING SYSTEM CLASS:Unix:OPERATING SYSTEM PREVALENCE:Often::","::Soft links are a UNIX term that is synonymous with simple shortcuts on windows based platforms.::","::TERM:insecure temporary file:DESCRIPTION:Some people use the phrase insecure temporary file when referring to a link following weakness, but other weaknesses can produce insecure temporary files without any symlink involvement at all.::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Access Control:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories Bypass Protection Mechanism:NOTE:Confidentiality Integrity Access Control Read Files or Directories Modify Files or Directories Bypass Protection Mechanism An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.::SCOPE:Other:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Other Execute Unauthorized Code or Commands Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a .LNK file can be uploaded like a normal file. This can enable remote execution.::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.::","::REFERENCE:CVE-1999-1386:DESCRIPTION:Some versions of Perl follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1386REFERENCE:CVE-2000-1178:DESCRIPTION:Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1178REFERENCE:CVE-2004-0217:DESCRIPTION:Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0217REFERENCE:CVE-2003-0517:DESCRIPTION:Symlink attack allows local users to overwrite files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0517REFERENCE:CVE-2004-0689:DESCRIPTION:Window manager does not properly handle when certain symbolic links point to stale locations, which could allow local users to create or truncate arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0689REFERENCE:CVE-2005-1879:DESCRIPTION:Second-order symlink vulnerabilities:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1879REFERENCE:CVE-2005-1880:DESCRIPTION:Second-order symlink vulnerabilities:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1880REFERENCE:CVE-2005-1916:DESCRIPTION:Symlink in Python program:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1916REFERENCE:CVE-2000-0972:DESCRIPTION:Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0972REFERENCE:CVE-2005-0824:DESCRIPTION:Signal causes a dump that follows symlinks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0824REFERENCE:CVE-2001-1494:DESCRIPTION:Hard link attack, file overwrite; interesting because program checks against soft links:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1494REFERENCE:CVE-2002-0793:DESCRIPTION:Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0793REFERENCE:CVE-2003-0578:DESCRIPTION:Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0578REFERENCE:CVE-1999-0783:DESCRIPTION:Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0783REFERENCE:CVE-2004-1603:DESCRIPTION:Web hosting manager follows hard links, which allows local users to read or modify arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1603REFERENCE:CVE-2004-1901:DESCRIPTION:Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1901REFERENCE:CVE-2005-1111:DESCRIPTION:Hard link race condition:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1111REFERENCE:CVE-2000-0342:DESCRIPTION:Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka Stealth Attachment.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0342REFERENCE:CVE-2001-1042:DESCRIPTION:FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1042REFERENCE:CVE-2001-1043:DESCRIPTION:FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1043REFERENCE:CVE-2005-0587:DESCRIPTION:Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0587REFERENCE:CVE-2001-1386:DESCRIPTION:.LNK. - .LNK with trailing dot:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1386REFERENCE:CVE-2003-1233:DESCRIPTION:Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1233REFERENCE:CVE-2002-0725:DESCRIPTION:File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0725REFERENCE:CVE-2003-0844:DESCRIPTION:Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0844","::File Processing","File or Directory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Link Following::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO02-C:ENTRY NAME:Canonicalize path names originating from untrusted sources::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS01-C:ENTRY NAME:Check for the existence of links when dealing with files::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:FIO01-PL:ENTRY NAME:Do not operate on files that can be modified by untrusted users:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP18:ENTRY NAME:Link in resource name resolution::","::132::17::35::76::","TYPE:Relationship:NOTE:Link following vulnerabilities are Multi-factor Vulnerabilities (MFV). They are the combination of multiple elements: file or directory permissions, filename predictability, race conditions, and in some cases, a design limitation in which there is no mechanism for performing atomic file creation operations. Some potential factors are race conditions, permissions, and predictability.::::TYPE:Research Gap:NOTE:UNIX hard links, and Windows hard/soft links are under-studied and under-reported.::",
590,"Free of Memory not on the Heap",Variant,Incomplete,"The application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().","When free() is called on an invalid pointer, the program's memory management data structures may become corrupted. This corruption can cause the program to crash or, in some circumstances, an attacker may be able to cause free() to operate on controllable memory locations to modify critical program variables or execute code.","::NATURE:ChildOf:CWE ID:762:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:123:VIEW ID:1000::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Modify Memory:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Modify Memory There is the potential for arbitrary code execution with privileges of the vulnerable program via a write, what where primitive. If pointers to memory which hold user information are freed, a malicious user will be able to write 4 bytes anywhere in memory.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Only free pointers that you have called malloc on previously. This is the recommended solution. Keep track of which pointers point at the beginning of valid chunks and free them only once.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Before freeing a pointer, the programmer should make sure that the pointer was previously allocated on the heap and that the memory belongs to the programmer. Freeing an unallocated pointer will cause undefined behavior in the program.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, glibc in Linux provides protection against free of invalid pointers.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a language that provides abstractions for memory allocation and deallocation.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a tool that dynamically detects memory management problems, such as valgrind.::","","","Memory::","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM34-C:ENTRY NAME:Only free memory allocated dynamically:MAPPING FIT:Exact::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:WIN30-C:ENTRY NAME:Properly pair allocation and deallocation functions:MAPPING FIT:Imprecise::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP12:ENTRY NAME:Faulty Memory Release::","","TYPE:Maintenance:NOTE:In C++, if the new operator was used to allocate the memory, it may be allocated with the malloc(), calloc() or realloc() family of functions in the implementation. Someone aware of this behavior might choose to map this problem to CWE-590 or to its parent, CWE-762, depending on their perspective.::",
591,"Sensitive Data Storage in Improperly Locked Memory",Variant,Draft,"The application stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.","On Windows systems the VirtualLock function can lock a page of memory to ensure that it will remain present in memory and not be swapped to disk. However, on older versions of Windows, such as 95, 98, or Me, the VirtualLock() function is only a stub and provides no protection. On POSIX systems the mlock() call ensures that a page will stay resident in memory but does not guarantee that the page will not appear in the swap. Therefore, it is unsuitable for use as a protection mechanism for sensitive data. Some platforms, in particular Linux, do make the guarantee that the page will not be swapped, but this is non-standard and is not portable. Calls to mlock() also require supervisor privilege. Return values for both of these calls must be checked to ensure that the lock operation was actually successful.","::NATURE:ChildOf:CWE ID:413:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:413:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data Read Memory:NOTE:Confidentiality Read Application Data Read Memory Sensitive data that is written to a swap file may be exposed.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Identify data that needs to be protected from swapping and choose platform-appropriate protection mechanisms.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Check return values to ensure locking operations are successful.::","","","Memory::","TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A8:ENTRY NAME:Insecure Storage:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM06-C:ENTRY NAME:Ensure that sensitive data is not written out to disk::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
593,"Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created",Variant,Draft,"The software modifies the SSL context after connection creation has begun.","If the program modifies the SSL_CTX object after creating SSL objects from it, there is the possibility that older SSL objects created from the original context could all be affected by that change.","::NATURE:ChildOf:CWE ID:666:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:1000::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism No authentication takes place in this process, bypassing an assumed protection of encryption.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data The encrypted communication between a user and a trusted host may be subject to a man in the middle sniffing attack.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a language or a library that provides a cryptography framework at a higher level of abstraction.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Most SSL_CTX functions have SSL counterparts that act on SSL-type objects.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Applications should set up an SSL_CTX completely, before creating SSL objects from it.::","","","","","::94::","",
594,"J2EE Framework: Saving Unserializable Objects to Disk",Variant,Incomplete,"When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.","In heavy load conditions, most J2EE application frameworks flush objects to disk to manage memory requirements of incoming requests. For example, session scoped objects, and even application scoped objects, are written to disk when required. While these application frameworks do the real work of writing objects to disk, they do not enforce that those objects be serializable, thus leaving the web application vulnerable to crashes induced by serialization failure. An attacker may be able to mount a denial of service attack by sending enough requests to the server to force the web application to save objects to disk.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data Data represented by unserializable objects can be corrupted.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart Non-serializability of objects can lead to system crash.::","","::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:All objects that become part of session and application scope must implement the java.io.Serializable interface to ensure serializability of containing objects.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
595,"Comparison of Object References Instead of Object Contents",Variant,Incomplete,"The program compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.","For example, in Java, comparing objects using == usually produces deceptive results, since the == operator compares object references rather than values; often, this means that using == for strings is actually comparing the strings' references, not their values.","::NATURE:ChildOf:CWE ID:1025:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:JavaScript:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context:NOTE:Other Varies by Context This weakness can lead to erroneous results that can cause unexpected application behaviors.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:In Java, use the equals() method to compare objects instead of the == operator. If using ==, it is important for performance reasons that your objects are created by a static factory, not by a constructor.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:EXP02-J:ENTRY NAME:Use the two-argument Arrays.equals() method to compare the contents of arrays::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:EXP02-J:ENTRY NAME:Use the two-argument Arrays.equals() method to compare the contents of arrays::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:EXP03-J:ENTRY NAME:Do not use the equality operators when comparing values of boxed primitives::","","",
597,"Use of Wrong Operator in String Comparison",Variant,Draft,"The product uses the wrong operator when comparing a string, such as using == when the equals() method should be used instead.","In Java, using == or != to compare two strings for equality actually compares two objects for equality, not their values. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality is used for a security decision, it could be leveraged to affect program security.","::NATURE:ChildOf:CWE ID:595:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:595:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:480:VIEW ID:1000::NATURE:ChildOf:CWE ID:480:VIEW ID:699::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS:High:DESCRIPTION:Use equals() to compare strings.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:EXP03-J:ENTRY NAME:Do not use the equality operators when comparing values of boxed primitives::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:EXP03-J:ENTRY NAME:Do not use the equality operators when comparing values of boxed primitives::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:EXP35-PL:ENTRY NAME:Use the correct operator type for comparing values:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
598,"Information Exposure Through Query Strings in GET Request",Variant,Draft,"The web application uses the GET method to process requests that contain sensitive information, which can expose that information through the browser's history, Referers, web logs, and other sources.","","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulnerabilities could lead to an attacker impersonating a legitimate user, obtaining proprietary data, or simply executing actions not intended by the application developers.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When sensitive information is sent, use of the POST method is recommended (e.g. registration form).::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
599,"Missing Validation of OpenSSL Certificate",Variant,Incomplete,"The software uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.","This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated.","::NATURE:ChildOf:CWE ID:295:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:295:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data The data read may not be properly secured, it might be viewed by an attacker.::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity Trust afforded to the system in question may allow for spoofing or redirection attacks.::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity If the certificate is not checked, it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data under the guise of a trusted host. While the attacker in question may have a valid certificate, it may simply be a valid certificate for a different site. In order to ensure data integrity, we must check that the certificate is valid, and that it pertains to the site we wish to access.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that proper authentication is included in the system design.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications.::","","","","","","TYPE:Relationship:NOTE:CWE-295 and CWE-599 are very similar, although CWE-599 has a more narrow scope that is only applied to OpenSSL certificates. As a result, other children of CWE-295 can be regarded as children of CWE-599 as well. CWE's use of one-dimensional hierarchical relationships is not well-suited to handle different kinds of abstraction relationships based on concepts like types of resources (OpenSSL certificate as a child of any certificate) and types of behaviors (not validating expiration as a child of improper validation).::",
6,"J2EE Misconfiguration: Insufficient Session-ID Length",Variant,Incomplete,"The J2EE application is configured to use an insufficient session ID length.","If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.","::NATURE:ChildOf:CWE ID:334:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","::Session ID's can be used to identify communicating parties in a web environment. The expected number of seconds required to guess a valid session identifier is given by the equation: (2^B+1)/(2*A*S) Where: - B is the number of bits of entropy in the session identifier. - A is the number of guesses an attacker can try each second. - S is the number of valid session identifiers that are valid and available to be guessed at any given time. The number of bits of entropy in the session identifier is always less than the total number of bits in the session identifier. For example, if session identifiers were provided in ascending order, there would be close to zero bits of entropy in the session identifier no matter the identifier's length. Assuming that the session identifiers are being generated using a good source of random numbers, we will estimate the number of bits of entropy in a session identifier to be half the total number of bits in the session identifier. For realistic identifier lengths this is possible, though perhaps optimistic.::","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity If an attacker can guess an authenticated user's session identifier, they can take over the user's session.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Session identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:A lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. For a large web site, assume that the attacker can try 1,000 guesses per second and that there are 10,000 valid session identifiers at any given moment. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is less than 4 minutes. Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, an attacker might try 10,000 guesses per second with 100,000 valid session identifiers available to be guessed. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is greater than 292 years.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:J2EE Misconfiguration: Insufficient Session-ID Length::","::21::59::","",
600,"Uncaught Exception in Servlet ",Base,Draft,"The Servlet does not catch all exceptions, which may reveal sensitive debugging information.","When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.","::NATURE:ChildOf:CWE ID:248:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:209:VIEW ID:1000::NATURE:PeerOf:CWE ID:390:VIEW ID:1000::","","","","::TERM:Missing Catch Block:DESCRIPTION:::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Read Application Data DoS: Crash, Exit, or Restart::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Implement Exception blocks to handle all types of Exceptions.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR01-J:ENTRY NAME:Do not allow exceptions to expose sensitive information::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::","","TYPE:Maintenance:NOTE:The Missing Catch Block concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.::",
601,"URL Redirection to Untrusted Site ('Open Redirect')",Variant,Draft,"A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.","An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.","::NATURE:ChildOf:CWE ID:610:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Web Based:PARADIGN PREVALENCE:Undetermined::","::Phishing is a general term for deceptive attempts to coerce private information from users that will be used for identity theft.::","::TERM:Open Redirect:DESCRIPTION:::TERM:Cross-site Redirect:DESCRIPTION:::TERM:Cross-domain Redirect:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine. 
This will expose the user to extensive risk and the user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.::SCOPE:Access Control:SCOPE:Confidentiality:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity Other:NOTE:Access Control Confidentiality Other Bypass Protection Mechanism Gain Privileges or Assume Identity Other The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user's credentials and then use these credentials to access the legitimate web site.::","::METHOD:Manual Static Analysis:EFFECTIVENESS:High:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.::METHOD:Automated Static Analysis:EFFECTIVENESS::DESCRIPTION:Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.::METHOD:Other:EFFECTIVENESS::DESCRIPTION:Whether this issue poses a vulnerability will be subject to the intended behavior of the application. 
For example, a search engine might intentionally provide redirects to arbitrary URLs.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. 
Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. Use a whitelist of approved URLs or domains to be used for redirection.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.::PHASE:Architecture and Design:STRATEGY:Enforcement by Conversion:EFFECTIVENESS::DESCRIPTION:When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to /login.asp and ID 2 could map to http://www.example.com/. 
Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).::PHASE:Architecture and Design Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.::PHASE:Operation:STRATEGY:Firewall:EFFECTIVENESS:Moderate:DESCRIPTION:Use an application firewall that can detect attacks against this weakness. 
It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.::","::REFERENCE:CVE-2005-4206:DESCRIPTION:URL parameter loads the URL into a frame and causes it to appear to be part of a valid page.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4206REFERENCE:CVE-2008-2951:DESCRIPTION:An open redirect vulnerability in the search script in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL as a parameter to the proper function.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2951REFERENCE:CVE-2008-2052:DESCRIPTION:Open redirect vulnerability in the software allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the proper parameter.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2052","","","TAXONOMY NAME:WASC:ENTRY ID:38:ENTRY NAME:URl Redirector Abuse::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::194::","",
602,"Client-Side Enforcement of Server-Side Security",Base,Draft,"The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.","When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.","::NATURE:ChildOf:CWE ID:669:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:693:VIEW ID:1000::NATURE:CanPrecede:CWE ID:471:VIEW ID:1000::NATURE:PeerOf:CWE ID:290:VIEW ID:1000::NATURE:PeerOf:CWE ID:300:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Client Server:PARADIGN PREVALENCE:Sometimes::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Availability:TECHNICAL IMPACT:Bypass Protection Mechanism DoS: Crash, Exit, or Restart:NOTE:Access Control Availability Bypass Protection Mechanism DoS: Crash, Exit, or Restart Client-side validation checks can be easily bypassed, allowing malformed or unexpected input to pass into the application, potentially as trusted data. This may lead to unexpected states, behaviors and possibly a resulting crash.::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity Client-side checks for authentication can be easily bypassed, allowing clients to escalate their access levels and perform unintended actions.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side. 
Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:If some degree of trust is required between the two entities, then use integrity checking and strong authentication to ensure that the inputs are coming from a trusted source. Design the product so that this trust is managed in a centralized fashion, especially if there are complex or numerous communication channels, in order to reduce the risks that the implementer will mistakenly omit a check in a single code path.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. 
This is especially the case with weaknesses that are related to design and business rules.::","::REFERENCE:CVE-2006-6994:DESCRIPTION:ASP program allows upload of .asp files by bypassing client-side checks.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6994REFERENCE:CVE-2007-0163:DESCRIPTION:steganography products embed password information in the carrier file, which can be extracted from a modified client.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0163REFERENCE:CVE-2007-0164:DESCRIPTION:steganography products embed password information in the carrier file, which can be extracted from a modified client.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0164REFERENCE:CVE-2007-0100:DESCRIPTION:client allows server to modify client's configuration and overwrite arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0100","","","TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A1:ENTRY NAME:Unvalidated Input:MAPPING FIT:CWE More Specific::","::122::162::202::207::208::21::31::383::384::385::386::387::388::389::","TYPE:Research Gap:NOTE:Server-side enforcement of client-side security is conceptually likely to occur, but some architectures might have these strong dependencies as part of legitimate behavior, such as thin clients.::",
603,"Use of Client-Side Authentication",Base,Draft,"A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.","Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.","::NATURE:ChildOf:CWE ID:602:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:1000::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:300:VIEW ID:1000::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not rely on client side data. Always perform server side authentication.::","::REFERENCE:CVE-2006-0230:DESCRIPTION:Client-side check for a password allows access to a server using crafted XML requests from a modified client.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0230","","","","","TYPE:Maintenance:NOTE:Note that there is a close relationship between this weakness and CWE-656 (Reliance on Security through Obscurity). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.::",
605,"Multiple Binds to the Same Port",Base,Draft,"When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.","On most systems, a combination of setting the SO_REUSEADDR socket option, and a call to bind() allows any process to bind to a port to which a previous process has bound with INADDR_ANY. This allows a user to bind to the specific address of a server bound to INADDR_ANY on an unprivileged port, and steal its UDP packets/TCP connection.","::NATURE:ChildOf:CWE ID:675:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:666:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Integrity Read Application Data Packets from a variety of network services may be stolen or the services spoofed.::","","::PHASE:Policy:STRATEGY::EFFECTIVENESS::DESCRIPTION:Restrict server socket address to known local addresses.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP32:ENTRY NAME:Multiple binds to the same port::","","",
606,"Unchecked Input for Loop Condition",Base,Draft,"The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service because of excessive looping.","","::NATURE:ChildOf:CWE ID:20:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:834:VIEW ID:1000::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU)::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use user-controlled data for loop conditions.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform input validation.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP25:ENTRY NAME:Tainted input to variable::","","",
607,"Public Static Final Field References Mutable Object",Variant,Draft,"A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.","","::NATURE:ChildOf:CWE ID:471:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:471:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Protect mutable objects by making them private. Restrict access to the getter and setter as well.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","",
608,"Struts: Non-private Field in ActionForm Class",Variant,Draft,"An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.","","::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Modify Application Data Read Application Data::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make all fields private. Use getter to get the value of the field. Setter should be used only by the framework; setting an action form field from other actions is bad practice and should be avoided.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP28:ENTRY NAME:Unexpected access points::","","",
609,"Double-Checked Locking",Base,Draft,"The program uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.","Double-checked locking refers to the situation where a programmer checks to see if a resource has been initialized, grabs a lock, checks again to see if the resource has been initialized, and then performs the initialization if it has not occurred yet. This should not be done, as it is not guaranteed to work in all languages and on all architectures. In summary, other threads may not be operating inside the synchronous block and are not guaranteed to see the operations execute in the same order as they would appear inside the synchronous block.","::NATURE:ChildOf:CWE ID:667:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:367:VIEW ID:1000::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Modify Application Data Alter Execution Logic::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:While double-checked locking can be achieved in some languages, it is inherently flawed in Java before 1.5, and cannot be achieved without compromising platform independence. Before Java 1.5, only use of the synchronized keyword is known to work. Beginning in Java 1.5, use of the volatile keyword allows double-checked locking to work successfully, although there is some debate as to whether it achieves sufficient performance gains. See references.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:LCK10-J:ENTRY NAME:Do not use incorrect forms of the double-checked locking idiom::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP19:ENTRY NAME:Missing Lock::","","",
61,"UNIX Symbolic Link (Symlink) Following",Compound,Incomplete,"The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.","A software system that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.","::NATURE:ChildOf:CWE ID:59:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:59:VIEW ID:699:ORDINAL:Primary::NATURE:Requires:CWE ID:362:VIEW ID:1000::NATURE:Requires:CWE ID:340:VIEW ID:1000::NATURE:Requires:CWE ID:216:VIEW ID:1000::NATURE:Requires:CWE ID:386:VIEW ID:1000::NATURE:Requires:CWE ID:732:VIEW ID:1000::","::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Symlink following:DESCRIPTION:::TERM:symlink vulnerability:DESCRIPTION:::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program so as to prevent attackers from manipulating the files.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. 
Ensure good compartmentalization in the system to provide protected areas that can be trusted.::","::REFERENCE:CVE-1999-1386:DESCRIPTION:Some versions of Perl follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1386REFERENCE:CVE-2000-1178:DESCRIPTION:Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1178REFERENCE:CVE-2004-0217:DESCRIPTION:Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0217REFERENCE:CVE-2003-0517:DESCRIPTION:Symlink attack allows local users to overwrite files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0517REFERENCE:CVE-2004-0689:DESCRIPTION:Possible interesting example:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0689REFERENCE:CVE-2005-1879:DESCRIPTION:Second-order symlink vulnerabilities:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1879REFERENCE:CVE-2005-1880:DESCRIPTION:Second-order symlink vulnerabilities:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1880REFERENCE:CVE-2005-1916:DESCRIPTION:Symlink in Python program:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1916REFERENCE:CVE-2000-0972:DESCRIPTION:Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0972REFERENCE:CVE-2005-0824:DESCRIPTION:Signal causes a dump that follows symlinks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0824","","","TAXONOMY NAME:PLOVER:ENTRY NAME:UNIX symbolic link 
following::","::27::","TYPE:Research Gap:NOTE:Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported. Second-order symlink vulnerabilities may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used. Reference: [Christey2005]::",
610,"Externally Controlled Reference to a Resource in Another Sphere",Class,Draft,"The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.","","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:664:VIEW ID:1003:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data::","","","","","","","::219::","TYPE:Relationship:NOTE:This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will follow a symbolic link and use the link's target instead.::::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",
611,"Improper Restriction of XML External Entity Reference ('XXE')",Variant,Draft,"The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.","XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. The XML parser can access the contents of this URI and embed these contents back into the XML document for further processing. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. For example, a URI such as file:///c:/winnt/win.ini designates (in Windows) the file C:\Winnt\win.ini, or file:///etc/passwd designates the password file in Unix-based systems. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. 
in an error message), thereby exposing the file contents.","::NATURE:ChildOf:CWE ID:610:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:610:VIEW ID:1003:ORDINAL:Primary::NATURE:PeerOf:CWE ID:441:VIEW ID:1000::","","::LANGUAGE NAME:XML:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Web Based:PARADIGN PREVALENCE:Undetermined::","","::TERM:XXE:DESCRIPTION:XXE is an acronym used for the term XML eXternal Entities::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data Read Files or Directories:NOTE:Confidentiality Read Application Data Read Files or Directories If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system.::SCOPE:Integrity:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Integrity Bypass Protection Mechanism The DTD may include arbitrary HTTP requests that the server may execute. This could lead to other attacks leveraging the server's trust relationship with other entities.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory):NOTE:Availability DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) The software could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. 
Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.::","","::PHASE:Implementation System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Many XML parsers and validators can be configured to disable external entity expansion.::","::REFERENCE:CVE-2005-1306:DESCRIPTION:A browser control can allow remote attackers to determine the existence of files via Javascript containing XML script.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1306REFERENCE:CVE-2012-5656:DESCRIPTION:XXE during SVG image conversion:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5656REFERENCE:CVE-2012-2239:DESCRIPTION:XXE in PHP application allows reading the application's configuration file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2239REFERENCE:CVE-2012-3489:DESCRIPTION:XXE in database server:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3489REFERENCE:CVE-2012-4399:DESCRIPTION:XXE in rapid web application development framework allows reading arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4399REFERENCE:CVE-2012-3363:DESCRIPTION:XXE via XML-RPC request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363REFERENCE:CVE-2012-0037:DESCRIPTION:XXE in office document product using RDF.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0037REFERENCE:CVE-2011-4107:DESCRIPTION:XXE in web-based administration tool for database.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4107REFERENCE:CVE-2010-3322:DESCRIPTION:XXE in product that performs large-scale data analysis.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3322REFERENCE:CVE-2009-1699:DESCRIPTION:XXE in XSL stylesheet functionality in a common library used by some web browsers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1699","","","TAXONOMY NAME:WASC:ENTRY ID:43:ENTRY NAME:XML External Entities::::TAXONOMY 
NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",
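The CWE-611 entry above describes the mechanism in prose: a DTD declares an entity whose URI names a local file, and the parser's entity resolver hands the file contents back into the document. The following is an added example (not from the CWE entry or from MITRE) that shows that mechanism end to end with the standard-library expat parser, which invokes a callback for every external entity reference: one callback resolves file:// URIs as a vulnerable application would, the other refuses. The "secret" file, the attacker document and the names parse_untrusted, has_doctype and SECRET_PATH are all constructed for the example.

```python
"""XXE with the standard-library expat parser: a resolver that follows
file:// URIs beside one that refuses all external entities."""
import tempfile
from xml.parsers.expat import ExpatError, ParserCreate

# Constructed stand-in for a sensitive local file (/etc/passwd, win.ini, ...).
_tmp = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
_tmp.write("db_password=hunter2\n")
_tmp.close()
SECRET_PATH = _tmp.name

# Constructed attacker document: the internal DTD subset declares an external
# general entity whose system identifier is a local file, then expands it.
ATTACKER_XML = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE note [\n"
    f'  <!ENTITY xxe SYSTEM "file://{SECRET_PATH}">\n'
    "]>\n"
    "<note>&xxe;</note>"
).encode()


def parse_untrusted(xml_bytes: bytes, resolve_external: bool) -> str:
    """Return the character data of the document.

    resolve_external=True reproduces the weakness: whatever the entity's URI
    names is read and parsed into the document.  resolve_external=False is
    the hardened behaviour: every external entity reference is rejected, and
    expat aborts the parse with ExpatError before anything is read."""
    parser = ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def on_external_entity(context, base, system_id, public_id):
        if not resolve_external:
            return 0  # expat turns a 0 return into XML_ERROR_EXTERNAL_ENTITY_HANDLING
        # Vulnerable resolver: trust the attacker-supplied URI and open it.
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            data = fh.read()
        # The child parser shares the parent's handlers, so the file's bytes
        # land in `chunks` exactly as if they had been written in the document.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(data, True)
        return 1

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def has_doctype(xml_bytes: bytes) -> bool:
    """Cheap pre-parse gate: untrusted input that carries a DTD at all is
    rejected before it reaches any parser, whatever that parser's defaults."""
    return b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes


def demo():
    """Returns (text leaked by the vulnerable parse, whether the hardened
    parse refused the document)."""
    leaked = parse_untrusted(ATTACKER_XML, resolve_external=True)
    try:
        parse_untrusted(ATTACKER_XML, resolve_external=False)
        blocked = False
    except ExpatError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser leaked:", leaked.strip())
    print("hardened parser refused the document:", blocked)
```

Two things the example makes concrete: the parser itself never reads a file, the application's resolver does, which is why the entry's mitigation ("disable external entity expansion") is a configuration of the resolver rather than of the XML syntax; and the DOCTYPE gate in has_doctype is the defence that does not depend on remembering the right parser flag, at the cost of rejecting legitimate documents that carry a DTD.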
  500. 612,"Information Exposure Through Indexing of Private Data",Variant,Draft,"The product performs an indexing routine against private documents, but does not sufficiently verify that the actors who can access the index also have the privileges to access the private documents.","When an indexing routine is applied against a group of private documents, and that index's results are available to outsiders who do not have access to those documents, then outsiders might be able to obtain sensitive information by conducting targeted searches. The risk is especially dangerous if search results include surrounding text that was not part of the search query. This issue can appear in search engines that are not configured (or implemented) to ignore critical files that should remain hidden; even without permissions to download these files directly, the remote user could read them.","::NATURE:ChildOf:CWE ID:200:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:200:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","","","","","TAXONOMY NAME:WASC:ENTRY ID:48:ENTRY NAME:Insecure Indexing::","","TYPE:Research Gap:NOTE:This weakness is probably under-studied and under-reported::",
  501. 613,"Insufficient Session Expiration",Base,Incomplete,"According to WASC, Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.","","::NATURE:ChildOf:CWE ID:672:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:287:VIEW ID:1000::NATURE:CanPrecede:CWE ID:287:VIEW ID:699::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Set sessions/credentials expiration date.::","","","","TAXONOMY NAME:WASC:ENTRY ID:47:ENTRY NAME:Insufficient Session Expiration::","","TYPE:Other:NOTE:The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.::",
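The CWE-613 entry leaves the mitigation at "set sessions/credentials expiration date". As an added example (not from the CWE entry or any product), the following server-side session store enforces both an idle timeout and an absolute lifetime, invalidates on logout, and rotates IDs, so that a sniffed or replayed session ID stops working on its own. The class and function names, the two timeout values and the FakeClock used to exercise expiry without sleeping are all illustrative choices.

```python
"""Session store with idle timeout, absolute lifetime, logout and rotation."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds without activity before the session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap from login, however active the user is


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry is testable without sleeping
        self._sessions = {}

    def create(self, user: str) -> str:
        now = self._clock()
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: str):
        """Return the user of a live session, or None.  An expired session is
        deleted on the spot so the ID cannot be revived by a later request."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        """Server-side invalidation.  Clearing the browser cookie alone leaves
        the ID valid for anyone who captured it."""
        self._sessions.pop(sid, None)

    def rotate(self, sid: str):
        """Issue a new ID for the same user and retire the old one (do this on
        login and on privilege change); returns the new ID or None."""
        user = self.lookup(sid)
        if user is None:
            return None
        self.logout(sid)
        return self.create(user)


class FakeClock:
    """Constructed clock so the demo can advance time deterministically."""
    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(clock)
    results = {}

    sid = store.create("alice")
    clock.t += 10 * 60
    results["active_after_10m"] = store.lookup(sid)   # "alice": inside idle window
    clock.t += 16 * 60
    results["after_16m_idle"] = store.lookup(sid)     # None: idle timeout hit

    sid2 = store.create("alice")
    for _ in range(60):                               # stays active every 10 min
        clock.t += 10 * 60
        store.lookup(sid2)
    results["after_10h_active"] = store.lookup(sid2)  # None: absolute lifetime hit

    sid3 = store.create("bob")
    store.logout(sid3)
    results["after_logout"] = store.lookup(sid3)      # None: replay after logout fails
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The absolute lifetime is what limits the "shared computer" scenario in the entry's note: a browser left logged in is cut off after the cap even if something keeps touching the session. Rotation narrows the window for a sniffed ID further, since the captured value is retired as soon as the legitimate user's next login or privilege change issues a new one.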
  502. 614,"Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",Variant,Draft,"The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.","","::NATURE:ChildOf:CWE ID:311:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:311:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always set the Secure attribute when the cookie should be sent via HTTPS only.::","::REFERENCE:CVE-2004-0462:DESCRIPTION:A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0462REFERENCE:CVE-2008-3663:DESCRIPTION:A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3663REFERENCE:CVE-2008-3662:DESCRIPTION:A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3662REFERENCE:CVE-2008-0128:DESCRIPTION:A product does not set the secure flag for a cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128","","","","::102::","",
  503. 615,"Information Exposure Through Comments",Variant,Incomplete,"While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.","An attacker who finds these comments can map the application's structure and files, expose hidden parts of the site, and study the fragments of code to reverse engineer the application, which may help develop further attacks against the site.","::NATURE:ChildOf:CWE ID:540:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:540:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::","","::PHASE:Distribution:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove comments which have sensitive information about the design/implementation of the application. Some of the comments may be exposed to the user and affect the security posture of the application.::","::REFERENCE:CVE-2007-6197:DESCRIPTION:Version numbers and internal hostnames leaked in HTML comments.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6197REFERENCE:CVE-2007-4072:DESCRIPTION:CMS places full pathname of server in HTML comment.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4072REFERENCE:CVE-2009-2431:DESCRIPTION:blog software leaks real username in HTML comment.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2431","","","","","",
  504. 616,"Incomplete Identification of Uploaded File Variables (PHP)",Variant,Incomplete,"The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.","These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables. This could be used to read or process arbitrary files by providing values such as /etc/passwd.","::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:473:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use PHP 4 or later.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:If you must support older PHP versions, write your own version of is_uploaded_file() and run it against $HTTP_POST_FILES['userfile'].::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:For later PHP versions, reference uploaded files using the $HTTP_POST_FILES or $_FILES variables, and use is_uploaded_file() or move_uploaded_file() to ensure that you are dealing with an uploaded file.::","::REFERENCE:CVE-2002-1460:DESCRIPTION:Forum does not properly verify whether a file was uploaded or if the associated variables were set by POST, allowing remote attackers to read arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1460REFERENCE:CVE-2002-1759:DESCRIPTION:Product doesn't check if the variables for an upload were set by uploading the file, or other methods such as $_POST.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1759REFERENCE:CVE-2002-1710:DESCRIPTION:Product does not distinguish uploaded file from other files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1710","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Incomplete Identification of Uploaded File Variables (PHP)::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP25:ENTRY NAME:Tainted input to variable::","","",
  505. 617,"Reachable Assertion",Variant,Draft,"The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.","While assertions are good for catching logic errors and reducing the chances of reaching more serious vulnerability conditions, they can still lead to a denial of service. For example, if a server handles multiple simultaneous connections, and an assert() occurs in a single connection that causes all other connections to be dropped, this is a reachable assertion that leads to a denial of service.","::NATURE:ChildOf:CWE ID:670:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart An attacker that can trigger an assert statement can still lead to a denial of service if the relevant code can be triggered by an attacker, and if the scope of the assert() extends beyond the attacker's own session.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make sensitive operations (e.g. opening or closing resources) unreachable by directly user-controlled data.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Perform input validation on user data.::","::REFERENCE:CVE-2006-6767:DESCRIPTION:FTP server allows remote attackers to cause a denial of service (daemon abort) via crafted commands which trigger an assertion failure.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6767REFERENCE:CVE-2006-6811:DESCRIPTION:Chat client allows remote attackers to cause a denial of service (crash) via a long message string when connecting to a server, which causes an assertion failure.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6811REFERENCE:CVE-2006-5779:DESCRIPTION:Product allows remote attackers to cause a denial of service (daemon crash) via LDAP BIND requests with long authcid names, which triggers an assertion failure.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5779REFERENCE:CVE-2006-4095:DESCRIPTION:Product allows remote attackers to cause a denial of service (crash) via certain queries, which cause an assertion failure.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4095REFERENCE:CVE-2006-4574:DESCRIPTION:Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4574","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MET01-J:ENTRY NAME:Never use assertions to validate method arguments::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","",
  506. 618,"Exposed Unsafe ActiveX Method",Base,Incomplete,"An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. the zone or domain).","ActiveX controls can exercise far greater control over the operating system than typical Java or JavaScript. Exposed methods can be subject to various vulnerabilities, depending on the implemented behaviors of those methods, and whether input validation is performed on the provided arguments. If there is no integrity checking or origin validation, such a method could be invoked by attackers.","::NATURE:ChildOf:CWE ID:749:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If you must expose a method, make sure to perform input validation on all arguments, and protect against all possible vulnerabilities.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use code signing, although this does not protect against any weaknesses that are already in the control.::PHASE:Architecture and Design System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Where possible, avoid marking the control as safe for scripting.::","::REFERENCE:CVE-2007-1120:DESCRIPTION:download a file to arbitrary folders.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1120REFERENCE:CVE-2006-6838:DESCRIPTION:control downloads and executes a url in a parameter:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6838REFERENCE:CVE-2007-0321:DESCRIPTION:resultant buffer overflow:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0321","","","","","",
  507. 619,"Dangling Database Cursor ('Cursor Injection')",Base,Incomplete,"If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor dangling.","For example, an improper dangling cursor could arise from unhandled exceptions. The impact of the issue depends on the cursor's role, but SQL injection attacks are commonly possible.","::NATURE:ChildOf:CWE ID:402:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:402:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:This could be primary when the programmer never attempts to close the cursor when finished with it.::ORDINALITY:Resultant:DESCRIPTION:::","::LANGUAGE NAME:SQL:LANGUAGE PREVALENCE:Undetermined::","::A cursor is a feature in Oracle PL/SQL and other languages that provides a handle for executing and accessing the results of SQL queries.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Close cursors immediately after access to them is complete. Ensure that you close cursors if exceptions occur.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
  508. 62,"UNIX Hard Link",Variant,Incomplete,"The software, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.","Failure of a system to check for hard links can result in vulnerability to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. /etc/passwd). When the process opens the file, the attacker can assume the privileges of that process.","::NATURE:ChildOf:CWE ID:59:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:59:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Unix:OPERATING SYSTEM PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.::","::REFERENCE:CVE-2001-1494:DESCRIPTION:Hard link attack, file overwrite; interesting because program checks against soft links:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1494REFERENCE:CVE-2002-0793:DESCRIPTION:Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0793REFERENCE:CVE-2003-0578:DESCRIPTION:Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0578REFERENCE:CVE-1999-0783:DESCRIPTION:Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0783REFERENCE:CVE-2004-1603:DESCRIPTION:Web hosting manager follows hard links, which allows local users to read or modify arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1603REFERENCE:CVE-2004-1901:DESCRIPTION:Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1901REFERENCE:CVE-2005-0342:DESCRIPTION:The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0342REFERENCE:CVE-2005-1111:DESCRIPTION:Hard link race condition:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1111REFERENCE:BUGTRAQ:20030203 ASA-0001:DESCRIPTION:OpenBSD chpass/chfn/chsh file content leak:LINK:http://www.securityfocus.com/archive/1/309962","","","TAXONOMY NAME:PLOVER:ENTRY NAME:UNIX hard link::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO05-C:ENTRY NAME:Identify files using multiple file attributes::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP18:ENTRY NAME:Link in resource name resolution::","","TYPE:Research Gap:NOTE:Under-studied. It is likely that programs that check for symbolic links could be vulnerable to hard links.::",
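The CWE-62 entry and its research-gap note point out that a symlink check does not catch hard links (CVE-2001-1494 is the cited case). As an added example (not from the CWE entry, and the referenced CERT FIO05-C rule is only the inspiration), the following opens the file first and then inspects the open descriptor with fstat, refusing anything that is not a regular file with exactly one name, or that is owned by someone else. Checking the descriptor rather than the path is what closes the check-then-use race. The temp directory, the "sensitive" file, the spool directory and the names open_checked and read_checked are constructed for the example; O_NOFOLLOW handles the symlink case, st_nlink the hard-link case.

```python
"""Refuse to operate on a file that is a hard link (or symlink) to something
else: open without following symlinks, then verify the open descriptor."""
import os
import stat
import tempfile


class UnsafeFile(Exception):
    pass


def open_checked(path: str, expected_uid=None) -> int:
    """Open `path` read-only without following a symlink at the final
    component, then verify on the descriptor (not the path) that it is a
    regular file with a single link, optionally owned by `expected_uid`.
    Returns the fd; on failure closes it and raises UnsafeFile."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeFile(f"{path}: not a regular file")
        if st.st_nlink != 1:
            # A second name for the inode means someone may have linked a
            # sensitive file (the entry's /etc/passwd example) into our dir.
            raise UnsafeFile(f"{path}: {st.st_nlink} links, refusing")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise UnsafeFile(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    except UnsafeFile:
        os.close(fd)
        raise
    return fd


def read_checked(path: str) -> bytes:
    """Read a file that passed open_checked, using the same descriptor so the
    data read is the data that was checked."""
    fd = open_checked(path, expected_uid=os.getuid())
    with os.fdopen(fd, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed scenario: `sensitive` stands in for the file an attacker
    wants a privileged reader to disclose; `spool/job.txt` is the name the
    reader would otherwise trust."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        sensitive = os.path.join(d, "sensitive")
        with open(sensitive, "wb") as fh:
            fh.write(b"root:x:0:0:root:/root:/bin/sh\n")
        spool = os.path.join(d, "spool")
        os.mkdir(spool)

        honest = os.path.join(spool, "honest.txt")
        with open(honest, "wb") as fh:
            fh.write(b"print me\n")

        linked = os.path.join(spool, "job.txt")
        os.link(sensitive, linked)          # the attacker's hard link

        results["honest"] = read_checked(honest)
        try:
            results["linked"] = read_checked(linked)   # the vulnerable outcome
        except UnsafeFile as exc:
            results["linked"] = f"refused: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The st_nlink test assumes the program's own files are never legitimately multi-linked; where they are, compare (st_dev, st_ino) against a value recorded when the file was created instead. Neither check helps if the privileged program opens the file through a path in a directory the attacker can write to and then trusts the name alone, which is the situation the entry's least-privilege mitigation is about.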
  509. 620,"Unverified Password Change",Variant,Draft,"When setting a new password for a user, the product does not require knowledge of the original password, or another form of authentication.","This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:When prompting for a password change, force the user to provide the original password in addition to the new password.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use forgotten password functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.::","::REFERENCE:CVE-2007-0681:DESCRIPTION:Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0681REFERENCE:CVE-2000-0944:DESCRIPTION:Web application password change utility doesn't check the original password.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0944","","","TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A3:ENTRY NAME:Broken Authentication and Session Management:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP31:ENTRY NAME:Missing authentication::","","",
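The CWE-620 mitigation is "force the user to provide the original password". An added example (not from the CWE entry or any product) of a password-change routine that does that, and additionally refuses to change any account other than the one the caller is authenticated as, which is the CVE-2007-0681 failure ("change the passwords of arbitrary users"). Password storage uses PBKDF2-HMAC from the standard library with a constant-time comparison; the in-memory user table, the iteration count and the names UserStore, change_password and login are illustrative.

```python
"""Password change that re-authenticates with the current password and
binds the target account to the authenticated session."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative; tune to your hardware budget


def hash_password(password: str, salt: bytes = None):
    """Return (salt, digest) for a password; a fresh 16-byte salt per call."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


class UserStore:
    def __init__(self):
        self._users = {}  # username -> (salt, digest)

    def add(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        return rec is not None and verify_password(password, *rec)

    def change_password(self, session_user: str, target_user: str,
                        current_password: str, new_password: str) -> bool:
        """The two checks the entry asks for: the caller may only change the
        password of the account they are logged in as, and must prove
        knowledge of the current password before the new one is stored."""
        if session_user != target_user:
            return False                      # CVE-2007-0681 pattern: other user's account
        rec = self._users.get(target_user)
        if rec is None:
            return False
        if not verify_password(current_password, *rec):
            return False                      # CVE-2000-0944 pattern: original unchecked
        self._users[target_user] = hash_password(new_password)
        return True


def demo() -> dict:
    """Constructed accounts; dict order is evaluation order."""
    store = UserStore()
    store.add("alice", "correct horse battery staple")
    store.add("mallory", "hunter2")
    return {
        "other_user":    store.change_password("mallory", "alice", "hunter2", "pwned"),
        "wrong_current": store.change_password("alice", "alice", "guess", "pwned"),
        "legit":         store.change_password("alice", "alice",
                                               "correct horse battery staple", "new phrase"),
        "old_login":     store.login("alice", "correct horse battery staple"),
        "new_login":     store.login("alice", "new phrase"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

After a successful change, invalidate every other session for that account as well; otherwise an attacker who already holds a session keeps it after the legitimate user rotates the password.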
  510. 621,"Variable Extraction Error",Base,Incomplete,"The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.","For example, in PHP, extraction can be used to provide functionality similar to register_globals, a dangerous functionality that is frequently disabled in production systems. Calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals. Similar functionality is possible in other interpreted languages, including custom languages.","::NATURE:ChildOf:CWE ID:914:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:914:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:471:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Variable overwrite:DESCRIPTION:::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data An attacker could modify sensitive data or program variables.::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Use whitelists of variable names that can be extracted.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider refactoring your code to avoid extraction routines altogether.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.::","::REFERENCE:CVE-2006-7135:DESCRIPTION:extract issue enables file inclusion:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7135REFERENCE:CVE-2006-7079:DESCRIPTION:extract used for register_globals compatibility layer, enables path traversal:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7079REFERENCE:CVE-2007-0649:DESCRIPTION:extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0649REFERENCE:CVE-2006-6661:DESCRIPTION:extract() enables static code injection:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6661REFERENCE:CVE-2006-2828:DESCRIPTION:import_request_variables() buried in include files makes post-disclosure analysis confusing:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2828","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Research Gap:NOTE:Probably under-reported for PHP. Under-studied for other interpreted languages.::",
  511. 622,"Improper Validation of Function Hook Arguments",Variant,Draft,"A product adds hooks to user-accessible API functions, but does not properly validate the arguments. This could lead to resultant vulnerabilities.","Such hooks can be used in defensive software that runs with privileges, such as anti-virus or firewall products that hook kernel calls. When the arguments are not validated, they could be used to bypass the protection scheme or attack the product itself.","::NATURE:ChildOf:CWE ID:20:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that all arguments are verified, as defined by the API you are protecting.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Drop privileges before invoking such functions, if possible.::","::REFERENCE:CVE-2007-0708:DESCRIPTION:DoS in firewall using standard Microsoft functions:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0708REFERENCE:CVE-2006-7160:DESCRIPTION:DoS in firewall using standard Microsoft functions:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7160REFERENCE:CVE-2007-1376:DESCRIPTION:function does not verify that its argument is the proper type, leading to arbitrary memory write:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1376REFERENCE:CVE-2007-1220:DESCRIPTION:invalid syscall arguments bypass code execution limits:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1220REFERENCE:CVE-2006-4541:DESCRIPTION:DoS in IDS via NULL argument:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4541","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP27:ENTRY NAME:Tainted input to environment::","","",
  512. 623,"Unsafe ActiveX Control Marked Safe For Scripting",Variant,Draft,"An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.","This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior.","::NATURE:ChildOf:CWE ID:267:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:267:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:691:VIEW ID:1000::NATURE:PeerOf:CWE ID:618:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:During development, do not mark it as safe for scripting.::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer.::","::REFERENCE:CVE-2007-0617:DESCRIPTION:add emails to spam whitelist:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0617REFERENCE:CVE-2007-0219:DESCRIPTION:web browser uses certain COM objects as ActiveX:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0219REFERENCE:CVE-2006-6510:DESCRIPTION:kiosk allows bypass to read files:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6510","","","","","TYPE:Research Gap:NOTE:It is suspected that this is under-reported.::",
  513. 624,"Executable Regular Expression Error",Base,Incomplete,"The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.","Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later parsed as a regular expression.","::NATURE:ChildOf:CWE ID:77:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:77:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Perl:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as \Q and \E in Perl.::","::REFERENCE:CVE-2006-2059:DESCRIPTION:Executable regexp in PHP by inserting e modifier into first argument to preg_replace:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2059REFERENCE:CVE-2005-3420:DESCRIPTION:Executable regexp in PHP by inserting e modifier into first argument to preg_replace:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3420REFERENCE:CVE-2006-2878:DESCRIPTION:Complex curly syntax inserted into the replacement argument to PHP preg_replace(), which uses the /e modifier:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2878REFERENCE:CVE-2006-2908:DESCRIPTION:Function allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2908","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Research Gap:NOTE:Under-studied. The existing PHP reports are limited to highly skilled researchers, but there are few examples for other languages. It is suspected that this is under-reported for all languages. Usability factors might make it more prevalent in PHP, but this theory has not been investigated.::",
  514. 625,"Permissive Regular Expression",Base,Draft,"The product uses a regular expression that does not sufficiently restrict the set of allowed values.","This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include: (1) not identifying the beginning and end of the target string; (2) using wildcards instead of acceptable character ranges; (3) others.","::NATURE:ChildOf:CWE ID:185:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:185:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:187:VIEW ID:1000::NATURE:PeerOf:CWE ID:184:VIEW ID:1000::NATURE:PeerOf:CWE ID:183:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Perl:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When applicable, ensure that the regular expression marks beginning and ending string patterns, such as /^string$/ for Perl.::","::REFERENCE:CVE-2006-1895:DESCRIPTION:.* regexp leads to static code injection:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1895REFERENCE:CVE-2002-2175:DESCRIPTION:insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2175REFERENCE:CVE-2006-4527:DESCRIPTION:regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4527REFERENCE:CVE-2005-1949:DESCRIPTION:Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1949REFERENCE:CVE-2002-2109:DESCRIPTION:Regexp isn't anchored to the beginning or end, which allows spoofed values that have trusted values as substrings.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2109REFERENCE:CVE-2006-6511:DESCRIPTION:regexp in .htaccess file allows access of files whose names contain certain substrings:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6511REFERENCE:CVE-2006-6629:DESCRIPTION:allow load of macro files whose names contain certain substrings.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6629","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:IDS08-J:ENTRY NAME:Sanitize untrusted data passed to a regex::","","",
  515. 626,"Null Byte Interaction Error (Poison Null Byte)",Variant,Draft,"The product does not properly handle null bytes or NUL characters when passing data between different representations or components.","A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected. The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP.","::NATURE:ChildOf:CWE ID:20:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:436:VIEW ID:1000::NATURE:ChildOf:CWE ID:436:VIEW ID:699::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Perl:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:ASP.NET:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Remove null bytes from all incoming strings.::","::REFERENCE:CVE-2005-4155:DESCRIPTION:NUL byte bypasses PHP regular expression check:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4155REFERENCE:CVE-2005-3153:DESCRIPTION:inserting SQL after a NUL byte bypasses whitelist regexp, enabling SQL injection:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3153","","","","","TYPE:Terminology:NOTE:Current usage of poison null byte is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was 
applied to an off-by-one buffer overflow involving a null byte.::::TYPE:Research Gap:NOTE:There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.::",
  516. 627,"Dynamic Variable Evaluation",Base,Incomplete,"In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.","The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or functions.","::NATURE:ChildOf:CWE ID:914:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:914:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:183:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Perl:LANGUAGE PREVALENCE:Undetermined::","::Many interpreted languages support the use of a $$varname construct to set a variable whose name is specified by the $varname variable. In PHP, these are referred to as variable variables. Functions might also be invoked using similar syntax, such as $$funcname(arg1, arg2).::","::TERM:Dynamic evaluation:DESCRIPTION:::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Modify Application Data Execute Unauthorized Code or Commands:NOTE:Confidentiality Integrity Availability Modify Application Data Execute Unauthorized Code or Commands An attacker could gain unauthorized access to internal program variables and execute arbitrary code.::","","::PHASE:Implementation:STRATEGY:Refactoring:EFFECTIVENESS::DESCRIPTION:Refactor the code to avoid dynamic variable evaluation whenever possible.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Use only whitelists of acceptable variable or function names.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null 
arguments.::","::REFERENCE:CVE-2009-0422:DESCRIPTION:Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0422REFERENCE:CVE-2007-2431:DESCRIPTION:Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2431REFERENCE:CVE-2006-4904:DESCRIPTION:Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4904REFERENCE:CVE-2006-4019:DESCRIPTION:Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4019","","","","","TYPE:Research Gap:NOTE:Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals.::",
  517. 628,"Function Call with Incorrectly Specified Arguments",Base,Draft,"The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.","There are multiple ways in which this weakness can be introduced, including: the wrong variable or reference; an incorrect number of arguments; incorrect order of arguments; wrong type of arguments; or wrong value.","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:This is usually primary to other weaknesses, but it can be resultant if the function's API or function prototype changes.::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:SCOPE:Access Control:TECHNICAL IMPACT:Quality Degradation Gain Privileges or Assume Identity:NOTE:Other Access Control Quality Degradation Gain Privileges or Assume Identity This weakness can cause unintended behavior and can lead to additional weaknesses such as allowing an attacker to gain unintended access to system resources.::","::METHOD:Other:EFFECTIVENESS::DESCRIPTION:Since these bugs typically introduce obviously incorrect behavior, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.::","::PHASE:Build and Compilation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. 
Pay special attention to code that is not likely to be exercised heavily during QA.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make sure your APIs are stable before you use them in production code.::","::REFERENCE:CVE-2006-7049:DESCRIPTION:The method calls the functions with the wrong argument order, which allows remote attackers to bypass intended access restrictions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7049","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:DCL10-C:ENTRY NAME:Maintain the contract between the writer and caller of variadic functions::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP37-C:ENTRY NAME:Call functions with the correct number and type of arguments:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:DCL00-PL:ENTRY NAME:Do not use subroutine prototypes:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:EXP33-PL:ENTRY NAME:Do not invoke a function in a context for which it is not defined:MAPPING FIT:Imprecise::","","",
  518. 636,"Not Failing Securely ('Failing Open')",Class,Draft,"When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.","By entering a less secure state, the product inherits the weaknesses associated with that state, making it easier to compromise. At the least, it causes administrators to have a false sense of security. This weakness typically occurs as a result of wanting to fail functional to minimize administration and support costs, instead of failing safe.","::NATURE:ChildOf:CWE ID:657:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:657:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:755:VIEW ID:1000::NATURE:PeerOf:CWE ID:280:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Failing Open:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism Intended access restrictions can be bypassed, which is often contradictory to what the product's administrator expects.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Subdivide and allocate resources and components so that a failure in one part does not affect the entire product.::","::REFERENCE:CVE-2007-5277:DESCRIPTION:The failure of connection attempts in a web browser resets DNS pin restrictions. An attacker can then bypass the same origin policy by rebinding a domain name to a different IP address. This was an attempt to fail functional.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5277REFERENCE:CVE-2006-4407:DESCRIPTION:Incorrect prioritization leads to the selection of a weaker cipher. 
Although it is not known whether this issue occurred in implementation or design, it is feasible that a poorly designed algorithm could be a factor.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4407","","","TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A7:ENTRY NAME:Improper Error Handling:MAPPING FIT:CWE More Specific::","","TYPE:Research Gap:NOTE:Since design issues are hard to fix, they are rarely publicly reported, so there are few CVE examples of this problem as of January 2008. Most publicly reported issues occur as the result of an implementation error instead of design, such as CVE-2005-3177 (Improper handling of large numbers of resources) or CVE-2005-2969 (inadvertently disabling a verification step, leading to selection of a weaker protocol).::",
  519. 637,"Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')",Class,Draft,"The software uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.","Security mechanisms should be as simple as possible. Complex security mechanisms may engender partial implementations and compatibility problems, with resulting mismatches in assumptions and implemented security. A corollary of this principle is that data specifications should be as simple as possible, because complex data specifications result in complex validation code. Complex tasks and systems may also need to be guarded by complex security checks, so simple systems should be preferred.","::NATURE:ChildOf:CWE ID:657:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:657:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Unnecessary Complexity:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid complex security mechanisms when simpler ones would meet requirements. Avoid complex data models, and unnecessarily complex operations. Adopt architectures that provide guarantees, simplify understanding through elegance and abstraction, and that can be implemented similarly. 
Modularize, isolate and do not trust complex code, and apply other secure programming principles on these modules (e.g., least privilege) to mitigate vulnerabilities.::","::REFERENCE:CVE-2007-6067:DESCRIPTION:Support for complex regular expressions leads to a resultant algorithmic complexity weakness (CWE-407).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6067REFERENCE:CVE-2007-1552:DESCRIPTION:Either a filename extension or a Content-Type header could be used to infer the file type, but the developer only checks the Content-Type, enabling unrestricted file upload (CWE-434).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1552REFERENCE:CVE-2007-6479:DESCRIPTION:In Apache environments, a filename.php.gif can be redirected to the PHP interpreter instead of being sent as an image/gif directly to the user. Not knowing this, the developer only checks the last extension of a submitted filename, enabling arbitrary code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6479REFERENCE:CVE-2005-2148:DESCRIPTION:The developer cleanses the $_REQUEST superglobal array, but PHP also populates $_GET, allowing attackers to bypass the protection mechanism and conduct SQL injection attacks against code that uses $_GET.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2148","","","","","",
  520. 638,"Not Using Complete Mediation",Class,Draft,"The software does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.","","::NATURE:ChildOf:CWE ID:657:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:657:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:862:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Gain Privileges or Assume Identity Execute Unauthorized Code or Commands Bypass Protection Mechanism Read Application Data Other:NOTE:Integrity Confidentiality Availability Access Control Other Gain Privileges or Assume Identity Execute Unauthorized Code or Commands Bypass Protection Mechanism Read Application Data Other A user might retain access to a critical resource even after privileges have been revoked, possibly allowing access to privileged functionality or sensitive information, depending on the role of the resource.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Invalidate cached privileges, file handles or descriptors, or other access credentials whenever identities, processes, policies, roles, capabilities or permissions change. Perform complete authentication checks before accepting, caching and reusing data, dynamic content and code (scripts). Avoid caching access control decisions as much as possible.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Identify all possible code paths that might access sensitive resources. 
If possible, create and use a single interface that performs the access checks, and develop code standards that require use of this interface.::","::REFERENCE:CVE-2007-0408:DESCRIPTION:Server does not properly validate client certificates when reusing cached connections.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0408","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP20:ENTRY NAME:Race Condition Window::","::104::","",
  521. 639,"Authorization Bypass Through User-Controlled Key",Base,Incomplete,"The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.","Retrieval of a user record occurs in the system based on some key value that is under user control. The key would typically identify a user-related record stored in the system and would be used to lookup that record for presentation to the user. It is likely that an attacker would have to be an authenticated user in the system. However, the authorization process would not properly check the data access operation to ensure that the authenticated user performing the operation has sufficient entitlements to perform the requested data access, hence bypassing any other authorization checks present in the system. For example, attackers can look at places where user specific data is retrieved (e.g. search screens) and determine whether the key for the item being looked up is controllable externally. The key may be a hidden field in the HTML form field, might be passed as a URL parameter or as an unencrypted cookie variable, then in each of these cases it will be possible to tamper with the key value. One manifestation of this weakness is when a system uses sequential or otherwise easily-guessable session IDs that would allow one user to easily switch to another user's session and read/modify their data.","::NATURE:ChildOf:CWE ID:862:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:862:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Insecure Direct Object Reference:DESCRIPTION:The Insecure Direct Object Reference term, as described in the OWASP Top Ten, is broader than this CWE because it also covers path traversal (CWE-22). 
Within the context of vulnerability theory, there is a similarity between the OWASP concept and CWE-706: Use of Incorrectly-Resolved Name or Reference.::TERM:Horizontal Authorization:DESCRIPTION:Horizontal Authorization is used to describe situations in which two users have the same privilege level, but must be prevented from accessing each other's resources. This is fairly common when using key-based access to resources in a multi-user context.::",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism Access control checks for specific user data or functionality can be bypassed.::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity Horizontal escalation of privilege is possible (one user can view/modify information of another user).::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity Vertical escalation of privilege is possible if the user-controlled key is actually a flag that indicates administrator status, allowing the attacker to gain administrative access.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.::","","","","","","",
  522. 64,"Windows Shortcut Following (.LNK)",Variant,Incomplete,"The software, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.","The shortcut (file with the .lnk extension) can permit an attacker to read/write a file that they originally did not have permissions to access.","::NATURE:ChildOf:CWE ID:59:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:59:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Windows:OPERATING SYSTEM PREVALENCE:Undetermined::","","::TERM:Windows symbolic link following:DESCRIPTION:::TERM:symlink:DESCRIPTION:::",":::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. 
Ensure good compartmentalization in the system to provide protected areas that can be trusted.::","::REFERENCE:CVE-2000-0342:DESCRIPTION:Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka Stealth Attachment.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0342REFERENCE:CVE-2001-1042:DESCRIPTION:FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1042REFERENCE:CVE-2001-1043:DESCRIPTION:FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1043REFERENCE:CVE-2005-0587:DESCRIPTION:Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0587REFERENCE:CVE-2001-1386:DESCRIPTION:.LNK. - .LNK with trailing dot:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1386REFERENCE:CVE-2003-1233:DESCRIPTION:Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1233","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Windows Shortcut Following (.LNK)::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO05-C:ENTRY NAME:Identify files using multiple file attributes::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP18:ENTRY NAME:Link in resource name resolution::","","TYPE:Research Gap:NOTE:Under-studied. Windows .LNK files are more portable than Unix symlinks and have been used in remote exploits. 
Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently.::",
  523. 640,"Weak Password Recovery Mechanism for Forgotten Password",Base,Incomplete,"The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.","It is common for an application to have a mechanism that provides a means for a user to gain access to their account in the event they forget their password. Very often the password recovery mechanism is weak, which has the effect of making it more likely that it would be possible for a person other than the legitimate system user to gain access to that user's account. Weak password recovery schemes completely undermine a strong password authentication scheme. This weakness may be that the security question is too easy to guess or find an answer to (e.g. because the question is too common, or the answers can be found using social media). Or there might be an implementation weakness in the password recovery mechanism code that may for instance trick the system into e-mailing the new password to an e-mail account other than that of the user. There might be no throttling done on the rate of password resets so that a legitimate user can be denied service by an attacker if an attacker tries to recover their password in a rapid succession. The system may send the original password to the user rather than generating a new temporary password. 
In summary, password recovery functionality, if not carefully designed and implemented can often become the system's weakest link that can be misused in a way that would allow an attacker to gain unauthorized access to the system.","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity An attacker could gain unauthorized access to the system by retrieving legitimate user's authentication credentials.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (Other) An attacker could deny service to legitimate system users by launching a brute force attack on the password recovery mechanism using user ids of legitimate users.::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Integrity Other Other The system's security functionality is turned against the system by the attacker.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use standard weak security questions and use several security questions.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make sure that there is throttling on the number of incorrect answers to a security question. 
Disable the password recovery functionality after a certain (small) number of incorrect guesses.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Assign a new temporary password rather than revealing the original password.::","","","","TAXONOMY NAME:WASC:ENTRY ID:49:ENTRY NAME:Insufficient Password Recovery::","::50::","TYPE:Maintenance:NOTE:This entry might be reclassified as a category or loose composite, since it lists multiple specific errors that can make the mechanism weak. However, under view 1000, it could be a weakness under protection mechanism failure, although it is different from most PMF issues since it is related to a feature that is designed to bypass a protection mechanism (specifically, the lack of knowledge of a password).::::TYPE:Maintenance:NOTE:This entry probably needs to be split; see extended description.::",
  524. 641,"Improper Restriction of Names for Files and Other Resources",Base,Incomplete,"The application constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.","This may produce resultant weaknesses. For instance, if the names of these resources contain scripting characters, it is possible that a script may get executed in the client's browser if the application ever displays the name of the resource on a dynamically generated web page. Alternately, if the resources are consumed by some application parser, a specially crafted name can exploit some vulnerability internal to the parser, potentially resulting in execution of arbitrary code on the server machine. The problems will vary based on the context of usage of such malformed resource names and whether vulnerabilities are present in or assumptions are made by the targeted technology that would make code execution possible.","::NATURE:ChildOf:CWE ID:99:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:99:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Execution of arbitrary code in the context of usage of the resources with dangerous names.::SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Read Application Data DoS: Crash, Exit, or Restart:NOTE:Confidentiality Availability Read Application Data DoS: Crash, Exit, or Restart Crash of the consumer code of these resources resulting in information leakage or denial of service.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not allow users to control names of resources used 
on the server side.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform whitelist input validation at entry points and also before consuming the resources. Reject bad file names rather than trying to cleanse them.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make sure that technologies consuming the resources are not vulnerable (e.g. buffer overflow, format string, etc.) in a way that would allow code execution if the name of the resource is malformed.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
642,"External Control of Critical State Data",Class,Draft,"The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors.","If an attacker can modify the state information without detection, then it could be used to perform unauthorized actions or access unexpected resources, since the application programmer does not expect that the state can be changed. State information can be stored in various locations such as a cookie, in a hidden web form field, input parameter or argument, an environment variable, a database record, within a settings file, etc. All of these locations have the potential to be modified by an attacker. When this state information is used to control security or determine resource usage, then it may create a vulnerability. For example, an application may perform authentication, then save the state in an authenticated=true cookie. An attacker may simply create this cookie in order to bypass the authentication.","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Often::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity An attacker could potentially modify the state in malicious ways. 
If the state is related to the privileges or level of authentication that the user has, then state modification might allow the user to bypass authentication or elevate privileges.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data The state variables may contain sensitive information that should not be known by the client.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart By modifying state variables, the attacker could violate the application's expectations for the contents of the state, leading to a denial of service due to an unexpected error condition.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Understand all the potential locations that are accessible to attackers. For example, some programmers assume that cookies and hidden form fields cannot be modified by an attacker, or they may not consider that environment variables can be modified before a privileged program is invoked.::PHASE:Architecture and Design:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Store state information and sensitive data on the server side only. Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions. If information must be stored on the client, do not do so without encryption and integrity checking, or otherwise having a mechanism on the server side to catch tampering. Use a message authentication code (MAC) algorithm, such as Hash Message Authentication Code (HMAC) [REF-529]. Apply this against the state or sensitive data that has to be exposed, which can guarantee the integrity of the data - i.e., that the data has not been modified. 
Ensure that a strong hash function is used (CWE-328).::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Store state information on the server side only. Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. With a stateless protocol such as HTTP, some frameworks can maintain the state for you. Examples include ASP.NET View State and the OWASP ESAPI Session Management feature. Be careful of language features that provide state support, since these might be provided as a convenience to the programmer and may not be considering security.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Operation Implementation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:When using PHP, configure the application so that it does not use register_globals. 
During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. 
This is especially the case with weaknesses that are related to design and business rules.::","::REFERENCE:CVE-2005-2428:DESCRIPTION:Mail client stores password hashes for unrelated accounts in a hidden form field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2428REFERENCE:CVE-2008-0306:DESCRIPTION:Privileged program trusts user-specified environment variable to modify critical configuration settings.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0306REFERENCE:CVE-1999-0073:DESCRIPTION:Telnet daemon allows remote clients to specify critical environment variables for the server, leading to code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0073REFERENCE:CVE-2007-4432:DESCRIPTION:Untrusted search path vulnerability through modified LD_LIBRARY_PATH environment variable.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4432REFERENCE:CVE-2006-7191:DESCRIPTION:Untrusted search path vulnerability through modified LD_LIBRARY_PATH environment variable.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7191REFERENCE:CVE-2008-5738:DESCRIPTION:Calendar application allows bypass of authentication by setting a certain cookie value to 1.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5738REFERENCE:CVE-2008-5642:DESCRIPTION:Setting of a language preference in a cookie enables path traversal attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5642REFERENCE:CVE-2008-5125:DESCRIPTION:Application allows admin privileges by setting a cookie value to admin.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5125REFERENCE:CVE-2008-5065:DESCRIPTION:Application allows admin privileges by setting a cookie value to admin.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5065REFERENCE:CVE-2008-4752:DESCRIPTION:Application allows admin privileges by setting a cookie value to 
admin.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4752REFERENCE:CVE-2000-0102:DESCRIPTION:Shopping cart allows price modification via hidden form field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0102REFERENCE:CVE-2000-0253:DESCRIPTION:Shopping cart allows price modification via hidden form field.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0253REFERENCE:CVE-2008-1319:DESCRIPTION:Server allows client to specify the search path, which can be modified to point to a program that the client has uploaded.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1319","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","::21::31::","",
643,"Improper Neutralization of Data within XPath Expressions ('XPath Injection')",Base,Incomplete,"The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.","The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).","::NATURE:ChildOf:CWE ID:943:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:943:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:91:VIEW ID:1000::NATURE:ChildOf:CWE ID:91:VIEW ID:699::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism Controlling application flow (e.g. bypassing authentication).::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data The attacker could read restricted XML content.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use parameterized XPath queries (e.g. using XQuery). This will help ensure separation between data plane and control plane.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. 
Make sure input that will be used in XPath queries is safe in that context.::","","","","TAXONOMY NAME:WASC:ENTRY ID:39:ENTRY NAME:XPath Injection::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database.::",
644,"Improper Neutralization of HTTP Headers for Scripting Syntax",Variant,Incomplete,"The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.","An attacker may be able to conduct cross-site scripting and other attacks against users who have these components enabled. If an application does not neutralize user controlled data being placed in the header of an HTTP response coming from the server, the header may contain a script that will get executed in the client's browser context, potentially resulting in a cross site scripting vulnerability or possibly an HTTP response splitting attack. It is important to carefully control data that is being placed both in HTTP response header and in the HTTP response body to ensure that no scripting syntax is present, taking various encodings into account.","::NATURE:ChildOf:CWE ID:116:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:116:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Run arbitrary code.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Attackers may be able to obtain sensitive information.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform output validation in order to filter/escape/encode unsafe data that is being passed from the server in an HTTP response header.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Disable script execution functionality in the clients' 
browser.::","::REFERENCE:CVE-2006-3918:DESCRIPTION:Web server does not remove the Expect header from an HTTP request when it is reflected back in an error message, allowing a Flash SWF file to perform XSS attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","",
645,"Overly Restrictive Account Lockout Mechanism",Base,Incomplete,"The software contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.","Account lockout is a security feature often present in applications as a countermeasure to the brute force attack on the password based authentication mechanism of the system. After a certain number of failed login attempts, the users' account may be disabled for a certain period of time or until it is unlocked by an administrator. Other security events may also possibly trigger account lockout. However, an attacker may use this very security feature to deny service to legitimate system users. It is therefore important to ensure that the account lockout security mechanism is not overly restrictive.","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (Other) Users could be locked out of accounts.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Implement more intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Implement a lockout timeout that grows as the number of incorrect login attempts goes up, eventually resulting in a complete lockout.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider alternatives to account lockout that would still be effective against password brute force attacks, such as presenting the user machine with a puzzle to solve (makes 
it do some computation).::","","","","","","",
646,"Reliance on File Name or Extension of Externally-Supplied File",Variant,Incomplete,"The software allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.","An application might use the file name or extension of a user-supplied file to determine the proper course of action, such as selecting the correct process to which control should be passed, deciding what data should be made available, or what resources should be allocated. If the attacker can cause the code to misclassify the supplied file, then the wrong action could occur. For example, an attacker could supply a file that ends in a .php.gif extension that appears to be a GIF image, but would be processed as PHP code. In extreme cases, code execution is possible, but the attacker could also cause exhaustion of resources, denial of service, exposure of debug or system data (including application source code), or being bound to a particular server side process. 
This weakness may be due to a vulnerability in any of the technologies used by the web and application servers, due to misconfiguration, or resultant from another flaw in the application itself.","::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:345:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data An attacker may be able to read sensitive data.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart An attacker may be able to cause a denial of service.::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity An attacker may be able to gain privileges.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make decisions on the server side based on file content and not on file name or extension.::","","","","","::209::","",
647,"Use of Non-Canonical URL Paths for Authorization Decisions",Variant,Incomplete,"The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.","If an application defines policy namespaces and makes authorization decisions based on the URL, but it does not require or convert to a canonical URL before making the authorization decision, then it opens the application to attack. For example, if the application only wants to allow access to http://www.example.com/mypage, then the attacker might be able to bypass this restriction using equivalent URLs such as: http://WWW.EXAMPLE.COM/mypage http://www.example.com/%6Dypage (alternate encoding) http://192.168.1.1/mypage (IP address) http://www.example.com/mypage/ (trailing /) http://www.example.com:80/mypage Therefore it is important to specify access control policy that is based on the path information in some canonical form with all alternate encodings rejected (which can be accomplished by a default deny rule).","::NATURE:ChildOf:CWE ID:863:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:863:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Web Based:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism An attacker may be able to bypass the authorization mechanism to gain access to the otherwise-protected URL.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories:NOTE:Confidentiality Read Files or Directories If a non-canonical URL is used, the server may choose to return the contents of the file, instead of pre-processing the file (e.g. 
as a program).::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make access control policy based on path information in canonical form. Use very restrictive regular expressions to validate that the path is in the expected form.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Reject all alternate path encodings that are not in the expected canonical form.::","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:IDS02-J:ENTRY NAME:Canonicalize path names before validating them::","","",
648,"Incorrect Use of Privileged APIs",Base,Incomplete,"The application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.","When an application contains certain functions that perform operations requiring an elevated level of privilege, the caller of a privileged API must be careful to: ensure that assumptions made by the APIs are valid, such as validity of arguments account for known weaknesses in the design/implementation of the API call the API from a safe context If the caller of the API does not follow these requirements, then it may allow a malicious user or process to elevate their privilege, hijack the process, or steal sensitive data. For instance, it is important to know if privileged APIs do not shed their privileges before returning to the caller or if the privileged function might make certain assumptions about the data, context or state information passed to it by the caller. 
It is important to always know when and how privileged APIs can be called in order to ensure that their elevated level of privilege cannot be exploited.","::NATURE:ChildOf:CWE ID:269:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity An attacker may be able to elevate privileges.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data An attacker may be able to obtain sensitive information.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands An attacker may be able to execute code.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Before calling privileged APIs, always ensure that the assumptions made by the privileged code hold true prior to making the call.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Know architecture and implementation weaknesses of the privileged APIs and make sure to account for these weaknesses before calling the privileged APIs to ensure that they can be called safely.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If privileged APIs make certain assumptions about data, context or state validity that are passed by the caller, the calling code must ensure that these assumptions have been validated prior to making the call.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If privileged APIs do not shed their privilege prior to returning to the calling code, then calling code needs to shed these privileges immediately and safely right after the call to the privileged APIs. 
In particular, the calling code needs to ensure that a privileged thread of execution will never be returned to the user or made available to user-controlled processes.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Only call privileged APIs from safe, consistent and expected state.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that a failure or an error will not leave a system in a state where privileges are not properly shed and privilege escalation is possible (i.e. fail securely with regards to handling of privileges).::","::REFERENCE:CVE-2003-0645:DESCRIPTION:A Unix utility that displays online help files, if installed setuid, could allow a local attacker to gain privileges when a particular file-opening function is called.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0645","","","","::107::234::","",
649,"Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking",Base,Incomplete,"The software uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the software does not use integrity checks to detect if those inputs have been modified.","When an application relies on obfuscation or incorrectly applied / weak encryption to protect client-controllable tokens or parameters, that may have an effect on the user state, system state, or some decision made on the server. Without protecting the tokens/parameters for integrity, the application is vulnerable to an attack where an adversary blindly traverses the space of possible values of the said token/parameter in order to attempt to gain an advantage. The goal of the attacker is to find another admissible value that will somehow elevate their privileges in the system, disclose information or change the behavior of the system in some way beneficial to the attacker. If the application does not protect these critical tokens/parameters for integrity, it will not be able to determine that these values have been tampered with. Measures that are used to protect data for confidentiality should not be relied upon to provide the integrity service.","::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:345:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State:NOTE:Integrity Unexpected State The inputs could be modified without detection, causing the software to have unexpected system state or make incorrect security decisions.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Protect important client controllable tokens/parameters for integrity using PKI methods (i.e. 
digital signatures) or other means, and checks for integrity on the server side.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Repeated requests from a particular user that include invalid values of tokens/parameters (those that should not be changed manually by users) should result in the user account lockout.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Client side tokens/parameters should not be such that it would be easy/predictable to guess another valid state.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Obfuscation should not be relied upon. If encryption is used, it needs to be properly applied (i.e. proven algorithm and implementation, use padding, use random initialization vector, use proper encryption mode). Even with proper encryption where the ciphertext does not leak information about the plaintext or reveal its structure, compromising integrity is possible (although less likely) without the provision of the integrity service.::","::REFERENCE:CVE-2005-0039:DESCRIPTION:An IPSec configuration does not perform integrity checking of the IPSec packet as the result of either not configuring ESP properly to support the integrity service or using AH improperly. In either case, the security gateway receiving the IPSec packet would not validate the integrity of the packet to ensure that it was not changed. Thus if the packets were intercepted the attacker could undetectably change some of the bits in the packets. The meaningful bit flipping was possible due to the known weaknesses in the CBC encryption mode. Since the attacker knew the structure of the packet, they were able (in one variation of the attack) to use bit flipping to change the destination IP of the packet to the destination machine controlled by the attacker. And so the destination security gateway would decrypt the packet and then forward the plaintext to the machine controlled by the attacker. 
The attacker could then read the original message. For instance if VPN was used with the vulnerable IPSec configuration the attacker could read the victim's e-mail. This vulnerability demonstrates the need to enforce the integrity service properly when critical data could be modified by an attacker. This problem might have also been mitigated by using an encryption mode that is not susceptible to bit flipping attacks, but the preferred mechanism to address this problem still remains message verification for integrity. While this attack focuses on the network layer and requires a man in the middle scenario, the situation is not much different at the software level where an attacker can modify tokens/parameters used by the application.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0039","","","","::463::","",
65,"Windows Hard Link",Variant,Incomplete,"The software, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.","Failure for a system to check for hard links can result in vulnerability to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. AUTOEXEC.BAT). When the process opens the file, the attacker can assume the privileges of that process, or prevent the program from accurately processing data.","::NATURE:ChildOf:CWE ID:59:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:59:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Windows:OPERATING SYSTEM PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. 
Ensure good compartmentalization in the system to provide protected areas that can be trusted.::","::REFERENCE:CVE-2002-0725:DESCRIPTION:File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0725REFERENCE:CVE-2003-0844:DESCRIPTION:Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0844","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Windows hard link::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO05-C:ENTRY NAME:Identify files using multiple file attributes::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP18:ENTRY NAME:Link in resource name resolution::","","TYPE:Research Gap:NOTE:Under-studied::",
650,"Trusting HTTP Permission Methods on the Server Side",Variant,Incomplete,"The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.","The HTTP GET method and some other methods are designed to retrieve resources and not to alter the state of the application or resources on the server side. Furthermore, the HTTP specification requires that GET requests (and other requests) should not have side effects. Believing that it will be enough to prevent unintended resource alterations, an application may disallow the HTTP requests to perform DELETE, PUT and POST operations on the resource representation. However, there is nothing in the HTTP protocol itself that actually prevents the HTTP GET method from performing more than just query of the data. Developers can easily code programs that accept a HTTP GET request that do in fact create, update or delete data on the server. For instance, it is a common practice with REST based Web Services to have HTTP GET requests modifying resources on the server side. However, whenever that happens, the access control needs to be properly enforced in the application. 
No assumptions should be made that only HTTP DELETE, PUT, POST, and other methods have the power to alter the representation of the resource being accessed in the request.","::NATURE:ChildOf:CWE ID:436:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:436:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity An attacker could escalate privileges.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data An attacker could modify resources.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data An attacker could obtain sensitive information.::","","::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Configure ACLs on the server side to ensure that proper level of access control is defined for each accessible resource representation.::","","","","","","",
  535. 651,"Information Exposure Through WSDL File",Variant,Incomplete,"The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return).","An information exposure may occur if any of the following apply: The WSDL file is accessible to a wider audience than intended. The WSDL file contains information on the methods/services that should not be publicly accessible or information about deprecated methods. This problem is made more likely due to the WSDL often being automatically generated from the code. Information in the WSDL file helps guess names/locations of methods/resources that should not be publicly accessible.","::NATURE:ChildOf:CWE ID:538:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:538:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Often::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data The attacker may find sensitive information located in the WSDL file.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Limit access to the WSDL file as much as possible. If services are provided only to a limited number of entities, it may be better to provide WSDL privately to each of these entities than to publish WSDL publicly.::PHASE:Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Make sure that WSDL does not describe methods that should not be publicly accessible. 
Make sure to protect service methods that should not be publicly accessible with access controls.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not use method names in WSDL that might help an adversary guess names of private methods/resources used by the service.::","","","","","","",
  536. 652,"Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')",Base,Incomplete,"The software uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.","The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).","::NATURE:ChildOf:CWE ID:943:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:943:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:91:VIEW ID:1000::NATURE:ChildOf:CWE ID:91:VIEW ID:699::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data An attacker might be able to read sensitive information from the XML database.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use parameterized queries. This will help ensure separation between data plane and control plane.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XQL queries is safe in that context.::","","","","TAXONOMY NAME:WASC:ENTRY ID:46:ENTRY NAME:XQuery Injection::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","","TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database.::",
  537. 653,"Insufficient Compartmentalization",Base,Draft,"The product does not sufficiently compartmentalize functionality or processes that require different privilege levels, rights, or permissions.","When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users.","::NATURE:ChildOf:CWE ID:657:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:657:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:693:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Separation of Privilege:DESCRIPTION:Some people and publications use the term Separation of Privilege to describe this weakness, but this term has dual meanings in current usage. This node conflicts with the original definition of Separation of Privilege by Saltzer and Schroeder; that original definition is more closely associated with CWE-654. 
Because there are multiple interpretations, use of the Separation of Privilege term is discouraged.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Bypass Protection Mechanism:NOTE:Access Control Gain Privileges or Assume Identity Bypass Protection Mechanism The exploitation of a weakness in low-privileged areas of the software can be leveraged to reach higher-privileged areas without having to overcome any additional obstacles.::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Break up privileges between different modules, objects or entities. Minimize the interfaces between modules and require strong access control between them.::","","","","","","TYPE:Relationship:NOTE:There is a close association with CWE-250 (Execution with Unnecessary Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible. 
In this fashion, compartmentalization becomes one mechanism for reducing privileges.::::TYPE:Terminology:NOTE:The term Separation of Privilege is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (CWE-654). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",
  538. 654,"Reliance on a Single Factor in a Security Decision",Base,Draft,"A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.","","::NATURE:ChildOf:CWE ID:657:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:657:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:693:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Separation of Privilege:DESCRIPTION:Some people and publications use the term Separation of Privilege to describe this weakness, but this term has dual meanings in current usage. While this node is closely associated with the original definition of Separation of Privilege by Saltzer and Schroeder, others use the same term to describe poor compartmentalization (CWE-653). Because there are multiple interpretations, use of the Separation of Privilege term is discouraged.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity If the single factor is compromised (e.g. 
by theft or spoofing), then the integrity of the entire security mechanism can be violated with respect to the user that is identified by that factor.::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Non-Repudiation Hide Activities It can become difficult or impossible for the product to be able to distinguish between legitimate activities by the entity who provided the factor, versus illegitimate activities by an attacker.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use multiple simultaneous checks before granting access to critical operations or granting critical privileges. A weaker but helpful mitigation is to use several successive checks (multiple layers of security).::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use redundant access rules on different choke points (e.g., firewalls).::","","","","","::274::","TYPE:Maintenance:NOTE:This node is closely associated with the term Separation of Privilege. This term is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (CWE-653) and using only one factor in a security decision (this node). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",
  539. 655,"Insufficient Psychological Acceptability",Base,Draft,"The software has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.","","::NATURE:ChildOf:CWE ID:657:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:657:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:693:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism By bypassing the security mechanism, a user might leave the system in a less secure state than intended by the administrator, making it more susceptible to compromise.::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Make the security mechanism as seamless as possible, while also providing the user with sufficient details when a security decision produces unexpected results.::","","","","","","TYPE:Other:NOTE:This weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective.::",
  540. 656,"Reliance on Security Through Obscurity",Base,Draft,"The software uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.","This reliance on security through obscurity can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that obscurity can be one small part of defense in depth, since it can create more work for an attacker; however, it is a significant risk if used as the primary means of protection.","::NATURE:ChildOf:CWE ID:657:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:657:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:693:VIEW ID:1000::NATURE:CanPrecede:CWE ID:259:VIEW ID:1000::NATURE:CanPrecede:CWE ID:321:VIEW ID:1000::NATURE:CanPrecede:CWE ID:472:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Never Assuming your secrets are safe:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Confidentiality Integrity Availability Other Other The security mechanism can be bypassed easily.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always consider whether knowledge of your code or design is sufficient to break it. Reverse engineering is a highly successful discipline, and financially feasible for motivated adversaries. 
Black-box techniques are established for binary analysis of executables that use obfuscation, runtime analysis of proprietary protocols, inferring file formats, and others.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:When available, use publicly-vetted algorithms and procedures, as these are more likely to undergo more extensive security analysis and testing. This is especially the case with encryption and authentication.::","::REFERENCE:CVE-2006-6588:DESCRIPTION:Reliance on hidden form fields in a web application. Many web application vulnerabilities exist because the developer did not consider that hidden form fields can be processed using a modified client.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6588REFERENCE:CVE-2006-7142:DESCRIPTION:Hard-coded cryptographic key stored in executable program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7142REFERENCE:CVE-2005-4002:DESCRIPTION:Hard-coded cryptographic key stored in executable program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4002REFERENCE:CVE-2006-4068:DESCRIPTION:Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4068","","","","::133::","TYPE:Relationship:NOTE:Note that there is a close relationship between this weakness and CWE-603 (Use of Client-Side Authentication). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.::",
  541. 657,"Violation of Secure Design Principles",Class,Draft,"The product violates well-established principles for secure design.","This can introduce resultant weaknesses or make it easier for developers to introduce related weaknesses during implementation. Because code is centered around design, it can be resource-intensive to fix design problems.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","","","","","","","",
  542. 66,"Improper Handling of File Names that Identify Virtual Resources",Base,Draft,"The product does not handle or incorrectly handles a file name that identifies a virtual resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.","Virtual file names are represented like normal file names, but they are effectively aliases for other resources that do not behave like normal files. Depending on their functionality, they could be alternate entities. They are not necessarily listed in directories.","::NATURE:ChildOf:CWE ID:706:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz 
Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","","","::File Processing","File or Directory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Virtual Files::","","",
  543. 662,"Improper Synchronization",Base,Draft,"The software attempts to use a shared resource in an exclusive manner, but does not prevent or incorrectly prevents use of the resource by another thread or process.","","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:691:VIEW ID:1000::NATURE:CanPrecede:CWE ID:362:VIEW ID:1000::NATURE:CanPrecede:CWE ID:362:VIEW ID:699::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Other:TECHNICAL IMPACT:Modify Application Data Read Application Data Alter Execution Logic::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use industry standard APIs to synchronize your code.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:SIG00-C:ENTRY NAME:Mask signals handled by noninterruptible signal handlers::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:SIG31-C:ENTRY NAME:Do not access shared objects in signal handlers:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CLASP:ENTRY NAME:State synchronization error::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:VNA03-J:ENTRY NAME:Do not assume that a group of calls to independently atomic methods is atomic::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP19:ENTRY NAME:Missing Lock::","::25::26::27::29::","",
  544. 663,"Use of a Non-reentrant Function in a Concurrent Context",Base,Draft,"The software calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.","","::NATURE:ChildOf:CWE ID:662:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Other:TECHNICAL IMPACT:Modify Application Data Read Application Data Alter Execution Logic::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use reentrant functions if available.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Add synchronization to your non-reentrant function.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:In Java, use the ReentrantLock Class.::","::REFERENCE:CVE-2001-1349:DESCRIPTION:unsafe calls to library functions from signal handler:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1349REFERENCE:CVE-2004-2259:DESCRIPTION:SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2259","","","","::29::","",
  545. 664,"Improper Control of a Resource Through its Lifetime",Class,Draft,"The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.","Resources often have explicit instructions on how to be created, used and destroyed. When software does not follow these instructions, it can lead to unexpected behaviors and potentially exploitable states. Even without explicit instructions, various principles are expected to be adhered to, such as Do not use an object until after its creation is complete, or do not use an object after it has been slated for destruction.","","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use Static analysis tools to check for unreleased resources.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO39-C:ENTRY NAME:Do not alternately input and output from a stream without an intervening flush or positioning call:MAPPING FIT:CWE More Abstract::","::196::21::60::61::62::","TYPE:Maintenance:NOTE:More work is needed on this node and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.::",
  546. 665,"Improper Initialization",Class,Draft,"The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.","This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:664:VIEW ID:1003:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory Read Application Data:NOTE:Confidentiality Read Memory Read Application Data When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism If security-critical decisions rely on a variable having a 0 or equivalent value, and the programming language performs this initialization on behalf of the programmer, then a bypass of security may occur.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart The uninitialized data may contain values that cause program flow to change in ways that the programmer did not intend. 
For example, if an uninitialized variable is used as an array index in C, then its previous contents may produce an index that is outside the range of the array, possibly causing a crash or an exit in other environments.::","::METHOD:Automated Dynamic Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Initialization problems may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::","::PHASE:Requirements:STRATEGY:Language Selection:EFFECTIVENESS::DESCRIPTION:Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. 
For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid race conditions (CWE-362) during initialization routines.::PHASE:Build and Compilation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Run or compile your software with settings that generate warnings about uninitialized variables or data.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. 
This is not a perfect solution, since 100% accuracy and coverage are not feasible.::","::REFERENCE:CVE-2001-1471:DESCRIPTION:chain: an invalid value prevents a library file from being included, skipping initialization of key variables, leading to resultant eval injection.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1471REFERENCE:CVE-2008-3637:DESCRIPTION:Improper error checking in protection mechanism produces an uninitialized variable, allowing security bypass and code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3637REFERENCE:CVE-2008-4197:DESCRIPTION:Use of uninitialized memory may allow code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4197REFERENCE:CVE-2008-2934:DESCRIPTION:Free of an uninitialized pointer leads to crash and possible code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2934REFERENCE:CVE-2007-3749:DESCRIPTION:OS kernel does not reset a port when starting a setuid program, allowing local users to access the port and gain privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3749REFERENCE:CVE-2008-0063:DESCRIPTION:Product does not clear memory contents when generating an error message, leading to information leak.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063REFERENCE:CVE-2008-0062:DESCRIPTION:Lack of initialization triggers NULL pointer dereference or double-free.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062REFERENCE:CVE-2008-0081:DESCRIPTION:Uninitialized variable leads to code execution in popular desktop application.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0081REFERENCE:CVE-2008-3688:DESCRIPTION:chain: Uninitialized variable leads to infinite loop.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3688REFERENCE:CVE-2008-3475:DESCRIPTION:chain: Improper initialization leads to memory 
corruption.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3475REFERENCE:CVE-2008-5021:DESCRIPTION:Composite: race condition allows attacker to modify an object while it is still being initialized, causing software to access uninitialized memory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5021REFERENCE:CVE-2005-1036:DESCRIPTION:Permission bitmap is not properly initialized, leading to resultant privilege elevation or DoS.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1036REFERENCE:CVE-2008-3597:DESCRIPTION:chain: game server can access player data structures before initialization has happened leading to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3597REFERENCE:CVE-2009-2692:DESCRIPTION:chain: uninitialized function pointers can be dereferenced allowing code execution:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692REFERENCE:CVE-2009-0949:DESCRIPTION:chain: improper initialization of memory can lead to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0949REFERENCE:CVE-2009-3620:DESCRIPTION:chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3620","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Incorrect initialization::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR02-C:ENTRY NAME:Explicitly specify array bounds, even if implicitly defined by an initializer::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:DCL00-J:ENTRY NAME:Prevent class initialization cycles::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::","::172::26::29::","",
  547. 666,"Operation on Resource in Wrong Phase of Lifetime",Base,Draft,"The software performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.","When a developer wants to initialize, use or release a resource, it is important to follow the specifications outlined for how to operate on that resource and to ensure that the resource is in the expected state. In this case, the software wants to perform a normally valid operation, initialization, use or release, on a resource when it is in the incorrect phase of its lifetime.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Follow the resource's lifecycle from creation to release.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO46-C:ENTRY NAME:Do not access a closed file:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM30-C:ENTRY NAME:Do not access freed memory:MAPPING FIT:CWE More Abstract::","","",
  548. 667,"Improper Locking",Base,Draft,"The software does not properly acquire a lock on a resource, or it does not properly release a lock on a resource, leading to unexpected resource state changes and behaviors.","","::NATURE:ChildOf:CWE ID:662:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:662:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU):NOTE:Availability DoS: Resource Consumption (CPU) Inconsistent locking discipline can lead to deadlock.::","","::PHASE:Implementation:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use industry standard APIs to implement locking mechanism.::","::REFERENCE:CVE-2009-0935:DESCRIPTION:Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0935REFERENCE:CVE-2010-4210:DESCRIPTION:function in OS kernel unlocks a mutex that was not previously locked, causing a panic or overwrite of arbitrary memory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4210REFERENCE:CVE-2008-4302:DESCRIPTION:Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4302REFERENCE:CVE-2009-1243:DESCRIPTION:OS kernel performs an unlock in some incorrect circumstances, leading to panic.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1243REFERENCE:CVE-2009-2857:DESCRIPTION:OS deadlock:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2857REFERENCE:CVE-2009-1961:DESCRIPTION:OS deadlock involving 3 separate functions:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1961REFERENCE:CVE-2009-2699:DESCRIPTION:deadlock in 
library:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2699REFERENCE:CVE-2009-4272:DESCRIPTION:deadlock triggered by packets that force collisions in a routing table:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4272REFERENCE:CVE-2002-1850:DESCRIPTION:read/write deadlock between web server and script:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1850REFERENCE:CVE-2004-0174:DESCRIPTION:web server deadlock involving multiple listening connections:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0174REFERENCE:CVE-2009-1388:DESCRIPTION:multiple simultaneous calls to the same function trigger deadlock.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1388REFERENCE:CVE-2006-5158:DESCRIPTION:chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5158REFERENCE:CVE-2006-4342:DESCRIPTION:deadlock when an operation is performed on a resource while it is being removed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4342REFERENCE:CVE-2006-2374:DESCRIPTION:Deadlock in device driver triggered by using file handle of a related device.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2374REFERENCE:CVE-2006-2275:DESCRIPTION:Deadlock when large number of small messages cannot be processed quickly enough.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2275REFERENCE:CVE-2005-3847:DESCRIPTION:OS kernel has deadlock triggered by a signal during a core dump.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3847REFERENCE:CVE-2005-3106:DESCRIPTION:Race condition leads to deadlock.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3106REFERENCE:CVE-2005-2456:DESCRIPTION:Chain: array index error (CWE-129) leads to deadlock (CWE-833):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2456REFERENCE:CVE-2001-0682:DESCRIPTION:Program can not execute when attacker 
obtains a mutex.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0682REFERENCE:CVE-2002-1914:DESCRIPTION:Program can not execute when attacker obtains a lock on a critical output file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1914REFERENCE:CVE-2002-1915:DESCRIPTION:Program can not execute when attacker obtains a lock on a critical output file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1915REFERENCE:CVE-2002-0051:DESCRIPTION:Critical file can be opened with exclusive read access by user, preventing application of security policy. Possibly related to improper permissions, large-window race condition.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0051REFERENCE:CVE-2000-0338:DESCRIPTION:Chain: predictable file names used for locking, allowing attacker to create the lock beforehand. Resultant from permissions and randomness.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0338REFERENCE:CVE-2000-1198:DESCRIPTION:Chain: Lock files with predictable names. Resultant from randomness.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1198REFERENCE:CVE-2002-1869:DESCRIPTION:Product does not check if it can write to a log file, allowing attackers to avoid logging by accessing the file using an exclusive lock. Overlaps unchecked error condition. 
This is not quite CWE-412, but close.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1869","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:CON31-C:ENTRY NAME:Do not destroy a mutex while it is locked:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS48-C:ENTRY NAME:Do not unlock or destroy another POSIX thread's mutex:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:VNA00-J:ENTRY NAME:Ensure visibility when accessing shared primitive variables::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:VNA02-J:ENTRY NAME:Ensure that compound operations on shared variables are atomic::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:VNA05-J:ENTRY NAME:Ensure atomicity when reading and writing 64-bit values::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:LCK06-J:ENTRY NAME:Do not use an instance lock to protect shared static data::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP19:ENTRY NAME:Missing Lock::","::25::26::27::","",
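The observed examples for CWE-667 above fall into two groups: a lock that is never released on some code path (the "unlock not matched" and "can not execute when attacker obtains a mutex" entries), and locks taken in inconsistent order across functions (the deadlock entries). The C program below is an added illustration written for this page; it is not code from CWE or from any product named in the references. The account_t type, the function names and the balances are hypothetical. It shows the early-return bug that leaks a held mutex, the single-exit fix, and address-ordered acquisition for the two-lock case.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical account record guarded by its own mutex (illustrative only). */
typedef struct {
    pthread_mutex_t lock;
    long balance;
} account_t;

/* VULNERABLE (CWE-667): the validation failure returns with the mutex still
 * held. Every later caller blocks on a lock nobody will release, which is the
 * deadlock outcome (CWE-833) the consequences field describes. */
int withdraw_leaky(account_t *a, long amount)
{
    pthread_mutex_lock(&a->lock);
    if (amount <= 0 || amount > a->balance)
        return -1;                        /* BUG: early return keeps the lock */
    a->balance -= amount;
    pthread_mutex_unlock(&a->lock);
    return 0;
}

/* FIXED: one exit path, so the lock is released on every outcome. */
int withdraw(account_t *a, long amount)
{
    int rc = -1;
    pthread_mutex_lock(&a->lock);
    if (amount > 0 && amount <= a->balance) {
        a->balance -= amount;
        rc = 0;
    }
    pthread_mutex_unlock(&a->lock);
    return rc;
}

/* Two-lock operation. If one thread takes from->lock then to->lock while
 * another takes the same pair in the opposite order, both wait forever.
 * FIXED: acquire in a global order (here by address) so every thread takes
 * the same sequence regardless of which account is the source. */
int transfer(account_t *from, account_t *to, long amount)
{
    int rc = -1;
    if (from == to)
        return -1;
    account_t *first  = ((uintptr_t)from < (uintptr_t)to) ? from : to;
    account_t *second = ((uintptr_t)from < (uintptr_t)to) ? to : from;
    pthread_mutex_lock(&first->lock);
    pthread_mutex_lock(&second->lock);
    if (amount > 0 && amount <= from->balance) {
        from->balance -= amount;
        to->balance   += amount;
        rc = 0;
    }
    pthread_mutex_unlock(&second->lock);
    pthread_mutex_unlock(&first->lock);
    return rc;
}

/* Probe: true if the mutex can be acquired right now (it is released again). */
bool lock_is_free(account_t *a)
{
    if (pthread_mutex_trylock(&a->lock) != 0)
        return false;
    pthread_mutex_unlock(&a->lock);
    return true;
}

/* Scenario: true if the leaky version leaves the lock held after a rejected
 * withdrawal (the lock is then released so the demo can continue). */
bool leaky_version_leaks_lock(void)
{
    account_t a = { PTHREAD_MUTEX_INITIALIZER, 100 };
    withdraw_leaky(&a, 500);              /* rejected: amount > balance */
    bool leaked = !lock_is_free(&a);
    if (leaked)
        pthread_mutex_unlock(&a.lock);
    return leaked;
}

/* Scenario: true if the fixed version rejects and still leaves the lock free. */
bool fixed_version_releases_lock(void)
{
    account_t a = { PTHREAD_MUTEX_INITIALIZER, 100 };
    return withdraw(&a, 500) == -1 && lock_is_free(&a);
}

/* Scenario: combined balance after two ordered transfers in opposite
 * directions; money must be conserved (200) and both locks free, else -1. */
long transfer_demo_total(void)
{
    account_t x = { PTHREAD_MUTEX_INITIALIZER, 150 };
    account_t y = { PTHREAD_MUTEX_INITIALIZER, 50 };
    if (transfer(&x, &y, 120) != 0 || transfer(&y, &x, 30) != 0)
        return -1;
    if (!lock_is_free(&x) || !lock_is_free(&y))
        return -1;
    return x.balance + y.balance;
}
```

The probe uses pthread_mutex_trylock, which returns EBUSY on a default (non-recursive) mutex even when the calling thread is the holder, so a leaked lock is visible from a single thread without having to provoke a real deadlock. Ordering by address is one valid global order; a fixed lock hierarchy documented per subsystem is the usual alternative and is what the CERT CON rules mapped above expect.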
  549. 668,"Exposure of Resource to Wrong Sphere",Class,Draft,"The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.","Resources such as files and directories may be inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the wrong object. For example, a program may intend that private files can only be provided to a specific user. This effectively defines a control sphere that is intended to prevent attackers from accessing these private files. If the file permissions are insecure, then parties other than the user will be able to access those files. A separate control sphere might effectively require that the user can only access the private files, but not any other files on the system. If the program does not ensure that the user is only requesting private files, then the user might be able to access other files on the system. In either case, the end result is that a resource has been exposed to the wrong party.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Read Application Data Modify Application Data Other::","","","","","","","","TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. 
Each sphere has different sets of actors and allowable behaviors.::",
  550. 669,"Incorrect Resource Transfer Between Spheres",Class,Draft,"The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.","","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","","","::A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data Unexpected State::","","","","","","","","",
  551. 67,"Improper Handling of Windows Device Names",Variant,Incomplete,"The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.","Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A software system that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.","::NATURE:ChildOf:CWE ID:66:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:66:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Windows:OPERATING SYSTEM PREVALENCE:Undetermined::","::Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed DOS device names continue to be a factor.::","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Confidentiality:SCOPE:Other:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Read Application Data Other::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Be familiar with the device names in the operating system where your system is deployed. 
Check input for these device names.::","::REFERENCE:CVE-2002-0106:DESCRIPTION:Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0106REFERENCE:CVE-2002-0200:DESCRIPTION:Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0200REFERENCE:CVE-2002-1052:DESCRIPTION:Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1052REFERENCE:CVE-2001-0493:DESCRIPTION:Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0493REFERENCE:CVE-2001-0558:DESCRIPTION:Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0558REFERENCE:CVE-2000-0168:DESCRIPTION:Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the DOS Device in Path Name vulnerability.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0168REFERENCE:CVE-2001-0492:DESCRIPTION:Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0492REFERENCE:CVE-2004-0552:DESCRIPTION:Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0552REFERENCE:CVE-2005-2195:DESCRIPTION:Server allows 
remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2195","","File or Directory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Windows MS-DOS device names::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO32-C:ENTRY NAME:Do not perform operations on devices that are only appropriate for files:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO00-J:ENTRY NAME:Do not operate on files in shared directories::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","","",
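The mitigation for CWE-67 is to know the device names of the deployment platform and check input against them. The observed examples show why a plain string comparison is not enough: "con.jsp" and "aux.cgi" still reach the device, because Windows resolves a reserved name regardless of the extension, and the name is matched case-insensitively. The following C function is an added example for this page, not code from CWE or from any product in the references; the handler name open_user_file_guard is hypothetical. It extracts the last path component, takes the stem before the first dot, and matches it against the documented reserved set (CON, PRN, AUX, NUL, COM1 through COM9, LPT1 through LPT9).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Reserved MS-DOS device names. A file name whose stem (the part before the
 * first '.') matches one of these refers to the device on Windows, whatever
 * the extension, so "con.jsp" or "aux.cgi" still opens the device. */
static const char *const DEVICE_NAMES[] = { "CON", "PRN", "AUX", "NUL" };

/* ASCII case-insensitive compare of the first `len` bytes of `stem` with
 * `name`, which must be exactly `len` long. */
static bool stem_equals(const char *stem, size_t len, const char *name)
{
    if (strlen(name) != len)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char a = (unsigned char)stem[i];
        unsigned char b = (unsigned char)name[i];
        if (a >= 'a' && a <= 'z')
            a -= 'a' - 'A';
        if (a != b)
            return false;
    }
    return true;
}

/* True if the stem is COMn or LPTn for n in 1..9, in any letter case. */
static bool is_port_name(const char *stem, size_t len)
{
    if (len != 4)
        return false;
    return (stem_equals(stem, 3, "COM") || stem_equals(stem, 3, "LPT"))
        && stem[3] >= '1' && stem[3] <= '9';
}

/* Returns true if the last path component of `path` names a DOS device.
 * Both '/' and '\\' count as separators because Windows accepts both. */
bool is_reserved_device_name(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;
    size_t len = strcspn(base, ".");            /* stem = up to first '.' */
    if (len == 0)
        return false;
    for (size_t i = 0; i < sizeof DEVICE_NAMES / sizeof DEVICE_NAMES[0]; i++)
        if (stem_equals(base, len, DEVICE_NAMES[i]))
            return true;
    return is_port_name(base, len);
}

/* Hypothetical request-handler guard: refuse before any file system call,
 * since even stat() or open() on the device is what triggers the DoS. */
int open_user_file_guard(const char *requested)
{
    if (is_reserved_device_name(requested))
        return -1;      /* would open a device, not a file */
    return 0;           /* proceed with the handler's normal path validation */
}
```

This is a denylist and should sit next to the allowlist the handler already applies to file names; it does not replace path canonicalisation, and the reserved set should be re-checked against the documentation of the Windows version actually deployed, as the mitigation text says.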
  552. 670,"Always-Incorrect Control Flow Implementation",Class,Draft,"The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.","This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways.","::NATURE:ChildOf:CWE ID:691:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other Alter Execution Logic::","","","","","","","","TYPE:Maintenance:NOTE:This node could possibly be split into lower-level nodes. Early Return is for returning control to the caller too soon (e.g., CWE-584). Excess Return is when control is returned too far up the call stack (CWE-600, CWE-395). Improper control limitation occurs when the product maintains control at a lower level of execution, when control should be returned further up the call stack (CWE-455). Incorrect syntax covers code that's just plain wrong such as CWE-484 and CWE-483.::",
  553. 671,"Lack of Administrator Control over Security",Class,Draft,"The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.","If the product's administrator does not have the ability to manage security-related decisions at all times, then protecting the product from outside threats - including the product's developer - can become impossible. For example, a hard-coded account name and password cannot be changed by the administrator, thus exposing that product to attacks that the administrator can not prevent.","::NATURE:ChildOf:CWE ID:657:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:657:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","","","","","","","",
  554. 672,"Operation on a Resource after Expiration or Release",Base,Draft,"The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.","","::NATURE:ChildOf:CWE ID:666:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Modify Application Data Read Application Data:NOTE:Integrity Confidentiality Modify Application Data Read Application Data If a released resource is subsequently reused or reallocated, then an attempt to use the original resource might allow access to sensitive data that is associated with a different user or entity.::SCOPE:Other:SCOPE:Availability:TECHNICAL IMPACT:Other DoS: Crash, Exit, or Restart:NOTE:Other Availability Other DoS: Crash, Exit, or Restart When a resource is released it might not be in an expected state, later attempts to access the resource may lead to resultant errors that may lead to a crash.::","","","::REFERENCE:CVE-2009-3547:DESCRIPTION:chain: race condition might allow resource to be released before operating on it, leading to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP15:ENTRY NAME:Faulty Resource Use::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO46-C:ENTRY NAME:Do not access a closed file:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM30-C:ENTRY NAME:Do not access freed memory:MAPPING FIT:CWE More Abstract::","","",
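The consequence note for CWE-672 states the case precisely: once a released resource is reused, an operation through the old reference may return data belonging to a different user. A memory use-after-free is undefined behaviour and cannot be demonstrated deterministically, so the added C example below (written for this page; not code from CWE or from the product in CVE-2009-3547) models the same lifecycle with a small session table whose slots are recycled. The table, the handle layout and the owner and secret strings are all hypothetical. The unchecked lookup validates only the slot index and therefore serves a stale handle the current occupant's secret; the fixed lookup also requires the generation recorded when the handle was issued.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SLOTS 4

/* Hypothetical session slot; slots are reused after release. */
typedef struct {
    bool     in_use;
    uint32_t generation;    /* incremented on every release */
    char     owner[16];
    char     secret[32];
} slot_t;

static slot_t table[SLOTS];

/* A handle carries the slot index and the generation it was issued for. */
typedef struct { uint32_t index; uint32_t generation; } handle_t;

static void copy_field(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
}

handle_t session_open(const char *owner, const char *secret)
{
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!table[i].in_use) {
            table[i].in_use = true;
            copy_field(table[i].owner, sizeof table[i].owner, owner);
            copy_field(table[i].secret, sizeof table[i].secret, secret);
            return (handle_t){ i, table[i].generation };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };        /* table full */
}

/* Release clears the secret and bumps the generation, so every handle issued
 * for this slot so far becomes stale. A stale handle cannot release either. */
void session_release(handle_t h)
{
    if (h.index >= SLOTS || !table[h.index].in_use)
        return;
    if (table[h.index].generation != h.generation)
        return;
    memset(table[h.index].secret, 0, sizeof table[h.index].secret);
    table[h.index].in_use = false;
    table[h.index].generation++;
}

/* VULNERABLE (CWE-672): only the index is checked, so a released handle keeps
 * working and, once the slot is reused, returns the new occupant's secret. */
const char *session_secret_unchecked(handle_t h)
{
    if (h.index >= SLOTS || !table[h.index].in_use)
        return NULL;
    return table[h.index].secret;
}

/* FIXED: the generation must match the one the handle was issued with. */
const char *session_secret(handle_t h)
{
    if (h.index >= SLOTS || !table[h.index].in_use)
        return NULL;
    if (table[h.index].generation != h.generation)
        return NULL;                            /* stale: operation after release */
    return table[h.index].secret;
}

/* Scenario: alice opens and releases; bob is given the same slot; alice's old
 * handle is then used. Returns 1 if the unchecked lookup leaks bob's secret
 * while the checked lookup refuses, bob's own handle still works, and a stale
 * release is ignored; 0 otherwise. */
int stale_handle_demo(void)
{
    memset(table, 0, sizeof table);
    handle_t alice = session_open("alice", "alice-token");
    session_release(alice);
    handle_t bob = session_open("bob", "bob-token");

    const char *leaked = session_secret_unchecked(alice);
    const char *ours   = session_secret(bob);
    bool leak    = leaked != NULL && strcmp(leaked, "bob-token") == 0;
    bool refused = session_secret(alice) == NULL;
    bool works   = ours != NULL && strcmp(ours, "bob-token") == 0;

    session_release(alice);                    /* stale release must be a no-op */
    bool bob_still_open = table[bob.index].in_use;

    return (leak && refused && works && bob_still_open) ? 1 : 0;
}
```

Generation-tagged handles are the same idea kernels and allocators use to catch stale references; the cost is one extra compare per lookup, and the benefit is that a handle kept past release fails closed instead of aliasing a different principal's state.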
  555. 673,"External Influence of Sphere Definition",Class,Draft,"The product does not prevent the definition of control spheres from external actors.","Typically, a product defines its control sphere within the code itself, or through configuration by the product's administrator. In some cases, an external party can change the definition of the control sphere. This is typically a resultant weakness.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","","","","","","","TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",
  556. 674,"Uncontrolled Recursion",Base,Draft,"The product does not properly control the amount of recursion that takes place, which consumes excessive resources, such as allocated memory or the program stack.","","::NATURE:ChildOf:CWE ID:691:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Stack Exhaustion:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory):NOTE:Availability DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data In some cases, an application's interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP's memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application's installation path.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Limit the number of recursive calls to a reasonable number.::","::REFERENCE:CVE-2007-1285:DESCRIPTION:Deeply nested arrays trigger stack exhaustion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285REFERENCE:CVE-2007-3409:DESCRIPTION:Self-referencing pointers create infinite loop and resultant stack exhaustion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3409","","CPU::","TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A9:ENTRY NAME:Denial of Service:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP13:ENTRY NAME:Unrestricted Consumption::","::230::231::82::99::","",
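The mitigation for CWE-674 is to bound recursion at a reasonable depth, and the CVE-2007-1285 entry names the usual trigger: deeply nested arrays handed to a recursive-descent parser. The C program below is an added example for this page, not code from CWE or from the product in that CVE. The grammar (nested bracketed lists of digits) and the depth limit of 64 are hypothetical. The parser carries the current depth and refuses once it passes the limit; passing NO_LIMIT reproduces the unbounded parser whose stack usage is controlled by the attacker.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 64u
#define NO_LIMIT  0u   /* pass as `limit` to reproduce the unbounded parser */

/* Hypothetical grammar:  value := '[' [ value { ',' value } ] ']' | digit+
 * Returns bytes consumed, or 0 on a syntax error or when nesting is too deep. */
static size_t parse_value(const char *s, unsigned depth, unsigned limit)
{
    size_t i = 0;
    if (s[0] == '[') {
        /* CWE-674 guard. Without it each '[' costs one stack frame and the
         * only bound on recursion is the length of the input. */
        if (limit != NO_LIMIT && depth >= limit)
            return 0;
        i = 1;
        if (s[i] != ']') {
            for (;;) {
                size_t n = parse_value(s + i, depth + 1, limit);
                if (n == 0)
                    return 0;
                i += n;
                if (s[i] != ',')
                    break;
                i++;
            }
        }
        return (s[i] == ']') ? i + 1 : 0;
    }
    while (s[i] >= '0' && s[i] <= '9')
        i++;
    return i;                       /* 0 bytes consumed means error */
}

/* True if the whole document is one well-formed value within the limit. */
bool parse_document(const char *doc, unsigned limit)
{
    size_t n = parse_value(doc, 0, limit);
    return n != 0 && doc[n] == '\0';
}

/* Constructed sample input: "[[[...]]]" nested `depth` levels (caller frees). */
char *build_nesting(size_t depth)
{
    char *buf = malloc(2 * depth + 1);
    if (!buf)
        return NULL;
    memset(buf, '[', depth);
    memset(buf + depth, ']', depth);
    buf[2 * depth] = '\0';
    return buf;
}

/* Scenario helper: does a document nested `depth` levels parse under `limit`? */
bool nesting_accepted(size_t depth, unsigned limit)
{
    char *doc = build_nesting(depth);
    if (!doc)
        return false;
    bool ok = parse_document(doc, limit);
    free(doc);
    return ok;
}
```

A 200000-level document is rejected at depth 64 after a few dozen frames; the same document parsed with NO_LIMIT would recurse 200000 frames deep, which is the stack exhaustion the consequence field describes. The right limit depends on the format (JSON parsers commonly use a few hundred); what matters is that it is fixed by the program rather than by the input.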
  557. 675,"Duplicate Operations on Resource",Class,Draft,"The product performs the same operation on a resource two or more times, when the operation should only be applied once.","","::NATURE:ChildOf:CWE ID:573:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:586:VIEW ID:1000::NATURE:PeerOf:CWE ID:102:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","","","","","","","TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-462 (duplicate key in alist) or CWE-102 (Struts duplicate validation forms). It's usually a case of an API contract violation (CWE-227).::",
  558. 676,"Use of Potentially Dangerous Function",Base,Draft,"The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.","","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context Quality Degradation Unexpected State:NOTE:Other Varies by Context Quality Degradation Unexpected State If the function is used incorrectly, then it could result in security problems.::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode Quality Analysis Binary / Bytecode simple extractor – strings, ELF readers, etc.::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger Cost effective for partial coverage: Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning Flags Source Code Quality Analyzer::METHOD:Automated Static Analysis:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Build and Compilation Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Identify a list of prohibited API functions and prohibit developers from using these functions, providing safer alternatives. In some cases, automatic code analysis tools or the compiler can be instructed to spot use of prohibited functions, such as the banned.h include file from Microsoft's SDL. 
[REF-554] [REF-7]::","::REFERENCE:CVE-2007-1470:DESCRIPTION:Library has multiple buffer overflows using sprintf() and strcpy():LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1470REFERENCE:CVE-2009-3849:DESCRIPTION:Buffer overflow using strcat():LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3849REFERENCE:CVE-2006-2114:DESCRIPTION:Buffer overflow using strcpy():LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2114REFERENCE:CVE-2006-0963:DESCRIPTION:Buffer overflow using strcpy():LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0963REFERENCE:CVE-2011-0712:DESCRIPTION:Vulnerable use of strcpy() changed to use safer strlcpy():LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0712REFERENCE:CVE-2008-5005:DESCRIPTION:Buffer overflow using strcpy():LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5005","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Dangerous Functions::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:CON33-C:ENTRY NAME:Avoid race conditions when using library functions:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ENV33-C:ENTRY NAME:Do not call system():MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ERR07-C:ENTRY NAME:Prefer functions that support error checking over equivalent functions that don't::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ERR34-C:ENTRY NAME:Detect errors when converting a string to a number:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO01-C:ENTRY NAME:Be careful using functions that use file names for identification::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC30-C:ENTRY NAME:Do not use the rand() function for generating pseudorandom numbers:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR31-C:ENTRY NAME:Guarantee that storage for strings has sufficient space for character data and the null terminator:MAPPING 
FIT:Imprecise::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::","","TYPE:Relationship:NOTE:This weakness is different than CWE-242 (Use of Inherently Dangerous Function). CWE-242 covers functions with such significant security problems that they can never be guaranteed to be safe. Some functions, if used properly, do not directly pose a security risk, but can introduce a weakness if not called correctly. These are regarded as potentially dangerous. A well-known example is the strcpy() function. When provided with a destination buffer that is larger than its source, strcpy() will not overflow. However, it is so often misused that some developers prohibit strcpy() entirely.::",
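The relationship note above draws the line that defines CWE-676: strcpy() does not overflow when the destination is known to be larger than the source, but nothing in the call enforces that invariant, which is why the observed examples are all strcpy()/strcat()/sprintf() overflows. The C code below is an added example for this page, not code from CWE or from any product in the references; the login_t record and the function names are hypothetical. It places the unguarded call next to a bounded copy that reports, rather than silently truncates, a source that does not fit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size record, the shape behind most strcpy() CVEs. */
typedef struct { char user[16]; char host[32]; } login_t;

/* VULNERABLE pattern (CWE-676 misuse): strcpy() copies up to the source NUL,
 * so any `name` of 16 bytes or more runs past `user` into `host` and beyond.
 * The call is only correct while strlen(name) < 16 holds at every call site. */
void set_user_unsafe(login_t *l, const char *name)
{
    strcpy(l->user, name);
}

/* Length of `s`, scanning at most `limit` bytes so an unterminated source is
 * never read past the caller's bound (written out instead of strnlen so the
 * example builds under plain -std=c99). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Bounded copy: never writes past dst[dstsize-1] and always NUL-terminates.
 * Returns 0 on success; -1, with dst left empty, if src would not fit.
 * Refusing is preferable to truncating for security-relevant strings: a
 * silently shortened path or user name may pass a later check it should fail. */
int copy_checked(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    size_t n = bounded_len(src, dstsize);
    if (n == dstsize) {                /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);           /* n bytes plus the NUL */
    return 0;
}

int set_user(login_t *l, const char *name)
{
    return copy_checked(l->user, sizeof l->user, name);
}

/* Scenario: the unguarded call is fine while the invariant holds. */
bool strcpy_is_safe_when_invariant_holds(void)
{
    login_t l = {{0}, {0}};
    set_user_unsafe(&l, "alice");                  /* 5 bytes + NUL into 16 */
    return strcmp(l.user, "alice") == 0;
}

/* Scenario: 15 characters plus NUL exactly fill the 16-byte field. */
bool checked_copy_accepts_exact_fit(void)
{
    login_t l = {{0}, {0}};
    return set_user(&l, "abcdefghijklmno") == 0 && strlen(l.user) == 15;
}

/* Scenario: 16 characters would need 17 bytes; refused, nothing overflowed. */
bool checked_copy_refuses_overlong(void)
{
    login_t l = {{0}, {0}};
    return set_user(&l, "abcdefghijklmnop") == -1 && l.user[0] == '\0';
}
```

The banned-function approach in the mitigation (Microsoft's banned.h) works by making set_user_unsafe fail to compile, which forces every call site through something like copy_checked where the destination size is an explicit argument rather than an assumption.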
  559. 680,"Integer Overflow to Buffer Overflow",Compound,Draft,"The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.","","::NATURE:StartsWith:CWE ID:190:VIEW ID:709:CHAIN ID:680::NATURE:ChildOf:CWE ID:119:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","","","",,"::SCOPE:Integrity:SCOPE:Availability:SCOPE:Confidentiality:TECHNICAL IMPACT:Modify Memory DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands::","","","::REFERENCE:CVE-2017-1000121:DESCRIPTION:chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000121","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT30-C:ENTRY NAME:Ensure that unsigned integer operations do not wrap:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT32-C:ENTRY NAME:Ensure that operations on signed integers do not result in overflow:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM35-C:ENTRY NAME:Allocate sufficient memory for an object:MAPPING FIT:CWE More Abstract::","::10::100::14::24::45::46::47::67::8::9::92::","",
  560. 681,"Incorrect Conversion between Numeric Types",Class,Draft,"When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.","","::NATURE:ChildOf:CWE ID:704:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:682:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State Quality Degradation:NOTE:Other Integrity Unexpected State Quality Degradation The program could wind up using the wrong number and generate incorrect results. If the number is used to allocate resources or make a security decision, then this could introduce a vulnerability.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid making conversion between numeric types. 
Always check for the allowed ranges.::","::REFERENCE:CVE-2007-4268:DESCRIPTION:Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4268REFERENCE:CVE-2007-4988:DESCRIPTION:Chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4988REFERENCE:CVE-2009-0231:DESCRIPTION:Integer truncation of length value leads to heap-based buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0231REFERENCE:CVE-2008-3282:DESCRIPTION:Size of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor causes incorrect index to be generated.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3282","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FLP34-C:ENTRY NAME:Ensure that floating point conversions are within range of the new type:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT15-C:ENTRY NAME:Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT31-C:ENTRY NAME:Ensure that integer conversions do not result in lost or misinterpreted data:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT35-C:ENTRY NAME:Evaluate integer expressions in a larger size before comparing or assigning to that size::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:NUM12-J:ENTRY NAME:Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
  561. 682,"Incorrect Calculation",Class,Draft,"The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.","When software performs a security-critical calculation incorrectly, it might lead to incorrect resource allocations, incorrect privilege assignments, or failed comparisons among other things. Many of the direct results of an incorrect calculation can lead to even larger problems such as failed protection mechanisms or even arbitrary code execution.","::NATURE:CanPrecede:CWE ID:170:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart If the incorrect calculation causes the program to move into an unexpected state, it may lead to a crash or impairment of service.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Resource Consumption (Other) Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability DoS: Crash, Exit, or Restart DoS: Resource Consumption (Other) Execute Unauthorized Code or Commands If the incorrect calculation is used in the context of resource allocation, it could lead to an out-of-bounds operation (CWE-119) leading to a crash or even arbitrary code execution. 
Alternatively, it may result in an integer overflow (CWE-190) and / or a resource consumption problem (CWE-400).::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity In the context of privilege or permissions assignment, an incorrect calculation can provide an attacker with access to sensitive resources.::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism If the incorrect calculation leads to an insufficient comparison (CWE-697), it may compromise a protection mechanism such as a validation routine and allow an attacker to bypass the security-critical code.::","::METHOD:Manual Analysis:EFFECTIVENESS:High:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.::","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Understand your programming language's underlying representation and how it interacts with numeric calculation. Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, not-a-number calculations, and how your language handles numbers that are too large or too small for its underlying representation.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Perform input validation on any numeric input by ensuring that it is within the expected range. 
Enforce that the input meets both the minimum and maximum requirements for the expected range.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity.::PHASE:Architecture and Design:STRATEGY:Language Selection:EFFECTIVENESS::DESCRIPTION:Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences. Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences. Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).::PHASE:Implementation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS::DESCRIPTION:Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FLP32-C:ENTRY NAME:Prevent or detect domain and range errors in math functions:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT07-C:ENTRY NAME:Use only explicitly signed or unsigned char type for numeric values::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT13-C:ENTRY NAME:Use bitwise operators only on unsigned operands::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT33-C:ENTRY NAME:Ensure that division and remainder operations do not result in divide-by-zero errors:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT34-C:ENTRY NAME:Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand:MAPPING FIT:CWE More Abstract::","::124::128::129::","",
  562. 683,"Function Call With Incorrect Order of Arguments",Variant,Draft,"The software calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.","While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers or types of arguments, such as format strings in C. It also can occur in languages or environments that do not enforce strong typing.","::NATURE:ChildOf:CWE ID:628:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:628:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use the function, procedure, or routine as specified.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the software. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type.::","::REFERENCE:CVE-2006-7049:DESCRIPTION:Application calls functions with arguments in the wrong order, allowing attacker to bypass intended access restrictions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7049","","","","","",
  563. 684,"Incorrect Provision of Specified Functionality",Class,Draft,"The code does not function according to its published specifications, potentially leading to incorrect usage.","When providing functionality to an external party, it is important that the software behaves in accordance with the details specified. When requirements of nuances are not documented, the functionality may produce unintended behaviors for the caller, possibly leading to an exploitable state.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that your code strictly conforms to specifications.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:PRE09-C:ENTRY NAME:Do not replace secure functions with less secure functions::","","",
  564. 685,"Function Call With Incorrect Number of Arguments",Variant,Draft,"The software calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.","","::NATURE:ChildOf:CWE ID:628:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:628:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Perl:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","::METHOD:Other:EFFECTIVENESS::DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in languages or environments that do not require that functions always be called with the correct number of arguments, such as Perl.::","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the software. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP37-C:ENTRY NAME:Call functions with the correct number and type of arguments:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO47-C:ENTRY NAME:Use valid format strings:MAPPING FIT:Imprecise::","","",
  565. 686,"Function Call With Incorrect Argument Type",Variant,Draft,"The software calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.","This weakness is most likely to occur in loosely typed languages, or in strongly typed languages in which the types of variable arguments cannot be enforced at compilation time, or where there is implicit casting.","::NATURE:ChildOf:CWE ID:628:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:628:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the software. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type.::","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP37-C:ENTRY NAME:Call functions with the correct number and type of arguments:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO47-C:ENTRY NAME:Use valid format strings:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS34-C:ENTRY NAME:Do not call putenv() with a pointer to an automatic variable as the argument::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR37-C:ENTRY NAME:Arguments to character handling functions must be representable as an unsigned char::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
  566. 687,"Function Call With Incorrectly Specified Argument Value",Variant,Draft,"The software calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.","","::NATURE:ChildOf:CWE ID:628:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:628:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","::METHOD:Manual Static Analysis:EFFECTIVENESS::DESCRIPTION:This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::","","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM04-C:ENTRY NAME:Do not perform zero length allocations::","","TYPE:Relationship:NOTE:When primary, this weakness is most likely to occur in rarely-tested code, since the wrong value can change the semantic meaning of the program's execution and lead to obviously-incorrect behavior. It can also be resultant from issues in which the program assigns the wrong value to a variable, and that variable is later used in a function call. In that sense, this issue could be argued as having chaining relationships with many implementation errors in CWE.::",
  567. 688,"Function Call With Incorrect Variable or Reference as Argument",Variant,Draft,"The software calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.","","::NATURE:ChildOf:CWE ID:628:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:628:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Perl:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","::METHOD:Other:EFFECTIVENESS::DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in loosely typed languages or environments. This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the software. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type.::","::REFERENCE:CVE-2005-2548:DESCRIPTION:Kernel code specifies the wrong variable in first argument, leading to resultant NULL pointer dereference.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2548","","","","","",
  568. 689,"Permission Race Condition During Resource Copy",Compound,Draft,"The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.","","::NATURE:Requires:CWE ID:362:VIEW ID:1000::NATURE:Requires:CWE ID:732:VIEW ID:1000::NATURE:ChildOf:CWE ID:732:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Perl:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data::","","","::REFERENCE:CVE-2002-0760:DESCRIPTION:Archive extractor decompresses files with world-readable permissions, then later sets permissions to what the archive specified.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0760REFERENCE:CVE-2005-2174:DESCRIPTION:Product inserts a new object into database before setting the object's permissions, introducing a race condition.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2174REFERENCE:CVE-2006-5214:DESCRIPTION:Error file has weak permissions before a chmod is performed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5214REFERENCE:CVE-2005-2475:DESCRIPTION:Archive permissions issue using hard link.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2475REFERENCE:CVE-2003-0265:DESCRIPTION:Database product creates files world-writable before initializing the setuid bits, leading to modification of executables.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0265","","","","::26::27::","TYPE:Research Gap:NOTE:Under-studied. 
It seems likely that this weakness could occur in any situation in which a complex or large copy operation occurs, when the resource can be made available to other spheres as soon as it is created, but before its initialization is complete.::",
  569. 69,"Improper Handling of Windows ::DATA Alternate Data Stream",Variant,Incomplete,"The software does not properly prevent access to, or detect usage of, alternate data streams (ADS).","An attacker can use an ADS to hide information about a file (e.g. size, the name of the process) from a system or file browser tools such as Windows Explorer and 'dir' at the command line utility. Alternately, the attacker might be able to bypass intended access restrictions for the associated data fork.","::NATURE:ChildOf:CWE ID:66:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:66:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Windows:OPERATING SYSTEM PREVALENCE:Undetermined::","::Alternate data streams (ADS) were first implemented in the Windows NT operating system to provide compatibility between NTFS and the Macintosh Hierarchical File System (HFS). In HFS, data and resource forks are used to store information about a file. 
The data fork provides information about the contents of the file while the resource fork stores metadata such as file type.::","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Non-Repudiation:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Hide Activities Other::","","::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Software tools are capable of finding ADSs on your system.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that the source code correctly parses the filename to read or write to the correct stream.::","::REFERENCE:CVE-1999-0278:DESCRIPTION:In IIS, remote attackers can obtain source code for ASP files by appending ::$DATA to the URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0278REFERENCE:CVE-2000-0927:DESCRIPTION:Product does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0927","","System Process::","TAXONOMY NAME:PLOVER:ENTRY NAME:Windows ::DATA alternate data stream::","::11::168::","TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::",
  570. 690,"Unchecked Return Value to NULL Pointer Dereference",Compound,Draft,"The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.","While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur.","::NATURE:StartsWith:CWE ID:252:VIEW ID:709:CHAIN ID:690::NATURE:ChildOf:CWE ID:476:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart::","::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.::METHOD:White Box:EFFECTIVENESS::DESCRIPTION:Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.::","","::REFERENCE:CVE-2008-1052:DESCRIPTION:Large Content-Length value leads to NULL pointer dereference when malloc fails.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1052REFERENCE:CVE-2006-6227:DESCRIPTION:Large message length field leads to NULL pointer dereference when malloc fails.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6227REFERENCE:CVE-2006-2555:DESCRIPTION:Parsing routine encounters NULL dereference when input is missing a colon separator.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2555REFERENCE:CVE-2003-1054:DESCRIPTION:URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL 
dereference.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1054REFERENCE:CVE-2008-5183:DESCRIPTION:chain: unchecked return value can lead to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP34-C:ENTRY NAME:Do not dereference null pointers:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR08-J:ENTRY NAME:Do not catch NullPointerException or any of its ancestors::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:EXP32-PL:ENTRY NAME:Do not ignore function return values:MAPPING FIT:CWE More Specific::","","",
  571. 691,"Insufficient Control Flow Management",Class,Draft,"The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.","","","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Alter Execution Logic::","","","","","","TAXONOMY NAME:WASC:ENTRY ID:40:ENTRY NAME:Insufficient Process Validation::","::29::","TYPE:Maintenance:NOTE:This is a fairly high-level concept, although it covers a number of weaknesses in CWE that were more scattered throughout the Research view (CWE-1000) before Draft 9 was released.::",
  572. 692,"Incomplete Blacklist to Cross-Site Scripting",Compound,Draft,"The product uses a blacklist-based protection mechanism to defend against XSS attacks, but the blacklist is incomplete, allowing XSS variants to succeed.","While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a blacklist cannot keep track of all the variations. The XSS Cheat Sheet [REF-564] contains a large number of attacks that are intended to bypass incomplete blacklists.","::NATURE:StartsWith:CWE ID:184:VIEW ID:709:CHAIN ID:692::NATURE:ChildOf:CWE ID:79:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","","","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","","::REFERENCE:CVE-2007-5727:DESCRIPTION:Blacklist only removes <SCRIPT> tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5727REFERENCE:CVE-2006-3617:DESCRIPTION:Blacklist only removes <SCRIPT> tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3617REFERENCE:CVE-2006-4308:DESCRIPTION:Blacklist only checks javascript: tag:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4308","","","","::267::71::80::85::","",
  573. 693,"Protection Mechanism Failure",Class,Draft,"The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.","This weakness covers three distinct situations. A missing protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An insufficient protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an ignored mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.","","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","","","","","","::1::103::107::127::16::17::20::22::237::36::474::475::477::49::51::55::57::59::65::70::74::87::97::","TYPE:Maintenance:NOTE:This is a fairly high-level concept, although it covers a number of weaknesses in CWE that were more scattered throughout the natural hierarchy before Draft 9 was released.::::TYPE:Research Gap:NOTE:The concept of protection mechanisms is well established, but protection mechanism failures have not been studied comprehensively. It is suspected that protection mechanisms can have significantly different types of weaknesses than the weaknesses that they are intended to prevent.::",
  574. 694,"Use of Multiple Resources with Duplicate Identifier",Base,Incomplete,"The software uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.","If the software assumes that each resource has a unique identifier, the software could operate on the wrong resource if attackers can cause multiple resources to be associated with the same identifier.","::NATURE:ChildOf:CWE ID:99:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:99:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:99:VIEW ID:1003:ORDINAL:Primary::NATURE:ChildOf:CWE ID:573:VIEW ID:1000::NATURE:ChildOf:CWE ID:573:VIEW ID:699::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism If unique identifiers are assumed when protecting sensitive resources, then duplicate identifiers might allow attackers to bypass the protection.::SCOPE:Other:TECHNICAL IMPACT:Quality Degradation::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Where possible, use unique identifiers. If non-unique identifiers are detected, then do not operate any resource with a non-unique identifier and report the error appropriately.::","::REFERENCE:CVE-2013-4787:DESCRIPTION:chain: mobile OS verifies cryptographic signature of file in an archive, but then installs a different file with the same name that is also listed in the archive.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4787","","","","","TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-675 (Duplicate Operations on Resource). It's often a case of an API contract violation (CWE-227).::",
  575. 695,"Use of Low-Level Functionality",Base,Incomplete,"The software uses low-level functionality that is explicitly prohibited by the framework or specification under which the software is supposed to operate.","The use of low-level functionality can violate the specification in unexpected ways that effectively disable built-in protection mechanisms, introduce exploitable inconsistencies, or otherwise expose the functionality to attack.","::NATURE:ChildOf:CWE ID:573:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:573:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","","","","","","::36::","",
  576. 696,"Incorrect Behavior Order",Class,Incomplete,"The software performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.","","::NATURE:ChildOf:CWE ID:691:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Alter Execution Logic::","","","::REFERENCE:CVE-2017-6964:DESCRIPTION:Linux-based device mapper encryption program does not check the return value of setuid and setgid allowing attackers to execute code with unintended privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6964REFERENCE:CVE-2007-5191:DESCRIPTION:file-system management programs call the setuid and setgid functions in the wrong order and do not check the return values, allowing attackers to gain unintended privileges:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5191REFERENCE:CVE-2007-1588:DESCRIPTION:C++ web server program calls Process::setuid before calling Process::setgid, preventing it from dropping privileges, potentially allowing CGI programs to be called with higher privileges than intended:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1588","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:POS36-C:ENTRY NAME:Observe correct revocation order while relinquishing privileges:MAPPING FIT:CWE More Abstract::","::463::","",
697,"Incorrect Comparison",Class,Incomplete,"The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.","This weakness class covers several possibilities: the comparison checks one factor incorrectly; the comparison should consider multiple factors, but it does not check some of those factors at all; the comparison checks the wrong factor.","","::ORDINALITY:Primary:DESCRIPTION:::","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Varies by Context::","","","::REFERENCE:CVE-2016-10003:DESCRIPTION:Proxy performs incorrect comparison of request headers, leading to infoleak:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10003","","","","::10::14::15::174::182::24::267::3::34::4::41::43::44::45::46::47::52::53::6::64::66::67::7::71::73::78::79::8::80::88::9::92::","TYPE:Maintenance:NOTE:This entry likely has some relationships with case sensitivity (CWE-178), but case sensitivity is a factor in other types of weaknesses besides comparison. Also, in cryptography, certain attacks are possible when certain comparison operations do not take place in constant time, causing a timing-related information leak (CWE-208).::",
698,"Execution After Redirect (EAR)",Base,Incomplete,"The web application sends a redirect to another location, but instead of exiting, it executes additional code.","","::NATURE:ChildOf:CWE ID:705:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:670:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::","","","::TERM:Redirect Without Exit:DESCRIPTION:::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Alter Execution Logic Execute Unauthorized Code or Commands:NOTE:Other Confidentiality Integrity Availability Alter Execution Logic Execute Unauthorized Code or Commands This weakness could affect the control flow of the application and allow execution of untrusted code.::","::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.::","","::REFERENCE:CVE-2013-1402:DESCRIPTION:Execution-after-redirect allows access to application configuration details.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1402REFERENCE:CVE-2009-1936:DESCRIPTION:chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1936REFERENCE:CVE-2007-2713:DESCRIPTION:Remote attackers can obtain access to administrator functionality through EAR.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2713REFERENCE:CVE-2007-4932:DESCRIPTION:Remote attackers can obtain access to administrator functionality through EAR.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4932REFERENCE:CVE-2007-5578:DESCRIPTION:Bypass of authentication step through EAR.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5578REFERENCE:CVE-2007-2713:DESCRIPTION:Chain: Execution after redirect triggers eval injection.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2713REFERENCE:CVE-2007-6652:DESCRIPTION:chain: execution after redirect allows non-administrator to perform static code injection.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6652","","","","","",
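The CWE-698 row's Black Box note is the practical point: a browser follows the Location header and never shows what came after it. The following added example (not CWE/MITRE code, not taken from any of the cited CVEs) models a handler that emits the redirect but keeps executing, beside the fixed form that returns at the redirect, and a response-level check that inspects the raw response the way a proxy or curl -i would. The Response class, the `ADMIN_CONFIG` secret and the handler names are constructed for this demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for a framework response object (constructed for the demo)."""
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""


ADMIN_CONFIG = "db_password=hunter2"   # constructed sample secret that only admins may see


def admin_page_vulnerable(user_is_admin: bool) -> Response:
    """CWE-698: the redirect is emitted, but control flow continues past it."""
    resp = Response()
    if not user_is_admin:
        resp.status = 302
        resp.headers["Location"] = "/login"
        # Missing return here: the equivalent of PHP header('Location: ...') without exit.
    # This line still runs for the anonymous user. A browser obeys the redirect and
    # hides the leak; the body is nevertheless on the wire.
    resp.body = ADMIN_CONFIG
    return resp


def admin_page_fixed(user_is_admin: bool) -> Response:
    """Same handler with the request terminated immediately after the redirect."""
    resp = Response()
    if not user_is_admin:
        resp.status = 302
        resp.headers["Location"] = "/login"
        return resp
    resp.body = ADMIN_CONFIG
    return resp


def leaks_after_redirect(resp: Response) -> bool:
    """Black-box oracle: a redirect response carrying the protected content is the EAR signature.

    Redirects may legitimately carry a short canned body, so the check is for the
    privileged content itself rather than for any body at all.
    """
    return 300 <= resp.status < 400 and ADMIN_CONFIG in resp.body
```

When testing for EAR, capture responses with a tool that does not auto-follow redirects and diff the bodies of the 3xx responses against the post-authentication pages.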
7,"J2EE Misconfiguration: Missing Custom Error Page",Variant,Incomplete,"The default error page of a web application should not display sensitive information about the software system.","A Web application must define a default error page for 4xx errors (e.g. 404), 5xx (e.g. 500) errors and catch java.lang.Throwable exceptions to prevent attackers from mining information from the application container's built-in error response. When an attacker explores a web site looking for vulnerabilities, the amount of information that the site provides is crucial to the eventual success or failure of any attempted attacks.","::NATURE:ChildOf:CWE ID:756:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:756:VIEW ID:699:ORDINAL:Primary::","","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data A stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Handle exceptions appropriately in source code.::PHASE:Implementation System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always define appropriate error pages. The application configuration should specify a default error page in order to guarantee that the application will never leak error messages to an attacker. Handling standard HTTP error codes is useful and user-friendly in addition to being a good security practice, and a good configuration will also define a last-chance error handler that catches any exception that could possibly be thrown by the application.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not attempt to process an error or attempt to mask it.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Verify return values are correct and do not supply sensitive information about the system.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:J2EE Misconfiguration: Missing Error Handling::","","",
703,"Improper Check or Handling of Exceptional Conditions",Class,Incomplete,"The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.","","","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data DoS: Crash, Exit, or Restart Unexpected State::","::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fault Injection - source code Fault Injection - binary Cost effective for partial coverage: Forced Path Execution::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction::","","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR06-J:ENTRY NAME:Do not throw undeclared checked exceptions::","","TYPE:Relationship:NOTE:This is a high-level class that might have some overlap with other classes. It could be argued that even normal weaknesses such as buffer overflows involve unusual or exceptional conditions. In that sense, this might be an inherent aspect of most other weaknesses within CWE, similar to API Abuse (CWE-227) and Indicator of Poor Code Quality (CWE-398). However, this entry is currently intended to unify disparate concepts that do not have other places within the Research Concepts view (CWE-1000).::",
704,"Incorrect Type Conversion or Cast",Class,Incomplete,"The software does not correctly convert an object, resource, or structure from one type to a different type.","","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:664:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:664:VIEW ID:1003:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Often::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Often:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP05-C:ENTRY NAME:Do not cast away a const qualification::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP39-C:ENTRY NAME:Do not access a variable through a pointer of an incompatible type:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT31-C:ENTRY NAME:Ensure that integer conversions do not result in lost or misinterpreted data:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT36-C:ENTRY NAME:Converting a pointer to integer or integer to pointer:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR34-C:ENTRY NAME:Cast characters to unsigned types before converting to larger integer sizes:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR37-C:ENTRY NAME:Arguments to character handling functions must be representable as an unsigned char:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
705,"Incorrect Control Flow Scoping",Class,Incomplete,"The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.","","::NATURE:ChildOf:CWE ID:691:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Alter Execution Logic Other::","","","::REFERENCE:CVE-2014-1266:DESCRIPTION:chain: incorrect goto in Apple SSL product bypasses certificate validation, allowing man-in-the-middle attack (Apple goto fail bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint ('Man-in-the-Middle')).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1266","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ENV32-C:ENTRY NAME:All exit handlers must return normally:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ERR04-C:ENTRY NAME:Choose an appropriate termination strategy::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:THI05-J:ENTRY NAME:Do not use Thread.stop() to terminate threads::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR04-J:ENTRY NAME:Do not complete abruptly from a finally block::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ERR05-J:ENTRY NAME:Do not let checked exceptions escape from a finally block::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:EXP31-PL:ENTRY NAME:Do not suppress or ignore exceptions:MAPPING FIT:Imprecise::","","",
706,"Use of Incorrectly-Resolved Name or Reference",Class,Incomplete,"The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.","","::NATURE:ChildOf:CWE ID:664:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:99:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data::","","","","","","","::38::471::48::","",
707,"Improper Enforcement of Message or Data Structure",Class,Incomplete,"The software does not enforce or incorrectly enforces that structured messages or data are well-formed before being read from an upstream component or sent to a downstream component.","If a message is malformed it may cause the message to be incorrectly interpreted. This weakness typically applies in cases where the product prepares a control message that another process must act on, such as a command or query, and malicious input that was intended as data, can enter the control plane instead. However, this weakness also applies to more general cases where there are not always control implications.","","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","","","","","","::250::3::33::34::4::43::468::52::53::64::66::7::78::79::83::84::","",
708,"Incorrect Ownership Assignment",Base,Incomplete,"The software assigns an owner to a resource, but the owner is outside of the intended control sphere.","This may allow the resource to be manipulated by actors outside of the intended control sphere.","::NATURE:ChildOf:CWE ID:282:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:282:VIEW ID:699:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:345:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data:NOTE:Confidentiality Integrity Read Application Data Modify Application Data An attacker could read and modify data for which they do not have permissions to access directly.::","","::PHASE:Policy:STRATEGY::EFFECTIVENESS::DESCRIPTION:Periodically review the privileges and their owners.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use automated tools to check for privilege settings.::","::REFERENCE:CVE-2007-5101:DESCRIPTION:File system sets wrong ownership and group when creating a new file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5101REFERENCE:CVE-2007-4238:DESCRIPTION:OS installs program with bin owner/group, allowing modification.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4238REFERENCE:CVE-2007-1716:DESCRIPTION:Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1716REFERENCE:CVE-2005-3148:DESCRIPTION:Backup software restores symbolic links with incorrect uid/gid.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3148REFERENCE:CVE-2005-1064:DESCRIPTION:Product changes the ownership of files that a symlink points to, instead of the symlink itself.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1064REFERENCE:CVE-2011-1551:DESCRIPTION:Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1551","","","","","TYPE:Maintenance:NOTE:This overlaps verification errors, permissions, and privileges. A closely related weakness is the incorrect assignment of groups to a resource. It is not clear whether it would fall under this entry or require a different entry.::",
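Two of the CWE-708 references are about symlinks (CVE-2005-3148 restores links with the wrong ids, CVE-2005-1064 chowns the link target instead of the link). The added example below (not CWE/MITRE code, not from any cited product) shows the ownership assignment that acts on the link itself, and the "automated tool to check for privilege settings" from the mitigations as a small audit that judges every entry with lstat. The constructed tree in `demo_audit` and the allowed-uid policy are assumptions for the demonstration.

```python
import os
import tempfile


def set_owner(path: str, uid: int, gid: int) -> None:
    """Assign ownership to the named object itself, never to what a symlink points at.

    follow_symlinks=False is the os.chown spelling of lchown(2); the default would
    reproduce the CVE-2005-1064 behaviour of changing the link target's owner.
    """
    os.chown(path, uid, gid, follow_symlinks=False)


def find_unexpected_owners(root: str, allowed_uids: set[int]) -> list[str]:
    """Audit a tree and list entries whose owner is outside the intended control sphere."""
    flagged = []
    # followlinks defaults to False, so a planted symlink cannot drag the audit out of root.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: judge the link, not its target
            if st.st_uid not in allowed_uids:
                flagged.append(path)
    return sorted(flagged)


def demo_audit() -> tuple[int, int]:
    """Constructed tree: one directory, one file, one symlink, all owned by the caller.

    Returns (entries flagged when the caller is an allowed owner,
             entries flagged when the caller is not).
    """
    me = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "conf.d"))
        target = os.path.join(tmp, "app.conf")
        open(target, "w").close()
        link = os.path.join(tmp, "current.conf")
        os.symlink(target, link)
        # Permitted without root because the ids are unchanged; as root this is where
        # a restore or install step would assign the intended service account.
        set_owner(link, me, os.getgid())
        ok = find_unexpected_owners(tmp, {me})
        bad = find_unexpected_owners(tmp, {me + 1})
        return len(ok), len(bad)
```

The audit reports the link itself; whether the link target is acceptable is a separate question for the directory that holds the target.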
710,"Improper Adherence to Coding Standards",Class,Incomplete,"The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.","","","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Document and closely follow coding standards.::PHASE:Testing Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Where possible, use automated tools to enforce the standards.::","","","","","","",
72,"Improper Handling of Apple HFS+ Alternate Data Stream Path",Variant,Incomplete,"The software does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.","If the software chooses actions to take based on the file name, then if an attacker provides the data or resource fork, the software may take unexpected actions. Further, if the software intends to restrict access to a file, then an attacker might still be able to bypass intended access restrictions by requesting the data or resource fork for that file.","::NATURE:ChildOf:CWE ID:66:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:66:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:macOS:OPERATING SYSTEM PREVALENCE:Undetermined::","::The Apple HFS+ file system permits files to have multiple data input streams, accessible through special paths. The Mac OS X operating system provides a way to access the different data input streams through special paths and as an extended attribute: - Resource fork: file/..namedfork/rsrc, file/rsrc (deprecated), xattr:com.apple.ResourceFork - Data fork: file/..namedfork/data (only versions prior to Mac OS X v10.5) Additionally, on filesystems that lack native support for multiple streams, the resource fork and file metadata may be stored in a file with ._ prepended to the name. Forks can also be accessed through non-portable APIs. Forks inherit the file system access controls of the file they belong to. Programs need to control access to these paths, if the processing of a file system object is dependent on the structure of its path.::","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories::","","","::REFERENCE:CVE-2004-1084:DESCRIPTION:Server allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1084","","","","","TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::::TYPE:Research Gap:NOTE:Under-studied::",
73,"External Control of File Name or Path",Class,Draft,"The software allows user input to control or influence paths or file names that are used in filesystem operations.","This could allow an attacker to access or modify system files or other files that are critical to the application. Path manipulation errors occur when the following two conditions are met: 1. An attacker can specify a path used in an operation on the filesystem. 2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.","::NATURE:ChildOf:CWE ID:642:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:610:VIEW ID:1000::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:22:VIEW ID:1000::NATURE:CanPrecede:CWE ID:41:VIEW ID:1000::NATURE:CanPrecede:CWE ID:98:VIEW ID:1000::NATURE:CanPrecede:CWE ID:434:VIEW ID:1000::NATURE:CanPrecede:CWE ID:59:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Unix:OPERATING SYSTEM PREVALENCE:Often:::OPERATING SYSTEM CLASS:Windows:OPERATING SYSTEM PREVALENCE:Often:::OPERATING SYSTEM CLASS:macOS:OPERATING SYSTEM PREVALENCE:Often::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories Modify Files or Directories:NOTE:Integrity Confidentiality Read Files or Directories Modify Files or Directories The application can operate on unexpected files. Confidentiality is violated when the targeted filename is not directly readable by the attacker.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Modify Files or Directories Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Modify Files or Directories Execute Unauthorized Code or Commands The application can operate on unexpected files. This may violate integrity if the filename is written to, or if the filename is for a program or other form of executable code.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Resource Consumption (Other):NOTE:Availability DoS: Crash, Exit, or Restart DoS: Resource Consumption (Other) The application can operate on unexpected files. Availability can be violated if the attacker specifies an unexpected file that the application modifies. Availability can also be affected if the attacker specifies a filename for a large file, or points to a special device or a file that does not have the format that the application expects.::","::METHOD:Automated Static Analysis:EFFECTIVENESS::DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the software. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to inbox.txt and ID 2 could map to profile.txt. Features such as the ESAPI AccessReferenceMap provide this capability.::PHASE:Architecture and Design Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Run your code in a jail or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes .. sequences and symbolic links (CWE-23, CWE-59).::PHASE:Installation Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.::PHASE:Operation Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.::","::REFERENCE:CVE-2008-5748:DESCRIPTION:Chain: external control of values for user's desired language and theme enables path traversal.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5748REFERENCE:CVE-2008-5764:DESCRIPTION:Chain: external control of user's target language enables remote file inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5764","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Path Manipulation::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP16:ENTRY NAME:Path Traversal::","::13::267::64::72::76::78::79::80::","TYPE:Relationship:NOTE:The external control of filenames can be the primary link in chains with other file-related weaknesses, as seen in the CanPrecede relationships. This is because software systems use files for many different purposes: to execute programs, load code libraries, to store application data, to store configuration settings, record temporary data, act as signals or semaphores to other processes, etc. However, those weaknesses do not always require external control. For example, link-following weaknesses (CWE-59) often involve pathnames that are not controllable by the attacker at all. The external control can be resultant from other issues. For example, in PHP applications, the register_globals setting can allow an attacker to modify variables that the programmer thought were immutable, enabling file inclusion (CWE-98) and path traversal (CWE-22). Operating with excessive privileges (CWE-250) might allow an attacker to specify an input filename that is not directly readable by the attacker, but is accessible to the privileged program. A buffer overflow (CWE-119) might give an attacker control over nearby memory locations that are related to pathnames, but were not directly modifiable by the attacker.::",
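The CWE-73 mitigations describe a layered approach: an ID-to-filename map so the client never sends a name, a strict whitelist (one dot, no separators, allowed extensions) where a name must be accepted, canonicalization with realpath() and a containment check, and the warning that stripping "../" from ".../...//" still yields "../". The added example below (not CWE/MITRE code and not the ESAPI implementation) carries all four through in one place and also serves the CWE-72 row above: the single-dot rule rejects fork suffixes such as "..namedfork/rsrc" without a platform-specific blacklist. The `FILE_IDS` map, the allowed extensions and the temporary symlink scenario are constructed for the demonstration.

```python
import os
import re
import tempfile

# Indirect reference map, the AccessReferenceMap idea from the mitigations: the
# client sends an opaque ID, never a filename (constructed sample mapping).
FILE_IDS = {1: "inbox.txt", 2: "profile.txt"}

# Whitelist for names that must be accepted as text: alphanumerics plus '-' and
# '_', at most a single '.', no directory separators. The single-dot rule also
# rejects the HFS+ fork suffix "..namedfork/rsrc" described under CWE-72.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$")
ALLOWED_EXT = {"txt", "csv"}    # assumed policy for this example (CWE-434)


def resolve_id(file_id) -> str:
    """Map a client-supplied ID to a fixed filename; anything unmapped is rejected."""
    try:
        return FILE_IDS[int(file_id)]
    except (KeyError, TypeError, ValueError):
        raise ValueError(f"unknown file id: {file_id!r}") from None


def validate_name(name: str) -> str:
    """Accept-known-good check: there is deliberately no attempt to 'clean' the input."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("filename fails whitelist")
    _, _, ext = name.partition(".")
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return name


def open_in(base_dir: str, name: str) -> str:
    """Whitelist first, then canonicalize and confirm the result stays under base_dir."""
    validate_name(name)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))   # resolves '..' and symlinks
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target


def naive_strip(path: str) -> str:
    """The CWE-182 trap from the text: removing '../' once leaves a fresh '../' behind."""
    return path.replace("../", "")


def raises_value_error(fn, *args) -> bool:
    """Small helper so the rejection paths can be exercised as plain return values."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def symlink_escape_is_rejected() -> bool:
    """Constructed scenario: a whitelisted name that is a symlink out of base_dir (CWE-59)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "base")
        os.mkdir(base)
        secret = os.path.join(tmp, "secret.txt")
        open(secret, "w").close()
        os.symlink(secret, os.path.join(base, "evil.txt"))
        return raises_value_error(open_in, base, "evil.txt")
```

The whitelist and the realpath containment check are independent layers: the first catches hostile names before any filesystem call, the second catches what the filesystem itself resolves differently (symlinks, case folding, alternate separators).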
732,"Incorrect Permission Assignment for Critical Resource",Class,Draft,"The software specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.","When a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution or sensitive user data.","::NATURE:ChildOf:CWE ID:285:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:668:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Installation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data Read Files or Directories:NOTE:Confidentiality Read Application Data Read Files or Directories An attacker may be able to read sensitive information from the associated resource, such as credentials or configuration information stored in a file.::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity An attacker may be able to modify critical properties of the associated resource to gain privileges, such as replacing a world-writable executable with a Trojan horse.::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Modify Application Data Other:NOTE:Integrity Other Modify Application Data Other An attacker may be able to destroy or corrupt critical data in the associated resource, such as deletion of records from a database.::","::METHOD:Automated Static Analysis:EFFECTIVENESS::DESCRIPTION:Automated static analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. Automated techniques may be able to detect the use of library functions that modify permissions, then analyze function calls for arguments that contain potentially insecure values. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated static analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated static analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:Automated dynamic analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated dynamic analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated dynamic analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Manual Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Manual Static Analysis:EFFECTIVENESS::DESCRIPTION:Manual static analysis may be effective in detecting the use of custom permissions models and functions. The code could then be examined to identifying usage of the related functions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Manual Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:Manual dynamic analysis may be effective in detecting the use of custom permissions models and functions. The program could then be executed with a focus on exercising code paths that are related to the custom permissions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Fuzzing:EFFECTIVENESS::DESCRIPTION:Fuzzing is not effective in detecting this weakness.::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and watch for library functions or system calls on OS resources such as files, directories, and shared memory. Examine the arguments to these calls to infer which permissions are being used.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners – Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost 
effective for partial coverage: Context-configured Source Code Weakness Analyzer::METHOD:Automated Static Analysis:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When using a critical resource such as a configuration file, check to see if the resource has insecure permissions (such as being modifiable by any regular user) [REF-62], and generate an error or even exit the software if there is a possibility that the resource could have been modified by an unauthorized party.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS:Moderate:DESCRIPTION:Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully defining distinct user groups, privileges, and/or roles. Map these against data, functionality, and the related resources. Then set the permissions accordingly. This will allow you to maintain more fine-grained control over your resources. [REF-207]::PHASE:Architecture and Design Operation:STRATEGY:Sandbox or Jail:EFFECTIVENESS:Limited:DESCRIPTION:Run the code in a jail or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. 
For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.::PHASE:Implementation Installation:STRATEGY::EFFECTIVENESS:High:DESCRIPTION:During program startup, explicitly set the default permissions or umask to the most restrictive setting possible. Also set the appropriate permissions during program installation. This will prevent you from inheriting insecure permissions from any user who installs or runs the program.::PHASE:System Configuration:STRATEGY::EFFECTIVENESS:High:DESCRIPTION:For all configuration files, executables, and libraries, make sure that they are only readable and writable by the software's administrator.::PHASE:Documentation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not suggest insecure configuration changes in documentation, especially if those configurations can extend to resources and other programs that are outside the scope of the application.::PHASE:Installation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not assume that a system administrator will manually change the configuration to the settings that are recommended in the software's manual.::PHASE:Operation System Configuration:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Ensure that the software runs properly under the Federal Desktop Core Configuration (FDCC) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.::","::REFERENCE:CVE-2009-3482:DESCRIPTION:Anti-virus product sets insecure Everyone: Full Control permissions for files under the Program Files folder, allowing attackers to replace executables with Trojan 
horses.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3482REFERENCE:CVE-2009-3897:DESCRIPTION:Product creates directories with 0777 permissions at installation, allowing users to gain privileges and access a socket used for authentication.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3897REFERENCE:CVE-2009-3489:DESCRIPTION:Photo editor installs a service with an insecure security descriptor, allowing users to stop or start the service, or execute commands as SYSTEM.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3489REFERENCE:CVE-2009-3289:DESCRIPTION:Library function copies a file to a new target and uses the source file's permissions for the target, which is incorrect when the source file is a symbolic link, which typically has 0777 permissions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3289REFERENCE:CVE-2009-0115:DESCRIPTION:Device driver uses world-writable permissions for a socket file, allowing attackers to inject arbitrary commands.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0115REFERENCE:CVE-2009-1073:DESCRIPTION:LDAP server stores a cleartext password in a world-readable file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1073REFERENCE:CVE-2009-0141:DESCRIPTION:Terminal emulator creates TTY devices with world-writable permissions, allowing an attacker to write to the terminals of other users.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0141REFERENCE:CVE-2008-0662:DESCRIPTION:VPN product stores user credentials in a registry key with Everyone: Full Control permissions, allowing attackers to steal the credentials.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0662REFERENCE:CVE-2008-0322:DESCRIPTION:Driver installs its device interface with Everyone: Write permissions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0322REFERENCE:CVE-2009-3939:DESCRIPTION:Driver installs a file with world-writable 
permissions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3939REFERENCE:CVE-2009-3611:DESCRIPTION:Product changes permissions to 0777 before deleting a backup; the permissions stay insecure for subsequent backups.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3611REFERENCE:CVE-2007-6033:DESCRIPTION:Product creates a share with Everyone: Full Control permissions, allowing arbitrary program execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6033REFERENCE:CVE-2007-5544:DESCRIPTION:Product uses Everyone: Full Control permissions for memory-mapped files (shared memory) in inter-process communication, allowing attackers to tamper with a session.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5544REFERENCE:CVE-2005-4868:DESCRIPTION:Database product uses read/write permissions for everyone for its shared memory, allowing theft of credentials.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4868REFERENCE:CVE-2004-1714:DESCRIPTION:Security product uses Everyone: Full Control permissions for its configuration files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1714REFERENCE:CVE-2001-0006:DESCRIPTION:Everyone: Full Control permissions assigned to a mutex allows users to disable network connectivity.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0006REFERENCE:CVE-2002-0969:DESCRIPTION:Chain: database product contains buffer overflow that is only reachable through a .ini configuration file - which has Everyone: Full Control permissions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0969","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO03-J:ENTRY NAME:Create files with appropriate access permission::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SEC01-J:ENTRY NAME:Do not allow tainted variables in privileged blocks::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:ENV03-J:ENTRY NAME:Do not grant dangerous combinations of permissions::::TAXONOMY 
NAME:CERT C Secure Coding:ENTRY ID:FIO06-C:ENTRY NAME:Create files with appropriate access permissions::","::1::122::127::17::180::234::60::61::62::","TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-396).::",
733,"Compiler Optimization Removal or Modification of Security-critical Code",Base,Incomplete,"The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.","","::NATURE:ChildOf:CWE ID:1038:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:1038:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Often::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Often:::LANGUAGE CLASS:Compiled:LANGUAGE PREVALENCE:Undetermined::","","","","",,"::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Other::","::METHOD:Black Box:EFFECTIVENESS::DESCRIPTION:This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others.::METHOD:White Box:EFFECTIVENESS::DESCRIPTION:This weakness is only detectable using white box methods (see black box detection factor). Careful analysis is required to determine if the code is likely to be removed by the compiler.::","","::REFERENCE:CVE-2008-1685:DESCRIPTION:C compiler optimization, as allowed by specifications, removes code that is used to perform checks to detect integer overflows.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1685","","","","::10::24::46::8::9::","",
74,"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",Class,Incomplete,"The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.","Software has certain assumptions about what constitutes data and control respectively. It is the lack of verification of these assumptions for user-controlled input that leads to injection problems. Injection problems encompass a wide variety of issues -- all mitigated in very different ways and usually attempted in order to alter the control flow of the process. For this reason, the most effective way to discuss these weaknesses is to note the distinct features which classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. The most classic instantiations of this category of weakness are SQL injection and format string vulnerabilities.","::NATURE:ChildOf:CWE ID:707:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:116:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699::NATURE:ChildOf:CWE ID:20:VIEW ID:1003:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism In some cases, injectable code controls authentication; this may lead to a remote vulnerability.::SCOPE:Other:TECHNICAL IMPACT:Alter Execution Logic:NOTE:Other Alter Execution Logic Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code.::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Other:NOTE:Integrity Other Other Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing.::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Non-Repudiation Hide Activities Often the actions performed by injected control code are unlogged.::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Programming languages and supporting technologies might be chosen which are not subject to these issues.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Utilize an appropriate mix of whitelist and blacklist parsing to filter control-plane syntax from all input.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Injection problem ('data' used as something else)::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A6:ENTRY NAME:Injection Flaws:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::10::101::108::13::135::14::24::242::250::267::273::28::3::34::40::42::43::45::46::47::51::52::53::64::66::67::7::71::72::76::78::79::8::80::83::84::9::","TYPE:Relationship:NOTE:In the development view (CWE-699), this is classified as an Input Validation problem (CWE-20) because many people do not distinguish between the consequence/attack (injection) and the protection mechanism that prevents the attack from succeeding. In the research view (CWE-1000), however, input validation is only one potential protection mechanism (output encoding is another), and there is a chaining relationship between improper input validation and the improper enforcement of the structure of messages to other components. Other issues not directly related to input validation, such as race conditions, could similarly impact message structure.::",
749,"Exposed Dangerous Method or Function",Base,Incomplete,"The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.","This weakness can lead to a wide variety of resultant weaknesses, depending on the behavior of the exposed method. It can apply to any number of technologies and approaches, such as ActiveX controls, Java functions, IOCTLs, and so on. The exposure can occur in a few different ways: 1) The function/method was never intended to be exposed to outside actors. 2) The function/method was only intended to be accessible to a limited set of actors, such as Internet-based access from a single web site.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:691:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Gain Privileges or Assume Identity Read Application Data Modify Application Data Execute Unauthorized Code or Commands Other:NOTE:Integrity Confidentiality Availability Access Control Other Gain Privileges or Assume Identity Read Application Data Modify Application Data Execute Unauthorized Code or Commands Other Exposing critical functionality essentially provides an attacker with the privilege level of the exposed functionality. This could result in the modification or exposure of sensitive data or possibly even execution of arbitrary code.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.::PHASE:Architecture and Design Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be: accessible to all users restricted to a small set of privileged users prevented from being directly accessible at all Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting.::","::REFERENCE:CVE-2007-6382:DESCRIPTION:arbitrary Java code execution via exposed method:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6382REFERENCE:CVE-2007-1112:DESCRIPTION:security tool ActiveX control allows download or upload of files:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1112","","","","","TYPE:Research Gap:NOTE:Under-reported and under-studied. This weakness could appear in any technology, language, or framework that allows the programmer to provide a functional interface to external parties, but it is not heavily reported. In 2007, CVE began showing a notable increase in reports of exposed method vulnerabilities in ActiveX applications, as well as IOCTL access to OS-level resources. These weaknesses have been documented for Java applications in various secure programming sources, but there are few reports in CVE, which suggests limited awareness in most parts of the vulnerability research community.::",
75,"Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)",Class,Draft,"The software does not adequately filter user-controlled input for special elements with control implications.","","::NATURE:ChildOf:CWE ID:74:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Modify Application Data Execute Unauthorized Code or Commands::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Programming languages and supporting technologies might be chosen which are not subject to these issues.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Utilize an appropriate mix of whitelist and blacklist parsing to filter special element syntax from all input.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Special Element Injection::","::81::93::","",
754,"Improper Check for Unusual or Exceptional Conditions",Class,Incomplete,"The software does not check or improperly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software.","The programmer may assume that certain events or conditions will never occur or do not need to be worried about, such as low memory conditions, lack of access to resources due to restrictive permissions, or misbehaving clients or components. However, attackers may intentionally trigger these unusual conditions, thus violating the programmer's assumptions, possibly introducing instability, incorrect behavior, or a vulnerability. Note that this entry is not exclusively about the use of exceptions and exception handling, which are mechanisms for both checking and handling unusual or unexpected conditions.","::NATURE:ChildOf:CWE ID:703:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:703:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","::Many functions will return some value about the success of their actions. This will alert the program whether or not to handle any errors caused by that function.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Unexpected State:NOTE:Integrity Availability DoS: Crash, Exit, or Restart Unexpected State The data which were produced as a result of a function call could be in a bad state upon return. If the return value is not checked, then this bad data may be used in operations, possibly leading to a crash or other unintended behaviors.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:Automated static analysis may be useful for detecting unusual conditions involving system resources or common programming idioms, but not for violations of business rules.::METHOD:Manual Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::","::PHASE:Requirements:STRATEGY:Language Selection:EFFECTIVENESS::DESCRIPTION:Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).::PHASE:Implementation:STRATEGY::EFFECTIVENESS:High:DESCRIPTION:Check the results of all functions that return a value and verify that the value is expected.::PHASE:Implementation:STRATEGY::EFFECTIVENESS:High:DESCRIPTION:If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that error messages only contain minimal details that are useful to the intended audience, and nobody else. The messages need to strike the balance between being too cryptic and not being cryptic enough. They should not necessarily reveal the methods that were used to determine the error. Such detailed information can be used to refine the original attack to increase the chances of success. If errors must be tracked in some detail, capture them in log messages - but consider what could occur if the log messages can be viewed by attackers. Avoid recording highly sensitive information such as passwords in any form. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not. Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use system limits, which should help to prevent resource exhaustion. However, the software should still handle low resource conditions since they may still occur.::","::REFERENCE:CVE-2007-3798:DESCRIPTION:Unchecked return value leads to resultant integer overflow and code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798REFERENCE:CVE-2006-4447:DESCRIPTION:Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4447REFERENCE:CVE-2006-2916:DESCRIPTION:Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916","","","TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:EXP31-PL:ENTRY NAME:Do not suppress or ignore exceptions:MAPPING FIT:CWE More Abstract::","","TYPE:Relationship:NOTE:Sometimes, when a return value can be used to indicate an error, an unchecked return value is a code-layer instance of a missing application-layer check for exceptional conditions. However, return values are not always needed to communicate exceptional conditions. For example, expiration of resources, values passed by reference, asynchronously modified data, sockets, etc. may indicate exceptional conditions without the use of a return value.::",
755,"Improper Handling of Exceptional Conditions",Class,Incomplete,"The software does not handle or incorrectly handles an exceptional condition.","","::NATURE:ChildOf:CWE ID:703:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:703:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","","::REFERENCE:CVE-2008-4302:DESCRIPTION:Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4302","","","","","",
756,"Missing Custom Error Page",Class,Incomplete,"The software does not return custom error pages to the user, possibly exposing sensitive information.","","::NATURE:ChildOf:CWE ID:755:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:209:VIEW ID:1000::","","","","","","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.::","","","","","","","","",
  597. 757,"Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')",Class,Incomplete,"A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.","When a security mechanism can be forced to downgrade to use a less secure algorithm, this can make it easier for attackers to compromise the software by exploiting weaker algorithm. The victim might not be aware that the less secure algorithm is being used. For example, if an attacker can force a communications channel to use cleartext instead of strongly-encrypted data, then the attacker could read the channel by sniffing, instead of going through extra effort of trying to decrypt the data using brute force techniques.","::NATURE:ChildOf:CWE ID:693:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","","::REFERENCE:CVE-2006-4302:DESCRIPTION:Attacker can select an older version of the software to exploit its vulnerabilities.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4302REFERENCE:CVE-2006-4407:DESCRIPTION:Improper prioritization of encryption ciphers during negotiation leads to use of a weaker cipher.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4407REFERENCE:CVE-2005-2969:DESCRIPTION:chain: SSL/TLS implementation disables a verification step (CWE-325) that enables a downgrade attack to a weaker protocol.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969REFERENCE:CVE-2001-1444:DESCRIPTION:Telnet protocol implementation allows downgrade to weaker authentication and encryption using a man-in-the-middle 
attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1444REFERENCE:CVE-2002-1646:DESCRIPTION:SSH server implementation allows override of configuration setting to use weaker authentication schemes. This may be a composite with CWE-642.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1646","","","","::220::606::620::","TYPE:Relationship:NOTE:This is related to CWE-300 (Man-in-the-Middle), although not all downgrade attacks necessarily require a man in the middle. See examples.::",
  598. 758,"Reliance on Undefined, Unspecified, or Implementation-Defined Behavior",Class,Incomplete,"The software uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.","This can lead to resultant weaknesses when the required properties change, such as when the software is ported to a different platform or if an interaction error (CWE-435) occurs.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","","","","","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","","::REFERENCE:CVE-2006-1902:DESCRIPTION:Change in C compiler behavior causes resultant buffer overflows in programs that depend on behaviors that were undefined in the C standard.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1902","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR32-C:ENTRY NAME:Ensure size arguments for variable length arrays are in a valid range:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ERR34-C:ENTRY NAME:Detect errors when converting a string to a number:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP30-C:ENTRY NAME:Do not depend on the order of evaluation for side effects:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP33-C:ENTRY NAME:Do not read uninitialized memory:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO46-C:ENTRY NAME:Do not access a closed file:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT34-C:ENTRY NAME:Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:INT36-C:ENTRY NAME:Converting a pointer to integer or integer to pointer:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM30-C:ENTRY NAME:Do not access freed 
memory:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC14-C:ENTRY NAME:Do not introduce unnecessary platform dependencies::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC15-C:ENTRY NAME:Do not depend on undefined behavior::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MSC37-C:ENTRY NAME:Ensure that control never reaches the end of a non-void function:MAPPING FIT:CWE More Abstract::","","",
  599. 759,"Use of a One-Way Hash without a Salt",Base,Incomplete,"The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input.","This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables. It should be noted that, despite common perceptions, the use of a good salt with a hash does not sufficiently increase the effort for an attacker who is targeting an individual password, or who has a large amount of computing resources available, such as with cloud-based services or specialized, inexpensive hardware. Offline password cracking can still be effective if the hash function is not expensive to compute; many cryptographic functions are designed to be efficient and can be vulnerable to attacks using massive computing resources, even if the hash is cryptographically strong. The use of a salt only slightly increases the computing requirements for an attacker compared to other strategies such as adaptive hash functions. 
See CWE-916 for more details.","::NATURE:ChildOf:CWE ID:916:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:916:VIEW ID:1000:ORDINAL:Primary::","","","::In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity If an attacker can gain access to the hashes, then the lack of a salt makes it easier to conduct brute force attacks using techniques such as rainbow tables.::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Automated Static Analysis:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be 
useful: Cost effective for partial coverage: Configuration Checker::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS:High:DESCRIPTION:Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations (stretching) or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. 
However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS:Limited:DESCRIPTION:If a technique that requires extra computational effort can not be implemented, then for each password that is processed, generate a new random salt using a strong random number generator with unpredictable seeds. Add the salt to the plaintext password before hashing it. When storing the hash, also store the salt. Do not use the same salt for every password.::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.::","::REFERENCE:CVE-2008-1526:DESCRIPTION:Router does not use a salt with a hash, making it easier to crack passwords.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1526REFERENCE:CVE-2006-1058:DESCRIPTION:Router does not use a salt with a hash, making it easier to crack passwords.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1058","","","","","",
  600. 76,"Improper Neutralization of Equivalent Special Elements",Base,Draft,"The software properly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.","The software may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the software may filter out a leading slash (/) to prevent absolute path names, but does not account for a tilde (~) followed by a user name, which on some *nix systems could be expanded to an absolute pathname. Alternately, the software might filter a dangerous -e command-line switch when calling an external program, but it might not account for --exec or other switches that have the same semantics.","::NATURE:ChildOf:CWE ID:75:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:75:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Programming languages and supporting technologies might be chosen which are not subject to these issues.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Utilize an appropriate mix of whitelist and blacklist parsing to filter equivalent special element syntax from all input.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Equivalent Special Element Injection::","","",
  601. 760,"Use of a One-Way Hash with a Predictable Salt",Base,Incomplete,"The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of the input.","This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide. It should be noted that, despite common perceptions, the use of a good salt with a hash does not sufficiently increase the effort for an attacker who is targeting an individual password, or who has a large amount of computing resources available, such as with cloud-based services or specialized, inexpensive hardware. Offline password cracking can still be effective if the hash function is not expensive to compute; many cryptographic functions are designed to be efficient and can be vulnerable to attacks using massive computing resources, even if the hash is cryptographically strong. The use of a salt only slightly increases the computing requirements for an attacker compared to other strategies such as adaptive hash functions. See CWE-916 for more details.","::NATURE:ChildOf:CWE ID:916:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:916:VIEW ID:1000:ORDINAL:Primary::","","","::In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS:High:DESCRIPTION:Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations (stretching) or the amount of memory required. Some hash functions perform salting automatically. 
These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs.::PHASE:Implementation:STRATEGY::EFFECTIVENESS:Limited:DESCRIPTION:If a technique that requires extra computational effort can not be implemented, then for each password that is processed, generate a new random salt using a strong random number generator with unpredictable seeds. Add the salt to the plaintext password before hashing it. When storing the hash, also store the salt. 
Do not use the same salt for every password.::","::REFERENCE:CVE-2008-4905:DESCRIPTION:Blogging software uses a hard-coded salt when calculating a password hash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4905REFERENCE:CVE-2002-1657:DESCRIPTION:Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1657REFERENCE:CVE-2001-0967:DESCRIPTION:Server uses a constant salt when encrypting passwords, simplifying brute force attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0967REFERENCE:CVE-2005-0408:DESCRIPTION:chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0408","","","","","",
  602. 761,"Free of Pointer not at Start of Buffer",Variant,Incomplete,"The application calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer.","This can cause the application to crash, or in some cases, modify critical program variables or execute code. This weakness often occurs when the memory is allocated explicitly on the heap with one of the malloc() family functions and free() is called, but pointer arithmetic has caused the pointer to be in the interior or end of the buffer.","::NATURE:ChildOf:CWE ID:763:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Availability:SCOPE:Confidentiality:TECHNICAL IMPACT:Modify Memory DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When utilizing pointer arithmetic to traverse a buffer, use a separate variable to track progress through memory and preserve the originally allocated address for later freeing.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When programming in C++, consider using smart pointers provided by the boost library to help correctly and consistently manage memory.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. 
For example, glibc in Linux provides protection against free of invalid pointers.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a language that provides abstractions for memory allocation and deallocation.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a tool that dynamically detects memory management problems, such as valgrind.::","","","Memory::","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP12:ENTRY NAME:Faulty Memory Release::","","TYPE:Maintenance:NOTE:Currently, CWE-763 is the parent, however it may be desirable to have an intermediate parent which is not function-specific, similar to how CWE-762 is an intermediate parent between CWE-763 and CWE-590.::",
  603. 762,"Mismatched Memory Management Routines",Variant,Incomplete,"The application attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.","This weakness can be generally described as mismatching memory management routines, such as: The memory was allocated on the stack (automatically), but it was deallocated using the memory management routine free() (CWE-590), which is intended for explicitly allocated heap memory. The memory was allocated explicitly using one set of memory management functions, and deallocated using a different set. For example, memory might be allocated with malloc() in C++ instead of the new operator, and then deallocated with the delete operator. When the memory management functions are mismatched, the consequences may be as severe as code execution, memory corruption, or program crash. Consequences and ease of exploit will vary depending on the implementation of the routines and the object being managed.","::NATURE:ChildOf:CWE ID:763:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Availability:SCOPE:Confidentiality:TECHNICAL IMPACT:Modify Memory DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free().::PHASE:Implementation:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone. For example, glibc in Linux provides protection against free of invalid pointers. 
When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391]. To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, glibc in Linux provides protection against free of invalid pointers.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a language that provides abstractions for memory allocation and deallocation.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a tool that dynamically detects memory management problems, such as valgrind.::","","","Memory::","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:WIN30-C:ENTRY NAME:Properly pair allocation and deallocation functions:MAPPING FIT:Exact::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP12:ENTRY NAME:Faulty Memory Release::","","TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that allows manual management of memory.::",
  604. 763,"Release of Invalid Pointer or Reference",Base,Incomplete,"The application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly.","This weakness can take several forms, such as: The memory was allocated, explicitly or implicitly, via one memory management method and deallocated using a different, non-compatible function (CWE-762). The function calls or memory management routines chosen are appropriate, however they are used incorrectly, such as in CWE-761.","::NATURE:ChildOf:CWE ID:404:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Availability:SCOPE:Confidentiality:TECHNICAL IMPACT:Modify Memory DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands:NOTE:Integrity Availability Confidentiality Modify Memory DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands This weakness may result in the corruption of memory, and perhaps instructions, possibly leading to a crash. If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free().::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When programming in C++, consider using smart pointers provided by the boost library to help correctly and consistently manage memory.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. 
For example, glibc in Linux provides protection against free of invalid pointers.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a language that provides abstractions for memory allocation and deallocation.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a tool that dynamically detects memory management problems, such as valgrind.::","","","Memory::","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP12:ENTRY NAME:Faulty Memory Release::","","TYPE:Maintenance:NOTE:This area of the view CWE-1000 hierarchy needs additional work. Several entries will likely be created in this branch. Currently the focus is on free() of memory, but delete and other related release routines may require the creation of intermediate entries that are not specific to a particular function. In addition, the role of other types of invalid pointers, such as an expired pointer, i.e. CWE-415 Double Free and release of uninitialized pointers, related to CWE-457.::",
  605. 764,"Multiple Locks of a Critical Resource",Variant,Incomplete,"The software locks a critical resource more times than intended, leading to an unexpected state in the system.","When software is operating in a concurrent environment and repeatedly locks a critical resource, the consequences will vary based on the type of lock, the lock's implementation, and the resource being protected. In some situations such as with semaphores, the resources are pooled and extra locking calls will reduce the size of the total available pool, possibly leading to degraded performance or a denial of service. If this can be triggered by an attacker, it will be similar to an unrestricted lock (CWE-412). In the context of a binary lock, it is likely that any duplicate locking attempts will never succeed since the lock is already held and progress may not be possible.","::NATURE:ChildOf:CWE ID:667:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:667:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:675:VIEW ID:1000::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Integrity:TECHNICAL IMPACT:DoS: Resource Consumption (CPU) DoS: Crash, Exit, or Restart Unexpected State::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When locking and unlocking a resource, try to be sure that all control paths through the code in which the resource is locked one or more times correspond to exactly as many unlocks. If the software acquires a lock and then determines it is not able to perform its intended behavior, be sure to release the lock(s) before waiting for conditions to improve. Reacquire the lock(s) before trying again.::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP21:ENTRY NAME:Multiple locks/unlocks::","","TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. 
Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future.::",
  606. 765,"Multiple Unlocks of a Critical Resource",Variant,Incomplete,"The software unlocks a critical resource more times than intended, leading to an unexpected state in the system.","When software is operating in a concurrent environment and repeatedly unlocks a critical resource, the consequences will vary based on the type of lock, the lock's implementation, and the resource being protected. In some situations such as with semaphores, the resources are pooled and extra calls to unlock will increase the count for the number of available resources, likely resulting in a crash or unpredictable behavior when the system nears capacity.","::NATURE:ChildOf:CWE ID:667:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:667:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:675:VIEW ID:1000::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Integrity:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Modify Memory Unexpected State::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When locking and unlocking a resource, try to be sure that all control paths through the code in which the resource is locked one or more times correspond to exactly as many unlocks. If the software acquires a lock and then determines it is not able to perform its intended behavior, be sure to release the lock(s) before waiting for conditions to improve. Reacquire the lock(s) before trying again.::","::REFERENCE:CVE-2009-0935:DESCRIPTION:Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0935","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP21:ENTRY NAME:Multiple locks/unlocks::","","TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. 
Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future.::",
  607. 766,"Critical Variable Declared Public",Variant,Incomplete,"The software declares a critical variable or field to be public when intended security policy requires it to be private.","","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data Modify Application Data:NOTE:Integrity Confidentiality Read Application Data Modify Application Data Making a critical variable public allows anyone with access to the object in which the variable is contained to alter or read the value.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Data should be private, static, and final whenever possible. This will assure that your code is protected by instantiating early, preventing access, and preventing tampering.::","::REFERENCE:CVE-2010-3860:DESCRIPTION:variables declared public allows remote read of system properties such as user name and home directory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3860","","","TAXONOMY NAME:CLASP:ENTRY NAME:Failure to protect stored data from modification::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:OBJ01-J:ENTRY NAME:Declare data members as private and provide accessible wrapper methods::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP28:ENTRY NAME:Unexpected access points::","","",
  608. 767,"Access to Critical Private Variable via Public Method",Variant,Incomplete,"The software defines a public method that reads or modifies a private variable.","If an attacker modifies the variable to contain unexpected values, this could violate assumptions from other parts of the code. Additionally, if an attacker can read the private variable, it may expose sensitive information or make it easier to launch further attacks.","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C#:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Other:TECHNICAL IMPACT:Modify Application Data Other::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use class accessor and mutator methods appropriately. Perform validation when accepting data from a public method that is intended to modify a critical private variable. Also be sure that appropriate access controls are being applied when a public method interfaces with critical data.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Failure to protect stored data from modification::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:OOP31-PL:ENTRY NAME:Do not access private variables or subroutines in other packages:MAPPING FIT:Imprecise::","","TYPE:Maintenance:NOTE:This entry is closely associated with access control for public methods. If the public methods are restricted with proper access controls, then the information in the private variable will not be exposed to unexpected parties. There may be chaining or composite relationships between improper access controls and this weakness.::",
  609. 768,"Incorrect Short Circuit Evaluation",Variant,Incomplete,"The software contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.","Usage of short circuit evaluation, though well-defined in the C standard, may alter control flow in a way that introduces logic errors that are difficult to detect, possibly causing errors later during the software's execution. If an attacker can discover such an inconsistency, it may be exploitable to gain arbitrary control over a system. If the first condition of an or statement is assumed to be true under normal circumstances, or if the first condition of an and statement is assumed to be false, then any subsequent conditional may contain its own logic errors that are not detected during code review or testing. Finally, the usage of short circuit evaluation may decrease the maintainability of the code.","::NATURE:ChildOf:CWE ID:691:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT::NOTE:Confidentiality Integrity Availability Widely varied consequences are possible if an attacker is aware of an unexpected state in the software after a conditional. 
It may lead to information exposure, a system crash, or even complete attacker control of the system.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Minimizing the number of statements in a conditional that produce side effects will help to prevent the likelihood of short circuit evaluation to alter control flow in an unexpected way.::","","","","TAXONOMY NAME:CLASP:ENTRY NAME:Failure to protect stored data from modification::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP1:ENTRY NAME:Glitch in computation::","","",
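Added example for CWE-768 (not part of the CWE entry above), in C because the entry refers to the C standard's short-circuit rules. The intended policy is that every authorization attempt is audited; in the first function the audit call sits in a non-leading operand of `||`, so whenever the first operand is true the side effect never happens. The audit/token names and the `is_local` flag are illustrative assumptions.

```c
/* Added example, not code from the CWE corpus: CWE-768 in practice. */
#include <stdbool.h>
#include <string.h>

static int audit_count = 0;         /* how many attempts were actually logged */

/* Side effect: record the attempt. Always "succeeds" so it reads naturally
 * inside a conditional, which is exactly what hides the bug. */
static bool audit(const char *who) { (void)who; audit_count++; return true; }

static bool check_token(const char *tok) {
    return tok != NULL && strcmp(tok, "s3cret") == 0;   /* illustrative value */
}

/* Vulnerable: the author assumed is_local is normally false. When it is true
 * (e.g. a front-end proxy sets it), '||' short-circuits and neither audit()
 * nor check_token() runs: the attempt is granted and never logged. */
bool authorize_short_circuit(bool is_local, const char *who, const char *tok) {
    if (is_local || (audit(who) && check_token(tok)))
        return true;
    return false;
}

/* Fixed: the side effect is hoisted out of the conditional so it runs on
 * every path, and the conditional itself is side-effect free. */
bool authorize_fixed(bool is_local, const char *who, const char *tok) {
    audit(who);                            /* unconditional                */
    bool token_ok = check_token(tok);      /* also evaluated unconditionally */
    return is_local || token_ok;
}
```

The review heuristic that follows from the entry: any call in a non-leading `&&`/`||` operand that mutates state (logging, counters, assignments, resource acquisition) should be moved to its own statement before the `if`.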
  610. 769,"Uncontrolled File Descriptor Consumption",Base,Incomplete,"The software does not properly limit the number of open file descriptors that it uses.","When an attacker can influence the consumption of file descriptors, the attacker might be able to prevent the process from opening files for writing or reading. In some cases, file descriptor exhaustion could affect other processes. There are at least three distinct scenarios which can commonly lead to file descriptor exhaustion: (1) lack of throttling for the number of open file descriptors; (2) losing all references to a file descriptor before reaching the shutdown stage; (3) not closing file descriptors after processing.","::NATURE:ChildOf:CWE ID:400:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:400:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:400:VIEW ID:1003:ORDINAL:Primary::","","","","::TERM:File descriptor exhaustion:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"","","::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:If file I/O is being supported by an application for multiple users, balancing the resource allotment across the group may help to prevent exhaustion as well as differentiate malicious activity from an insufficient resource pool.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider using the getrlimit() function declared in sys/resource.h (resource RLIMIT_NOFILE) in order to determine how many files are currently allowed to be opened for the process.::","","","","","","",
  611. 77,"Improper Neutralization of Special Elements used in a Command ('Command Injection')",Class,Draft,"The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.","Command injection vulnerabilities typically occur when: 1. Data enters the application from an untrusted source. 2. The data is part of a string that is executed as a command by the application. 3. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have. Command injection is a common problem with wrapper programs.","::NATURE:ChildOf:CWE ID:74:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:1003:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands If a malicious user injects a character (such as a semi-colon) that delimits the end of one command and the beginning of another, it may be possible to then insert an entirely new and unrelated command that was not intended to be executed.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:If at all possible, use library calls rather than external processes to recreate the desired functionality.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If possible, ensure that all external commands called from the program are statically created.::PHASE:Implementation:STRATEGY:Input 
Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. 
However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Run time: Run time policy enforcement may be used in a whitelist fashion to prevent use of any non-sanctioned commands.::PHASE:System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Assign permissions to the software system that prevent the user from accessing/opening privileged files.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Command Injection::::TAXONOMY NAME:CLASP:ENTRY NAME:Command injection::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A2:ENTRY NAME:Injection Flaws:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A1:ENTRY NAME:Unvalidated Input:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A6:ENTRY NAME:Injection Flaws:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:IDS34-PL:ENTRY NAME:Do not pass untrusted, unsanitized data to a command interpreter:MAPPING FIT:CWE More Specific::","::11::136::15::23::248::43::6::75::76::","TYPE:Terminology:NOTE:The command injection phrase carries different meanings to different people. For some people, it refers to any type of attack that can allow the attacker to execute commands of their own choosing, regardless of how those commands are inserted. The command injection could thus be resultant from another weakness. This usage also includes cases in which the functionality allows the user to specify an entire command, which is then executed; within CWE, this situation might be better regarded as an authorization problem (since an attacker should not be able to specify arbitrary commands.) 
Another common usage, which includes CWE-77 and its descendants, involves cases in which the attacker injects separators into the command being constructed.::",
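Added example for CWE-77 (not part of the CWE entry above) showing the two implementation-phase mitigations listed there: the vulnerable path builds one string for a shell, where a separator such as `;` in the input ends the intended command and starts another; the hardened path keeps the command static, validates the argument against an accept-known-good pattern, and passes it as its own `argv` element to `execvp()` so no shell ever parses it. The `ls -l` command, the filename rule and the function names are illustrative assumptions.

```c
/* Added example, not code from the CWE corpus: CWE-77 and its mitigation. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable: the input becomes part of the shell command line.
 * With filename = "notes.txt; id" the string handed to system() would run
 * two commands. Returns 0 if the string fit in the buffer, -1 otherwise. */
int build_shell_cmd(char *out, size_t n, const char *filename) {
    return snprintf(out, n, "ls -l %s", filename) < (int)n ? 0 : -1;
}

/* Accept-known-good check (illustrative rule): 1..255 bytes drawn from
 * [A-Za-z0-9._-], not starting with '-' (would be parsed as an option) and
 * not starting with '.' (rejects "." / ".." and hidden files). Everything
 * else, including ';', '|', '$', '/', spaces and quotes, is rejected. */
int filename_ok(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 255 || s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened: static program and options, validated input as a separate argv
 * entry after "--", executed without a shell. Returns the child's exit
 * status, or -1 if the input was refused or the child could not be run. */
int list_file_safely(const char *filename) {
    if (!filename_ok(filename)) return -1;
    char *const argv[] = { "ls", "-l", "--", (char *)filename, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed in the child      */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[256];
    const char *evil = "notes.txt; id";
    build_shell_cmd(cmd, sizeof cmd, evil);
    printf("string a system() call would receive: %s\n", cmd);
    printf("hardened path result for the same input: %d\n", list_file_safely(evil));
    return 0;
}
```

Even with `execvp()`, the `--` matters: without it a validated-looking name such as `-la` would still be interpreted by the child as an option, which is why the allowlist also rejects a leading dash.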
  612. 770,"Allocation of Resources Without Limits or Throttling",Base,Incomplete,"The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor.","","::NATURE:ChildOf:CWE ID:665:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:400:VIEW ID:1000::NATURE:ChildOf:CWE ID:400:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION::::PHASE:System Configuration:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Resource Consumption (Other) When allocating resources without limits, an attacker could prevent other systems, applications, or processes from accessing the same type of resource.::","::METHOD:Manual Static Analysis:EFFECTIVENESS::DESCRIPTION:Manual static analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. If denial-of-service is not considered a significant risk, or if there is strong emphasis on consequences such as code execution, then manual analysis may not focus on this weakness at all.::METHOD:Fuzzing:EFFECTIVENESS:Opportunistic:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted software in between test cases. 
If an individual test case produces a crash, but it does not do so reliably, then an inability to limit resource allocation may be the cause. When the allocation is directly affected by numeric inputs, then fuzzing may produce indications of this weakness.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:Certain automated dynamic analysis techniques may be effective in producing side effects of uncontrolled resource allocation problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the software within a short time frame. Manual analysis is likely required to interpret the results.::METHOD:Automated Static Analysis:EFFECTIVENESS::DESCRIPTION:Specialized configuration or tuning may be required to train automated tools to recognize this weakness. Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the missing release of program-independent system resources such as files, sockets, and processes, or unchecked arguments to memory. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired, or if too much of a resource is requested at once, as can occur with memory. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. 
Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.::","::PHASE:Requirements:STRATEGY::EFFECTIVENESS::DESCRIPTION:Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. 
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Mitigation of resource exhaustion attacks requires that the target system either (1) recognizes the attack and denies that user further access for a given amount of time, typically by using increasing time delays, or (2) uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed. The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. 
If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution can be difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply requires more resources on the part of the attacker.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that protocols have specific limits of scale placed on them.::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery. Ensure that all failures in resource allocation place the system into a safe posture.::PHASE:Operation Architecture and Design:STRATEGY:Resource Limitation:EFFECTIVENESS::DESCRIPTION:Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. 
Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).::","::REFERENCE:CVE-2009-4017:DESCRIPTION:Language interpreter does not restrict the number of temporary files being created when handling a MIME request with a large number of parts.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017REFERENCE:CVE-2009-2726:DESCRIPTION:Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2726REFERENCE:CVE-2009-2540:DESCRIPTION:Large integer value for a length property in an object causes a large amount of memory allocation.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2540REFERENCE:CVE-2009-2054:DESCRIPTION:Product allows exhaustion of file descriptors when processing a large number of TCP packets.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2054REFERENCE:CVE-2008-5180:DESCRIPTION:Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5180REFERENCE:CVE-2008-1700:DESCRIPTION:Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1700REFERENCE:CVE-2005-4650:DESCRIPTION:CMS does not restrict the number of searches that can occur simultaneously, leading to resource exhaustion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4650","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:FIO04-J:ENTRY NAME:Close resources when they are no longer needed::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SER12-J:ENTRY NAME:Avoid memory and resource leaks during serialization::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MSC05-J:ENTRY NAME:Do not exhaust heap 
space::","::121::125::130::147::197::229::230::231::469::82::99::","TYPE:Maintenance:NOTE:Resource exhaustion (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain.::::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",
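Added example for CWE-769 and CWE-770 (not part of the CWE entries above), covering the getrlimit()/setrlimit() mitigation both rows mention and the per-actor balancing the CWE-769 row suggests. The process reads its descriptor ceiling from `RLIMIT_NOFILE`, keeps a reserve for its own needs, divides the remainder evenly among the actors it serves, and refuses an `open()` on behalf of an actor that has used its share, so one client cannot starve the others or the process itself. The `open_budget` type, the reserve/actor numbers and the function names are illustrative assumptions.

```c
/* Added example, not code from the CWE corpus: descriptor budgeting that
 * derives its limits from the OS instead of hard-coding them. */
#include <errno.h>
#include <fcntl.h>
#include <sys/resource.h>
#include <unistd.h>

typedef struct {
    long ceiling;       /* soft RLIMIT_NOFILE of this process                 */
    long reserve;       /* descriptors kept free for internal use             */
    long per_actor;     /* most descriptors any one actor may hold at once    */
    long in_use;        /* descriptors currently handed out via budget_open() */
} open_budget;

/* Query the ceiling with getrlimit() and split the headroom across actors.
 * Returns -1 if the limit cannot be read or leaves no room after the reserve. */
int budget_init(open_budget *b, long reserve, int actors) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    b->ceiling = (rl.rlim_cur == RLIM_INFINITY) ? 65536 : (long)rl.rlim_cur;
    b->reserve = reserve;
    b->in_use  = 0;
    if (actors <= 0 || b->ceiling <= reserve) return -1;
    b->per_actor = (b->ceiling - reserve) / actors;   /* balanced allotment */
    return 0;
}

/* Throttled open(): actor_open is how many descriptors this actor already
 * holds. Refuses with EMFILE before the kernel would, so the reserve stays
 * available and other actors keep their share. Returns the fd or -1. */
int budget_open(open_budget *b, long actor_open, const char *path, int flags) {
    if (actor_open >= b->per_actor)            { errno = EMFILE; return -1; }
    if (b->in_use + b->reserve >= b->ceiling)  { errno = EMFILE; return -1; }
    int fd = open(path, flags);
    if (fd >= 0) b->in_use++;
    return fd;
}

/* Release and account; only a successful close() frees budget. */
void budget_close(open_budget *b, int fd) {
    if (close(fd) == 0) b->in_use--;
}

/* setrlimit() side of the mitigation: lower this process's soft limit (never
 * above the hard limit) so a runaway allocation fails inside this process
 * rather than exhausting the host-wide descriptor table. */
int cap_open_files(long n) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    if (rl.rlim_max != RLIM_INFINITY && (rlim_t)n > rl.rlim_max) n = (long)rl.rlim_max;
    rl.rlim_cur = (rlim_t)n;
    return setrlimit(RLIMIT_NOFILE, &rl);
}
```

The caller still has to track `actor_open` per client (a session counter is the usual place) and to go through `budget_close()` rather than a bare `close()`, otherwise the accounting drifts and the throttle stops matching reality.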
  613. 771,"Missing Reference to Active Allocated Resource",Base,Incomplete,"The software does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.","This does not necessarily apply in languages or frameworks that automatically perform garbage collection, since the removal of all references may act as a signal that the resource is ready to be reclaimed.","::NATURE:ChildOf:CWE ID:400:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:400:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (Other) When allocating resources without limits, an attacker could prevent all other processes from accessing the same type of resource.::","","::PHASE:Operation Architecture and Design:STRATEGY:Resource Limitation:EFFECTIVENESS::DESCRIPTION:Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. 
Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP14:ENTRY NAME:Failure to release resource::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO42-C:ENTRY NAME:Close files when they are no longer needed:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM31-C:ENTRY NAME:Free dynamically allocated memory when no longer needed:MAPPING FIT:CWE More Abstract::","","TYPE:Maintenance:NOTE:Resource exhaustion (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain.::::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",
  614. 772,"Missing Release of Resource after Effective Lifetime",Base,Incomplete,"The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.","When a resource is not released after use, it can allow attackers to cause a denial of service.","::NATURE:ChildOf:CWE ID:404:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:404:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:400:VIEW ID:1000::","","::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (Other) When allocating resources without limits, an attacker could prevent all other processes from accessing the same type of resource.::","","::PHASE:Requirements:STRATEGY:Language Selection:EFFECTIVENESS::DESCRIPTION:Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions.::PHASE:Operation Architecture and Design:STRATEGY:Resource Limitation:EFFECTIVENESS::DESCRIPTION:Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. 
However, these functions are not available on all operating systems. When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).::","::REFERENCE:CVE-2007-0897:DESCRIPTION:Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0897REFERENCE:CVE-2001-0830:DESCRIPTION:Sockets not properly closed when attacker repeatedly connects and disconnects from server.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0830REFERENCE:CVE-1999-1127:DESCRIPTION:Does not shut down named pipe connections if malformed data is sent.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1127REFERENCE:CVE-2009-2858:DESCRIPTION:Chain: memory leak (CWE-404) leads to resource exhaustion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2858REFERENCE:CVE-2009-2054:DESCRIPTION:Product allows exhaustion of file descriptors when processing a large number of TCP packets.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2054REFERENCE:CVE-2008-2122:DESCRIPTION:Port scan triggers CPU consumption with processes that attempt to read data from closed sockets.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2122REFERENCE:CVE-2007-4103:DESCRIPTION:Product allows resource exhaustion via a large number of calls that do not complete a 3-way 
handshake.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4103REFERENCE:CVE-2002-1372:DESCRIPTION:Return values of file/socket operations not checked, allowing resultant consumption of file descriptors.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1372","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP14:ENTRY NAME:Failure to release resource::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO42-C:ENTRY NAME:Close files when they are no longer needed:MAPPING FIT:CWE More Abstract::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM31-C:ENTRY NAME:Free dynamically allocated memory when no longer needed:MAPPING FIT:CWE More Abstract::","::469::","TYPE:Maintenance:NOTE:Resource exhaustion (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain.::::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",
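Added example for CWE-772 (not part of the CWE entry above) illustrating the implementation mitigation "free the resources at all exit points for that function including error conditions" and the CVE-2007-0897 pattern described in the row: a scanner that meets a malformed file and returns without closing its descriptor. The fixed version routes every exit through one cleanup label. `fd_probe()` is an added leak check that relies on the POSIX rule that `open()` returns the lowest unused descriptor, so a probe value that rises across a call reveals a leaked descriptor. The 4-byte magic and the function names are illustrative assumptions.

```c
/* Added example, not code from the CWE corpus: CWE-772/CWE-775 leak and fix. */
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Lowest descriptor open() would hand out right now. If a function leaks one
 * descriptor, the value returned after the call is one higher than before. */
int fd_probe(void) {
    int fd = open("/dev/null", O_RDONLY);
    if (fd >= 0) close(fd);
    return fd;
}

/* Toy format check: a well-formed input starts with the 4 bytes "SCAN". */
static int has_magic(const unsigned char *buf, ssize_t n) {
    return n == 4 && memcmp(buf, "SCAN", 4) == 0;
}

/* Leaky: returns 0 if well-formed, 1 if malformed, -1 on I/O error, but two
 * of the three exits skip close(). Feed it malformed files repeatedly and
 * the process runs out of descriptors (CWE-775 leading to CWE-769). */
int scan_leaky(const char *path) {
    unsigned char hdr[4];
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, hdr, sizeof hdr);
    if (n < 0) return -1;                    /* leak on read error          */
    if (!has_magic(hdr, n)) return 1;        /* leak on the malformed path  */
    close(fd);
    return 0;
}

/* Fixed: one exit point after the descriptor is acquired, so every outcome,
 * including the error conditions, releases it. Same return values. */
int scan_fixed(const char *path) {
    unsigned char hdr[4];
    int rc = -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;                   /* nothing acquired yet        */
    ssize_t n = read(fd, hdr, sizeof hdr);
    if (n < 0) goto out;
    rc = has_magic(hdr, n) ? 0 : 1;
out:
    close(fd);
    return rc;
}
```

The probe is also a cheap regression test for the whole class: call it before and after any function that opens a file, socket or pipe, and assert the two values are equal.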
  615. 773,"Missing Reference to Active File Descriptor or Handle",Variant,Incomplete,"The software does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.","This can cause the software to consume all available file descriptors or handles, which can prevent other processes from performing critical file processing operations.","::NATURE:ChildOf:CWE ID:771:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:769:VIEW ID:1000::NATURE:ChildOf:CWE ID:769:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (Other) When allocating resources without limits, an attacker could prevent all other processes from accessing the same type of resource.::","","::PHASE:Operation Architecture and Design:STRATEGY:Resource Limitation:EFFECTIVENESS::DESCRIPTION:Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. 
Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP14:ENTRY NAME:Failure to release resource::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO42-C:ENTRY NAME:Close files when they are no longer needed:MAPPING FIT:CWE More Abstract::","","TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",
  616. 774,"Allocation of File Descriptors or Handles Without Limits or Throttling",Variant,Incomplete,"The software allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.","This can cause the software to consume all available file descriptors or handles, which can prevent other processes from performing critical file processing operations.","::NATURE:ChildOf:CWE ID:770:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:769:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:769:VIEW ID:1003:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:769:VIEW ID:1000::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (Other) When allocating resources without limits, an attacker could prevent all other processes from accessing the same type of resource.::","","::PHASE:Operation Architecture and Design:STRATEGY:Resource Limitation:EFFECTIVENESS::DESCRIPTION:Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. 
Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).::","","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP13:ENTRY NAME:Unrestricted Consumption::","","TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",
  617. 775,"Missing Release of File Descriptor or Handle after Effective Lifetime",Variant,Incomplete,"The software does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.","When a file descriptor or handle is not released after use (typically by explicitly closing it), attackers can cause a denial of service by consuming all available file descriptors/handles, or otherwise preventing other system processes from obtaining their own file descriptors/handles.","::NATURE:ChildOf:CWE ID:772:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:769:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:769:VIEW ID:1003:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:769:VIEW ID:1000::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (Other) When allocating resources without limits, an attacker could prevent all other processes from accessing the same type of resource.::","","::PHASE:Operation Architecture and Design:STRATEGY:Resource Limitation:EFFECTIVENESS::DESCRIPTION:Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users. 
Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).::","::REFERENCE:CVE-2007-0897:DESCRIPTION:Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0897","","","TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP14:ENTRY NAME:Failure to release resource::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO42-C:ENTRY NAME:Close files when they are no longer needed:MAPPING FIT:CWE More Abstract::","","TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",
  618. 776,"Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')",Variant,Draft,"The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.","If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.","::NATURE:ChildOf:CWE ID:674:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:674:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:409:VIEW ID:1000::NATURE:ChildOf:CWE ID:409:VIEW ID:699::","","::LANGUAGE NAME:XML:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Web Based:PARADIGN PREVALENCE:Undetermined::","","::TERM:XEE:DESCRIPTION:XEE is the acronym commonly used for XML Entity Expansion.::TERM:Billion Laughs Attack:DESCRIPTION:::TERM:XML Bomb:DESCRIPTION:While the XML Bomb term was used in the early years of knowledge of this issue, the XEE term seems to be more commonly used.::",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (Other) If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.::","","::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.::","::REFERENCE:CVE-2008-3281:DESCRIPTION:XEE in XML-parsing library.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3281REFERENCE:CVE-2011-3288:DESCRIPTION:XML bomb / XEE in enterprise communication 
product.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3288REFERENCE:CVE-2011-1755:DESCRIPTION:Billion laughs attack in XMPP server daemon.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1755REFERENCE:CVE-2009-1955:DESCRIPTION:XML bomb in web server module:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955REFERENCE:CVE-2003-1564:DESCRIPTION:Parsing library allows XML bomb:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1564","","","TAXONOMY NAME:WASC:ENTRY ID:44:ENTRY NAME:XML Entity Expansion::","","",
  619. 777,"Regular Expression without Anchors",Variant,Incomplete,"The software uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through.","When performing tasks such as whitelist validation, data is examined and possibly modified to ensure that it is well-formed and adheres to a list of safe values. If the regular expression is not anchored, malicious or malformed data may be included before or after any string matching the regular expression. The type of malicious data that is allowed will depend on the context of the application and which anchors are omitted from the regular expression.","::NATURE:ChildOf:CWE ID:625:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:625:VIEW ID:699:ORDINAL:Primary::","","","::Regular expressions are typically used to match a pattern of text. Anchors are used in regular expressions to specify where the pattern should match: at the beginning, the end, or both (the whole input).::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Confidentiality:SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Availability Confidentiality Access Control Bypass Protection Mechanism An unanchored regular expression in the context of a whitelist will possibly result in a protection mechanism failure, allowing malicious or malformed data to enter trusted regions of the program. The specific consequences will depend on what functionality the whitelist was protecting.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Be sure to understand both what will be matched and what will not be matched by a regular expression. Anchoring the ends of the expression will allow the programmer to define a whitelist strictly limited to what is matched by the text in the regular expression. 
If you are using a package that only matches one line by default, ensure that you can match multi-line inputs if necessary.::","","","","","","",
  620. 778,"Insufficient Logging",Base,Draft,"When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it.","When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds.","::NATURE:ChildOf:CWE ID:223:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:223:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:693:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Non-Repudiation Hide Activities If security critical information is not recorded, there will be no trail for forensic analysis and discovering the cause of problems or the source of attacks may become more difficult or impossible.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a centralized logging mechanism that supports multiple levels of detail. Ensure that all security-related successes and failures can be logged.::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. 
At the same time, logging too much data (CWE-779) can cause the same problems.::","::REFERENCE:CVE-2008-4315:DESCRIPTION:server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4315REFERENCE:CVE-2008-1203:DESCRIPTION:admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1203REFERENCE:CVE-2007-3730:DESCRIPTION:default configuration for POP server does not log source IP or username for login attempts:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3730REFERENCE:CVE-2007-1225:DESCRIPTION:proxy does not log requests without http:// in the URL, allowing web surfers to access restricted web content without detection:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1225REFERENCE:CVE-2003-1566:DESCRIPTION:web server does not log requests for a non-standard request type:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1566","","","","","",
  621. 779,"Logging of Excessive Data",Base,Draft,"The software logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.","While logging is a good practice in general, and very high levels of logging are appropriate for debugging stages of development, too much logging in a production environment might hinder a system administrator's ability to detect anomalous conditions. This can provide cover for an attacker while attempting to penetrate a system, clutter the audit trail for forensic analysis, or make it more difficult to debug problems in a production environment.","::NATURE:ChildOf:CWE ID:400:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:400:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU) DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (CPU) DoS: Resource Consumption (Other) Log files can become so large that they consume excessive resources, such as disk and CPU, which can hinder the performance of the system.::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Non-Repudiation Hide Activities Logging too much information can make the log files of less use to forensics analysts and developers when trying to diagnose a problem or recover from an attack.::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Non-Repudiation Hide Activities If system administrators are unable to effectively process log files, attempted attacks may go undetected, possibly leading to eventual system compromise.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Suppress large numbers of duplicate log messages and replace them with periodic summaries. 
For example, syslog may include an entry that states last message repeated X times when recording repeated events.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Support a maximum size for the log file that can be controlled by the administrator. If the maximum size is reached, the admin should be notified. Also, consider reducing functionality of the software. This may result in a denial-of-service to legitimate software users, but it will prevent the software from adversely impacting the entire system.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Adjust configurations appropriately when software is transitioned from a debug state to production.::","::REFERENCE:CVE-2007-0421:DESCRIPTION:server records a large amount of data to the server log when it receives malformed headers:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0421REFERENCE:CVE-2002-1154:DESCRIPTION:chain: application does not restrict access to front-end for updates, which allows attacker to fill the error log:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1154","","","","","",
  622. 78,"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",Base,Draft,"The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.","This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage. There are at least two subtypes of OS command injection: The application intends to execute a single, fixed program that is under its own control. It intends to use externally-supplied inputs as arguments to that program. For example, the program might use system(nslookup [HOSTNAME]) to run nslookup and allow the user to supply a HOSTNAME, which is used as an argument. Attackers cannot prevent nslookup from executing. However, if the program does not remove command separators from the HOSTNAME argument, attackers could place the separators into the arguments, which allows them to execute their own program after nslookup has finished executing. The application accepts an input that it uses to fully select which program to run, as well as which commands to use. The application simply redirects this entire command to the operating system. 
For example, the program might use exec([COMMAND]) to execute the [COMMAND] that was supplied by the user. If the COMMAND is under attacker control, then the attacker can execute arbitrary commands or programs. If the command is being executed using functions like exec() and CreateProcess(), the attacker might not be able to combine multiple commands together in the same line. From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.","::NATURE:ChildOf:CWE ID:77:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:77:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:77:VIEW ID:1003:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:88:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Shell injection:DESCRIPTION:::TERM:Shell metacharacters:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Non-Repudiation:TECHNICAL IMPACT:Execute Unauthorized Code or Commands DoS: Crash, Exit, or Restart Read Files or Directories Modify Files or Directories Read Application Data Modify Application Data Hide Activities:NOTE:Confidentiality Integrity Availability Non-Repudiation Execute Unauthorized Code or Commands DoS: Crash, Exit, or Restart Read Files or Directories Modify Files or Directories Read Application Data Modify Application Data Hide Activities Attackers could execute unauthorized commands, which could then be used to disable the software, or read and modify data for which the attacker does not have permissions to 
access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner.::","::METHOD:Automated Static Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Static Analysis:EFFECTIVENESS:High:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:If at all possible, use library calls rather than external processes to recreate the desired functionality.::PHASE:Architecture and Design Operation:STRATEGY:Sandbox or Jail:EFFECTIVENESS:Limited:DESCRIPTION:Run the code in a jail or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.::PHASE:Architecture and Design:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. 
Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.::PHASE:Architecture and Design:STRATEGY:Parameterization:EFFECTIVENESS::DESCRIPTION:If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. 
Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. 
When constructing OS command strings, use stringent whitelists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping. Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like ; and > characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components. Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. 
As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.::PHASE:Architecture and Design:STRATEGY:Enforcement by Conversion:EFFECTIVENESS::DESCRIPTION:When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.::PHASE:Operation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS::DESCRIPTION:Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's -T switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's -T switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that error messages only contain minimal details that are useful to the intended audience, and nobody else. The messages need to strike the balance between being too cryptic and not being cryptic enough. They should not necessarily reveal the methods that were used to determine the error. Such detailed information can be used to refine the original attack to increase the chances of success. 
If errors must be tracked in some detail, capture them in log messages - but consider what could occur if the log messages can be viewed by attackers. Avoid recording highly sensitive information such as passwords in any form. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not. In the context of OS Command Injection, error information passed back to the user might reveal whether an OS command is being executed and possibly which command is being used.::PHASE:Operation:STRATEGY:Sandbox or Jail:EFFECTIVENESS::DESCRIPTION:Use runtime policy enforcement to create a whitelist of allowable commands, then prevent use of any command that does not appear in the whitelist. Technologies such as AppArmor are available to do this.::PHASE:Operation:STRATEGY:Firewall:EFFECTIVENESS:Moderate:DESCRIPTION:Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::PHASE:Operation Implementation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:When using PHP, configure the application so that it does not use register_globals. 
During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.::","::REFERENCE:CVE-1999-0067:DESCRIPTION:Canonical example. CGI program does not neutralize | metacharacter when invoking a phonebook program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0067REFERENCE:CVE-2001-1246:DESCRIPTION:Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1246REFERENCE:CVE-2002-0061:DESCRIPTION:Web server allows command execution using | (pipe) character.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0061REFERENCE:CVE-2003-0041:DESCRIPTION:FTP client does not filter | from filenames returned by the server, allowing for OS command injection.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0041REFERENCE:CVE-2008-2575:DESCRIPTION:Shell metacharacters in a filename in a ZIP archive:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2575REFERENCE:CVE-2002-1898:DESCRIPTION:Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1898REFERENCE:CVE-2008-4304:DESCRIPTION:OS command injection through environment variable.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4304REFERENCE:CVE-2008-4796:DESCRIPTION:OS command injection through https:// URLs:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796REFERENCE:CVE-2007-3572:DESCRIPTION:Chain: incomplete blacklist for OS command 
injection:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3572REFERENCE:CVE-2012-1988:DESCRIPTION:Product allows remote users to execute arbitrary commands by creating a file whose pathname contains shell metacharacters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1988","::Program Invocation","System Process::","TAXONOMY NAME:PLOVER:ENTRY NAME:OS Command Injection::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A3:ENTRY NAME:Malicious File Execution:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A6:ENTRY NAME:Injection Flaws:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ENV03-C:ENTRY NAME:Sanitize the environment when invoking external programs::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ENV33-C:ENTRY NAME:Do not call system():MAPPING FIT:CWE More Specific::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR02-C:ENTRY NAME:Sanitize data passed to complex subsystems::::TAXONOMY NAME:WASC:ENTRY ID:31:ENTRY NAME:OS Commanding::::TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:IDS07-J:ENTRY NAME:Do not pass untrusted, unsanitized data to the Runtime.exec() method::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::108::15::43::6::88::","TYPE:Terminology:NOTE:The OS command injection phrase carries different meanings to different people. For some people, it only refers to cases in which the attacker injects command separators into arguments for an application-controlled program that is being invoked. For some people, it refers to any type of attack that can allow the attacker to execute OS commands of their own choosing. This usage could include untrusted search path weaknesses (CWE-426) that cause the application to find and execute an attacker-controlled program. 
Further complicating the issue is the case when argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an -exec switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX find command, for example). In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78.::::TYPE:Research Gap:NOTE:More investigation is needed into the distinction between the OS command injection variants, including the role with argument injection (CWE-88). Equivalent distinctions may exist in other injection-related problems such as SQL injection.::",
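Added example for the OS command injection entry above (CWE-78) and its terminology note on argument injection (CWE-88). This is illustrative code written for this page, not code from the CWE entry or from any referenced product. It contrasts splicing a user-supplied operand into a system() command line with building an argv for execvp(), and it applies an operand policy that rejects both shell metacharacters and values starting with '-' (which a program such as find would read as an option like -exec). The program name "ls", the policy itself and the sample inputs are assumptions for the demo.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* VULNERABLE (CWE-78): the operand is spliced into a shell command line, so
 * "photos; id" or "$(id)" runs extra commands, and any error text from the
 * shell tells the caller exactly which command was being built. */
int list_dir_vulnerable(const char *user_dir)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "ls -l %s", user_dir);
    return system(cmd);
}

/* Operand policy (assumed for the demo): a non-empty relative path made only
 * of [A-Za-z0-9._/-], no leading '-' (would be parsed as an option such as
 * find's -exec, the CWE-88 case), no leading '/', no ".." anywhere. */
int is_safe_operand(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-' || *s == '/')
        return 0;
    if (strstr(s, "..") != NULL)
        return 0;
    for (const char *p = s; *p != '\0'; p++) {
        int ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
                 (*p >= '0' && *p <= '9') || *p == '.' || *p == '_' ||
                 *p == '/' || *p == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Build argv for execvp(): every element reaches the program verbatim, so no
 * shell ever parses the operand. Returns the element count, or -1 if refused. */
int build_ls_argv(const char *user_dir, const char *argv_out[], int cap)
{
    if (cap < 4 || !is_safe_operand(user_dir))
        return -1;
    argv_out[0] = "ls";
    argv_out[1] = "-l";
    argv_out[2] = user_dir;
    argv_out[3] = NULL;
    return 3;
}

/* FIXED: fork + execvp with the vetted argv. Returns the child's exit status,
 * or -1 when the operand was refused or the child could not be started. */
int list_dir_fixed(const char *user_dir)
{
    const char *av[4];
    int status = 0;
    pid_t pid;

    if (build_ls_argv(user_dir, av, 4) < 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(av[0], (char *const *)av);
        _exit(127);            /* exec failed: report it, never fall back to a shell */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *inputs[] = { "photos/2024", "-exec", "photos; id", "../etc/passwd" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-16s -> %s\n", inputs[i],
               is_safe_operand(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

The allow-list is deliberately narrow: the entry's own guidance is to enumerate what is acceptable rather than to strip metacharacters, and rejecting a leading '-' closes the option-injection path that a separator-only filter leaves open. Runtime confinement (AppArmor, a low-privilege service account) stays useful as defence in depth because the operand policy only protects this one call site.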
  623. 780,"Use of RSA Algorithm without OAEP",Variant,Incomplete,"The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.","Padding schemes are often used with cryptographic algorithms to make the plaintext less predictable and complicate attack efforts. The OAEP scheme is often used with RSA to nullify the impact of predictable common text.","::NATURE:ChildOf:CWE ID:327:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism Without OAEP in RSA encryption, it will take less work for an attacker to decrypt the data or to infer patterns from the ciphertext.::","","","","","","","","TYPE:Maintenance:NOTE:This entry could probably have a new parent related to improper padding, however the role of padding in cryptographic algorithms can vary, such as hiding the length of the plaintext and providing additional random bits for the cipher. In general, cryptographic problems in CWE are not well organized and further research is needed.::",
  624. 781,"Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code",Variant,Draft,"The software defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.","When an IOCTL uses the METHOD_NEITHER option for I/O control, it is the responsibility of the IOCTL to validate the addresses that have been supplied to it. If validation is missing or incorrect, attackers can supply arbitrary memory addresses, leading to code execution or a denial of service.","::NATURE:ChildOf:CWE ID:20:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:822:VIEW ID:699::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Often::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Often::OPERATING SYSTEM NAME:Windows NT:OPERATING SYSTEM PREVALENCE:Sometimes::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Availability:SCOPE:Confidentiality:TECHNICAL IMPACT:Modify Memory Read Memory Execute Unauthorized Code or Commands DoS: Crash, Exit, or Restart:NOTE:Integrity Availability Confidentiality Modify Memory Read Memory Execute Unauthorized Code or Commands DoS: Crash, Exit, or Restart An attacker may be able to access memory that belongs to another process or user. If the attacker can control the contents that the IOCTL writes, it may lead to code execution at high privilege levels. At the least, a crash can occur.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If METHOD_NEITHER is required for the IOCTL, then ensure that all user-space addresses are properly validated before they are first accessed. The ProbeForRead and ProbeForWrite routines are available for this task. Also properly protect and manage the user-supplied buffers, since the I/O Manager does not do this when METHOD_NEITHER is being used. 
See References.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:If possible, avoid using METHOD_NEITHER in the IOCTL and select methods that effectively control the buffer size, such as METHOD_BUFFERED, METHOD_IN_DIRECT, or METHOD_OUT_DIRECT.::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If the IOCTL is part of a driver that is only intended to be accessed by trusted users, then use proper access control for the associated device or device namespace. See References.::","::REFERENCE:CVE-2006-2373:DESCRIPTION:Driver for file-sharing and messaging protocol allows attackers to execute arbitrary code.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2373REFERENCE:CVE-2009-0686:DESCRIPTION:Anti-virus product does not validate addresses, allowing attackers to gain SYSTEM privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0686REFERENCE:CVE-2009-0824:DESCRIPTION:DVD software allows attackers to cause a crash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0824REFERENCE:CVE-2008-5724:DESCRIPTION:Personal firewall allows attackers to gain SYSTEM privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5724REFERENCE:CVE-2007-5756:DESCRIPTION:chain: device driver for packet-capturing software allows access to an unintended IOCTL with resultant array index error.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5756","","","","","TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::::TYPE:Research Gap:NOTE:While this type of issue has been known since 2006, it is probably still under-studied and under-reported. Most of the focus has been on high-profile software and security products, but other kinds of system software also use drivers. 
Since exploitation requires the development of custom code, it requires some skill to find this weakness. Because exploitation typically requires local privileges, it might not be a priority for active attackers. However, remote exploitation may be possible for software such as device drivers. Even when remote vectors are not available, it may be useful as the final privilege-escalation step in multi-stage remote attacks against application-layer software, or as the primary attack by a local user on a multi-user system.::",
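Added example for the METHOD_NEITHER entry above (CWE-781). It is a user-mode model written for this page, not code from the CWE entry or from any Windows driver: it shows the range check a METHOD_NEITHER handler has to perform on the raw user pointers it receives (ProbeForRead/ProbeForWrite do this in the kernel) and the difference between a handler that trusts the pointer and one that probes first. USER_PROBE_LIMIT is an assumed value standing in for MmUserProbeAddress, the request structure and the 4096-byte cap are assumptions, and the copy itself is left as a comment.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define USER_PROBE_LIMIT 0x7FFF0000ULL   /* assumed: first address that is NOT user-mode */

enum probe_status { PROBE_OK = 0, PROBE_BAD_ALIGN, PROBE_KERNEL_ADDR, PROBE_WRAPS };

/* Mirrors the contract of ProbeForRead/ProbeForWrite: the range [addr, addr+len)
 * must be aligned, must not wrap around the top of the address space, and must
 * lie entirely below the user limit. A zero length is accepted, as the kernel
 * routines accept it. */
enum probe_status probe_user_range(uint64_t addr, uint64_t len, uint64_t align)
{
    if (align == 0 || (addr & (align - 1)) != 0)
        return PROBE_BAD_ALIGN;
    if (len == 0)
        return PROBE_OK;
    if (addr + len < addr)              /* addr+len overflowed: attacker-chosen length */
        return PROBE_WRAPS;
    if (addr + len > USER_PROBE_LIMIT)  /* end of the range reaches kernel space */
        return PROBE_KERNEL_ADDR;
    return PROBE_OK;
}

/* Request as a METHOD_NEITHER handler sees it: a raw pointer and a length,
 * both chosen by the caller. (Assumed layout for the demo.) */
struct ioctl_req { uint64_t in_ptr; uint64_t in_len; };

/* VULNERABLE (CWE-781): never refuses, so an arbitrary address and length
 * reach the copy; a kernel address means a read/write of kernel memory. */
int handle_ioctl_vulnerable(const struct ioctl_req *r)
{
    /* would do: memcpy(kernel_buf, (void *)r->in_ptr, r->in_len); */
    (void)r;
    return 0;
}

/* FIXED: probe before the first access and apply a handler-specific maximum. */
int handle_ioctl_safe(const struct ioctl_req *r)
{
    if (probe_user_range(r->in_ptr, r->in_len, sizeof(uint32_t)) != PROBE_OK)
        return -1;
    if (r->in_len > 4096)               /* assumed per-IOCTL cap */
        return -1;
    /* probe passed: a real driver copies inside __try/__except because the
     * pages can still be unmapped by the caller between probe and copy */
    return 0;
}

int main(void)
{
    struct ioctl_req reqs[] = {
        { 0x00020000ULL, 64 },              /* ordinary user buffer */
        { 0xFFFFF80000000000ULL, 16 },      /* kernel address */
        { 0xFFFFFFFFFFFFFFF0ULL, 0x20 },    /* addr + len wraps */
        { 0x00020001ULL, 8 },               /* misaligned */
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("req %zu: vulnerable=%d safe=%d\n", i,
               handle_ioctl_vulnerable(&reqs[i]), handle_ioctl_safe(&reqs[i]));
    return 0;
}
```

The wrap check is the one most often missing in practice: a length chosen so that addr + len overflows makes a naive "end <= limit" comparison pass for a kernel address. Probing also does not pin the pages, which is why the entry's mitigation talks about protecting and managing the buffers as well as validating them.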
  625. 782,"Exposed IOCTL with Insufficient Access Control",Variant,Draft,"The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.","When an IOCTL contains privileged functionality and is exposed unnecessarily, attackers may be able to access this functionality by invoking the IOCTL. Even if the functionality is benign, if the programmer has assumed that the IOCTL would only be accessed by a trusted process, there may be little or no validation of the incoming data, exposing weaknesses that would never be reachable if the attacker cannot call the IOCTL directly. The implementations of IOCTLs will differ between operating system types and versions, so the methods of attack and prevention may vary widely.","::NATURE:ChildOf:CWE ID:749:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:749:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:284:VIEW ID:699::NATURE:CanPrecede:CWE ID:781:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Often::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Often:::OPERATING SYSTEM CLASS:Unix:OPERATING SYSTEM PREVALENCE:Undetermined:::OPERATING SYSTEM CLASS:Windows:OPERATING SYSTEM PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Availability:SCOPE:Confidentiality:TECHNICAL IMPACT::NOTE:Integrity Availability Confidentiality Attackers can invoke any functionality that the IOCTL offers. Depending on the functionality, the consequences may include code execution, denial-of-service, and theft of data.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:In Windows environments, use proper access control for the associated device or device namespace. 
See References.::","::REFERENCE:CVE-2009-2208:DESCRIPTION:Operating system does not enforce permissions on an IOCTL that can be used to modify network settings.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2208REFERENCE:CVE-2008-3831:DESCRIPTION:Device driver does not restrict ioctl calls to its master.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3831REFERENCE:CVE-2008-3525:DESCRIPTION:ioctl does not check for a required capability before processing certain requests.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3525REFERENCE:CVE-2008-0322:DESCRIPTION:Chain: insecure device permissions allows access to an IOCTL, allowing arbitrary memory to be overwritten.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0322REFERENCE:CVE-2007-4277:DESCRIPTION:Chain: anti-virus product uses weak permissions for a device, leading to resultant buffer overflow in an exposed IOCTL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4277REFERENCE:CVE-2007-1400:DESCRIPTION:Chain: sandbox allows opening of a TTY device, enabling shell commands through an exposed ioctl.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1400REFERENCE:CVE-2006-4926:DESCRIPTION:Anti-virus product uses insecure security descriptor for a device driver, allowing access to a privileged IOCTL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4926REFERENCE:CVE-1999-0728:DESCRIPTION:Unauthorized user can disable keyboard or mouse by directly invoking a privileged IOCTL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0728","","","","","TYPE:Relationship:NOTE:This can be primary to many other weaknesses when the programmer assumes that the IOCTL can only be accessed by trusted parties. 
For example, a program or driver might not validate incoming addresses in METHOD_NEITHER IOCTLs in Windows environments (CWE-781), which could allow buffer overflow and similar attacks to take place, even when the attacker never should have been able to access the IOCTL at all.::::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::",
  626. 783,"Operator Precedence Logic Error",Variant,Draft,"The program uses an expression in which operator precedence causes incorrect logic to be used.","While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision.","::NATURE:ChildOf:CWE ID:670:VIEW ID:1000:ORDINAL:Primary::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Rarely::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Rarely:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Rarely::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Varies by Context Unexpected State:NOTE:Confidentiality Integrity Availability Varies by Context Unexpected State The consequences will vary based on the context surrounding the incorrect precedence. In a security decision, integrity or confidentiality are the most likely results. Otherwise, a crash may occur due to the software reaching an unexpected state.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Regularly wrap sub-expressions in parentheses, especially in security-critical code.::","::REFERENCE:CVE-2008-2516:DESCRIPTION:Authentication module allows authentication bypass because it uses (x = call(args) == SUCCESS) instead of ((x = call(args)) == SUCCESS).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2516REFERENCE:CVE-2008-0599:DESCRIPTION:Chain: Language interpreter calculates wrong buffer size (CWE-131) by using size = ptr ? X : Y instead of size = (ptr ? 
X : Y) expression.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599REFERENCE:CVE-2001-1155:DESCRIPTION:Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1155","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP00-C:ENTRY NAME:Use parentheses for precedence of operation:MAPPING FIT:Exact::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:EXP04-PL:ENTRY NAME:Do not mix the early-precedence logical operators with late-precedence logical operators:MAPPING FIT:CWE More Abstract::","","",
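Added example for the operator precedence entry above (CWE-783), reproducing the slip described for CVE-2008-2516 in a toy authenticator. This is illustrative code written for this page, not the affected module's code; the password check is a stand-in. Success is status 0 (as with PAM_SUCCESS), so storing a comparison result where the status belonged turns a failed check into "success".

```c
#include <stdio.h>
#include <string.h>

#define AUTH_SUCCESS 0   /* zero means success, as with PAM_SUCCESS */
#define AUTH_FAILURE 7   /* any nonzero status means "deny" */

/* Stand-in for the real credential check (assumed for the demo). */
static int check_password(const char *pw)
{
    return strcmp(pw, "correct horse") == 0 ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* VULNERABLE (CWE-783): '==' binds tighter than '=', so the statement parses as
 *     rc = (check_password(pw) == AUTH_SUCCESS);
 * rc holds the comparison result (0 or 1), not the status. A wrong password
 * gives rc == 0 == AUTH_SUCCESS, and the caller lets the user in. */
int authenticate_vulnerable(const char *pw)
{
    int rc;
    rc = check_password(pw) == AUTH_SUCCESS;
    if (rc) {
        /* intended "success" path; rc is 1 here, so even a correct password
         * is later reported as a nonzero (failing) status */
    }
    return rc;
}

/* FIXED: parentheses force the assignment first, so rc is the real status. */
int authenticate_fixed(const char *pw)
{
    int rc;
    if ((rc = check_password(pw)) == AUTH_SUCCESS) {
        /* success path: rc is AUTH_SUCCESS */
    }
    return rc;
}

int main(void)
{
    const char *tries[] = { "correct horse", "wrong" };
    for (int i = 0; i < 2; i++)
        printf("%-14s vulnerable=%d fixed=%d   (0 = allowed)\n", tries[i],
               authenticate_vulnerable(tries[i]), authenticate_fixed(tries[i]));
    return 0;
}
```

Written inside an if condition, as in the original report, gcc's -Wparentheses flags the vulnerable form; treating that warning as an error in security-critical code catches this class before review does.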
  627. 784,"Reliance on Cookies without Validation and Integrity Checking in a Security Decision",Variant,Draft,"The application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.","Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Attackers can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value.","::NATURE:ChildOf:CWE ID:807:VIEW ID:1000::NATURE:ChildOf:CWE ID:565:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:565:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGM NAME:Web Based:PARADIGM PREVALENCE:Often::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity It is dangerous to use cookies to set a user's privileges. 
The cookie can be manipulated to claim a high level of authorization, or to claim that successful authentication has occurred.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid using cookie data for a security-related decision.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Add integrity checks to detect tampering.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.::","::REFERENCE:CVE-2009-1549:DESCRIPTION:Attacker can bypass authentication by setting a cookie to a specific value.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1549REFERENCE:CVE-2009-1619:DESCRIPTION:Attacker can bypass authentication and gain admin privileges by setting an admin cookie to 1.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1619REFERENCE:CVE-2009-0864:DESCRIPTION:Content management system allows admin privileges by setting a login cookie to OK.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0864REFERENCE:CVE-2008-5784:DESCRIPTION:e-dating application allows admin privileges by setting the admin cookie to 1.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5784REFERENCE:CVE-2008-6291:DESCRIPTION:Web-based email list manager allows attackers to gain admin privileges by setting a login cookie to 
admin.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6291","","","","","TYPE:Maintenance:NOTE:A new parent might need to be defined for this entry. This entry is specific to cookies, which reflects the significant number of vulnerabilities being reported for cookie-based authentication in CVE during 2008 and 2009. However, other types of inputs - such as parameters or headers - could also be used for similar authentication or authorization. Similar issues (under the Research view) include CWE-247 and CWE-472.::",
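Added example for the cookie entry above (CWE-784), the pattern behind the "admin=1" references. This is illustrative code written for this page, not code from any of the referenced products: an authorization check that trusts a client-writable cookie beside one that treats the cookie as an opaque session id and looks privileges up server side. The Cookie header parser, the session table and its ids are constructed for the demo; a real deployment issues ids from a CSPRNG and keeps the table in the session store, and would add the entry's integrity and expiry checks on top.

```c
#include <stdio.h>
#include <string.h>

/* Extract the value of cookie `name` from a Cookie header into out.
 * Returns 1 when found, 0 when absent or too long for out. */
int cookie_get(const char *header, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = header;
    while (p != NULL && *p != '\0') {
        while (*p == ' ' || *p == ';')
            p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, ";");
            if (vlen >= outsz)
                return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = strchr(p, ';');
    }
    return 0;
}

/* VULNERABLE (CWE-784): the client decides whether it is an admin. */
int is_admin_vulnerable(const char *cookie_header)
{
    char v[16];
    return cookie_get(cookie_header, "admin", v, sizeof v) && strcmp(v, "1") == 0;
}

/* Server-side session table (constructed sample data). */
struct session { const char *id; const char *user; int admin; };
static const struct session sessions[] = {
    { "8d1f3c9a7b2e4f60", "alice", 1 },
    { "02b7e4d9c1a3f58e", "bob",   0 },
};

/* Constant-time equality so that id guessing does not leak through timing. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned diff = (unsigned)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned)(a[i] ^ b[i]);
    return diff == 0;
}

/* FIXED: the cookie only names a session; the privilege comes from the server. */
int is_admin_fixed(const char *cookie_header)
{
    char sid[64];
    int found = 0, admin = 0;
    if (!cookie_get(cookie_header, "sid", sid, sizeof sid))
        return 0;
    for (size_t i = 0; i < sizeof sessions / sizeof sessions[0]; i++) {
        int m = ct_equal(sid, sessions[i].id);
        found |= m;
        admin |= m & sessions[i].admin;
    }
    return found && admin;
}

int main(void)
{
    const char *headers[] = { "theme=dark; admin=1",
                              "admin=1; sid=02b7e4d9c1a3f58e",
                              "sid=8d1f3c9a7b2e4f60" };
    for (int i = 0; i < 3; i++)
        printf("%-32s vulnerable=%d fixed=%d\n", headers[i],
               is_admin_vulnerable(headers[i]), is_admin_fixed(headers[i]));
    return 0;
}
```

Nothing the client can write is consulted for the decision itself; the only thing the cookie contributes is which server-side record to read. That is what makes the "set admin to 1" class of bypass impossible rather than merely harder.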
  628. 785,"Use of Path Manipulation Function without Maximum-sized Buffer",Variant,Incomplete,"The software invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.","Passing an inadequately-sized output buffer to a path manipulation function can result in a buffer overflow. Such functions include realpath(), readlink(), PathAppend(), and others.","::NATURE:ChildOf:CWE ID:676:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:120:VIEW ID:1000::NATURE:ChildOf:CWE ID:120:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:699::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","::Windows provides a large number of utility functions that manipulate buffers containing filenames. In most cases, the result is returned in a buffer that is passed in as input. (Usually the filename is modified in place.) Most functions require the buffer to be at least MAX_PATH characters in length (MAX_PATH is 260, so twice as many bytes for the wide-character variants), but you should check the documentation for each function individually. 
If the buffer is not large enough to store the result of the manipulation, a buffer overflow can occur.::","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Modify Memory Execute Unauthorized Code or Commands DoS: Crash, Exit, or Restart::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always specify output buffers large enough to handle the maximum-size possible result from path manipulation functions.::","","","Memory::::File or Directory::","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Often Misused: File System::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP9:ENTRY NAME:Faulty String Expansion::","","TYPE:Maintenance:NOTE:Much of this entry was originally part of CWE-249, which was deprecated for several reasons.::::TYPE:Maintenance:NOTE:This entry is at a much lower level of abstraction than most entries because it is function-specific. It also has significant overlap with other entries that can vary depending on the perspective. For example, incorrect usage could trigger either a stack-based overflow (CWE-121) or a heap-based overflow (CWE-122). The CWE team has not decided how to handle such entries.::",
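Added example for the path-function entry above (CWE-785). This is illustrative code written for this page, not code from the CWE entry: it shows the undersized-buffer call to realpath() beside the two correct forms (a PATH_MAX buffer, or letting the library allocate), plus a readlink() wrapper that handles the two traps the entry's mitigation implies, since readlink() neither NUL-terminates nor signals truncation. The 64-byte buffer is a deliberately undersized stand-in.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* VULNERABLE (CWE-785): realpath() may write up to PATH_MAX bytes, but the
 * caller hands it a 64-byte buffer; any path that canonicalises to more than
 * 63 characters overflows out64. */
int canonicalize_vulnerable(const char *in, char out64[64])
{
    return realpath(in, out64) != NULL;
}

/* FIXED (a): give realpath() the maximum-size buffer it is specified for. */
int canonicalize_fixed(const char *in, char out[PATH_MAX])
{
    return realpath(in, out) != NULL;
}

/* FIXED (b): let the library allocate the result (POSIX.1-2008 behaviour for
 * a NULL second argument); the caller frees it. Sidesteps PATH_MAX entirely. */
char *canonicalize_alloc(const char *in)
{
    return realpath(in, NULL);
}

/* readlink() does not NUL-terminate and silently truncates: a result that
 * fills the buffer must be treated as an error rather than used as a string.
 * Returns the target length, or -1 with errno set. */
ssize_t readlink_checked(const char *path, char *buf, size_t bufsz)
{
    ssize_t n;
    if (bufsz == 0)
        return -1;
    n = readlink(path, buf, bufsz);
    if (n < 0)
        return -1;                    /* not a symlink, or not readable */
    if ((size_t)n >= bufsz) {
        errno = ENAMETOOLONG;         /* truncated: target longer than bufsz-1 */
        return -1;
    }
    buf[n] = '\0';
    return n;
}

int main(void)
{
    char fixed[PATH_MAX];
    char *heap = canonicalize_alloc(".");
    if (canonicalize_fixed(".", fixed))
        printf("realpath(\".\")       = %s\n", fixed);
    if (heap != NULL) {
        printf("realpath(\".\", NULL) = %s\n", heap);
        free(heap);
    }
    return 0;
}
```

On the Windows side the same rule applies with MAX_PATH and the Path* helpers: the buffer is the caller's, so its size must be the documented maximum, not the length of the input.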
  629. 786,"Access of Memory Location Before Start of Buffer",Base,Incomplete,"The software reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.","This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used.","::NATURE:ChildOf:CWE ID:119:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:699:ORDINAL:Primary::","","","","","","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory:NOTE:Confidentiality Read Memory For an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.::SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Modify Memory DoS: Crash, Exit, or Restart:NOTE:Integrity Availability Modify Memory DoS: Crash, Exit, or Restart Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory Execute Unauthorized Code or Commands:NOTE:Integrity Modify Memory Execute Unauthorized Code or Commands If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. 
If the corrupted memory is data rather than instructions, the system will continue to function with improper changes, possibly in violation of an implicit or explicit policy.::","","","::REFERENCE:CVE-2002-2227:DESCRIPTION:Unchecked length of SSLv2 challenge value leads to buffer underflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2227REFERENCE:CVE-2007-4580:DESCRIPTION:Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4580REFERENCE:CVE-2007-1584:DESCRIPTION:Buffer underflow from an all-whitespace string, which causes a counter to be decremented before the buffer while looking for a non-whitespace character.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1584REFERENCE:CVE-2007-0886:DESCRIPTION:Buffer underflow resultant from encoded data that triggers an integer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0886REFERENCE:CVE-2006-6171:DESCRIPTION:Product sets an incorrect buffer size limit, leading to off-by-two buffer underflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6171REFERENCE:CVE-2006-4024:DESCRIPTION:Negative value is used in a memcpy() operation, leading to buffer underflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4024REFERENCE:CVE-2004-2620:DESCRIPTION:Buffer underflow due to mishandled special characters:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2620","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR30-C:ENTRY NAME:Do not form or use out-of-bounds pointers or array subscripts:MAPPING FIT:CWE More Specific::","","",
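Added example for the buffer-underflow entry above (CWE-786), reproducing the pattern described for CVE-2007-1584: a backward scan for the last non-whitespace byte that keeps decrementing on an all-whitespace input and walks off the front of the buffer. This is illustrative code written for this page, not the affected product's code. The buffer is placed after a guard region inside one struct so the underflow stays within a single object and can be observed in the return value instead of crashing; real code has no such guard, and the byte it would return comes from whatever happens to precede the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

struct framed {
    char guard[8];   /* stand-in for whatever precedes the buffer in memory */
    char buf[16];    /* the buffer being scanned */
};

/* VULNERABLE (CWE-786): scans backward until a non-whitespace byte appears.
 * For an all-whitespace buffer the cursor reaches buf[-1], and the value
 * returned was read from outside the buffer (here, the guard). */
int last_nonspace_vulnerable(const char *buf, size_t len)
{
    const char *p = buf + len - 1;
    while (isspace((unsigned char)*p))
        p--;                     /* no check that p is still >= buf */
    return (unsigned char)*p;
}

/* FIXED: the bound is tested before each read and the cursor never drops
 * below buf. Returns -1 when the buffer holds only whitespace. */
int last_nonspace_fixed(const char *buf, size_t len)
{
    size_t n = len;
    while (n > 0 && isspace((unsigned char)buf[n - 1]))
        n--;
    return n == 0 ? -1 : (unsigned char)buf[n - 1];
}

/* Construct a frame: guard bytes are 'G', buffer is content padded with spaces. */
struct framed make_frame(const char *content)
{
    struct framed f;
    size_t n = strlen(content);
    if (n > sizeof f.buf)
        n = sizeof f.buf;
    memset(f.guard, 'G', sizeof f.guard);
    memset(f.buf, ' ', sizeof f.buf);
    memcpy(f.buf, content, n);
    return f;
}

int main(void)
{
    struct framed a = make_frame("abc"), b = make_frame("");
    printf("\"abc\":     vulnerable=%c fixed=%c\n",
           last_nonspace_vulnerable(a.buf, sizeof a.buf),
           last_nonspace_fixed(a.buf, sizeof a.buf));
    printf("all-space: vulnerable=%c (read from guard) fixed=%d\n",
           last_nonspace_vulnerable(b.buf, sizeof b.buf),
           last_nonspace_fixed(b.buf, sizeof b.buf));
    return 0;
}
```

The fix is the ordering of the two conditions: the bound check must come before the dereference, and indexing with a length rather than a pointer makes the "nothing found" case an explicit value instead of an address before the array.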
  630. 787,"Out-of-bounds Write",Base,Incomplete,"The software writes data past the end, or before the beginning, of the intended buffer.","Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.","::NATURE:ChildOf:CWE ID:119:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:1003:ORDINAL:Primary::","","","","","","",,"::SCOPE:Integrity:SCOPE:Availability:SCOPE:Confidentiality:TECHNICAL IMPACT:Modify Memory DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands::","","","","","","","","",
  631. 788,"Access of Memory Location After End of Buffer",Base,Incomplete,"The software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.","This typically occurs when a pointer or its index is incremented to a position after the buffer, or when pointer arithmetic results in a position after the end of the valid memory location.","::NATURE:ChildOf:CWE ID:119:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:699:ORDINAL:Primary::","","","","","","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory:NOTE:Confidentiality Read Memory For an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.::SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Modify Memory DoS: Crash, Exit, or Restart:NOTE:Integrity Availability Modify Memory DoS: Crash, Exit, or Restart Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory Execute Unauthorized Code or Commands:NOTE:Integrity Modify Memory Execute Unauthorized Code or Commands If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte, arbitrary code execution can be possible. 
Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag indicating whether the user is an administrator.::","","","::REFERENCE:CVE-2009-2550:DESCRIPTION:Classic stack-based buffer overflow in media player using a long entry in a playlist:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2550REFERENCE:CVE-2009-2403:DESCRIPTION:Heap-based buffer overflow in media player using a long entry in a playlist:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2403REFERENCE:CVE-2009-0689:DESCRIPTION:large precision value in a format string triggers overflow:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0689REFERENCE:CVE-2009-0558:DESCRIPTION:attacker-controlled array index leads to code execution:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0558REFERENCE:CVE-2008-4113:DESCRIPTION:OS kernel trusts userland-supplied length value, allowing reading of sensitive information:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113REFERENCE:CVE-2007-4268:DESCRIPTION:Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4268","","","","","",
  632. 789,"Uncontrolled Memory Allocation",Variant,Draft,"The product allocates memory based on an untrusted size value, but it does not validate or incorrectly validates the size, allowing arbitrary amounts of memory to be allocated.","","::NATURE:ChildOf:CWE ID:770:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:770:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:1000::NATURE:CanPrecede:CWE ID:476:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::ORDINALITY:Resultant:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (Memory):NOTE:Availability DoS: Resource Consumption (Memory) Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system.::","","::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.::PHASE:Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Run your program using system-provided resource limits for memory. 
This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.::","::REFERENCE:CVE-2008-1708:DESCRIPTION:memory consumption and daemon exit by specifying a large value in a length field:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1708REFERENCE:CVE-2008-0977:DESCRIPTION:large value in a length field leads to memory consumption and crash when no more memory is available:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0977REFERENCE:CVE-2006-3791:DESCRIPTION:large key size in game program triggers crash when a resizing function cannot allocate enough memory:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3791REFERENCE:CVE-2004-2589:DESCRIPTION:large Content-Length HTTP header value triggers application crash in instant messaging application due to failure in memory allocation:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2589","","","TAXONOMY NAME:WASC:ENTRY ID:35:ENTRY NAME:SOAP Array Abuse::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:MEM35-C:ENTRY NAME:Allocate sufficient memory for an object:MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:IDS32-PL:ENTRY NAME:Validate any integer that is used as an array index:MAPPING FIT:Imprecise::","","TYPE:Relationship:NOTE:This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated.::::TYPE:Applicable Platform:NOTE:Uncontrolled memory allocation is possible in many languages, such as dynamic array allocation in perl or initial size parameters in Collections in Java. 
However, languages like C and C++ where programmers have the power to more directly control memory management will be more susceptible.::",
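Added example for the uncontrolled-allocation entry above (CWE-789): reading a length-prefixed record from an untrusted byte stream, the shape behind the "large value in a length field" references. This is illustrative code written for this page, not code from the CWE entry or any referenced product. The wire format (4-byte big-endian length, then payload), the MAX_RECORD limit and the sample messages are assumptions constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_RECORD 65536u   /* assumed policy limit; the entry suggests making it configurable */

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE (CWE-789): allocates whatever the header asks for. A peer that
 * sends 0xFFFFFFFF makes the process request 4 GiB per record; with "len + 1"
 * style arithmetic the same value would instead wrap to a tiny allocation
 * (the CWE-190 case noted in the entry). The memcpy also over-reads the input
 * whenever len exceeds what actually arrived. */
uint8_t *read_record_vulnerable(const uint8_t *in, size_t in_len, size_t *out_len)
{
    if (in_len < 4)
        return NULL;
    uint32_t len = read_be32(in);
    uint8_t *rec = malloc(len);            /* attacker-chosen size */
    if (rec == NULL)
        return NULL;
    memcpy(rec, in + 4, len);
    *out_len = len;
    return rec;
}

/* FIXED: bound the declared length by the policy limit and by the bytes that
 * actually arrived before allocating anything; the caller frees the result. */
uint8_t *read_record_fixed(const uint8_t *in, size_t in_len, size_t *out_len)
{
    if (in_len < 4)
        return NULL;
    uint32_t len = read_be32(in);
    if (len > MAX_RECORD)
        return NULL;                       /* policy: refuse oversized records */
    if (len > in_len - 4)
        return NULL;                       /* forged/truncated: fewer bytes present than declared */
    uint8_t *rec = malloc(len ? len : 1);
    if (rec == NULL)
        return NULL;
    memcpy(rec, in + 4, len);
    *out_len = len;
    return rec;
}

/* Accept/reject decision only, for callers that do not need the payload. */
int record_accepted(const uint8_t *in, size_t in_len)
{
    size_t n = 0;
    uint8_t *r = read_record_fixed(in, in_len, &n);
    int ok = r != NULL;
    free(r);
    return ok;
}

int main(void)
{
    /* constructed sample messages */
    const uint8_t good[]  = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
    const uint8_t huge[]  = { 0xFF, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c' };
    const uint8_t short_[] = { 0x00, 0x00, 0x00, 0x0A, 'a', 'b', 'c' };
    printf("good: %d  huge: %d  short: %d\n",
           record_accepted(good, sizeof good),
           record_accepted(huge, sizeof huge),
           record_accepted(short_, sizeof short_));
    return 0;
}
```

Both checks are needed: the policy limit stops memory exhaustion by a peer that sends plausible-looking but enormous lengths, and the "bytes present" check stops the over-read that a large length would otherwise cause even when the allocation succeeds. An OS-level limit (for example RLIMIT_AS) remains the backstop the entry's Operation mitigation describes.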
  633. 79,"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",Base,Usable,"The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","Cross-site scripting (XSS) vulnerabilities occur when: 1. Untrusted data enters a web application, typically from a web request. 2. The web application dynamically generates a web page that contains this untrusted data. 3. During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc. 4. A victim visits the generated web page through a web browser, which contains malicious script that was injected using the untrusted data. 5. Since the script comes from a web page that was sent by the web server, the victim's web browser executes the malicious script in the context of the web server's domain. 6. This effectively violates the intention of the web browser's same-origin policy, which states that scripts in one domain should not be able to access resources or run code in a different domain. There are three main kinds of XSS: Type 1: Reflected XSS (or Non-Persistent) - The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. 
After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser. Type 2: Stored XSS (or Persistent) - The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs. Type 0: DOM-Based XSS - In DOM-based XSS, the client performs the injection of XSS into the page; in the other types, the server performs the injection. DOM-based XSS generally involves server-controlled, trusted script that is sent to the client, such as Javascript that performs sanity checks on a form before the user submits it. If the server-supplied script processes user-supplied data and then injects it back into the web page (such as with dynamic HTML), then DOM-based XSS is possible. Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. 
Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim's account on that web site. Finally, the script could exploit a vulnerability in the web browser itself possibly taking over the victim's machine, sometimes referred to as drive-by hacking. In many cases, the attack can be launched without the victim even being aware of it. Even with careful users, attackers frequently use a variety of methods to encode the malicious portion of the attack, such as URL encoding or Unicode, so the request looks less suspicious.","::NATURE:ChildOf:CWE ID:74:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:1003:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:494:VIEW ID:1000::NATURE:PeerOf:CWE ID:352:VIEW ID:1000::","::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Web Based:PARADIGN PREVALENCE:Often::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Often::","::Same Origin Policy The same origin policy states that browsers should limit the resources accessible to scripts running on a given web site, or origin, to the resources associated with that web site on the client-side, and not the client-side resources of any other sites or origins. The goal is to prevent one site from being able to modify or read the contents of an unrelated site. Since the World Wide Web involves interactions between many sites, this policy is important for browsers to enforce. Domain The Domain of a website when referring to XSS is roughly equivalent to the resources associated with that website on the client-side of the connection. 
That is, the domain can be thought of as all resources the browser is storing for the user's interactions with this particular site.::","::TERM:XSS:DESCRIPTION:XSS is a common abbreviation for Cross-Site Scripting.::TERM:HTML Injection:DESCRIPTION:HTML injection is used as a synonym of stored (Type 2) XSS.::TERM:CSS:DESCRIPTION:In the early years after initial discovery of XSS, CSS was a commonly-used acronym. However, this would cause confusion with Cascading Style Sheets, so usage of this acronym has declined significantly.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Confidentiality:TECHNICAL IMPACT:Bypass Protection Mechanism Read Application Data:NOTE:Access Control Confidentiality Bypass Protection Mechanism Read Application Data The most common attack performed with cross-site scripting involves the disclosure of information stored in user cookies. Typically, a malicious user will craft a client-side script, which -- when parsed by a web browser -- performs some activity (such as sending all site cookies to a given E-mail address). This script will be loaded and run by each user visiting the web site. 
Since the site requesting to run the script has access to the cookies in question, the malicious script does also.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands In some circumstances it may be possible to run arbitrary code on a victim's computer when cross-site scripting is combined with other flaws.::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Bypass Protection Mechanism Read Application Data:NOTE:Confidentiality Integrity Availability Access Control Execute Unauthorized Code or Commands Bypass Protection Mechanism Read Application Data The consequence of an XSS attack is the same regardless of whether it is stored or reflected. The difference is in how the payload arrives at the server. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. Some cross-site scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end user systems for a variety of nefarious purposes. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running Active X controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. 
This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.::METHOD:Black Box:EFFECTIVENESS:Moderate:DESCRIPTION:Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses.::","::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: HTML body Element attributes (such as src=XYZ) URIs JavaScript sections Cascading Style Sheets and style property etc. Note that HTML Entity Encoding is only appropriate for the HTML body. 
Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.::PHASE:Architecture and Design Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS:Limited:DESCRIPTION:Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Architecture and Design:STRATEGY:Parameterization:EFFECTIVENESS::DESCRIPTION:If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. 
When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:With Struts, write all data from form beans with the bean's filter attribute set to true.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS:Defense in Depth:DESCRIPTION:To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. 
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When dynamically constructing web pages, use stringent whitelists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. 
Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon (<3) would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the < character, which would need to be escaped or otherwise handled. In this case, stripping the < might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities. Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address. Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.::PHASE:Architecture and Design:STRATEGY:Enforcement by Conversion:EFFECTIVENESS::DESCRIPTION:When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.::PHASE:Operation:STRATEGY:Firewall:EFFECTIVENESS:Moderate:DESCRIPTION:Use an application firewall that can detect attacks against this weakness. 
It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.::PHASE:Operation Implementation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.::","::REFERENCE:CVE-2014-8958:DESCRIPTION:Admin GUI allows XSS through cookie.:LINK:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8958REFERENCE:CVE-2017-9764:DESCRIPTION:Web stats program allows XSS through crafted HTTP header.:LINK:REFERENCE:CVE-2014-5198:DESCRIPTION:Web log analysis product allows XSS through crafted HTTP Referer header.:LINK:REFERENCE:CVE-2008-5080:DESCRIPTION:Chain: protection mechanism failure allows XSS:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5080REFERENCE:CVE-2006-4308:DESCRIPTION:Chain: incomplete blacklist (CWE-184) only checks javascript: tag, allowing XSS (CWE-79) using other tags:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4308REFERENCE:CVE-2007-5727:DESCRIPTION:Chain: incomplete blacklist (CWE-184) only removes SCRIPT tags, enabling XSS (CWE-79):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5727REFERENCE:CVE-2008-5770:DESCRIPTION:Reflected XSS using the PATH_INFO in a URL:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5770REFERENCE:CVE-2008-4730:DESCRIPTION:Reflected XSS not properly handled when generating an error message:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4730REFERENCE:CVE-2008-5734:DESCRIPTION:Reflected XSS sent through email 
message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5734REFERENCE:CVE-2008-0971:DESCRIPTION:Stored XSS in a security product.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0971REFERENCE:CVE-2008-5249:DESCRIPTION:Stored XSS using a wiki page.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5249REFERENCE:CVE-2006-3568:DESCRIPTION:Stored XSS in a guestbook application.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3568REFERENCE:CVE-2006-3211:DESCRIPTION:Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3211REFERENCE:CVE-2006-3295:DESCRIPTION:Chain: library file is not protected against a direct request (CWE-425), leading to reflected XSS (CWE-79).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3295","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Cross-site scripting (XSS)::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Cross-site Scripting::::TAXONOMY NAME:CLASP:ENTRY NAME:Cross-site scripting::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A1:ENTRY NAME:Cross Site Scripting (XSS):MAPPING FIT:Exact::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A1:ENTRY NAME:Unvalidated Input:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A4:ENTRY NAME:Cross-Site Scripting (XSS) Flaws:MAPPING FIT:Exact::::TAXONOMY NAME:WASC:ENTRY ID:8:ENTRY NAME:Cross-site Scripting::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::209::588::591::592::63::85::","TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. 
MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::::TYPE:Applicable Platform:NOTE:XSS flaws are very common in web applications, since they require a great deal of developer discipline to avoid them.::",
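The CWE-79 entry above stresses that HTML entity encoding is only appropriate for the HTML body and that element attributes, URIs and JavaScript sections each need their own encoding. The block below is an added example, not text or code from the CWE entry or from MITRE: four small context encoders written to the rules the entry cites from the OWASP XSS Prevention Cheat Sheet, a renderWrong() that applies body encoding to an unquoted attribute (the mistake the entry describes), a renderRight() that pairs every sink with its own encoder, and attributeNames(), a test oracle that tokenises a start tag the way a browser would. The page template and the untrusted sample value are constructed for this illustration.

```javascript
'use strict';
// Added example for CWE-79 (not part of the CWE CSV): context-sensitive
// output encoding. Encoders follow the OWASP XSS Prevention Cheat Sheet
// rules the entry refers to; the template and sample input are constructed.

// HTML body context: entity-encode the characters that can change the
// structure of markup. Correct for text between tags, nowhere else.
function encodeForHtmlBody(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// Attribute context: encode everything but [A-Za-z0-9] so a value can be
// placed inside a QUOTED attribute without escaping the quotes.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// JavaScript string-literal context: \xHH / \uHHHH escapes, so neither a
// quote nor "</script>" can end the literal or the enclosing script block.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, '0').toUpperCase()}`
      : `\\u${code.toString(16).padStart(4, '0').toUpperCase()}`;
  });
}

// URL-parameter context: percent-encode the value, then attribute-encode
// it for the surrounding href="...". A whole URL supplied by a user must
// additionally be checked against an allow-list of schemes (http, https).
function encodeForUrlParameter(s) {
  return encodeForHtmlAttribute(encodeURIComponent(String(s)));
}

// Constructed sample: a display name the attacker controls.
const UNTRUSTED = "x onmouseover=alert(1) <script>alert('xss')</script>";

// The mistake the entry warns about: body encoding used for an unquoted
// attribute. '<' and '>' are neutralised, yet the value still splits into
// a new onmouseover attribute, because space and '=' are not special in
// the HTML-body grammar and so are left untouched.
function renderWrong(name) {
  const e = encodeForHtmlBody(name);
  return `<div title=${e}>Hello, ${e}</div>`;
}

// Each sink gets the encoder for its own context; attributes are quoted
// so that the attribute encoder's guarantee actually applies.
function renderRight(name) {
  return [
    `<div title="${encodeForHtmlAttribute(name)}">Hello, ${encodeForHtmlBody(name)}</div>`,
    `<a href="/profile?name=${encodeForUrlParameter(name)}">profile</a>`,
    `<script>var displayName = '${encodeForJavaScript(name)}';</script>`,
  ].join('\n');
}

// Test oracle: attribute names of the first start tag in a fragment,
// tokenised like a browser (an unquoted value ends at whitespace).
function attributeNames(html) {
  const m = /^<[a-zA-Z]+([^>]*)>/.exec(html);
  if (!m) return [];
  const re = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  return Array.from(m[1].matchAll(re), (a) => a[1].toLowerCase());
}

console.log(attributeNames(renderWrong(UNTRUSTED)));  // includes "onmouseover"
console.log(attributeNames(renderRight(UNTRUSTED)));  // ["title"]
```

The entry's ordering of defences carries over to the code: the encoders are the primary control, while input validation and the HttpOnly cookie flag discussed above are defence in depth. Two caveats follow from the code itself: encodeForHtmlAttribute() is only safe when the attribute is quoted, and a value written into an href needs a scheme allow-list on top of encoding, since a javascript: URI survives any of the encoders intact.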
  634. 790,"Improper Filtering of Special Elements",Class,Incomplete,"The software receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.","","::NATURE:ChildOf:CWE ID:138:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:138:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","","","","","","",
  635. 791,"Incomplete Filtering of Special Elements",Base,Incomplete,"The software receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.","","::NATURE:ChildOf:CWE ID:790:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:790:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","","","","","","",
  636. 792,"Incomplete Filtering of One or More Instances of Special Elements",Variant,Incomplete,"The software receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component.","Incomplete filtering of this nature involves either only filtering a single instance of a special element when more exist, or not filtering all instances or all elements where multiple special elements exist.","::NATURE:ChildOf:CWE ID:791:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:791:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","","","","","","",
  637. 793,"Only Filtering One Instance of a Special Element",Variant,Incomplete,"The software receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.","Incomplete filtering of this nature may be location-dependent, as in only the first or last element is filtered.","::NATURE:ChildOf:CWE ID:792:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:792:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","","","","","","",
  638. 794,"Incomplete Filtering of Multiple Instances of Special Elements",Variant,Incomplete,"The software receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.","Incomplete filtering of this nature may be applied to sequential elements (special elements that appear next to each other) or non-sequential elements (special elements that appear multiple times in different locations).","::NATURE:ChildOf:CWE ID:792:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:792:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","","","","","","",
  639. 795,"Only Filtering Special Elements at a Specified Location",Base,Incomplete,"The software receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.","A filter might only account for instances of special elements when they occur: relative to a marker (e.g. at the beginning/end of string; the second argument), or at an absolute position (e.g. byte number 10). This may leave special elements in the data that did not match the filter position, but still may be dangerous.","::NATURE:ChildOf:CWE ID:791:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:791:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","","","","","","",
  640. 796,"Only Filtering Special Elements Relative to a Marker",Variant,Incomplete,"The software receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. at the beginning/end of a string; the second argument), thereby missing remaining special elements that may exist before sending it to a downstream component.","","::NATURE:ChildOf:CWE ID:795:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:795:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","","","","","","",
  641. 797,"Only Filtering Special Elements at an Absolute Position",Variant,Incomplete,"The software receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. byte number 10), thereby missing remaining special elements that may exist before sending it to a downstream component.","","::NATURE:ChildOf:CWE ID:795:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:795:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","","","","","","","",
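CWE-790 through CWE-797 above describe filters that remove a special element from only one instance, only one position, or only in a single pass. As an added example, not part of the CWE data, the JavaScript below implements each flawed filter next to a constructed input that gets past it, and a filter that repeats a global, case-insensitive removal until the string stops changing. The special element chosen here is the <script> start tag.

```javascript
'use strict';
// Added example for CWE-792..797 (not part of the CWE CSV): incomplete
// filtering of a special element, each variant beside a complete filter.
// The special element is the <script> start tag; inputs are constructed.

const TAG = /<script\b[^>]*>/gi;   // <script> and <script src=...>, any case

// CWE-793: with a string pattern, String.prototype.replace acts once, so
// only the first instance is removed (and only in this exact spelling).
function filterFirstInstanceOnly(s) {
  return s.replace('<script>', '');
}

// CWE-794: a global regex removes every instance present in the input, but
// in one pass; removing the inner tag from "<scr<script>ipt>" joins the
// remaining pieces into a fresh "<script>".
function filterAllInstancesSinglePass(s) {
  return s.replace(TAG, '');
}

// CWE-796: looks for the element only relative to a marker (the start of
// the string); the same element anywhere else is left alone.
function filterAtStartOnly(s) {
  return s.startsWith('<script>') ? s.slice('<script>'.length) : s;
}

// CWE-797: looks only at an absolute position (the first 8 bytes) on the
// assumption that the tag is always the first thing in the field.
function filterAtFixedOffsetOnly(s) {
  return s.slice(0, 8).toLowerCase() === '<script>' ? s.slice(8) : s;
}

// Complete removal: repeat the global replace until the output stops
// changing, so an element re-formed by an earlier removal is caught too.
// The round cap keeps deeply nested input from becoming a denial of service.
function filterUntilStable(s, maxRounds = 32) {
  let prev;
  let out = s;
  for (let i = 0; i < maxRounds && out !== prev; i++) {
    prev = out;
    out = out.replace(TAG, '');
  }
  if (out !== prev) throw new Error('filter did not converge');
  return out;
}

// Oracle for the checks below: does a <script ...> start tag survive?
function containsScriptTag(s) {
  return /<script\b/i.test(s);
}

const CASES = [
  [filterFirstInstanceOnly,     '<script>a</script><script>b</script>'],
  [filterAllInstancesSinglePass, '<scr<script>ipt>alert(1)</script>'],
  [filterAtStartOnly,            'x<script>alert(1)</script>'],
  [filterAtFixedOffsetOnly,      'x<script>alert(1)</script>'],
  [filterFirstInstanceOnly,      '<SCRIPT src=x.js>alert(1)'],
];
for (const [filter, input] of CASES) {
  console.log(filter.name, containsScriptTag(filter(input)),      // true: bypassed
              containsScriptTag(filterUntilStable(input)));        // false
}
```

Even filterUntilStable() is still a removal filter, and the CWE-79 entry above is explicit that encoding output for its destination context, not filtering, is the primary defence; a filter of this kind is defence in depth that also serves as a detector (a round count above one means someone nested tags deliberately).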
  642. 798,"Use of Hard-coded Credentials",Base,Incomplete,"The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.","Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the software administrator. This hole might be difficult for the system administrator to detect. Even if detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely. There are two main variations: Inbound: the software contains an authentication mechanism that checks the input credentials against a hard-coded set of credentials. Outbound: the software connects to another system or component, and it contains hard-coded credentials for connecting to that component. In the Inbound variant, a default administration account is created, and a simple password is hard-coded into the product and associated with that account. This hard-coded password is the same for each installation of the product, and it usually cannot be changed or disabled by system administrators without manually modifying the program, or otherwise patching the software. If the password is ever discovered or published (a common occurrence on the Internet), then anybody with knowledge of this password can access the product. Finally, since all installations of the software will have the same password, even across different organizations, this enables massive attacks such as worms to take place. The Outbound variant applies to front-end systems that authenticate with a back-end service. The back-end service may require a fixed password which can be easily discovered. The programmer may simply hard-code those back-end credentials into the front-end software. Any user of that program may be able to extract the password. 
Client-side systems with hard-coded passwords pose even more of a threat, since the extraction of a password from a binary is usually very simple.","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:344:VIEW ID:1000::NATURE:ChildOf:CWE ID:671:VIEW ID:1000::NATURE:PeerOf:CWE ID:257:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism If hard-coded passwords are used, it is almost certain that malicious users will gain access to the account in question.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Read Application Data Gain Privileges or Assume Identity Execute Unauthorized Code or Commands Other:NOTE:Integrity Confidentiality Availability Access Control Other Read Application Data Gain Privileges or Assume Identity Execute Unauthorized Code or Commands Other This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code.::","::METHOD:Black Box:EFFECTIVENESS:Moderate:DESCRIPTION:Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.::METHOD:Automated Static Analysis:EFFECTIVENESS::DESCRIPTION:Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.::METHOD:Manual Static Analysis:EFFECTIVENESS::DESCRIPTION:This weakness 
may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the software, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.::METHOD:Manual Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:For hard-coded credentials in incoming authentication: use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. 
Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Network Sniffer Forced Path Execution::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Automated Static Analysis:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, 
source code, etc.) Formal Methods / Correct-By-Construction::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7]. In Windows environments, the Encrypted File System (EFS) may provide some protection.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a first login mode that requires the user to enter a unique strong password or key.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:If the software must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash. Use randomly assigned salts for each separate hash that is generated. 
This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For front-end to back-end connections: Three solutions are possible, although none are complete. The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access. Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.::","::REFERENCE:CVE-2010-2772:DESCRIPTION:SCADA system uses a hard-coded password to protect back-end database containing authorization information, exploited by Stuxnet worm:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2772REFERENCE:CVE-2010-2073:DESCRIPTION:FTP server library uses hard-coded usernames and passwords for three default accounts:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2073REFERENCE:CVE-2010-1573:DESCRIPTION:Chain: Router firmware uses hard-coded username and password for access to debug functionality, which can be used to execute arbitrary code:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1573REFERENCE:CVE-2008-2369:DESCRIPTION:Server uses hard-coded authentication key:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2369REFERENCE:CVE-2008-0961:DESCRIPTION:Backup product uses hard-coded username and password, allowing attackers to bypass authentication via the RPC interface:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0961REFERENCE:CVE-2008-1160:DESCRIPTION:Security appliance uses hard-coded password allowing attackers to gain root 
access:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1160REFERENCE:CVE-2006-7142:DESCRIPTION:Drive encryption product stores hard-coded cryptographic keys for encrypted configuration files in executable programs:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7142REFERENCE:CVE-2005-3716:DESCRIPTION:VoIP product uses unchangeable hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3716REFERENCE:CVE-2005-3803:DESCRIPTION:VoIP product uses hard coded public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3803REFERENCE:CVE-2005-0496:DESCRIPTION:Backup product contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0496","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:MSC03-J:ENTRY NAME:Never hard code sensitive information::","::190::191::70::","",
  643. 799,"Improper Control of Interaction Frequency",Class,Incomplete,"The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.","This can allow the actor to perform actions more frequently than expected. The actor could be a human or an automated process such as a virus or bot. This could be used to cause a denial of service, compromise program logic (such as limiting humans to a single vote), or other consequences. For example, an authentication routine might not limit the number of times an attacker can guess a password. Or, a web site might conduct a poll but only expect humans to vote a maximum of once a day.","::NATURE:ChildOf:CWE ID:691:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Insufficient anti-automation:DESCRIPTION:The term insufficient anti-automation focuses primarily on non-human actors such as viruses or bots, but the scope of this CWE entry is broader.::TERM:Brute force:DESCRIPTION:Vulnerabilities that can be targeted using brute force attacks are often symptomatic of this weakness.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:DoS: Resource Consumption (Other) Bypass Protection Mechanism Other::","","","::REFERENCE:CVE-2002-1876:DESCRIPTION:Mail server allows attackers to prevent other users from accessing mail by sending a large number of rapid requests.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1876","","","TAXONOMY NAME:WASC:ENTRY ID:21:ENTRY NAME:Insufficient Anti-Automation::","","",
  644. 8,"J2EE Misconfiguration: Entity Bean Declared Remote",Variant,Incomplete,"When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.","","::NATURE:ChildOf:CWE ID:668:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Declare Java beans local when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that the application logic performs appropriate validation of any data that might be modified by an attacker.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:J2EE Misconfiguration: Unsafe Bean Declaration::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::","","TYPE:Other:NOTE:Entity beans that expose a remote interface become part of an application's attack surface. For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.::",
  645. 80,"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",Variant,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.","This may allow such characters to be treated as control characters, which are executed client-side in the context of the user's session. Although this can be classified as an injection problem, the more pertinent issue is the improper conversion of such special characters to respective context-appropriate entities before displaying them to the user.","::NATURE:ChildOf:CWE ID:79:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:79:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Read Application Data Execute Unauthorized Code or Commands::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Carefully check each input parameter against a rigorous positive specification (whitelist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. 
Therefore, validating ALL parts of the HTTP request is recommended.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:With Struts, write all data from form beans with the bean's filter attribute set to true.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS:Defense in Depth:DESCRIPTION:To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. 
More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.::","::REFERENCE:CVE-2002-0938:DESCRIPTION:XSS in parameter in a link.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0938REFERENCE:CVE-2002-1495:DESCRIPTION:XSS in web-based email product via attachment filenames.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1495REFERENCE:CVE-2003-1136:DESCRIPTION:HTML injection in posted message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1136REFERENCE:CVE-2004-2171:DESCRIPTION:XSS not quoted in error page.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2171","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Basic XSS::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::18::193::32::86::","",
  646. 804,"Guessable CAPTCHA",Base,Incomplete,"The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.","An automated attacker could bypass the intended protection of the CAPTCHA challenge and perform actions at a higher frequency than humanly possible, such as launching spam attacks. There can be several different causes of a guessable CAPTCHA: An audio or visual image that does not have sufficient distortion from the unobfuscated source image. A question is generated with a format that can be automatically recognized, such as a math question. A question for which the number of possible answers is limited, such as birth years or favorite sports teams. A general-knowledge or trivia question for which the answer can be accessed using a database, such as country capitals or popular actors. Other data associated with the CAPTCHA may provide hints about its contents, such as an image whose filename contains the word that is used in the CAPTCHA.","::NATURE:ChildOf:CWE ID:863:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:863:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:1000::NATURE:ChildOf:CWE ID:287:VIEW ID:699::NATURE:ChildOf:CWE ID:330:VIEW ID:1000::NATURE:ChildOf:CWE ID:330:VIEW ID:699::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Sometimes::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Other:NOTE:Access Control Other Bypass Protection Mechanism Other When authorization, authentication, or another protection mechanism relies on CAPTCHA entities to ensure that only human actors can access certain functionality, then an automated attacker such as a bot may access the restricted functionality by guessing the CAPTCHA.::","","","","","","TAXONOMY NAME:WASC:ENTRY ID:21:ENTRY NAME:Insufficient Anti-Automation::","","",
  647. 805,"Buffer Access with Incorrect Length Value",Base,Incomplete,"The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.","When the length value exceeds the size of the destination, a buffer overflow could occur.","::NATURE:ChildOf:CWE ID:119:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Often::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Often:::LANGUAGE CLASS:Assembly:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU):NOTE:Availability DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:High:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Analysis:EFFECTIVENESS::DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::","::PHASE:Requirements:STRATEGY:Language Selection:EFFECTIVENESS::DESCRIPTION:Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. 
These libraries provide safer versions of overflow-prone string-handling functions.::PHASE:Build and Compilation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Consider adhering to the following rules when allocating and managing an application's memory: Double check that your buffer is as large as you specify. When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. Check buffer boundaries if accessing the buffer in a loop and make sure you are not in danger of writing past the allocated space. If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. 
Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64].::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-59] [REF-57].::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::PHASE:Architecture and Design Operation:STRATEGY:Sandbox or Jail:EFFECTIVENESS:Limited:DESCRIPTION:Run the code in a jail or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. 
Be careful to avoid CWE-243 and other weaknesses related to jails.::","::REFERENCE:CVE-2011-1959:DESCRIPTION:Chain: large length value causes buffer over-read (CWE-126):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1959REFERENCE:CVE-2011-1848:DESCRIPTION:Use of packet length field to make a calculation, then copy into a fixed-size buffer:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1848REFERENCE:CVE-2011-0105:DESCRIPTION:Chain: retrieval of length value from an uninitialized memory location:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0105REFERENCE:CVE-2011-0606:DESCRIPTION:Crafted length value in document reader leads to buffer overflow:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0606REFERENCE:CVE-2011-0651:DESCRIPTION:SSL server overflow when the sum of multiple length fields exceeds a given value:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0651REFERENCE:CVE-2010-4156:DESCRIPTION:Language interpreter API function doesn't validate length argument, leading to information exposure:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4156","","Memory::","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ARR38-C:ENTRY NAME:Guarantee that library functions do not form invalid pointers:MAPPING FIT:Imprecise::","::100::","",
  648. 806,"Buffer Access Using Size of Source Buffer",Variant,Incomplete,"The software uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.","When the size of the destination is smaller than the size of the source, a buffer overflow could occur.","::NATURE:ChildOf:CWE ID:805:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:805:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Resultant:DESCRIPTION:::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Sometimes::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Sometimes::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU):NOTE:Availability DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy.::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism When the consequence is arbitrary code execution, this can often be used to subvert any other security service.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use an abstraction library to abstract away risky APIs. Examples include the Safe C String Library (SafeStr) by Viega, and the Strsafe.h library from Microsoft. 
This is not a complete solution, since many buffer overflows are not related to strings.::PHASE:Build and Compilation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. This is not necessarily a complete solution, since these canary-based mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Programmers should adhere to the following rules when allocating and managing their application's memory: Double check that your buffer is as large as you specify. When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. Check buffer boundaries if calling this function in a loop and make sure you are not in danger of writing past the allocated space. Truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. 
Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64].::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS:Defense in Depth:DESCRIPTION:Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61].::PHASE:Build and Compilation Operation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Most mitigating technologies at the compiler or OS level to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is good practice to implement strategies to increase the workload of an attacker, such as leaving the attacker to guess an unknown value that changes every program execution.::","","","Memory::","","","",
  649. 807,"Reliance on Untrusted Inputs in a Security Decision",Base,Incomplete,"The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.","Developers may assume that inputs such as cookies, environment variables, and hidden form fields cannot be modified. However, an attacker could change these inputs using customized clients or other attacks. This change might not be detected. When security decisions such as authentication and authorization are made based on the values of these inputs, attackers can bypass the security of the software. Without sufficient encryption, integrity checking, or other mechanism, any input that originates from an outsider cannot be trusted.","::NATURE:ChildOf:CWE ID:693:VIEW ID:1000:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity Varies by Context:NOTE:Confidentiality Access Control Availability Other Bypass Protection Mechanism Gain Privileges or Assume Identity Varies by Context Attackers can bypass the security decision to access whatever is being protected. The consequences will depend on the associated functionality, but they can range from granting additional privileges to untrusted users to bypassing important security checks. 
Ultimately, this weakness may lead to exposure or modification of sensitive data, system crash, or execution of arbitrary code.::","::METHOD:Manual Static Analysis:EFFECTIVENESS:High:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling::","::PHASE:Architecture and Design:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Store state information and sensitive data on the server side only. Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions. If information must be stored on the client, do not do so without encryption and integrity checking, or otherwise having a mechanism on the server side to catch tampering. Use a message authentication code (MAC) algorithm, such as Hash Message Authentication Code (HMAC) [REF-529]. Apply this against the state or sensitive data that has to be exposed, which can guarantee the integrity of the data - i.e., that the data has not been modified. Ensure that a strong hash function is used (CWE-328).::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. With a stateless protocol such as HTTP, use a framework that maintains the state for you. 
Examples include ASP.NET View State [REF-756] and the OWASP ESAPI Session Management feature [REF-45]. Be careful of language features that provide state support, since these might be provided as a convenience to the programmer and may not be considering security.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Operation Implementation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.::PHASE:Architecture and Design Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. Identify all inputs that are used for security decisions and determine if you can modify the design so that you do not have to rely on submitted inputs at all. 
For example, you may be able to keep critical information about the user's session on the server side instead of recording it within external data.::","::REFERENCE:CVE-2009-1549:DESCRIPTION:Attacker can bypass authentication by setting a cookie to a specific value.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1549REFERENCE:CVE-2009-1619:DESCRIPTION:Attacker can bypass authentication and gain admin privileges by setting an admin cookie to 1.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1619REFERENCE:CVE-2009-0864:DESCRIPTION:Content management system allows admin privileges by setting a login cookie to OK.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0864REFERENCE:CVE-2008-5784:DESCRIPTION:e-dating application allows admin privileges by setting the admin cookie to 1.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5784REFERENCE:CVE-2008-6291:DESCRIPTION:Web-based email list manager allows attackers to gain admin privileges by setting a login cookie to admin.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6291","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:SEC09-J:ENTRY NAME:Do not base security checks on untrusted sources::","","",
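The CVEs listed for this entry all share one shape: the client sends a cookie such as admin=1 or login=OK and the server believes it. The block below is an added example in C, not part of the CWE entry or any MITRE material. It shows that pattern next to the server-side-state mitigation described above: the cookie becomes an opaque session id and the role is looked up in a table the server owns. The session ids, user names and the Cookie header are constructed for the example.

```c
/* Added example, not part of the CWE text. Session ids, users and the
 * Cookie header below are constructed; the handler names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define MAX_COOKIE 64

/* Server-side session table: the only place a role is stored. */
struct session { const char *id; const char *user; int is_admin; };
static const struct session SESSIONS[] = {
    { "b7e4f0c1a9d2", "alice", 0 },
    { "3a91c77de0b4", "root",  1 },
};

/* Pull one cookie's value out of a "Cookie:" header value ("a=1; b=2").
 * Returns 1 and fills out on success, 0 if absent or too long. */
static int cookie_value(const char *header, const char *name,
                        char *out, size_t outsz) {
    size_t nlen = strlen(name);
    const char *p = header;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, ";");
            if (vlen >= outsz) return 0;           /* refuse oversized values */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = strchr(p, ';');                        /* skip to the next pair */
    }
    return 0;
}

/* The weakness: the client decides whether it is an admin. Any user can
 * set this cookie by hand. */
int is_admin_vulnerable(const char *cookie_header) {
    char v[MAX_COOKIE];
    return cookie_value(cookie_header, "admin", v, sizeof v) && strcmp(v, "1") == 0;
}

/* The fix: the cookie is only a lookup key. The role comes from SESSIONS,
 * which the client cannot write to. An unknown or missing id is denied. */
int is_admin_fixed(const char *cookie_header) {
    char sid[MAX_COOKIE];
    if (!cookie_value(cookie_header, "sid", sid, sizeof sid)) return 0;
    for (size_t i = 0; i < sizeof SESSIONS / sizeof SESSIONS[0]; i++)
        if (strcmp(SESSIONS[i].id, sid) == 0) return SESSIONS[i].is_admin;
    return 0;
}

int main(void) {
    /* Constructed request: a non-admin session that has added admin=1. */
    const char *hdr = "admin=1; sid=b7e4f0c1a9d2";
    printf("vulnerable: %d  fixed: %d\n", is_admin_vulnerable(hdr), is_admin_fixed(hdr));
    return 0;
}
```

The session lookup is the "keep critical information about the user's session on the server side" option from the mitigation text; the HMAC option applies when state really must travel with the client, and it needs a real MAC implementation rather than the plain lookup shown here.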
  650. 81,"Improper Neutralization of Script in an Error Message Web Page",Variant,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page.","Error pages may include customized 403 Forbidden or 404 Not Found pages. When an attacker can trigger an error that contains unneutralized input, then cross-site scripting attacks may be possible.","::NATURE:ChildOf:CWE ID:79:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:79:VIEW ID:699:ORDINAL:Primary::NATURE:CanAlsoBe:CWE ID:209:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:390:VIEW ID:1000::","::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Read Application Data Execute Unauthorized Code or Commands::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Do not write user-controlled input to error pages.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Carefully check each input parameter against a rigorous positive specification (whitelist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. 
Therefore, validating ALL parts of the HTTP request is recommended.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:With Struts, write all data from form beans with the bean's filter attribute set to true.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS:Defense in Depth:DESCRIPTION:To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. 
More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.::","::REFERENCE:CVE-2002-0840:DESCRIPTION:XSS in default error page from Host: header.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0840REFERENCE:CVE-2002-1053:DESCRIPTION:XSS in error message.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1053REFERENCE:CVE-2002-1700:DESCRIPTION:XSS in error page from targeted parameter.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1700","","","TAXONOMY NAME:PLOVER:ENTRY NAME:XSS in error pages::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::198::","",
  651. 82,"Improper Neutralization of Script in Attributes of IMG Tags in a Web Page",Variant,Incomplete,"The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.","Attackers can embed XSS exploits into the values for IMG attributes (e.g. SRC) that are streamed and then executed in a victim's browser. Note that when the page is loaded into a user's browser, the exploit will automatically execute.","::NATURE:ChildOf:CWE ID:83:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:83:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Read Application Data Execute Unauthorized Code or Commands::","","::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. 
This can open up the browser to subtle XSS attacks.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS:Defense in Depth:DESCRIPTION:To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.::","::REFERENCE:CVE-2006-3211:DESCRIPTION:Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3211REFERENCE:CVE-2002-1649:DESCRIPTION:javascript URI scheme in IMG tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1649REFERENCE:CVE-2002-1803:DESCRIPTION:javascript URI scheme in IMG tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1803REFERENCE:CVE-2002-1804:DESCRIPTION:javascript URI scheme in IMG tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1804REFERENCE:CVE-2002-1805:DESCRIPTION:javascript URI scheme in IMG tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1805REFERENCE:CVE-2002-1806:DESCRIPTION:javascript URI scheme in IMG tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1806REFERENCE:CVE-2002-1807:DESCRIPTION:javascript URI scheme in IMG tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1807REFERENCE:CVE-2002-1808:DESCRIPTION:javascript URI scheme in IMG tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1808","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Script in IMG tags::::TAXONOMY NAME:Software Fault Patterns:ENTRY 
ID:SFP24:ENTRY NAME:Tainted input to command::","","",
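The two entries above (CWE-81, script in an error page, and CWE-82, script in IMG attributes) need two different defences that are easy to confuse: escaping for the HTML context the value lands in, and, for a URL attribute, rejecting dangerous schemes before escaping, because a javascript: URL is still a javascript: URL after it has been HTML-escaped. The block below is an added example in C and is not part of either CWE entry. The page templates, the error-page builder and the function names are assumptions; it also states the character set explicitly, which is the output-encoding mitigation both entries list.

```c
/* Added example, not from the CWE entries. The templates and function
 * names are illustrative; only the escaping and scheme rules matter. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Escape for an HTML body or a double-quoted attribute value. Returns
 * bytes written (without the NUL) or -1 if `out` is too small. */
int html_escape(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, 0 };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (n + rl + 1 > outsz) return -1;
        memcpy(out + n, rep, rl);
        n += rl;
    }
    out[n] = '\0';
    return (int)n;
}

/* Scheme allow-list for an IMG src. Browsers drop leading whitespace and
 * embedded tab/newline and match schemes case-insensitively, so the value
 * is normalised (every byte <= 0x20 removed, lower-cased) before the
 * scheme is examined. Relative URLs (no scheme) are accepted. */
int is_safe_img_src(const char *url) {
    char buf[2048];
    size_t n = 0;
    for (; *url && n < sizeof buf - 1; url++)
        if ((unsigned char)*url > 0x20) buf[n++] = (char)tolower((unsigned char)*url);
    buf[n] = '\0';
    if (n == 0 || *url) return 0;                 /* empty, or longer than buf */
    const char *colon = strchr(buf, ':');
    size_t path_end = strcspn(buf, "/?#");
    if (!colon || (size_t)(colon - buf) > path_end) return 1;   /* no scheme: relative */
    return strncmp(buf, "http:", 5) == 0 || strncmp(buf, "https:", 6) == 0;
}

/* CWE-81: the requested path (from the URL or the Host: header) is
 * untrusted and is escaped before being embedded in the 404 body. The
 * charset is declared so the browser does not guess one. */
int render_not_found(const char *path, char *out, size_t outsz) {
    char esc[1024];
    if (html_escape(path, esc, sizeof esc) < 0) return -1;
    int n = snprintf(out, outsz,
        "<!doctype html><html><head><meta charset=\"utf-8\">"
        "<title>404 Not Found</title></head><body>"
        "<h1>Not Found</h1><p>No such page: %s</p></body></html>", esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* CWE-82: reject unsafe schemes first, then escape for attribute context
 * so a quote inside the URL cannot close the attribute. */
int render_img(const char *src, char *out, size_t outsz) {
    char esc[2048];
    if (!is_safe_img_src(src)) return -1;
    if (html_escape(src, esc, sizeof esc) < 0) return -1;
    int n = snprintf(out, outsz, "<img src=\"%s\" alt=\"\">", esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}
```

The scheme check is deliberately stricter than a browser's URL parser: anything that normalises to a scheme other than http or https is refused, including data: and any scheme-looking prefix such as foo.png:, so a bypass has to survive both the normalisation and the allow-list.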
  652. 820,"Missing Synchronization",Base,Incomplete,"The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.","If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.","::NATURE:ChildOf:CWE ID:662:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:662:VIEW ID:699:ORDINAL:Primary::","","","","","","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Other:TECHNICAL IMPACT:Modify Application Data Read Application Data Alter Execution Logic::","","","","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:LCK05-J:ENTRY NAME:Synchronize access to static fields that can be modified by untrusted code::","","",
  653. 821,"Incorrect Synchronization",Base,Incomplete,"The software utilizes a shared resource in a concurrent manner but it does not correctly synchronize access to the resource.","If access to a shared resource is not correctly synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.","::NATURE:ChildOf:CWE ID:662:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:662:VIEW ID:699:ORDINAL:Primary::","","","","","","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Other:TECHNICAL IMPACT:Modify Application Data Read Application Data Alter Execution Logic::","","","","","","","","",
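CWE-820 and CWE-821 differ in where the lock is, not whether one exists. The block below is an added example in C with POSIX threads, not part of either CWE entry, and the account type, amounts and thread counts are constructed for it. The same withdrawal is written three ways: with no synchronization (CWE-820), with a lock that covers each access but not the check-then-act sequence as a whole (CWE-821), and correctly.

```c
/* Added example, not part of the CWE text. `struct account` and the
 * withdraw functions are illustrative; builds against POSIX threads. */
#include <pthread.h>
#include <stdio.h>

struct account { pthread_mutex_t lock; long balance; long withdrawn; };

/* CWE-820: no lock. Two threads can both observe balance >= amt, both
 * subtract, and the balance goes negative (more is paid out than existed). */
int withdraw_unsynchronized(struct account *a, long amt) {
    if (a->balance >= amt) { a->balance -= amt; a->withdrawn += amt; return 1; }
    return 0;
}

/* CWE-821: every access is under the lock, but the lock is released
 * between the check and the update, so the check is stale by the time
 * the subtraction runs. Same race, harder to see in review. */
int withdraw_incorrectly_synchronized(struct account *a, long amt) {
    pthread_mutex_lock(&a->lock);
    int ok = a->balance >= amt;
    pthread_mutex_unlock(&a->lock);
    if (!ok) return 0;
    pthread_mutex_lock(&a->lock);
    a->balance -= amt; a->withdrawn += amt;
    pthread_mutex_unlock(&a->lock);
    return 1;
}

/* Correct: the check and the update are one critical section. */
int withdraw_correct(struct account *a, long amt) {
    int ok = 0;
    pthread_mutex_lock(&a->lock);
    if (a->balance >= amt) { a->balance -= amt; a->withdrawn += amt; ok = 1; }
    pthread_mutex_unlock(&a->lock);
    return ok;
}

struct job { struct account *acct; int (*fn)(struct account *, long); int attempts; };

static void *worker(void *arg) {
    struct job *j = arg;
    for (int i = 0; i < j->attempts; i++) j->fn(j->acct, 1);
    return NULL;
}

/* Run `nthreads` workers that each attempt `attempts` withdrawals of 1 from
 * `start`. Returns the final balance and stores the total paid out in
 * *withdrawn. A correct implementation always satisfies balance >= 0 and
 * balance + withdrawn == start; the two buggy variants can violate both. */
long run_withdrawals(int (*fn)(struct account *, long), int nthreads,
                     int attempts, long start, long *withdrawn) {
    struct account a;
    pthread_t th[64];
    struct job j = { &a, fn, attempts };
    if (nthreads > 64) nthreads = 64;
    pthread_mutex_init(&a.lock, NULL);
    a.balance = start;
    a.withdrawn = 0;
    for (int i = 0; i < nthreads; i++) pthread_create(&th[i], NULL, worker, &j);
    for (int i = 0; i < nthreads; i++) pthread_join(th[i], NULL);
    pthread_mutex_destroy(&a.lock);
    if (withdrawn) *withdrawn = a.withdrawn;
    return a.balance;
}

int main(void) {
    long w, b;
    b = run_withdrawals(withdraw_unsynchronized, 8, 500, 1000, &w);
    printf("unsynchronized: balance %ld, withdrawn %ld\n", b, w);
    b = run_withdrawals(withdraw_incorrectly_synchronized, 8, 500, 1000, &w);
    printf("incorrect sync: balance %ld, withdrawn %ld\n", b, w);
    b = run_withdrawals(withdraw_correct, 8, 500, 1000, &w);
    printf("correct:        balance %ld, withdrawn %ld\n", b, w);
    return 0;
}
```

Only the correct variant has a deterministic result. The two buggy variants may look fine on a quiet machine and fail under load, which is why the invariant (balance never negative, balance plus withdrawn equal to the start value) is the thing to check in a test rather than any one run's output.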
  654. 822,"Untrusted Pointer Dereference",Base,Incomplete,"The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.","An attacker can supply a pointer for memory locations that the program is not expecting. If the pointer is dereferenced for a write operation, the attack might allow modification of critical program state variables, cause a crash, or execute code. If the dereferencing operation is for a read, then the attack might allow reading of sensitive data, cause a crash, or set a program variable to an unexpected value (since the value will be read from an unexpected memory location). There are several variants of this weakness, including but not necessarily limited to: The untrusted value is directly invoked as a function call. In OS kernels or drivers where there is a boundary between userland and privileged memory spaces, an untrusted pointer might enter through an API or system call (see CWE-781 for one such example). Inadvertently accepting the value from an untrusted control sphere when it did not have to be accepted as input at all. 
This might occur when the code was originally developed to be run by a single user in a non-networked environment, and the code is then ported to or otherwise exposed to a networked environment.","::NATURE:ChildOf:CWE ID:119:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:125:VIEW ID:1000::NATURE:CanPrecede:CWE ID:787:VIEW ID:1000::","","","","","","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory:NOTE:Confidentiality Read Memory If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is malformed or larger than expected by a read or write operation, the application may terminate unexpectedly.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Modify Memory:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Modify Memory If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.::","","","::REFERENCE:CVE-2007-5655:DESCRIPTION:message-passing framework interprets values in packets as pointers, causing a crash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5655REFERENCE:CVE-2010-2299:DESCRIPTION:labeled as a type confusion issue, also referred to as a stale pointer. However, the bug ID says contents are simply interpreted as a pointer... renderer ordinarily doesn't supply this pointer directly. 
The handle in the untrusted area is replaced in one function, but not another - thus also, effectively, exposure to wrong sphere (CWE-668).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2299REFERENCE:CVE-2009-1719:DESCRIPTION:Untrusted dereference using undocumented constructor.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1719REFERENCE:CVE-2009-1250:DESCRIPTION:An error code is incorrectly checked and interpreted as a pointer, leading to a crash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1250REFERENCE:CVE-2009-0311:DESCRIPTION:An untrusted value is obtained from a packet and directly called as a function pointer, leading to code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0311REFERENCE:CVE-2010-1818:DESCRIPTION:Undocumented attribute in multimedia software allows unmarshaling of an untrusted pointer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1818REFERENCE:CVE-2010-3189:DESCRIPTION:ActiveX control for security software accepts a parameter that is assumed to be an initialized pointer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3189REFERENCE:CVE-2010-1253:DESCRIPTION:Spreadsheet software treats certain record values that lead to user-controlled pointer (might be untrusted offset, not untrusted pointer).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1253","","","","","TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::::TYPE:Research Gap:NOTE:Under-studied and probably under-reported as of September 2010. This weakness has been reported in high-visibility software, but applied vulnerability researchers have only been investigating it since approximately 2008, and there are only a few public reports. Few reports identify weaknesses at such a low level, which makes it more difficult to find and study real-world code examples.::",
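The observed examples above (a packet value interpreted as a pointer, an unmarshalled pointer, an ActiveX parameter assumed to be an initialised pointer) are all the same mistake: a value chosen by the untrusted side is used as an address. The block below is an added example in C, not from the CWE entry. It contrasts that pattern with a handle table, the usual fix in kernels and IPC servers: the untrusted side gets an index plus a generation number, and only the trusted side's table maps that to a real pointer. The object layout, table size and handle encoding are constructed assumptions.

```c
/* Added example, not from the CWE entry. `struct object`, the table size
 * and the handle layout are illustrative assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct object { uint32_t generation; int in_use; char name[16]; };

/* CWE-822 pattern: the value in the message IS the pointer, so whatever
 * the untrusted side sends is dereferenced. Shown for contrast only;
 * never call this on input you do not control. */
struct object *resolve_raw_pointer(uint64_t value_from_message) {
    return (struct object *)(uintptr_t)value_from_message;
}

/* Fixed design: messages carry a handle (slot index + generation) and the
 * trusted side owns the table that maps handles to pointers. Nothing the
 * caller sends is ever used as an address. */
#define TABLE_SIZE 8
struct handle_table { struct object slots[TABLE_SIZE]; };

/* Low 32 bits: slot index; high 32 bits: generation of that slot. */
static inline uint64_t make_handle(uint32_t index, uint32_t gen) {
    return ((uint64_t)gen << 32) | index;
}

struct object *resolve_handle(struct handle_table *t, uint64_t handle) {
    uint32_t index = (uint32_t)(handle & 0xffffffffu);
    uint32_t gen   = (uint32_t)(handle >> 32);
    if (index >= TABLE_SIZE) return NULL;           /* out of range (e.g. a raw address) */
    struct object *o = &t->slots[index];
    if (!o->in_use) return NULL;                    /* closed slot */
    if (o->generation != gen) return NULL;          /* stale handle after slot reuse */
    return o;
}

/* Returns a handle, or UINT64_MAX when the table is full; UINT64_MAX never
 * resolves because its index part is out of range. */
uint64_t table_open(struct handle_table *t, const char *name) {
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        struct object *o = &t->slots[i];
        if (o->in_use) continue;
        o->in_use = 1;
        o->generation++;                            /* old handles to this slot stop resolving */
        strncpy(o->name, name, sizeof o->name - 1);
        o->name[sizeof o->name - 1] = '\0';
        return make_handle(i, o->generation);
    }
    return UINT64_MAX;
}

void table_close(struct handle_table *t, uint64_t handle) {
    struct object *o = resolve_handle(t, handle);
    if (o) { o->in_use = 0; o->name[0] = '\0'; }
}
```

The generation counter is what turns a stale handle into a clean failure instead of access to whatever object reused the slot; without it the table fixes the untrusted-pointer problem but reintroduces the expired-reference problem of CWE-825.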
  655. 823,"Use of Out-of-range Pointer Offset",Base,Incomplete,"The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.","While a pointer can contain a reference to any arbitrary memory location, a program typically only intends to use the pointer to access limited portions of memory, such as contiguous memory used to access an individual array. Programs may use offsets in order to access fields or sub-elements stored within structured data. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error. If an attacker can control or influence the offset so that it points outside of the intended boundaries of the structure, then the attacker may be able to read or write to memory locations that are used elsewhere in the program. As a result, the attack might change the state of the software as accessed through program variables, cause a crash or unstable behavior, and possibly lead to code execution.","::NATURE:ChildOf:CWE ID:119:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:125:VIEW ID:1000::NATURE:CanPrecede:CWE ID:787:VIEW ID:1000::","","","","::TERM:Untrusted pointer offset:DESCRIPTION:This term is narrower than the concept of out-of-range offset, since the offset might be the result of a calculation or other error that does not depend on any externally-supplied values.::","","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory:NOTE:Confidentiality Read Memory If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart If the untrusted pointer references a memory location that is not accessible to the program, or 
points to a location that is malformed or larger than expected by a read or write operation, the application may terminate unexpectedly.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Modify Memory:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Modify Memory If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.::","","","::REFERENCE:CVE-2010-2160:DESCRIPTION:Invalid offset in undocumented opcode leads to memory corruption.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2160REFERENCE:CVE-2010-1281:DESCRIPTION:Multimedia player uses untrusted value from a file when using file-pointer calculations.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1281REFERENCE:CVE-2009-3129:DESCRIPTION:Spreadsheet program processes a record with an invalid size field, which is later used as an offset.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3129REFERENCE:CVE-2009-2694:DESCRIPTION:Instant messaging library does not validate an offset value specified in a packet.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694REFERENCE:CVE-2009-2687:DESCRIPTION:Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2687REFERENCE:CVE-2009-0690:DESCRIPTION:negative offset leads to out-of-bounds read:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0690REFERENCE:CVE-2008-4114:DESCRIPTION:untrusted offset in kernel:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4114REFERENCE:CVE-2010-2873:DESCRIPTION:blind trust of an offset value while writing heap memory allows corruption of function pointer,leading to code 
execution:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2873REFERENCE:CVE-2010-2866:DESCRIPTION:negative value (signed) causes pointer miscalculation:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2866REFERENCE:CVE-2010-2872:DESCRIPTION:signed values cause incorrect pointer calculation:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2872REFERENCE:CVE-2007-5657:DESCRIPTION:values used as pointer offsets:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5657REFERENCE:CVE-2010-2867:DESCRIPTION:a return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2867REFERENCE:CVE-2009-1097:DESCRIPTION:portions of a GIF image used as offsets, causing corruption of an object pointer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097REFERENCE:CVE-2008-1807:DESCRIPTION:invalid numeric field leads to a free of arbitrary memory locations, then code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1807REFERENCE:CVE-2007-2500:DESCRIPTION:large number of elements leads to a free of an arbitrary address:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2500REFERENCE:CVE-2008-1686:DESCRIPTION:array index issue (CWE-129) with negative offset, used to dereference a function pointer:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686REFERENCE:CVE-2010-2878:DESCRIPTION:buffer seek value - basically an offset?:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2878","","","","","TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. 
As of September 2010, most of the relationships are being captured as chains.::::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::::TYPE:Research Gap:NOTE:Under-studied and probably under-reported as of September 2010. This weakness has been reported in high-visibility software, but applied vulnerability researchers have only been investigating it since approximately 2008, and there are only a few public reports. Few reports identify weaknesses at such a low level, which makes it more difficult to find and study real-world code examples.::",
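Most of the CVE descriptions for CWE-823 are file parsers: an offset or size field read from the input is added to a base pointer. The block below is an added example in C, not from the CWE entry, of the unchecked form next to a checked one. The container layout (a record count followed by offset/length pairs) is a constructed format for illustration, not any real file type. The range check is written with subtraction so a huge offset or length cannot wrap the sum, and the fields are read as unsigned so a negative value cannot sign-extend into a backwards pointer, which is the failure in the signed-value CVEs listed above.

```c
/* Added example, not from the CWE entry. The container layout is a
 * constructed format for illustration only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Layout: 4-byte LE record count, then per record a 4-byte LE offset and
 * a 4-byte LE length, both relative to the start of the buffer. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Overflow-safe range check: is [off, off+len) inside [0, total)?
 * `off + len` is never computed, so it cannot wrap around. */
int range_in_bounds(size_t total, size_t off, size_t len) {
    return off <= total && len <= total - off;
}

/* CWE-823 pattern: the file's offset is added to the base pointer
 * unchecked, so a crafted (or merely corrupt) value points far outside
 * `buf`. Reading the field as int32_t would add a second bug: a negative
 * value moves the pointer backwards before the buffer. */
const uint8_t *record_unchecked(const uint8_t *buf, size_t n, uint32_t idx) {
    (void)n;                                        /* never consulted */
    const uint8_t *ent = buf + 4 + (size_t)idx * 8;
    return buf + le32(ent);
}

/* Fixed: the entry is checked to lie inside the buffer before it is read,
 * and the record range it describes is checked before any pointer is
 * formed. Returns NULL with *len = 0 on any violation. */
const uint8_t *record_checked(const uint8_t *buf, size_t n, uint32_t idx, size_t *len) {
    *len = 0;
    if (n < 4) return NULL;
    uint32_t count = le32(buf);
    if (idx >= count) return NULL;
    size_t ent_off = 4 + (size_t)idx * 8;
    if (!range_in_bounds(n, ent_off, 8)) return NULL;       /* the entry itself */
    uint32_t off  = le32(buf + ent_off);                     /* unsigned: no sign extension */
    uint32_t rlen = le32(buf + ent_off + 4);
    if (!range_in_bounds(n, off, rlen)) return NULL;         /* the record body */
    *len = rlen;
    return buf + off;
}
```

The order of the checks matters: the entry's own location is validated before its fields are read, because a count field that is larger than the data present is itself an out-of-range offset.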
  656. 824,"Access of Uninitialized Pointer",Base,Incomplete,"The program accesses or uses a pointer that has not been initialized.","If the pointer contains an uninitialized value, then the value might not point to a valid memory location. This could cause the program to read from or write to unexpected memory locations, leading to a denial of service. If the uninitialized pointer is used as a function call, then arbitrary functions could be invoked. If an attacker can influence the portion of uninitialized memory that is contained in the pointer, this weakness could be leveraged to execute code or perform other attacks. Depending on memory layout, associated memory management behaviors, and program operation, the attacker might be able to influence the contents of the uninitialized pointer, thus gaining more fine-grained control of the memory location to be accessed.","::NATURE:ChildOf:CWE ID:119:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:1003:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:125:VIEW ID:1000::NATURE:CanPrecede:CWE ID:787:VIEW ID:1000::","","","","","","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory:NOTE:Confidentiality Read Memory If the uninitialized pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart If the uninitialized pointer references a memory location that is not accessible to the program, or points to a location that is malformed (such as NULL) or larger than expected by a read or write operation, then a crash may occur.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands If the uninitialized pointer is used in a function call, or points to unexpected data in a 
write operation, then code execution may be possible.::","","","::REFERENCE:CVE-2010-0211:DESCRIPTION:chain: unchecked return value (CWE-252) leads to free of invalid, uninitialized pointer (CWE-824).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0211REFERENCE:CVE-2009-2768:DESCRIPTION:Pointer in structure is not initialized, leading to NULL pointer dereference (CWE-476) and system crash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2768REFERENCE:CVE-2009-1721:DESCRIPTION:Free of an uninitialized pointer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1721REFERENCE:CVE-2009-1415:DESCRIPTION:Improper handling of invalid signatures leads to free of invalid pointer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415REFERENCE:CVE-2009-0846:DESCRIPTION:Invalid encoding triggers free of uninitialized pointer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0846REFERENCE:CVE-2009-0040:DESCRIPTION:Crafted PNG image leads to free of uninitialized pointer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040REFERENCE:CVE-2008-2934:DESCRIPTION:Crafted GIF image leads to free of uninitialized pointer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2934REFERENCE:CVE-2007-4682:DESCRIPTION:Access of uninitialized pointer might lead to code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4682REFERENCE:CVE-2007-4639:DESCRIPTION:Step-based manipulation: invocation of debugging function before the primary initialization function leads to access of an uninitialized pointer and code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4639REFERENCE:CVE-2007-4000:DESCRIPTION:Unchecked return values can lead to a write to an uninitialized pointer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4000REFERENCE:CVE-2007-2442:DESCRIPTION:zero-length input leads to free of uninitialized 
pointer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442REFERENCE:CVE-2007-1213:DESCRIPTION:Crafted font leads to uninitialized function pointer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1213REFERENCE:CVE-2006-6143:DESCRIPTION:Uninitialized function pointer in freed memory is invoked:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6143REFERENCE:CVE-2006-4175:DESCRIPTION:LDAP server mishandles malformed BER queries, leading to free of uninitialized memory:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4175REFERENCE:CVE-2006-0054:DESCRIPTION:Firewall can crash with certain ICMP packets that trigger access of an uninitialized pointer.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0054REFERENCE:CVE-2003-1201:DESCRIPTION:LDAP server does not initialize members of structs, which leads to free of uninitialized pointer if an LDAP request fails.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1201","","","","","TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::::TYPE:Research Gap:NOTE:Under-studied and probably under-reported as of September 2010. This weakness has been reported in high-visibility software, but applied vulnerability researchers have only been investigating it since approximately 2008, and there are only a few public reports. 
Few reports identify weaknesses at such a low level, which makes it more difficult to find and study real-world code examples.::",
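Most of the CWE-824 examples above are "free of uninitialised pointer" bugs on an error path: a pointer member is only assigned once parsing has got far enough, but the cleanup code frees it unconditionally. The block below is an added example in C, not from the CWE entry, showing that shape and the standard fix (initialise every pointer to NULL, route all exits through one cleanup label, rely on free(NULL) being a no-op). The wire format (one length byte, header bytes, one length byte, payload bytes) is constructed for the example and is not a real protocol.

```c
/* Added example, not from the CWE entry. The wire format and decoder
 * names are constructed assumptions. */
#include <stdlib.h>
#include <string.h>

struct decoder { unsigned char *header; unsigned char *payload; size_t payload_len; };

/* CWE-824 pattern. `d.payload` is only assigned on the success path, but
 * the truncated-input branch frees it anyway, so it frees whatever bytes
 * happened to be on the stack. Shown for contrast; do not call it. */
int decode_uninitialized(const unsigned char *in, size_t n) {
    struct decoder d;                               /* members not initialised */
    size_t h, p;
    if (n < 1) return -1;
    h = in[0];
    if (n < 1 + h + 1) return -1;
    d.header = malloc(h ? h : 1);
    if (!d.header) return -1;
    memcpy(d.header, in + 1, h);
    p = in[1 + h];
    if (n < 2 + h + p) {
        free(d.header);
        free(d.payload);                            /* uninitialised pointer freed */
        return -1;
    }
    d.payload = malloc(p ? p : 1);
    if (!d.payload) { free(d.header); return -1; }
    memcpy(d.payload, in + 2 + h, p);
    free(d.header);
    free(d.payload);
    return 0;
}

/* Fixed: every pointer starts as NULL, every exit goes through `out`, and
 * free(NULL) does nothing, so no path can free a pointer that was never
 * assigned. Returns 0 on success, -1 on malformed input or allocation
 * failure; *payload_len_out receives the payload length on success. */
int decode_fixed(const unsigned char *in, size_t n, size_t *payload_len_out) {
    struct decoder d = { NULL, NULL, 0 };
    size_t h, p;
    int rc = -1;
    if (n < 1) goto out;
    h = in[0];
    if (n < 1 + h + 1) goto out;                    /* header or payload length missing */
    d.header = malloc(h ? h : 1);
    if (!d.header) goto out;
    memcpy(d.header, in + 1, h);
    p = in[1 + h];
    if (n < 2 + h + p) goto out;                    /* payload truncated */
    d.payload = malloc(p ? p : 1);
    if (!d.payload) goto out;
    memcpy(d.payload, in + 2 + h, p);
    d.payload_len = p;
    if (payload_len_out) *payload_len_out = p;
    rc = 0;
out:
    free(d.header);                                 /* NULL if never allocated */
    free(d.payload);
    return rc;
}
```

The single-exit shape is not just style: each new early return in the unfixed version is another place where the set of initialised members has to be tracked by hand, which is how these bugs get added during later maintenance.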
  657. 825,"Expired Pointer Dereference",Base,Incomplete,"The program dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.","When a program releases memory, but it maintains a pointer to that memory, then the memory might be re-allocated at a later time. If the original pointer is accessed to read or write data, then this could cause the program to read or modify data that is in use by a different function or process. Depending on how the newly-allocated memory is used, this could lead to a denial of service, information exposure, or code execution.","::NATURE:ChildOf:CWE ID:119:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:119:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:672:VIEW ID:1000::NATURE:ChildOf:CWE ID:672:VIEW ID:699::NATURE:CanPrecede:CWE ID:125:VIEW ID:1000::NATURE:CanPrecede:CWE ID:787:VIEW ID:1000::","","","","::TERM:Dangling pointer:DESCRIPTION:::","","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory:NOTE:Confidentiality Read Memory If the expired pointer is used in a read operation, an attacker might be able to control data read in by the application.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart If the expired pointer references a memory location that is not accessible to the program, or points to a location that is malformed (such as NULL) or larger than expected by a read or write operation, then a crash may occur.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands If the expired pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Choose a language that provides automatic memory 
management.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.::","::REFERENCE:CVE-2008-5013:DESCRIPTION:access of expired memory address leads to arbitrary code execution:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5013REFERENCE:CVE-2010-3257:DESCRIPTION:stale pointer issue leads to denial of service and possibly other consequences:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3257REFERENCE:CVE-2007-1211:DESCRIPTION:read of value at an offset into a structure after the offset is no longer valid:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1211","","","","","TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::::TYPE:Research Gap:NOTE:Under-studied and probably under-reported as of September 2010. This weakness has been reported in high-visibility software, but applied vulnerability researchers have only been investigating it since approximately 2008, and there are only a few public reports. Few reports identify weaknesses at such a low level, which makes it more difficult to find and study real-world code examples.::",
  658. 826,"Premature Release of Resource During Expected Lifetime",Base,Incomplete,"The program releases a resource that is still intended to be used by the program itself or another actor.","This weakness focuses on errors in which the program should not release a resource, but performs the release anyway. This is different than a weakness in which the program releases a resource at the appropriate time, but it maintains a reference to the resource, which it later accesses. For this weaknesses, the resource should still be valid upon the subsequent access. When a program releases a resource that is still being used, it is possible that operations will still be taken on this resource, which may have been repurposed in the meantime, leading to issues similar to CWE-825. Consequences may include denial of service, information exposure, or code execution.","::NATURE:ChildOf:CWE ID:666:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:666:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:672:VIEW ID:1000::","","","","","","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data Read Memory:NOTE:Confidentiality Read Application Data Read Memory If the released resource is subsequently reused or reallocated, then a read operation on the original resource might access sensitive data that is associated with a different user or entity.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart When the resource is released, the software might modify some of its structure, or close associated channels (such as a file descriptor). 
When the software later accesses the resource as if it is valid, the resource might not be in an expected state, leading to resultant errors that may lead to a crash.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Modify Application Data Modify Memory:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Modify Application Data Modify Memory When the resource is released, the software might modify some of its structure. This might affect program logic in the sections of code that still assume the resource is active. If the released resource is related to memory and is used in a function call, or points to unexpected data in a write operation, then code execution may be possible upon subsequent accesses.::","","","::REFERENCE:CVE-2009-3547:DESCRIPTION:chain: race condition might allow resource to be released before operating on it, leading to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547","","","","","TYPE:Research Gap:NOTE:Under-studied and under-reported as of September 2010. This weakness has been reported in high-visibility software, although the focus has been primarily on memory allocation and de-allocation. There are very few examples of this weakness that are not directly related to memory management, although such weaknesses are likely to occur in real-world software for other types of resources.::",
  659. 827,"Improper Control of Document Type Definition",Base,Incomplete,"The software does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the software to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.","As DTDs are processed, they might try to read or include files on the machine performing the parsing. If an attacker is able to control the DTD, then the attacker might be able to specify sensitive resources or requests or provide malicious content. For example, the SOAP specification prohibits SOAP messages from containing DTDs.","::NATURE:ChildOf:CWE ID:706:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:829:VIEW ID:1000::NATURE:CanPrecede:CWE ID:776:VIEW ID:1000::","","::LANGUAGE NAME:XML:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Web Based:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories:NOTE:Confidentiality Read Files or Directories If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory):NOTE:Availability DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) The DTD may cause the parser to consume excessive CPU cycles or memory using techniques such as nested or recursive entity references (CWE-776).::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Gain Privileges or Assume Identity:NOTE:Integrity Confidentiality Availability Access Control Execute Unauthorized Code or Commands Gain Privileges or Assume Identity The DTD may include arbitrary HTTP requests that the 
server may execute. This could lead to other attacks leveraging the server's trust relationship with other entities.::","","","::REFERENCE:CVE-2010-2076:DESCRIPTION:Product does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2076","","","","","",
  660. 828,"Signal Handler with Functionality that is not Asynchronous-Safe",Base,Incomplete,"The software defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.","This can lead to an unexpected system state with a variety of potential consequences depending on context, including denial of service and code execution. Signal handlers are typically intended to interrupt normal functionality of a program, or even other signals, in order to notify the process of an event. When a signal handler uses global or static variables, or invokes functions that ultimately depend on such state or its associated metadata, then it could corrupt system state that is being used by normal functionality. This could subject the program to race conditions or other weaknesses that allow an attacker to cause the program state to be corrupted. While denial of service is frequently the consequence, in some cases this weakness could be leveraged for code execution. There are several different scenarios that introduce this issue: Invocation of non-reentrant functions from within the handler. One example is malloc(), which modifies internal global variables as it manages memory. Very few functions are actually reentrant. Code sequences (not necessarily function calls) contain non-atomic use of global variables, or associated metadata or structures, that can be accessed by other functionality of the program, including other signal handlers. Frequently, the same function is registered to handle multiple signals. The signal handler function is intended to run at most one time, but instead it can be invoked multiple times. This could happen by repeated delivery of the same signal, or by delivery of different signals that have the same handler function (CWE-831). Note that in some environments or contexts, it might be possible for the signal handler to be interrupted itself. 
If both a signal handler and the normal behavior of the software have to operate on the same set of state variables, and a signal is received in the middle of the normal execution's modifications of those variables, the variables may be in an incorrect or corrupt state during signal handler execution, and possibly still incorrect or corrupt upon return.","::NATURE:ChildOf:CWE ID:364:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:364:VIEW ID:699:ORDINAL:Primary::","","","","","","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands The most common consequence will be a corruption of the state of the software, possibly leading to a crash or exit. However, if the signal handler is operating on state variables for security relevant libraries or protection mechanisms, the consequences can be far more severe, including protection mechanism bypass, privilege escalation, or information exposure.::","","::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS:High:DESCRIPTION:Eliminate the usage of non-reentrant functionality inside of signal handlers. This includes replacing all non-reentrant library calls with reentrant calls. Note: This will not always be possible and may require large portions of the software to be rewritten or even redesigned. Sometimes reentrant-safe library alternatives will not be available. Sometimes non-reentrant interaction between the state of the system and the signal handler will be required by design.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Where non-reentrant functionality must be leveraged within a signal handler, be sure to block or mask signals appropriately. This includes blocking other signals within the signal handler itself that may also leverage the functionality. 
It also includes blocking all signals reliant upon the functionality when it is being accessed or modified by the normal behaviors of the software.::","::REFERENCE:CVE-2008-4109:DESCRIPTION:Signal handler uses functions that ultimately call the unsafe syslog/malloc/s*printf, leading to denial of service via multiple login attempts:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4109REFERENCE:CVE-2006-5051:DESCRIPTION:Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051REFERENCE:CVE-2001-1349:DESCRIPTION:unsafe calls to library functions from signal handler:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1349REFERENCE:CVE-2004-0794:DESCRIPTION:SIGURG can be used to remotely interrupt signal handler; other variants exist.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0794REFERENCE:CVE-2004-2259:DESCRIPTION:SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2259REFERENCE:CVE-2002-1563:DESCRIPTION:SIGCHLD not blocked in a daemon loop while counter is modified, causing counter to get out of sync.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1563","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:SIG31-C:ENTRY NAME:Do not access or modify shared objects in signal handlers::","","",
  661. 829,"Inclusion of Functionality from Untrusted Control Sphere",Class,Incomplete,"The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.","When including third-party functionality, such as a web widget, library, or other source of functionality, the software must effectively trust that functionality. Without sufficient protection mechanisms, the functionality could be malicious in nature (either by coming from an untrusted source, being spoofed, or being modified in transit from a trusted source). The functionality might also contain its own weaknesses, or grant access to additional functionality and state information that should be kept private to the base system, such as system state information, sensitive application data, or the DOM of a web application. This might lead to many different consequences depending on the included functionality, but some examples include injection of malware, information exposure by granting excessive privileges or permissions to the untrusted functionality, DOM-based XSS vulnerabilities, stealing user's cookies, or open redirect to malware (CWE-601).","::NATURE:ChildOf:CWE ID:669:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:669:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Confidentiality Integrity Availability Execute Unauthorized Code or Commands An attacker could insert malicious functionality into the program by causing the program to download code that the attacker has placed into the untrusted control sphere, such as a malicious web site.::","::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness 
Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling::","::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.::PHASE:Architecture and Design:STRATEGY:Enforcement by Conversion:EFFECTIVENESS::DESCRIPTION:When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to inbox.txt and ID 2 could map to profile.txt. Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Architecture and Design Operation:STRATEGY:Sandbox or Jail:EFFECTIVENESS:Limited:DESCRIPTION:Run the code in a jail or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. 
This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. 
However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Architecture and Design Operation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately. This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. 
It will also reduce the attack surface.::PHASE:Architecture and Design Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. Many file inclusion problems occur because the programmer assumed that certain inputs could not be modified, especially for cookies and URL components.::PHASE:Operation:STRATEGY:Firewall:EFFECTIVENESS:Moderate:DESCRIPTION:Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.::","::REFERENCE:CVE-2010-2076:DESCRIPTION:Product does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2076REFERENCE:CVE-2004-0285:DESCRIPTION:Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0285REFERENCE:CVE-2004-0030:DESCRIPTION:Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0030REFERENCE:CVE-2004-0068:DESCRIPTION:Modification of assumed-immutable configuration variable in include file allows file inclusion via direct 
request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0068REFERENCE:CVE-2005-2157:DESCRIPTION:Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2157REFERENCE:CVE-2005-2162:DESCRIPTION:Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2162REFERENCE:CVE-2005-2198:DESCRIPTION:Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2198REFERENCE:CVE-2004-0128:DESCRIPTION:Modification of assumed-immutable variable in configuration script leads to file inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0128REFERENCE:CVE-2005-1864:DESCRIPTION:PHP file inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1864REFERENCE:CVE-2005-1869:DESCRIPTION:PHP file inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1869REFERENCE:CVE-2005-1870:DESCRIPTION:PHP file inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1870REFERENCE:CVE-2005-2154:DESCRIPTION:PHP local file inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2154REFERENCE:CVE-2002-1704:DESCRIPTION:PHP remote file include.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1704REFERENCE:CVE-2002-1707:DESCRIPTION:PHP remote file include.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1707REFERENCE:CVE-2005-1964:DESCRIPTION:PHP remote file include.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1964REFERENCE:CVE-2005-1681:DESCRIPTION:PHP remote file include.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1681REFERENCE:CVE-2005-2086:DESCRIPTION:PHP remote file 
include.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2086REFERENCE:CVE-2004-0127:DESCRIPTION:Directory traversal vulnerability in PHP include statement.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0127REFERENCE:CVE-2005-1971:DESCRIPTION:Directory traversal vulnerability in PHP include statement.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1971REFERENCE:CVE-2005-3335:DESCRIPTION:PHP file inclusion issue, both remote and local; local include uses .. and %00 characters as a manipulation, but many remote file inclusion issues probably have this vector.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3335","","","","::175::","",
  662. 83,"Improper Neutralization of Script in Attributes in a Web Page",Variant,Draft,"The software does not neutralize or incorrectly neutralizes javascript: or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.","","::NATURE:ChildOf:CWE ID:79:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:79:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Read Application Data Execute Unauthorized Code or Commands::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Carefully check each input parameter against a rigorous positive specification (whitelist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. 
When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:With Struts, write all data from form beans with the bean's filter attribute set to true.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS:Defense in Depth:DESCRIPTION:To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. 
More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.::","::REFERENCE:CVE-2001-0520:DESCRIPTION:Bypass filtering of SCRIPT tags using onload in BODY, href in A, BUTTON, INPUT, and others.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0520REFERENCE:CVE-2002-1493:DESCRIPTION:guestbook XSS in STYLE or IMG SRC attributes.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1493REFERENCE:CVE-2002-1965:DESCRIPTION:Javascript in onerror attribute of IMG tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1965REFERENCE:CVE-2002-1495:DESCRIPTION:XSS in web-based email product via onmouseover event.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1495REFERENCE:CVE-2002-1681:DESCRIPTION:XSS via script in <P> tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1681REFERENCE:CVE-2004-1935:DESCRIPTION:Onload, onmouseover, and other events in an e-mail attachment.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1935REFERENCE:CVE-2005-0945:DESCRIPTION:Onmouseover and onload events in img, link, and mail tags.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0945REFERENCE:CVE-2003-1136:DESCRIPTION:Javascript in onmouseover attribute in e-mail address or URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1136","","","TAXONOMY NAME:PLOVER:ENTRY NAME:XSS using Script in Attributes::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::243::","",
  663. 830,"Inclusion of Web Functionality from an Untrusted Source",Base,Incomplete,"The software includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the software, potentially granting total access and control of the software to the untrusted source.","Including third party functionality in a web-based environment is risky, especially if the source of the functionality is untrusted. Even if the third party is a trusted source, the software may still be exposed to attacks and malicious behavior if that trusted source is compromised, or if the code is modified in transmission from the third party to the software. This weakness is common in mashup development on the web, which may include source functionality from other domains. For example, Javascript-based web widgets may be inserted by using '<SCRIPT SRC=http://other.domain.here>' tags, which causes the code to run in the domain of the software, not the remote site from which the widget was loaded. As a result, the included code has access to the local DOM, including cookies and other data that the developer might not want the remote site to be able to access. Such dependencies may be desirable, or even required, but sometimes programmers are not aware that a dependency exists.","::NATURE:ChildOf:CWE ID:829:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:829:VIEW ID:699:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","","","","","","","",
  664. 831,"Signal Handler Function Associated with Multiple Signals",Base,Incomplete,"The software defines a function that is used as a handler for more than one signal.","While sometimes intentional and safe, when the same function is used to handle multiple signals, a race condition could occur if the function uses any state outside of its local declaration, such as global variables or non-reentrant functions, or has any side effects. An attacker could send one signal that invokes the handler function; in many OSes, this will typically prevent the same signal from invoking the handler again, at least until the handler function has completed execution. However, the attacker could then send a different signal that is associated with the same handler function. This could interrupt the original handler function while it is still executing. If there is shared state, then the state could be corrupted. This can lead to a variety of potential consequences depending on context, including denial of service and code execution. Another rarely-explored possibility arises when the signal handler is only designed to be executed once (if at all). By sending multiple signals, an attacker could invoke the function more than once. This may generate extra, unintended side effects. 
A race condition might not even be necessary; the attacker could send one signal, wait until it is handled, then send the other signal.","::NATURE:ChildOf:CWE ID:364:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:364:VIEW ID:699:ORDINAL:Primary::","","","","","","",,"::SCOPE:Availability:SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands Read Application Data Gain Privileges or Assume Identity Bypass Protection Mechanism Varies by Context:NOTE:Availability Integrity Confidentiality Access Control Other DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands Read Application Data Gain Privileges or Assume Identity Bypass Protection Mechanism Varies by Context The most common consequence will be a corruption of the state of the software, possibly leading to a crash or exit. However, if the signal handler is operating on state variables for security relevant libraries or protection mechanisms, the consequences can be far more severe, including protection mechanism bypass, privilege escalation, or information exposure.::","","","","","","","","",
  665. 832,"Unlock of a Resource that is not Locked",Base,Incomplete,"The software attempts to unlock a resource that is not locked.","Depending on the locking functionality, an unlock of a non-locked resource might cause memory corruption or other modification to the resource (or its associated metadata that is used for tracking locks).","::NATURE:ChildOf:CWE ID:667:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:667:VIEW ID:699:ORDINAL:Primary::","","","","","","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands Modify Memory Other:NOTE:Integrity Confidentiality Availability Other DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands Modify Memory Other Depending on the locking being used, an unlock operation might not have any adverse effects. When effects exist, the most common consequence will be a corruption of the state of the software, possibly leading to a crash or exit; depending on the implementation of the unlocking, memory corruption or code execution could occur.::","","","::REFERENCE:CVE-2010-4210:DESCRIPTION:function in OS kernel unlocks a mutex that was not previously locked, causing a panic or overwrite of arbitrary memory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4210REFERENCE:CVE-2008-4302:DESCRIPTION:Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4302REFERENCE:CVE-2009-1243:DESCRIPTION:OS kernel performs an unlock in some incorrect circumstances, leading to panic.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1243","","","","","",
  666. 833,"Deadlock",Base,Incomplete,"The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.","","::NATURE:ChildOf:CWE ID:667:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:667:VIEW ID:699:ORDINAL:Primary::","","","","","","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU) DoS: Resource Consumption (Other) DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Resource Consumption (CPU) DoS: Resource Consumption (Other) DoS: Crash, Exit, or Restart Each thread of execution will hang and prevent tasks from completing. In some cases, CPU consumption may occur if a lock check occurs in a tight loop.::","","","::REFERENCE:CVE-2009-2857:DESCRIPTION:OS deadlock:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2857REFERENCE:CVE-2009-1961:DESCRIPTION:OS deadlock involving 3 separate functions:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1961REFERENCE:CVE-2009-2699:DESCRIPTION:deadlock in library:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2699REFERENCE:CVE-2009-4272:DESCRIPTION:deadlock triggered by packets that force collisions in a routing table:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4272REFERENCE:CVE-2002-1850:DESCRIPTION:read/write deadlock between web server and script:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1850REFERENCE:CVE-2004-0174:DESCRIPTION:web server deadlock involving multiple listening connections:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0174REFERENCE:CVE-2009-1388:DESCRIPTION:multiple simultaneous calls to the same function trigger deadlock.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1388REFERENCE:CVE-2006-5158:DESCRIPTION:chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5158REFERENCE:CVE-2006-4342:DESCRIPTION:deadlock 
when an operation is performed on a resource while it is being removed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4342REFERENCE:CVE-2006-2374:DESCRIPTION:Deadlock in device driver triggered by using file handle of a related device.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2374REFERENCE:CVE-2006-2275:DESCRIPTION:Deadlock when large number of small messages cannot be processed quickly enough.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2275REFERENCE:CVE-2005-3847:DESCRIPTION:OS kernel has deadlock triggered by a signal during a core dump.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3847REFERENCE:CVE-2005-3106:DESCRIPTION:Race condition leads to deadlock.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3106REFERENCE:CVE-2005-2456:DESCRIPTION:Chain: array index error (CWE-129) leads to deadlock (CWE-833):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2456","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:LCK08-J:ENTRY NAME:Ensure actively held locks are released on exceptional conditions::","::25::","",
  667. 834,"Excessive Iteration",Base,Incomplete,"The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.","If the iteration can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. In many cases, a loop does not need to be infinite in order to cause enough resource consumption to adversely affect the software or its host system; it depends on the amount of resources consumed per iteration.","::NATURE:ChildOf:CWE ID:691:VIEW ID:1000:ORDINAL:Primary::","","","","","","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Amplification DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Amplification DoS: Crash, Exit, or Restart Excessive looping will cause unexpected consumption of resources, such as CPU cycles or memory. The software's operation may slow down, or cause a long time to respond. 
If limited resources such as memory are consumed for each iteration, the loop may eventually cause a crash or program exit due to exhaustion of resources, such as an out-of-memory error.::","::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Forced Path Execution::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","","","","","","","",
  668. 835,"Loop with Unreachable Exit Condition ('Infinite Loop')",Base,Incomplete,"The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.","If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.","::NATURE:ChildOf:CWE ID:834:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:834:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","","","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Amplification:NOTE:Availability DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Amplification An infinite loop will cause unexpected consumption of resources, such as CPU cycles or memory. The software's operation may slow down, or cause a long time to respond.::","","","::REFERENCE:CVE-2011-1027:DESCRIPTION:Chain: off-by-one error leads to infinite loop using invalid hex-encoded characters.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1027REFERENCE:CVE-2011-1142:DESCRIPTION:Chain: self-referential values in recursive definitions lead to infinite loop.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1142REFERENCE:CVE-2011-1002:DESCRIPTION:NULL UDP packet is never cleared from a queue, leading to infinite loop.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1002REFERENCE:CVE-2010-4476:DESCRIPTION:Floating point conversion routine cycles back and forth between two different values.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476REFERENCE:CVE-2010-4645:DESCRIPTION:Floating point conversion routine cycles back and forth between two different values.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4645REFERENCE:CVE-2010-2534:DESCRIPTION:Chain: improperly clearing a pointer in a linked list leads to infinite 
loop.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2534","","","","","",
  669. 836,"Use of Password Hash Instead of Password for Authentication",Base,Incomplete,"The software records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.","Some authentication mechanisms rely on the client to generate the hash for a password, possibly to reduce load on the server or avoid sending the password across the network. However, when the client is used to generate the hash, an attacker can bypass the authentication by obtaining a copy of the hash, e.g. by using SQL injection to compromise a database of authentication credentials, or by exploiting an information exposure. The attacker could then use a modified client to replay the stolen hash without having knowledge of the original password. As a result, the server-side comparison against a client-side hash does not provide any more security than the use of passwords without hashing.","::NATURE:ChildOf:CWE ID:287:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:287:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:602:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity An attacker could bypass the authentication routine without knowing the original password.::","","","::REFERENCE:CVE-2009-1283:DESCRIPTION:Product performs authentication with user-supplied password hashes that can be obtained from a separate SQL injection vulnerability (CVE-2009-1282).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1283REFERENCE:CVE-2005-3435:DESCRIPTION:Product allows attackers to bypass authentication by obtaining the password hash for another user and specifying the hash in the pwd 
argument.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3435","","","","","",
  670. 837,"Improper Enforcement of a Single, Unique Action",Base,Incomplete,"The software requires that an actor should only be able to perform an action once, or to have only one unique action, but the software does not enforce or improperly enforces this restriction.","In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or making a purchase. When this restriction is not enforced, sometimes this can have security implications. For example, in a voting application, an attacker could attempt to stuff the ballot box by voting multiple times. If these votes are counted separately, then the attacker could directly affect who wins the vote. This could have significant business impact depending on the purpose of the software.","::NATURE:ChildOf:CWE ID:799:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:799:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","","","",,"::SCOPE:Other:TECHNICAL IMPACT::NOTE:Other An attacker might be able to gain advantage over other users by performing the action multiple times, or affect the correctness of the software.::","","","::REFERENCE:CVE-2008-0294:DESCRIPTION:Ticket-booking web application allows a user to lock a seat more than once.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0294REFERENCE:CVE-2005-4051:DESCRIPTION:CMS allows people to rate downloads by voting more than once.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4051REFERENCE:CVE-2002-216:DESCRIPTION:Polling software allows people to vote more than once by setting a cookie.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-216REFERENCE:CVE-2003-1433:DESCRIPTION:Chain: lack of validation of a challenge key in a game allows a player to register multiple times and lock other players out of the 
game.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1433REFERENCE:CVE-2002-1018:DESCRIPTION:Library feature allows attackers to check out the same e-book multiple times, preventing other users from accessing copies of the e-book.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1018REFERENCE:CVE-2009-2346:DESCRIPTION:Protocol implementation allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many message exchanges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2346","","","","","",
  671. 838,"Inappropriate Encoding for Output Context",Base,Incomplete,"The software uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.","This weakness can cause the downstream component to use a decoding method that produces different data than what the software intended to send. When the wrong encoding is used - even if closely related - the downstream component could decode the data incorrectly. This can have security consequences when the provided boundaries between control and data are inadvertently broken, because the resulting data could introduce control characters or special elements that were not sent by the software. The resulting data could then be used to bypass protection mechanisms such as input validation, and enable injection attacks. While using output encoding is essential for ensuring that communications between components are accurate, the use of the wrong encoding - even if closely related - could cause the downstream component to misinterpret the output. For example, HTML entity encoding is used for elements in the HTML body of a web page. However, a programmer might use entity encoding when generating output that is used within an attribute of an HTML tag, which could contain functional Javascript that is not affected by the HTML encoding. 
While web applications have received the most attention for this problem, this weakness could potentially apply to any type of software that uses a communications stream that could support multiple encodings.","::NATURE:ChildOf:CWE ID:116:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:116:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","","","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Modify Application Data Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Modify Application Data Execute Unauthorized Code or Commands An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.::","","::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use context-aware encoding. That is, understand which encoding is being used by the downstream component, and ensure that this encoding is used. If an encoding can be specified, do so, instead of assuming that the default encoding is the same as the default being assumed by the downstream component.::PHASE:Architecture and Design:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Where possible, use communications protocols or data formats that provide strict boundaries between control and data. If this is not feasible, ensure that the protocols or formats allow the communicating components to explicitly state which encoding/decoding method is being used. Some template frameworks provide built-in support.::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. 
These will help the programmer encode outputs in a manner less prone to error. Note that some template mechanisms provide built-in support for the appropriate encoding.::","::REFERENCE:CVE-2009-2814:DESCRIPTION:Server does not properly handle requests that do not contain UTF-8 data; browser assumes UTF-8, allowing XSS.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2814","","","TAXONOMY NAME:CERT Java Secure Coding:ENTRY ID:IDS13-J:ENTRY NAME:Use compatible encodings on both sides of file or network IO::","::468::","",
  672. 839,"Numeric Range Comparison Without Minimum Check",Base,Incomplete,"The program checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.","Some programs use signed integers or floats even when their values are only expected to be positive or 0. An input validation check might assume that the value is positive, and only check for the maximum value. If the value is negative, but the code assumes that the value is positive, this can produce an error. The error may have security consequences if the negative value is used for memory allocation, array access, buffer access, etc. Ultimately, the error could lead to a buffer overflow or other type of memory corruption. The use of a negative number in a positive-only context could have security implications for other types of resources. For example, a shopping cart might check that the user is not requesting more than 10 items, but a request for -3 items could cause the application to calculate a negative price and credit the attacker's account.","::NATURE:ChildOf:CWE ID:187:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:195:VIEW ID:1000::NATURE:CanPrecede:CWE ID:682:VIEW ID:1000::NATURE:CanPrecede:CWE ID:119:VIEW ID:1000::NATURE:CanPrecede:CWE ID:124:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Often::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Often::","","::TERM:Signed comparison:DESCRIPTION:The signed comparison term is often used to describe when the program uses a signed variable and checks it to ensure that it is less than a maximum value (typically a maximum buffer size), but does not verify that it is greater than 0.::","","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Modify Application Data Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Modify Application Data Execute Unauthorized Code or Commands An attacker could modify the 
structure of the message or data being sent to the downstream component, possibly injecting commands.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (Other):NOTE:Availability DoS: Resource Consumption (Other) in some contexts, a negative value could lead to resource consumption.::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Modify Memory Read Memory:NOTE:Confidentiality Integrity Modify Memory Read Memory If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer.::","","::PHASE:Implementation:STRATEGY:Enforcement by Conversion:EFFECTIVENESS::DESCRIPTION:If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive.::","::REFERENCE:CVE-2010-1866:DESCRIPTION:Chain: integer overflow causes a negative signed value, which later bypasses a maximum-only check, leading to heap-based buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1866REFERENCE:CVE-2009-1099:DESCRIPTION:Chain: 16-bit counter can be interpreted as a negative value, compared to a 32-bit maximum value, leading to buffer under-write.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099REFERENCE:CVE-2011-0521:DESCRIPTION:Chain: kernel's lack of a check for a negative value leads to memory corruption.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0521REFERENCE:CVE-2010-3704:DESCRIPTION:Chain: parser uses atoi() but does not check for a negative value, which can happen on some platforms, leading to buffer 
under-write.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3704REFERENCE:CVE-2010-2530:DESCRIPTION:Chain: Negative value stored in an int bypasses a size check and causes allocation of large amounts of memory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2530REFERENCE:CVE-2009-3080:DESCRIPTION:Chain: negative offset value to IOCTL bypasses check for maximum index, then used as an array index for buffer under-read.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3080REFERENCE:CVE-2008-6393:DESCRIPTION:chain: file transfer client performs signed comparison, leading to integer overflow and heap-based buffer overflow.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6393REFERENCE:CVE-2008-4558:DESCRIPTION:chain: negative ID in media player bypasses check for maximum index, then used as an array index for buffer under-read.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4558","","","","","",
  673. 84,"Improper Neutralization of Encoded URI Schemes in a Web Page",Variant,Draft,"The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.","","::NATURE:ChildOf:CWE ID:79:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:79:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Resolve all URIs to absolute or canonical representations before processing.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Carefully check each input parameter against a rigorous positive specification (whitelist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. 
When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:With Struts, write all data from form beans with the bean's filter attribute set to true.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS:Defense in Depth:DESCRIPTION:To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. 
More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.::","::REFERENCE:CVE-2005-0563:DESCRIPTION:Cross-site scripting (XSS) vulnerability in Microsoft Outlook Web Access (OWA) component in Exchange Server 5.5 allows remote attackers to inject arbitrary web script or HTML via an email message with an encoded javascript: URL (jav&#X41sc&#0010;ript:) in an IMG tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0563REFERENCE:CVE-2005-2276:DESCRIPTION:Cross-site scripting (XSS) vulnerability in Novell Groupwise WebAccess 6.5 before July 11, 2005 allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an encoded javascript URI (e.g. j&#X41vascript in an IMG tag).:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2276REFERENCE:CVE-2005-0692:DESCRIPTION:Encoded script within BBcode IMG tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0692REFERENCE:CVE-2002-0117:DESCRIPTION:Encoded javascript in IMG tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0117REFERENCE:CVE-2002-0118:DESCRIPTION:Encoded javascript in IMG tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0118","","","TAXONOMY NAME:PLOVER:ENTRY NAME:XSS using Script Via Encoded URI Schemes::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::244::","",
  674. 841,"Improper Enforcement of Behavioral Workflow",Base,Incomplete,"The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.","By performing actions in an unexpected order, or by omitting steps, an attacker could manipulate the business logic of the software or cause it to enter an invalid state. In some cases, this can also expose resultant weaknesses. For example, a file-sharing protocol might require that an actor perform separate steps to provide a username, then a password, before being able to transfer files. If the file-sharing server accepts a password command followed by a transfer command, without any username being provided, the software might still perform the transfer. Note that this is different than CWE-696, which focuses on when the software performs actions in the wrong sequence; this entry is closely related, but it is focused on ensuring that the actor performs actions in the correct sequence. Workflow-related behaviors include: Steps are performed in the expected order. Required steps are not omitted. Steps are not interrupted. Steps are performed in a timely fashion.","::NATURE:ChildOf:CWE ID:691:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Alter Execution Logic:NOTE:Other Alter Execution Logic An attacker could cause the software to skip critical steps or perform them in the wrong order, bypassing its intended business logic. 
This can sometimes have security implications.::","","","::REFERENCE:CVE-2011-0348:DESCRIPTION:Bypass of access/billing restrictions by sending traffic to an unrestricted destination before sending to a restricted destination.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0348REFERENCE:CVE-2007-3012:DESCRIPTION:Attacker can access portions of a restricted page by canceling out of a dialog.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3012REFERENCE:CVE-2009-5056:DESCRIPTION:Ticket-tracking system does not enforce a permission setting.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5056REFERENCE:CVE-2004-2164:DESCRIPTION:Shopping cart does not close a database connection when user restores a previous order, leading to connection exhaustion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2164REFERENCE:CVE-2003-0777:DESCRIPTION:Chain: product does not properly handle dropped connections, leading to missing NULL terminator (CWE-170) and segmentation fault.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0777REFERENCE:CVE-2005-3327:DESCRIPTION:Chain: Authentication bypass by skipping the first startup step as required by the protocol.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3327REFERENCE:CVE-2004-0829:DESCRIPTION:Chain: File server crashes when sent a find next request without an initial find first.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0829REFERENCE:CVE-2010-2620:DESCRIPTION:FTP server allows remote attackers to bypass authentication by sending (1) LIST, (2) RETR, (3) STOR, or other commands without performing the required login steps first.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2620REFERENCE:CVE-2005-3296:DESCRIPTION:FTP server allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3296","","","TAXONOMY NAME:WASC:ENTRY ID:40:ENTRY NAME:Insufficient Process Validation::","","TYPE:Research Gap:NOTE:This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses. The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.::",
842,"Placement of User into Incorrect Group",Base,Incomplete,"The software or the administrator places a user into an incorrect group.","If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership.","::NATURE:ChildOf:CWE ID:286:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:286:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity::","","","::REFERENCE:CVE-1999-1193:DESCRIPTION:Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1193REFERENCE:CVE-2010-3716:DESCRIPTION:Chain: crafted web request allows the creation of users with arbitrary group membership.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3716REFERENCE:CVE-2008-5397:DESCRIPTION:Chain: improper processing of configuration options causes users to contain unintended group memberships.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5397REFERENCE:CVE-2007-6644:DESCRIPTION:CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6644REFERENCE:CVE-2007-3260:DESCRIPTION:Product assigns members to the root group, allowing escalation of privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3260REFERENCE:CVE-2002-0080:DESCRIPTION:Chain: daemon does not properly clear groups before dropping privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0080","","","","","",
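Added example for CWE-842, not code from the CWE entry or from any product it cites: an audit that parses /etc/group-format data and reports accounts holding a privileged group they are not entitled to (the administrator side of the weakness), and a privilege-drop routine that clears supplementary groups before setgid/setuid, the ordering whose absence the CVE-2002-0080 entry above describes. The group file text, the set of privileged groups and the entitlement table are constructed for illustration.

```python
import os

# Constructed sample in /etc/group format: name:password:gid:member,member
SAMPLE_GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob
docker:x:999:carol
users:x:100:alice,bob,carol
"""

# Groups that confer privilege on this host; assumed for the example
# (wheel grants su/sudo, docker is root-equivalent via the daemon socket).
PRIVILEGED_GROUPS = {"root", "wheel", "docker"}

# Who is entitled to which privileged group; assumed entitlement record.
ENTITLED = {"wheel": {"alice"}, "docker": set(), "root": set()}


def parse_group_file(text):
    """Return {group_name: set(members)} from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def unexpected_memberships(groups, privileged, entitled):
    """Return sorted (user, group) pairs where a user holds a privileged
    group without an entitlement: the CWE-842 condition seen from the
    administrator's side."""
    findings = []
    for g in sorted(privileged):
        for user in sorted(groups.get(g, ())):
            if user not in entitled.get(g, ()):
                findings.append((user, g))
    return findings


def drop_privileges(username):
    """Permanently drop from root to `username`. Supplementary groups are
    cleared first, then the gid, then the uid: setgroups needs root, so
    calling setuid first would leave root/wheel memberships in place."""
    import pwd  # POSIX only; imported here so the audit runs anywhere
    pw = pwd.getpwnam(username)
    os.setgroups([])               # must happen while still root
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # Verify: no leftover supplementary groups, and no way back to root.
    if os.getgroups() not in ([], [pw.pw_gid]):
        raise RuntimeError("supplementary groups not cleared")
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop is reversible")
```

The audit is the check to run against a real /etc/group or a directory export; `drop_privileges` needs root to exercise and is the shape of the sequence a daemon should use before handling untrusted input.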
843,"Access of Resource Using Incompatible Type ('Type Confusion')",Base,Incomplete,"The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.","When the program accesses the resource using an incompatible type, this could trigger logical errors because the resource does not have expected properties. In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access. While this weakness is frequently associated with unions when parsing data with many different embedded object types in C, it can be present in any application that can interpret the same variable or memory location in multiple ways. This weakness is not unique to C and C++. For example, errors in PHP applications can be triggered by providing array parameters when scalars are expected, or vice versa. Languages such as Perl, which perform automatic conversion of a variable of one type when it is accessed as if it were another type, can also contain these issues.","::NATURE:ChildOf:CWE ID:704:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:704:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:119:VIEW ID:1000::","","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Object Type Confusion:DESCRIPTION:::",":::PHASE:Implementation:DESCRIPTION:::","",,"","","","::REFERENCE:CVE-2010-4577:DESCRIPTION:Type confusion in CSS sequence leads to out-of-bounds read.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577REFERENCE:CVE-2011-0611:DESCRIPTION:Size inconsistency allows code execution, first discovered when it was actively exploited in-the-wild.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0611REFERENCE:CVE-2010-0258:DESCRIPTION:Improperly-parsed file containing records of different types leads to code execution when a memory location is interpreted as a different object than intended.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0258","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP39-C:ENTRY NAME:Do not access a variable through a pointer of an incompatible type:MAPPING FIT:Exact::","","TYPE:Applicable Platform:NOTE:This weakness is possible in any type-unsafe programming language.::::TYPE:Research Gap:NOTE:Type confusion weaknesses have received some attention by applied researchers and major software vendors for C and C++ code. Some publicly-reported vulnerabilities probably have type confusion as a root-cause weakness, but these may be described as memory corruption instead. This weakness seems likely to gain prominence in upcoming years. For other languages, there are very few public reports of type confusion weaknesses. These are probably under-studied. Since many programs rely directly or indirectly on loose typing, a potential type confusion behavior might be intentional, possibly requiring more manual analysis.::",
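Added example for CWE-843, in Python rather than C, of the "array parameters when scalars are expected, or vice versa" case the entry describes for loosely typed web code. It is not code from the CWE entry or any product it cites; the JSON bodies, the field names and the handler functions are constructed for illustration. The point shown is that the same operator (`in`) is a membership test on a list and a substring test on a str, so a caller who controls the type controls the meaning of the check.

```python
import json

# Constructed request bodies. The first is what the developer expected;
# the other two exercise the two directions of scalar/array confusion.
BODY_EXPECTED = '{"user": "alice", "roles": ["viewer"]}'
BODY_SCALAR_FOR_ARRAY = '{"user": "mallory", "roles": "not-an-admin"}'
BODY_ARRAY_FOR_SCALAR = '{"user": ["alice"], "roles": ["viewer"]}'


def is_admin_unchecked(body_text):
    """Vulnerable: `in` is a membership test on a list but a substring
    test on a str. Sending roles as the string "not-an-admin" makes
    'admin' in roles true, so the caller is treated as admin without
    holding the role."""
    body = json.loads(body_text)
    return "admin" in body["roles"]


def greeting_unchecked(body_text):
    """Vulnerable in the other direction: a list where a str is expected
    has no .lower(), so the handler raises AttributeError (an unhandled
    500, i.e. the logical-error outcome the entry mentions)."""
    body = json.loads(body_text)
    return "hello " + body["user"].lower()


def load_request(body_text):
    """Fixed: validate the type of every field before it is used and fail
    closed on anything else. (bool is a subclass of int in Python, so a
    numeric field would need the same care.)"""
    body = json.loads(body_text)
    user = body.get("user")
    roles = body.get("roles")
    if not isinstance(user, str):
        raise ValueError("user must be a string")
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles must be a list of strings")
    return {"user": user, "roles": roles}


def is_admin_checked(body_text):
    """Same check as is_admin_unchecked, on type-validated input only."""
    return "admin" in load_request(body_text)["roles"]


def outcome(fn, body_text):
    """Run a handler and return its result, or the exception class name,
    so each path can be shown without an exception escaping."""
    try:
        return fn(body_text)
    except Exception as e:  # demonstration only
        return type(e).__name__
```

The fix is a schema check at the trust boundary rather than a defensive cast at each use; a cast (`str(roles)`) would silently give the attacker's string yet another interpretation.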
85,"Doubled Character XSS Manipulations",Variant,Draft,"The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.","","::NATURE:ChildOf:CWE ID:79:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:79:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:675:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Read Application Data Execute Unauthorized Code or Commands::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Resolve all filtered input to absolute or canonical representations before processing.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Carefully check each input parameter against a rigorous positive specification (whitelist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:With Struts, write all data from form beans with the bean's filter attribute set to true.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS:Defense in Depth:DESCRIPTION:To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.::","::REFERENCE:CVE-2002-2086:DESCRIPTION:XSS using <script.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2086REFERENCE:CVE-2000-0116:DESCRIPTION:Encoded javascript in IMG tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0116REFERENCE:CVE-2001-1157:DESCRIPTION:Extra < in front of SCRIPT tag.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1157","","","TAXONOMY NAME:PLOVER:ENTRY NAME:DOUBLE - Doubled character XSS manipulations, e.g. "<script"::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::245::","",
86,"Improper Neutralization of Invalid Characters in Identifiers in Web Pages",Variant,Draft,"The software does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.","Some web browsers may remove these sequences, resulting in output that may have unintended control implications. For example, the software may attempt to remove a javascript: URI scheme, but a java%00script: URI may bypass this check and still be rendered as active javascript by some browsers, allowing XSS or other attacks.","::NATURE:ChildOf:CWE ID:79:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:79:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:184:VIEW ID:1000::NATURE:ChildOf:CWE ID:436:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Read Application Data Execute Unauthorized Code or Commands::","","::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS:Defense in Depth:DESCRIPTION:To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.::","::REFERENCE:CVE-2004-0595:DESCRIPTION:XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. Multiple Interpretation Error (MIE) and validate-before-cleanse.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0595","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Invalid Characters in Identifiers::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::247::73::85::","",
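Added example serving both CWE-85 (the entry above this one) and CWE-86, not code from either entry or from any product they cite. It places the two filters that fail, a one-pass blocklist that a doubled `<script` defeats and a literal prefix check that `java%00script:` slips past, beside the two mitigations the entries recommend: canonicalize first, then validate against a positive specification, and encode output for its context rather than trying to remove bad tokens. The input strings and the allowed-scheme list are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote, urlsplit

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def strip_script_once(s):
    """Vulnerable (CWE-85): a one-pass blocklist. Doubling the token makes
    the removal itself assemble the forbidden tag."""
    return re.sub(r"<script", "", s, flags=re.IGNORECASE)


def escape_html_text(s):
    """Fixed: encode everything that is special in the HTML text context
    instead of removing tokens. No doubling trick survives this."""
    return html.escape(s, quote=True)


def href_blocklist(href):
    """Vulnerable (CWE-86): a literal prefix check. "java%00script:" and
    "java\\x00script:" do not start with "javascript:", yet a browser that
    drops the NUL executes them."""
    return "#" if href.lower().startswith("javascript:") else href


def canonicalize(s, rounds=3):
    """Percent-decode until stable (bounded, so double encoding is
    resolved) and drop C0/DEL control characters, so the check below sees
    what a lenient browser would see."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return CONTROL_CHARS.sub("", s)


def safe_href(href, allowed_schemes=("http", "https")):
    """Fixed: canonicalize, then positively validate the scheme, and accept
    only if the raw and canonical forms agree on it (an input whose scheme
    changes under canonicalization is ambiguous and is rejected). Relative
    URLs have an empty scheme and are rejected here; an application that
    wants them should resolve them against its own origin first."""
    raw_scheme = urlsplit(href).scheme.lower()
    canon_scheme = urlsplit(canonicalize(href)).scheme.lower()
    if canon_scheme in allowed_schemes and raw_scheme == canon_scheme:
        return href
    return None
```

`safe_href` returns the caller's original string rather than the decoded one so that a valid URL's own percent-encoding (a `%26` in a query string, say) is not rewritten; the decoded form is used only for the decision.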
862,"Missing Authorization",Class,Incomplete,"The software does not perform an authorization check when an actor attempts to access a resource or perform an action.","Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are not applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.","::NATURE:ChildOf:CWE ID:285:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:285:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Often::TECHNOLOGY NAME:Database Server:TECHNOLOGY PREVALENCE:Often::","::An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement ACLs in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: No access, Read access, Change access, and Full control. Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.::","::TERM:AuthZ:DESCRIPTION:AuthZ is typically used as an abbreviation of authorization within the web application security community. It is also distinct from AuthC, which is an abbreviation of authentication. The use of Auth as an abbreviation is discouraged, since it could be used for either authentication or authorization.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data Read Files or Directories:NOTE:Confidentiality Read Application Data Read Files or Directories An attacker could read sensitive data, either by reading the data directly from a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to read the data.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data Modify Files or Directories:NOTE:Integrity Modify Application Data Modify Files or Directories An attacker could modify sensitive data, either by writing the data directly to a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to write the data.::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Bypass Protection Mechanism:NOTE:Access Control Gain Privileges or Assume Identity Bypass Protection Mechanism An attacker could gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:Limited:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.::METHOD:Manual Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page. One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.::PHASE:System Configuration Installation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a default deny policy when defining these ACLs.::","::REFERENCE:CVE-2009-3168:DESCRIPTION:Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3168REFERENCE:CVE-2009-3597:DESCRIPTION:Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3597REFERENCE:CVE-2009-2282:DESCRIPTION:Terminal server does not check authorization for guest access.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2282REFERENCE:CVE-2008-5027:DESCRIPTION:System monitoring software allows users to bypass authorization by creating custom forms.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5027REFERENCE:CVE-2009-3781:DESCRIPTION:Content management system does not check access permissions for private files, allowing others to view those files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3781REFERENCE:CVE-2008-6548:DESCRIPTION:Product does not check the ACL of a page accessed using an include directive, allowing attackers to read unauthorized files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6548REFERENCE:CVE-2009-2960:DESCRIPTION:Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2960REFERENCE:CVE-2009-3230:DESCRIPTION:Database server does not use appropriate privileges for certain sensitive operations.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230REFERENCE:CVE-2009-2213:DESCRIPTION:Gateway uses default Allow configuration for its authorization settings.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2213REFERENCE:CVE-2009-0034:DESCRIPTION:Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0034REFERENCE:CVE-2008-6123:DESCRIPTION:Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123REFERENCE:CVE-2008-7109:DESCRIPTION:Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7109REFERENCE:CVE-2008-3424:DESCRIPTION:Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3424REFERENCE:CVE-2008-4577:DESCRIPTION:ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577REFERENCE:CVE-2007-2925:DESCRIPTION:Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925REFERENCE:CVE-2006-6679:DESCRIPTION:Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6679REFERENCE:CVE-2005-3623:DESCRIPTION:OS kernel does not check for a certain privilege before setting ACLs for files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3623REFERENCE:CVE-2005-2801:DESCRIPTION:Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2801REFERENCE:CVE-2001-1155:DESCRIPTION:Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1155","","","","","",
  680. 863,"Incorrect Authorization",Class,Incomplete,"The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.","Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are incorrectly applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.","::NATURE:ChildOf:CWE ID:285:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:285:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Often::TECHNOLOGY NAME:Database Server:TECHNOLOGY PREVALENCE:Often::","::An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: No access, Read access, Change access, and Full control. Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.::","::TERM:AuthZ:DESCRIPTION:AuthZ is typically used as an abbreviation of authorization within the web application security community. 
It is also distinct from AuthC, which is an abbreviation of authentication. The use of Auth as an abbreviation is discouraged, since it could be used for either authentication or authorization.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data Read Files or Directories:NOTE:Confidentiality Read Application Data Read Files or Directories An attacker could read sensitive data, either by reading the data directly from a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to read the data.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data Modify Files or Directories:NOTE:Integrity Modify Application Data Modify Files or Directories An attacker could modify sensitive data, either by writing the data directly to a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to write the data.::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity Bypass Protection Mechanism:NOTE:Access Control Gain Privileges or Assume Identity Bypass Protection Mechanism An attacker could gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.::","::METHOD:Automated Static Analysis:EFFECTIVENESS:Limited:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS::DESCRIPTION:Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.::METHOD:Manual Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: 
Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. 
For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page. One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.::PHASE:System Configuration Installation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a default deny policy when defining these ACLs.::","::REFERENCE:CVE-2009-2213:DESCRIPTION:Gateway uses default Allow configuration for its authorization settings.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2213REFERENCE:CVE-2009-0034:DESCRIPTION:Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0034REFERENCE:CVE-2008-6123:DESCRIPTION:Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123REFERENCE:CVE-2008-7109:DESCRIPTION:Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7109REFERENCE:CVE-2008-3424:DESCRIPTION:Chain: product does not properly handle wildcards in an 
authorization policy list, allowing unintended access.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3424REFERENCE:CVE-2008-4577:DESCRIPTION:ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577REFERENCE:CVE-2006-6679:DESCRIPTION:Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6679REFERENCE:CVE-2005-2801:DESCRIPTION:Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2801REFERENCE:CVE-2001-1155:DESCRIPTION:Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1155","","","","","",
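The CWE-285 mitigations above (partition functionality by role, default-deny ACLs, check the business-logic relationship between the user and the record, and enforce the check server-side on every request) carried through in one Python example. This is an added illustration written for this page, not CWE code and not taken from the RBAC, JAAS or ESAPI references; the role names, the action names, the Record layout and the in-memory RECORDS store are assumptions.

```python
"""Server-side authorization with default deny, RBAC, and an ownership check.

Added example for CWE-285; the roles, action names and record store are
assumptions made for illustration, not from any real framework.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str          # "anonymous", "user" or "admin"


@dataclass(frozen=True)
class Record:
    id: int
    owner_id: int      # the patient who owns the record
    public: bool


# Role -> permissions. Anything absent here is denied (default deny), so a
# new role or a typo in a role name grants nothing rather than everything.
ROLE_PERMISSIONS = {
    "anonymous": frozenset({"record:read_public"}),
    "user":      frozenset({"record:read_public", "record:read_own",
                            "record:update_own"}),
    "admin":     frozenset({"record:read_public", "record:read_own",
                            "record:update_own", "record:read_any",
                            "record:update_any"}),
}


def has_permission(user: User, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(user.role, frozenset())


def is_allowed(user: User, action: str, record: Record) -> bool:
    """Combine the role check (vertical) with the ownership check (horizontal).

    The RBAC table alone would let any "user" read any record; the owner_id
    comparison is the business-logic check that stops user A reading user B.
    """
    if action == "read":
        if record.public and has_permission(user, "record:read_public"):
            return True
        if record.owner_id == user.id and has_permission(user, "record:read_own"):
            return True
        return has_permission(user, "record:read_any")
    if action == "update":
        if record.owner_id == user.id and has_permission(user, "record:update_own"):
            return True
        return has_permission(user, "record:update_any")
    return False   # unknown action: deny


# Constructed sample data standing in for a database.
RECORDS = {
    1: Record(id=1, owner_id=10, public=False),
    2: Record(id=2, owner_id=11, public=False),
    3: Record(id=3, owner_id=11, public=True),
}


def handle_request(user: User, action: str, record_id: int) -> str:
    """Single entry point every request goes through, so the check cannot be
    skipped by requesting a "hidden" page directly. Missing and forbidden
    look the same to the caller, so the check does not leak which IDs exist."""
    record = RECORDS.get(record_id)
    if record is None or not is_allowed(user, action, record):
        raise PermissionError(f"{action} on record {record_id} denied")
    return f"{action} record {record.id}"


if __name__ == "__main__":
    alice = User(10, "user")
    print(handle_request(alice, "read", 1))   # own record: allowed
    try:
        handle_request(alice, "read", 2)      # another user's private record
    except PermissionError as err:
        print(err)
```

The RBAC table answers the vertical question (may this role do this at all); the owner_id comparison inside is_allowed is the horizontal check that the text notes RBAC alone does not give you. Because handle_request is the only route to a record there is no page to request directly, and returning the same PermissionError for missing and forbidden records keeps the authorization check from doubling as an ID oracle.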
87,"Improper Neutralization of Alternate XSS Syntax",Variant,Draft,"The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.","","::NATURE:ChildOf:CWE ID:79:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:79:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Read Application Data Execute Unauthorized Code or Commands::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Resolve all input to absolute or canonical representations before processing.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Carefully check each input parameter against a rigorous positive specification (whitelist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. 
When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:With Struts, write all data from form beans with the bean's filter attribute set to true.::PHASE:Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS:Defense in Depth:DESCRIPTION:To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.::","::REFERENCE:CVE-2002-0738:DESCRIPTION:XSS using &={script}.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0738","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Alternate XSS syntax::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::199::","",
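The CWE-87 entry above says three things: canonicalize before checking, do not rely on a filter that knows one spelling of script syntax, and encode on output (with HttpOnly as defense in depth for the session cookie). The following Python example, added for this page and not code from CWE or any referenced project, puts those side by side: a naive blacklist and three constructed payloads that walk past it, canonicalization that repeats until the value is stable, a detection pattern applied to the canonical form, and contextual output encoding. The HTML body context for the rendered comment and the cookie name are assumptions.

```python
"""Alternate XSS syntax versus canonicalization and output encoding (CWE-87).

Added example for this page, not code from CWE or any referenced project.
The comment-rendering context (an HTML <p> body) and the cookie name are
assumptions made for illustration.
"""
import html
import re
from http.cookies import SimpleCookie


def naive_filter(s: str) -> str:
    """The blacklist approach the text warns against: remove one spelling of
    the script tag and let everything else through."""
    return re.sub(r"</?script>", "", s, flags=re.IGNORECASE)


def canonicalize(s: str, max_rounds: int = 5) -> str:
    """Resolve HTML entity encoding before any check is made. Decoding is
    repeated until the value stops changing, which defeats double encoding
    (CWE-174) at the cost of also decoding legitimately encoded text."""
    for _ in range(max_rounds):
        decoded = html.unescape(s)
        if decoded == s:
            return s
        s = decoded
    raise ValueError("input did not reach a stable form")


# Detection-only pattern: script tags, on* event-handler attributes and
# javascript: URLs. Useful for rejecting or logging suspicious input, never
# as the sole defense, because alternate syntax is open-ended.
ACTIVE_CONTENT = re.compile(
    r"<\s*script|<\s*\w+[^>]*\son\w+\s*=|javascript\s*:", re.IGNORECASE
)


def looks_like_active_content(s: str) -> bool:
    """Check the canonical form, so &lt;script&gt; is seen as <script>."""
    return ACTIVE_CONTENT.search(canonicalize(s)) is not None


def render_comment_html(comment: str) -> str:
    """The effective mitigation: encode for the output context (HTML body).
    Every <, >, &, " and ' becomes an entity, so no spelling of script
    syntax survives, whether or not it was detected."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def session_cookie_header(token: str) -> str:
    """Defense in depth from the text: HttpOnly keeps document.cookie from
    reading the session token if a script does get injected."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output()


if __name__ == "__main__":
    # Constructed payloads: each gets past naive_filter in a different way.
    for payload in (
        "<scr<script>ipt>alert(1)</scr</script>ipt>",   # tag rebuilt after removal
        "<img src=x onerror=alert(1)>",                 # no script tag at all
        "&lt;script&gt;alert(1)&lt;/script&gt;",        # entity-encoded, decoded downstream
        "&amp;lt;script&amp;gt;",                       # double-encoded
    ):
        print(repr(naive_filter(payload)), looks_like_active_content(payload))
        print(render_comment_html(payload))
    print(session_cookie_header("abc123"))
```

The first payload is the case the text is about: removing the literal string `<script>` once leaves a new `<script>` behind. The third and fourth show why canonicalization has to come before validation; the caveat from the text applies, since a value that legitimately contained `&amp;lt;` is changed by the same decoding.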
88,"Argument Injection or Modification",Base,Draft,"The software does not sufficiently delimit the arguments being passed to a component in another control sphere, allowing alternate arguments to be provided, leading to potentially security-relevant changes.","","::NATURE:ChildOf:CWE ID:77:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:77:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:77:VIEW ID:1003:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Alter Execution Logic Read Application Data Modify Application Data:NOTE:Confidentiality Integrity Availability Other Execute Unauthorized Code or Commands Alter Execution Logic Read Application Data Modify Application Data An attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified or could cause other unintended behavior.::","","::PHASE:Architecture and Design:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. 
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control. Consider performing repeated canonicalization until your input does not change any more. 
This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::","::REFERENCE:CVE-1999-0113:DESCRIPTION:Canonical Example:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0113REFERENCE:CVE-2001-0150:DESCRIPTION:Web browser executes Telnet sessions using command line arguments that are specified by the web site, which could allow remote attackers to execute arbitrary commands.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0150REFERENCE:CVE-2001-0667:DESCRIPTION:Web browser allows remote attackers to execute commands by spawning Telnet with a log file option on the command line and writing arbitrary code into an executable file which is later executed.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0667REFERENCE:CVE-2002-0985:DESCRIPTION:Argument injection vulnerability in the mail function for PHP may allow attackers to bypass safe mode restrictions and modify command line arguments to the MTA (e.g. 
sendmail) possibly executing commands.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0985REFERENCE:CVE-2003-0907:DESCRIPTION:Help and Support center in windows does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0907REFERENCE:CVE-2004-0121:DESCRIPTION:Mail client does not sufficiently filter parameters of mailto: URLs when using them as arguments to mail executable, which allows remote attackers to execute arbitrary programs.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0121REFERENCE:CVE-2004-0473:DESCRIPTION:Web browser doesn't filter - when invoking various commands, allowing command-line switches to be specified.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0473REFERENCE:CVE-2004-0480:DESCRIPTION:Mail client allows remote attackers to execute arbitrary code via a URI that uses a UNC network share pathname to provide an alternate configuration file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0480REFERENCE:CVE-2004-0489:DESCRIPTION:SSH URI handler for web browser allows remote attackers to execute arbitrary code or conduct port forwarding via the a command line option.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0489REFERENCE:CVE-2004-0411:DESCRIPTION:Web browser doesn't filter - when invoking various commands, allowing command-line switches to be specified.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0411REFERENCE:CVE-2005-4699:DESCRIPTION:Argument injection vulnerability in TellMe 1.2 and earlier allows remote attackers to modify command line arguments for the Whois program and obtain sensitive information via -- style options in the q_Host parameter.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4699REFERENCE:CVE-2006-1865:DESCRIPTION:Beagle before 0.2.5 can produce certain insecure command lines to launch 
external helper applications while indexing, which allows attackers to execute arbitrary commands. NOTE: it is not immediately clear whether this issue involves argument injection, shell metacharacters, or other issues.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1865REFERENCE:CVE-2006-2056:DESCRIPTION:Argument injection vulnerability in Internet Explorer 6 for Windows XP SP2 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2056REFERENCE:CVE-2006-2057:DESCRIPTION:Argument injection vulnerability in Mozilla Firefox 1.0.6 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2057REFERENCE:CVE-2006-2058:DESCRIPTION:Argument injection vulnerability in Avant Browser 10.1 Build 17 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. 
NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2058REFERENCE:CVE-2006-2312:DESCRIPTION:Argument injection vulnerability in the URI handler in Skype 2.0.*.104 and 2.5.*.0 through 2.5.*.78 for Windows allows remote authorized attackers to download arbitrary files via a URL that contains certain command-line switches.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2312REFERENCE:CVE-2006-3015:DESCRIPTION:Argument injection vulnerability in WinSCP 3.8.1 build 328 allows remote attackers to upload or download arbitrary files via encoded spaces and double-quote characters in a scp or sftp URI.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3015REFERENCE:CVE-2006-4692:DESCRIPTION:Argument injection vulnerability in the Windows Object Packager (packager.exe) in Microsoft Windows XP SP1 and SP2 and Server 2003 SP1 and earlier allows remote user-assisted attackers to execute arbitrary commands via a crafted file with a / (slash) character in the filename of the Command Line property, followed by a valid file extension, which causes the command before the slash to be executed, aka Object Packager Dialogue Spoofing Vulnerability.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4692REFERENCE:CVE-2006-6597:DESCRIPTION:Argument injection vulnerability in HyperAccess 8.4 allows user-assisted remote attackers to execute arbitrary vbscript and commands via the /r option in a telnet:// URI, which is configured to use hawin32.exe.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6597REFERENCE:CVE-2007-0882:DESCRIPTION:Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client -f sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin 
account.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882REFERENCE:CVE-2001-1246:DESCRIPTION:Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1246","","System Process::","TAXONOMY NAME:PLOVER:ENTRY NAME:Argument Injection or Modification::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ENV03-C:ENTRY NAME:Sanitize the environment when invoking external programs::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:ENV33-C:ENTRY NAME:Do not call system():MAPPING FIT:Imprecise::::TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:STR02-C:ENTRY NAME:Sanitize data passed to complex subsystems::::TAXONOMY NAME:WASC:ENTRY ID:30:ENTRY NAME:Mail Command Injection::","::133::41::460::88::","TYPE:Relationship:NOTE:At one layer of abstraction, this can overlap other weaknesses that have whitespace problems, e.g. injection of javascript into attributes of HTML tags.::",
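Most of the CWE-88 observed examples above share one shape: a value the attacker controls lands on a helper program's command line and starts with a dash, so the helper reads it as an option (the telnet log-file option in CVE-2001-0667, the `--` style whois options in CVE-2005-4699). The Python example below, added for this page and not code from CWE or from any product named in those examples, shows the pass-through argv beside the two fixes the mitigations call for: an accept-known-good check on the value, and the `--` end-of-options delimiter as defense in depth. The "netlookup" helper, its -o/--output option and the hostname rule are assumptions; argparse plays the part of the external program's own option parser so the example runs without spawning anything.

```python
"""Argument injection (CWE-88): an untrusted value that begins with "-" is
read by the called program as an option, not as data.

Added example for this page, not code from CWE or from any product in the
observed-examples list. The "netlookup" helper, its -o/--output option and
the hostname rule are assumptions; argparse plays the part of the external
program's own option parser so the example runs without spawning anything.
"""
import argparse
import re
import subprocess
from typing import List

HELPER = "netlookup"   # hypothetical external program, like whois or telnet
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def helper_parser() -> argparse.ArgumentParser:
    """Model of the helper's command line: "-o FILE" writes output to FILE,
    the same shape as the telnet log-file option in the examples above."""
    parser = argparse.ArgumentParser(prog=HELPER, add_help=False)
    parser.add_argument("-o", "--output")
    parser.add_argument("host", nargs="?")
    return parser


def parse_as_helper(args: List[str]) -> argparse.Namespace:
    """What the helper sees, given the argv tail we hand to it."""
    return helper_parser().parse_args(args)


def vulnerable_argv(host: str) -> List[str]:
    """Passes the value straight through. No shell is involved, so CWE-78 does
    not apply, but the helper still interprets a leading dash as an option."""
    return [HELPER, host]


def end_of_options_argv(host: str) -> List[str]:
    """Defense in depth: the "--" delimiter tells getopt-style parsers that
    everything after it is an operand, so even "-o" is treated as a host."""
    return [HELPER, "--", host]


def validate_host(host: str) -> str:
    """Accept-known-good check: the first character must be alphanumeric,
    which rules out "-" as well as whitespace and quoting characters."""
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def safe_argv(host: str) -> List[str]:
    """Both layers together: validate, then delimit."""
    return end_of_options_argv(validate_host(host))


def run_lookup(host: str) -> subprocess.CompletedProcess:
    """How the argv is actually used: list form, never shell=True, never
    string concatenation into a popen() command (compare CVE-2001-1246)."""
    return subprocess.run(safe_argv(host), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    attacker_host = "--output=/tmp/owned"   # constructed attacker-controlled value
    print(parse_as_helper(vulnerable_argv(attacker_host)[1:]))       # host=None, output set
    print(parse_as_helper(end_of_options_argv(attacker_host)[1:]))   # host=value, output=None
    print(safe_argv("example.com"))
```

The `--` delimiter only helps if the helper's parser honours it, which is why the validator stays in front of it; and neither layer is a substitute for not using the shell, since a list argv removes the CWE-78 problem but, as the examples above show, not the CWE-88 one.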
89,"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",Base,Draft,"The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.","Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands. SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. 
This flaw depends on the fact that SQL makes no real distinction between the control and data planes.","::NATURE:ChildOf:CWE ID:943:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:943:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:943:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::TECHNOLOGY NAME:Database Server:TECHNOLOGY PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:Operation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL injection vulnerabilities.::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL injection vulnerability.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack.::","::METHOD:Automated Static Analysis:EFFECTIVENESS::DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or do not require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke SQL commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:EFFECTIVENESS:Moderate:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Analysis:EFFECTIVENESS::DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. 
This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Dynamic Analysis with Automated Results Interpretation:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Database Scanners Cost effective for partial coverage: Web Application Scanner Web Services Scanner::METHOD:Dynamic Analysis with Manual Results Interpretation:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or 
framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.::PHASE:Architecture and Design:STRATEGY:Parameterization:EFFECTIVENESS::DESCRIPTION:If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using exec or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. Specifically, follow the principle of least privilege when creating user accounts to a SQL database. The database users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data. 
Use the strictest permissions possible on all database objects, such as execute-only for stored procedures.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). Instead of building a new implementation, such features may be available in the database or programming language. For example, the Oracle DBMS_ASSERT package can check or enforce that parameters have certain properties that make them less vulnerable to SQL injection. For MySQL, the mysql_real_escape_string() API function is available in both C and PHP.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. 
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When constructing SQL query strings, use stringent whitelists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping. Note that proper output encoding, escaping, and quoting is the most effective solution for preventing SQL injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent SQL injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, the name O'Reilly would likely pass the validation step, since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the ' apostrophe character, which would need to be escaped or otherwise handled. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded. When feasible, it may be safest to disallow meta-characters entirely, instead of escaping them. This will provide some defense in depth. After the data is entered into the database, later processes may neglect to escape meta-characters before use, and you may not have control over those processes.::PHASE:Architecture and Design:STRATEGY:Enforcement by Conversion:EFFECTIVENESS::DESCRIPTION:When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Ensure that error messages only contain minimal details that are useful to the intended audience, and nobody else. The messages need to strike the balance between being too cryptic and not being cryptic enough. They should not necessarily reveal the methods that were used to determine the error. Such detailed information can be used to refine the original attack to increase the chances of success. If errors must be tracked in some detail, capture them in log messages - but consider what could occur if the log messages can be viewed by attackers. Avoid recording highly sensitive information such as passwords in any form. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not. In the context of SQL Injection, error messages revealing the structure of a SQL query can help attackers tailor successful attack strings.::PHASE:Operation:STRATEGY:Firewall:EFFECTIVENESS:Moderate:DESCRIPTION:Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.::PHASE:Operation Implementation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.::","::REFERENCE:CVE-2004-0366:DESCRIPTION:chain: SQL injection in library intended for database authentication allows SQL injection and authentication bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0366REFERENCE:CVE-2008-2790:DESCRIPTION:SQL injection through an ID that was supposed to be numeric.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2790REFERENCE:CVE-2008-2223:DESCRIPTION:SQL injection through an ID that was supposed to be numeric.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2223REFERENCE:CVE-2007-6602:DESCRIPTION:SQL injection via user name.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6602REFERENCE:CVE-2008-5817:DESCRIPTION:SQL injection via user name or password fields.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5817REFERENCE:CVE-2003-0377:DESCRIPTION:SQL injection in security product, using a crafted group name.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0377REFERENCE:CVE-2008-2380:DESCRIPTION:SQL injection in authentication library.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2380REFERENCE:CVE-2017-11508:DESCRIPTION:SQL injection in vulnerability management and reporting tool, using a crafted password.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11508","","","TAXONOMY NAME:PLOVER:ENTRY NAME:SQL injection::::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:SQL Injection::::TAXONOMY NAME:CLASP:ENTRY NAME:SQL injection::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A2:ENTRY NAME:Injection Flaws:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A1:ENTRY NAME:Unvalidated Input:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A6:ENTRY NAME:Injection Flaws:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:19:ENTRY NAME:SQL Injection::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::108::109::110::470::66::7::","TYPE:Relationship:NOTE:SQL injection can be resultant from special character mismanagement, MAID, or blacklist/whitelist problems. It can be primary to authentication errors.::",
9,"J2EE Misconfiguration: Weak Access Permissions for EJB Methods",Variant,Draft,"If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the software system.","If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible.","::NATURE:ChildOf:CWE ID:266:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:TECHNICAL IMPACT:Other::","","::PHASE:Architecture and Design System Configuration:STRATEGY::EFFECTIVENESS::DESCRIPTION:Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:J2EE Misconfiguration: Weak Access Permissions::","","",
90,"Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')",Base,Draft,"The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.","","::NATURE:ChildOf:CWE ID:943:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:943:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:943:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::TECHNOLOGY NAME:Database Server:TECHNOLOGY PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Read Application Data Modify Application Data:NOTE:Confidentiality Integrity Availability Execute Unauthorized Code or Commands Read Application Data Modify Application Data An attacker could include input that changes the LDAP query which allows unintended commands or code to be executed, allows sensitive data to be read or modified or causes other unintended behavior.::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::","::REFERENCE:CVE-2005-2301:DESCRIPTION:Server does not properly escape LDAP queries, which allows remote attackers to cause a DoS and possibly conduct an LDAP injection attack.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2301","","","TAXONOMY NAME:PLOVER:ENTRY NAME:LDAP injection::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A2:ENTRY NAME:Injection Flaws:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:29:ENTRY NAME:LDAP Injection::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::136::","TYPE:Relationship:NOTE:Factors: resultant to special character mismanagement, MAID, or blacklist/whitelist problems. Can be primary to authentication and verification errors.::::TYPE:Research Gap:NOTE:Under-reported. This is likely found very frequently by third party code auditors, but there are very few publicly reported examples.::",
908,"Use of Uninitialized Resource",Base,Incomplete,"The software uses a resource that has not been properly initialized.","This can have security implications when the associated resource is expected to have certain properties or values.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory Read Application Data:NOTE:Confidentiality Read Memory Read Application Data When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid race conditions (CWE-362) during initialization routines.::PHASE:Build and Compilation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Run or compile the software with settings that generate warnings about uninitialized variables or data.::","::REFERENCE:CVE-2008-4197:DESCRIPTION:Use of uninitialized memory may allow code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4197REFERENCE:CVE-2008-2934:DESCRIPTION:Free of an uninitialized pointer leads to crash and possible code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2934REFERENCE:CVE-2008-0063:DESCRIPTION:Product does not clear memory contents when generating an error message, leading to information leak.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063REFERENCE:CVE-2008-0062:DESCRIPTION:Lack of initialization triggers NULL pointer dereference or double-free.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062REFERENCE:CVE-2008-0081:DESCRIPTION:Uninitialized variable leads to code execution in popular desktop application.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0081REFERENCE:CVE-2008-3688:DESCRIPTION:chain: Uninitialized variable leads to infinite loop.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3688REFERENCE:CVE-2008-3475:DESCRIPTION:chain: Improper initialization leads to memory corruption.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3475REFERENCE:CVE-2005-1036:DESCRIPTION:Permission bitmap is not properly initialized, leading to resultant privilege elevation or DoS.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1036REFERENCE:CVE-2008-3597:DESCRIPTION:chain: game server can access player data structures before initialization has happened leading to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3597REFERENCE:CVE-2009-2692:DESCRIPTION:chain: uninitialized function pointers can be dereferenced allowing code execution:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692REFERENCE:CVE-2009-0949:DESCRIPTION:chain: improper initialization of memory can lead to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0949REFERENCE:CVE-2009-3620:DESCRIPTION:chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3620","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:EXP33-C:ENTRY NAME:Do not read uninitialized memory:MAPPING FIT:CWE More Abstract::","","",
909,"Missing Initialization of Resource",Base,Incomplete,"The software does not initialize a critical resource.","Many resources require initialization before they can be properly used. If a resource is not initialized, it could contain unpredictable or expired data, or it could be initialized to defaults that are invalid. This can have security implications when the resource is expected to have certain properties or values.","::NATURE:ChildOf:CWE ID:665:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:908:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::ORDINALITY:Resultant:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Memory Read Application Data:NOTE:Confidentiality Read Memory Read Application Data When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid race conditions (CWE-362) during initialization routines.::PHASE:Build and Compilation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Run or compile your software with settings that generate warnings about uninitialized variables or data.::","","","","","","",
91,"XML Injection (aka Blind XPath Injection)",Base,Draft,"The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.","Within XML, special elements could include reserved words or characters such as <, >, , and &, which could then be used to add new data or modify XML syntax.","::NATURE:ChildOf:CWE ID:74:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Read Application Data Modify Application Data::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:XML injection (aka Blind Xpath injection)::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A2:ENTRY NAME:Injection Flaws:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A6:ENTRY NAME:Injection Flaws:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:23:ENTRY NAME:XML Injection::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::250::83::","TYPE:Maintenance:NOTE:The description for this entry is generally applicable to XML, but the name includes blind XPath injection which is more closely associated with CWE-643. Therefore this entry might need to be deprecated or converted to a general category - although injection into raw XML is not covered by CWE-643 or CWE-652.::::TYPE:Theoretical:NOTE:In vulnerability theory terms, this is a representation-specific case of a Data/Directive Boundary Error.::::TYPE:Research Gap:NOTE:Under-reported. This is likely found regularly by third party code auditors, but there are very few publicly reported examples.::",
910,"Use of Expired File Descriptor",Base,Incomplete,"The software uses or accesses a file descriptor after it has been closed.","After a file descriptor for a particular file or device has been released, it can be reused. The code might not write to the original file, since the reused file descriptor might reference a different file or device.","::NATURE:ChildOf:CWE ID:672:VIEW ID:1000:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::ORDINALITY:Resultant:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Sometimes::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Sometimes:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Stale file descriptor:DESCRIPTION:::",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories:NOTE:Confidentiality Read Files or Directories The program could read data from the wrong file.::SCOPE:Availability:TECHNICAL IMPACT:DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Crash, Exit, or Restart Accessing a file descriptor that has been closed can cause a crash.::","","","","","","TAXONOMY NAME:CERT C Secure Coding:ENTRY ID:FIO46-C:ENTRY NAME:Do not access a closed file:MAPPING FIT:Exact::","","",
911,"Improper Update of Reference Count",Base,Incomplete,"The software uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.","Reference counts can be used when tracking how many objects contain a reference to a particular resource, such as in memory management or garbage collection. When the reference count reaches zero, the resource can be de-allocated or reused because there are no more objects that use it. If the reference count accidentally reaches zero, then the resource might be released too soon, even though it is still in use. If all objects no longer use the resource, but the reference count is not zero, then the resource might not ever be released.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:672:VIEW ID:1000::NATURE:CanPrecede:CWE ID:772:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:C:LANGUAGE PREVALENCE:Sometimes::LANGUAGE NAME:C++:LANGUAGE PREVALENCE:Sometimes:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"","","","::REFERENCE:CVE-2002-0574:DESCRIPTION:chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0574REFERENCE:CVE-2004-0114:DESCRIPTION:Reference count for shared memory not decremented when a function fails, potentially allowing unprivileged users to read kernel memory.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0114REFERENCE:CVE-2006-3741:DESCRIPTION:chain: improper reference count tracking leads to file descriptor consumption:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3741REFERENCE:CVE-2007-1383:DESCRIPTION:chain: integer overflow in reference counter causes the same variable to be destroyed twice.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1383REFERENCE:CVE-2007-1700:DESCRIPTION:Incorrect reference count calculation leads to improper object destruction and code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1700REFERENCE:CVE-2008-2136:DESCRIPTION:chain: incorrect update of reference count leads to memory leak.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2136REFERENCE:CVE-2008-2785:DESCRIPTION:chain/composite: use of incorrect data type for a reference counter allows an overflow of the counter, leading to a free of memory that is still in use.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2785REFERENCE:CVE-2008-5410:DESCRIPTION:Improper reference counting leads to failure of cryptographic operations.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5410REFERENCE:CVE-2009-1709:DESCRIPTION:chain: improper reference counting in a garbage collection routine leads to use-after-free:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1709REFERENCE:CVE-2009-3553:DESCRIPTION:chain: reference count not correctly maintained when client disconnects during a large operation, leading to a use-after-free.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3553REFERENCE:CVE-2009-3624:DESCRIPTION:Reference count not always incremented, leading to crash or code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3624REFERENCE:CVE-2010-0176:DESCRIPTION:improper reference counting leads to expired pointer dereference.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0176REFERENCE:CVE-2010-0623:DESCRIPTION:OS kernel increments reference count twice but only decrements once, leading to resource consumption and crash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0623REFERENCE:CVE-2010-2549:DESCRIPTION:OS kernel driver allows code execution:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2549REFERENCE:CVE-2010-4593:DESCRIPTION:improper reference counting leads to exhaustion of IP addresses:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4593REFERENCE:CVE-2011-0695:DESCRIPTION:Race condition causes reference counter to be decremented prematurely, leading to the destruction of still-active object and an invalid pointer dereference.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0695REFERENCE:CVE-2012-4787:DESCRIPTION:improper reference counting leads to use-after-free:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4787","","","","","",
912,"Hidden Functionality",Class,Incomplete,"The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software's users or administrators.","Hidden functionality can take many forms, such as intentionally malicious code, Easter Eggs that contain extraneous functionality such as games, developer-friendly shortcuts that reduce maintenance or support costs such as hard-coded accounts, etc. From a security perspective, even when the functionality is not intentionally malicious or damaging, it can increase the software's attack surface and expose additional weaknesses beyond what is already exposed by the intended functionality. Even if it is not easily accessible, the hidden functionality could be useful for attacks that modify the control flow of the application.","::NATURE:ChildOf:CWE ID:710:VIEW ID:1000:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Other:SCOPE:Integrity:TECHNICAL IMPACT:Varies by Context Alter Execution Logic::","","::PHASE:Installation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Always verify the integrity of the software that is being installed.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Conduct a code coverage analysis using live testing, then closely inspect any code that is not covered.::","","","","","","",
913,"Improper Control of Dynamically-Managed Code Resources",Class,Incomplete,"The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.","Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:664:VIEW ID:1003:ORDINAL:Primary::","","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::SCOPE:Other:SCOPE:Integrity:TECHNICAL IMPACT:Varies by Context Alter Execution Logic::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:For any externally-influenced input, check the input against a white list of acceptable values.::PHASE:Implementation Architecture and Design:STRATEGY:Refactoring:EFFECTIVENESS::DESCRIPTION:Refactor the code so that it does not need to be dynamically managed.::","","","","","","",
914,"Improper Control of Dynamically-Identified Variables",Base,Incomplete,"The software does not properly restrict reading from or writing to dynamically-identified variables.","Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications.","::NATURE:ChildOf:CWE ID:99:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:99:VIEW ID:699::NATURE:ChildOf:CWE ID:913:VIEW ID:1000::NATURE:ChildOf:CWE ID:913:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data An attacker could modify sensitive data or program variables.::SCOPE:Integrity:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::SCOPE:Other:SCOPE:Integrity:TECHNICAL IMPACT:Varies by Context Alter Execution Logic::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:For any externally-influenced input, check the input against a white list of internal program variables that are allowed to be modified.::PHASE:Implementation Architecture and Design:STRATEGY:Refactoring:EFFECTIVENESS::DESCRIPTION:Refactor the code so that internal program variables do not need to be dynamically identified.::","::REFERENCE:CVE-2006-7135:DESCRIPTION:extract issue enables file inclusion:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7135REFERENCE:CVE-2006-7079:DESCRIPTION:extract used for register_globals compatibility layer, enables path traversal:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7079REFERENCE:CVE-2007-0649:DESCRIPTION:extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0649REFERENCE:CVE-2006-6661:DESCRIPTION:extract() enables static code injection:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6661REFERENCE:CVE-2006-2828:DESCRIPTION:import_request_variables() buried in include files makes post-disclosure analysis confusing:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2828REFERENCE:CVE-2009-0422:DESCRIPTION:Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0422REFERENCE:CVE-2007-2431:DESCRIPTION:Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2431REFERENCE:CVE-2006-4904:DESCRIPTION:Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4904REFERENCE:CVE-2006-4019:DESCRIPTION:Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4019","","","","","",
915,"Improperly Controlled Modification of Dynamically-Determined Object Attributes",Base,Incomplete,"The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.","If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability. This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection.","::NATURE:ChildOf:CWE ID:913:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:913:VIEW ID:699:ORDINAL:Primary::NATURE:PeerOf:CWE ID:502:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Ruby:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:ASP.NET:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Python:LANGUAGE PREVALENCE:Undetermined:::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Mass Assignment:DESCRIPTION:Mass assignment is the name of a feature in Ruby on Rails that allows simultaneous modification of multiple object attributes.::TERM:AutoBinding:DESCRIPTION:The Autobinding term is used in frameworks such as Spring MVC and ASP.NET MVC.::TERM:Object injection:DESCRIPTION:This term seems to be preferred by some PHP application researchers who attack unsafe use of the unserialize() function.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data:NOTE:Integrity Modify Application Data An attacker could modify sensitive data or program variables.::SCOPE:Integrity:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::SCOPE:Other:SCOPE:Integrity:TECHNICAL IMPACT:Varies by Context Alter Execution Logic::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If available, use features of the language or framework that allow specification of whitelists of attributes or fields that are allowed to be modified. If possible, prefer whitelists over black lists. For applications written with Ruby on Rails, use the attr_accessible (whitelist) or attr_protected (blacklist) macros in each class that may be used in mass assignment.::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:For any externally-influenced input, check the input against a white list of internal object attributes or fields that are allowed to be modified.::PHASE:Implementation Architecture and Design:STRATEGY:Refactoring:EFFECTIVENESS::DESCRIPTION:Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.::","::REFERENCE:CVE-2012-2054:DESCRIPTION:Mass assignment allows modification of arbitrary attributes using modified URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2054REFERENCE:CVE-2012-2055:DESCRIPTION:Source version control product allows modification of trusted key using mass assignment.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2055REFERENCE:CVE-2008-7310:DESCRIPTION:Attackers can bypass payment step in e-commerce software.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7310REFERENCE:CVE-2013-1465:DESCRIPTION:Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1465REFERENCE:CVE-2012-3527:DESCRIPTION:Use of PHP unserialize function on untrusted input in content management system might allow code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3527REFERENCE:CVE-2012-0911:DESCRIPTION:Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0911REFERENCE:CVE-2012-0911:DESCRIPTION:Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0911REFERENCE:CVE-2011-4962:DESCRIPTION:Content management system written in PHP allows code execution through page comments.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4962REFERENCE:CVE-2009-4137:DESCRIPTION:Use of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4137REFERENCE:CVE-2007-5741:DESCRIPTION:Content management system written in Python interprets untrusted data as pickles, allowing code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5741REFERENCE:CVE-2011-2520:DESCRIPTION:Python script allows local users to execute code via pickled data.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2520REFERENCE:CVE-2005-2875:DESCRIPTION:Python script allows remote attackers to execute arbitrary code using pickled objects.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2875REFERENCE:CVE-2013-0277:DESCRIPTION:Ruby on Rails allows deserialization of untrusted YAML to execute arbitrary code.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0277REFERENCE:CVE-2011-2894:DESCRIPTION:Spring framework allows deserialization of objects from untrusted sources to execute arbitrary code.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2894REFERENCE:CVE-2012-1833:DESCRIPTION:Grails allows binding of arbitrary parameters to modify arbitrary object properties.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1833REFERENCE:CVE-2010-3258:DESCRIPTION:Incorrect deserialization in web browser allows escaping the sandbox.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3258REFERENCE:CVE-2008-1013:DESCRIPTION:Media library allows deserialization of objects by untrusted Java applets, leading to arbitrary code execution.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1013","","","","","TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",
916,"Use of Password Hash With Insufficient Computational Effort",Base,Incomplete,"The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.","Many password storage mechanisms compute a hash and store the hash, instead of storing the original password in plaintext. In this design, authentication involves accepting an incoming password, computing its hash, and comparing it to the stored hash. Many hash algorithms are designed to execute quickly with minimal overhead, even cryptographic hashes. However, this efficiency is a problem for password storage, because it can reduce an attacker's workload for brute-force password cracking. If an attacker can obtain the hashes through some other method (such as SQL injection on a database that stores hashes), then the attacker can store the hashes offline and use various techniques to crack the passwords by computing hashes efficiently. Without a built-in workload, modern attacks can compute large numbers of hashes, or even exhaust the entire space of all possible passwords, within a very short amount of time, using massively-parallel computing (such as cloud computing) and GPU, ASIC, or FPGA hardware. In such a scenario, an efficient hash algorithm helps the attacker. 
There are several properties of a hash scheme that are relevant to its strength against an offline, massively-parallel attack: The amount of CPU time required to compute the hash (stretching) The amount of memory required to compute the hash (memory-hard operations) Including a random value, along with the password, as input to the hash computation (salting) Given a hash, there is no known way of determining a password that produces this hash value, other than by guessing possible passwords (one-way hashing) Relative to the number of all possible hashes that can be generated by the scheme, there is a low likelihood of producing the same hash for multiple different inputs (collision resistance) Note that the security requirements for the software may vary depending on the environment and the value of the passwords. Different schemes might not provide all of these properties, yet may still provide sufficient security for the environment. Conversely, a solution might be very strong in preserving one property, while still being very weak for an attack against another property, or it might not be able to significantly reduce the efficiency of a massively-parallel attack.","::NATURE:ChildOf:CWE ID:327:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:327:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Gain Privileges or Assume Identity:NOTE:Access Control Bypass Protection Mechanism Gain Privileges or Assume Identity If an attacker can gain access to the hashes, then the lack of sufficient computational effort will make it easier to conduct brute force attacks using techniques such as rainbow tables, or specialized hardware such as GPUs, which can be much faster than general-purpose CPUs for computing hashes.::","::METHOD:Automated Static Analysis 
- Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis::METHOD:Manual Static Analysis - Binary or Bytecode:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies::METHOD:Manual Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)::METHOD:Automated Static Analysis - Source Code:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer::METHOD:Automated Static Analysis:EFFECTIVENESS:SOAR Partial:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker::METHOD:Architecture or Design Review:EFFECTIVENESS:High:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)::","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS:High:DESCRIPTION:Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations (stretching) or the amount of memory required. 
Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs.::PHASE:Implementation Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). 
These steps are often essential for preventing common attacks.::","::REFERENCE:CVE-2008-1526:DESCRIPTION:Router does not use a salt with a hash, making it easier to crack passwords.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1526REFERENCE:CVE-2006-1058:DESCRIPTION:Router does not use a salt with a hash, making it easier to crack passwords.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1058REFERENCE:CVE-2008-4905:DESCRIPTION:Blogging software uses a hard-coded salt when calculating a password hash.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4905REFERENCE:CVE-2002-1657:DESCRIPTION:Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1657REFERENCE:CVE-2001-0967:DESCRIPTION:Server uses a constant salt when encrypting passwords, simplifying brute force attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0967REFERENCE:CVE-2005-0408:DESCRIPTION:chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0408","","","","","",
917,"Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')",Base,Incomplete,"The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.","","::NATURE:ChildOf:CWE ID:77:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:77:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::","","::TERM:EL Injection:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::SCOPE:Integrity:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","","","","","","","TYPE:Relationship:NOTE:In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.::",
918,"Server-Side Request Forgery (SSRF)",Base,Incomplete,"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.","By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, use other URLs such as those that can access documents on the system (using file://), or use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.","::NATURE:ChildOf:CWE ID:441:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:441:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:441:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Web Based:PARADIGN PREVALENCE:Undetermined::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Undetermined::","","::TERM:XSPA:DESCRIPTION:Cross Site Port Attack::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data::SCOPE:Integrity:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","","::REFERENCE:CVE-2002-1484:DESCRIPTION:Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1484REFERENCE:CVE-2004-2061:DESCRIPTION:CGI script accepts and retrieves incoming URLs.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2061REFERENCE:CVE-2010-1637:DESCRIPTION:Web-based mail program allows internal network scanning using a modified POP3 port 
number.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1637REFERENCE:CVE-2009-0037:DESCRIPTION:URL-downloading library automatically follows redirects to file:// and scp:// URLs:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037","","","","","TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",
920,"Improper Restriction of Power Consumption",Base,Incomplete,"The software operates in an environment in which power is a limited resource that cannot be automatically replenished, but the software does not properly restrict the amount of power that its operation consumes.","In environments such as embedded or mobile devices, power can be a limited resource such as a battery, which cannot be automatically replenished by the software itself, and the device might not always be directly attached to a reliable power source. If the software uses too much power too quickly, then this could cause the device (and subsequently, the software) to stop functioning until power is restored, or increase the financial burden on the device owner because of increased power costs. Normal operation of an application will consume power. However, in some cases, an attacker could cause the application to consume more power than intended, using components such as: Display CPU Disk I/O GPS Sound Microphone USB interface","::NATURE:ChildOf:CWE ID:400:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:400:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Availability:TECHNICAL IMPACT:DoS: Resource Consumption (Other) DoS: Crash, Exit, or Restart:NOTE:Availability DoS: Resource Consumption (Other) DoS: Crash, Exit, or Restart The power source could be drained, causing the application - and the entire device - to cease functioning.::","","","","","","","","",
921,"Storage of Sensitive Data in a Mechanism without Access Control",Base,Incomplete,"The software stores sensitive information in a file system or device that does not have built-in access control.","While many modern file systems or devices utilize some form of access control in order to restrict access to data, not all storage mechanisms have this capability. For example, memory cards, floppy disks, CDs, and USB devices are typically made accessible to any user within the system. This can become a problem when sensitive data is stored in these mechanisms in a multi-user environment, because anybody on the system can read or write this data. On Android devices, external storage is typically globally readable and writable by other applications on the device. External storage may also be easily accessible through the mobile device's USB connection or physically accessible through the device's memory card port.","::NATURE:ChildOf:CWE ID:922:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:922:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data Read Files or Directories:NOTE:Confidentiality Read Application Data Read Files or Directories Attackers can read sensitive information by accessing the unrestricted storage mechanism.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data Modify Files or Directories:NOTE:Integrity Modify Application Data Modify Files or Directories Attackers can modify or delete sensitive information by accessing the unrestricted storage mechanism.::","","","","","","","","",
922,"Insecure Storage of Sensitive Information",Class,Incomplete,"The software stores sensitive information without properly limiting read or write access by unauthorized actors.","If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.","::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:664:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION::::PHASE:System Configuration:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data Read Files or Directories:NOTE:Confidentiality Read Application Data Read Files or Directories Attackers can read sensitive information by accessing the unrestricted storage mechanism.::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data Modify Files or Directories:NOTE:Integrity Modify Application Data Modify Files or Directories Attackers can read sensitive information by accessing the unrestricted storage mechanism.::","","","","","","","","TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data.::::TYPE:Maintenance:NOTE:This is a high-level node that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.::",
923,"Improper Restriction of Communication Channel to Intended Endpoints",Class,Incomplete,"The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.","Attackers might be able to spoof the intended endpoint from a different system or process, thus gaining the same level of access as the intended endpoint. While this issue frequently involves authentication between network-based clients and servers, other types of communication channels and endpoints can have this weakness.","::NATURE:ChildOf:CWE ID:284:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:284:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Integrity Confidentiality Gain Privileges or Assume Identity If an attacker can spoof the endpoint, the attacker gains all the privileges that were intended for the original endpoint.::","","","","","","","","TYPE:Maintenance:NOTE:This entry will be made more comprehensive in later CWE versions.::",
924,"Improper Enforcement of Message Integrity During Transmission in a Communication Channel",Class,Incomplete,"The software establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.","A man-in-the-middle (MITM) attacker might be able to modify the message and spoof the endpoint.","::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:345:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Integrity Confidentiality Gain Privileges or Assume Identity If an attacker can spoof the endpoint, the attacker gains all the privileges that were intended for the original endpoint.::","","","","","","","","TYPE:Maintenance:NOTE:This entry will be made more comprehensive in later CWE versions.::",
925,"Improper Verification of Intent by Broadcast Receiver",Variant,Incomplete,"The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.","Certain types of Intents, identified by action string, can only be broadcast by the operating system itself, not by third-party applications. However, when an application registers to receive these implicit system intents, it is also registered to receive any explicit intents. While a malicious application cannot send an implicit system intent, it can send an explicit intent to the target application, which may assume that any received intent is a valid implicit system intent and not an explicit intent from another application. This may lead to unintended behavior.","::NATURE:ChildOf:CWE ID:923:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:923:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","::TERM:Intent Spoofing:DESCRIPTION:::",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Integrity Gain Privileges or Assume Identity Another application can impersonate the operating system and cause the software to perform an unintended action.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Before acting on the Intent, check the Intent Action to make sure it matches the expected System action.::","","","","","","TYPE:Maintenance:NOTE:This entry will be made more comprehensive in later CWE versions.::",
926,"Improper Export of Android Application Components",Variant,Incomplete,"The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.","The attacks and consequences of improperly exporting a component may depend on the exported component: If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application. If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application. If access to a Content Provider is not restricted to only the expected applications, then malicious applications might be able to access the sensitive data. Note that in Android before 4.2, the Content Provider is automatically exported unless it has been explicitly declared as NOT exported.","::NATURE:ChildOf:CWE ID:285:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:285:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","::There are three types of components that can be exported in an Android application. Activity An Activity is an application component that provides a UI for users to interact with. A typical application will have multiple Activity screens that perform different functions, such as a main Activity screen and a separate settings Activity screen. 
Service A Service is an application component that is started by another component to execute an operation in the background, even after the invoking component is terminated. Services do not have a UI component visible to the user. Content Provider The Content Provider mechanism can be used to share data with other applications or internally within the same application.::","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Availability:SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State DoS: Crash, Exit, or Restart DoS: Instability Varies by Context:NOTE:Availability Integrity Unexpected State DoS: Crash, Exit, or Restart DoS: Instability Varies by Context Other applications, possibly untrusted, can launch the Activity.::SCOPE:Availability:SCOPE:Integrity:TECHNICAL IMPACT:Unexpected State Gain Privileges or Assume Identity DoS: Crash, Exit, or Restart DoS: Instability Varies by Context:NOTE:Availability Integrity Unexpected State Gain Privileges or Assume Identity DoS: Crash, Exit, or Restart DoS: Instability Varies by Context Other applications, possibly untrusted, can bind to the Service.::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data:NOTE:Confidentiality Integrity Read Application Data Modify Application Data Other applications, possibly untrusted, can read or modify the data that is offered by the Content Provider.::","","::PHASE:Build and Compilation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:If they do not need to be shared by other applications, explicitly mark components with android:exported=false in the application manifest.::PHASE:Build and Compilation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:If you only intend to use exported components between related apps under your control, use android:protectionLevel=signature in the xml manifest to restrict access to applications signed by you.::PHASE:Build and Compilation Architecture and 
Design:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Limit Content Provider permissions (read/write) as appropriate.::PHASE:Build and Compilation Architecture and Design:STRATEGY:Separation of Privilege:EFFECTIVENESS::DESCRIPTION:Limit Content Provider permissions (read/write) as appropriate.::","","","","","","",
927,"Use of Implicit Intent for Sensitive Communication",Variant,Incomplete,"The Android application uses an implicit intent for transmitting sensitive data to other applications.","Since an implicit intent does not specify a particular application to receive the data, any application can process the intent by using an Intent Filter for that intent. This can allow untrusted applications to obtain sensitive data. There are two variations on the standard broadcast intent, ordered and sticky. Ordered broadcast intents are delivered to a series of registered receivers in order of priority as declared by the Receivers. A malicious receiver can give itself a high priority and cause a denial of service by stopping the broadcast from propagating further down the chain. There is also the possibility of malicious data modification, as a receiver may also alter the data within the Intent before passing it on to the next receiver. The downstream components have no way of asserting that the data has not been altered earlier in the chain. Sticky broadcast intents remain accessible after the initial broadcast. An old sticky intent will be broadcast again to any new receivers that register for it in the future, greatly increasing the chances of information exposure over time. Also, sticky broadcasts cannot be protected by permissions that may apply to other kinds of intents. In addition, any broadcast intent may include a URI that references data that the receiving component does not normally have the privileges to access. The sender of the intent can include special privileges that grant the receiver read or write access to the specific URI included in the intent. 
A malicious receiver that intercepts this intent will also gain those privileges and be able to read or write the resource at the specified URI.","::NATURE:ChildOf:CWE ID:285:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:285:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:668:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Application Data:NOTE:Confidentiality Read Application Data Other applications, possibly untrusted, can read the data that is offered through the Intent.::SCOPE:Integrity:TECHNICAL IMPACT:Varies by Context:NOTE:Integrity Varies by Context The application may handle responses from untrusted applications on the device, which could cause it to perform unexpected or unauthorized actions.::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If the application only requires communication with its own components, then the destination is always known, and an explicit intent could be used.::","","","","","","TYPE:Maintenance:NOTE:This entry will be made more comprehensive in later CWE versions.::",
93,"Improper Neutralization of CRLF Sequences ('CRLF Injection')",Base,Draft,"The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.","","::NATURE:ChildOf:CWE ID:74:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:1003:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:117:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Integrity:TECHNICAL IMPACT:Modify Application Data::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Avoid using CRLF as a special sequence.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Appropriately filter or quote CRLF sequences in user-controlled input.::","::REFERENCE:CVE-2002-1771:DESCRIPTION:CRLF injection enables spam proxy (add mail headers) using email address or name.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1771REFERENCE:CVE-2002-1783:DESCRIPTION:CRLF injection in API function arguments modify headers for outgoing requests.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1783REFERENCE:CVE-2004-1513:DESCRIPTION:Spoofed entries in web server log file via carriage returns:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1513REFERENCE:CVE-2006-4624:DESCRIPTION:Chain: inject fake log entries with fake timestamps using CRLF injection:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4624REFERENCE:CVE-2005-1951:DESCRIPTION:Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1951REFERENCE:CVE-2004-1687:DESCRIPTION:Chain: HTTP response splitting via CRLF in parameter related to 
URL.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1687","","","TAXONOMY NAME:PLOVER:ENTRY NAME:CRLF Injection::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A2:ENTRY NAME:Injection Flaws:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:24:ENTRY NAME:HTTP Request Splitting::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::15::81::","TYPE:Research Gap:NOTE:Probably under-studied, although gaining more prominence in 2005 as a result of interest in HTTP response splitting.::",
939,"Improper Authorization in Handler for Custom URL Scheme",Base,Incomplete,"The software uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.","Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method to do inter-application communication. The implementation is at the developer's discretion which may open security flaws in the application. An example could be potentially dangerous functionality such as modifying files through a custom URL scheme.","::NATURE:ChildOf:CWE ID:862:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:862:VIEW ID:1000:ORDINAL:Primary::","","::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Utilize a user prompt pop-up to authorize potentially harmful actions such as those modifying data or dealing with sensitive information. When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if a whitelist of applications to interface with is appropriate.::","::REFERENCE:CVE-2013-5725:DESCRIPTION:URL scheme has action replace which requires no user prompt and allows remote attackers to perform undesired actions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5725REFERENCE:CVE-2013-5726:DESCRIPTION:URL scheme has action follow and favorite which allows remote attackers to force user to perform undesired actions.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5726","","","","","",
94,"Improper Control of Generation of Code ('Code Injection')",Class,Draft,"The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.","When software allows a user's input to contain code syntax, it might be possible for an attacker to craft the code in such a way that it will alter the intended control flow of the software. Such an alteration could lead to arbitrary code execution. Injection problems encompass a wide variety of issues -- all mitigated in very different ways. For this reason, the most effective way to discuss these weaknesses is to note the distinct features which classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. The most classic instantiations of this category of weakness are SQL injection and format string vulnerabilities.","::NATURE:ChildOf:CWE ID:74:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:1003:ORDINAL:Primary::NATURE:ChildOf:CWE ID:913:VIEW ID:1000::NATURE:ChildOf:CWE ID:691:VIEW ID:1000::","",":::LANGUAGE CLASS:Interpreted:LANGUAGE PREVALENCE:Sometimes::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism In some cases, injectable code controls authentication; this may lead to a remote vulnerability.::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity Injected code can access resources that the attacker is directly prevented from accessing.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Non-Repudiation Hide Activities Often the actions performed by injected control code are unlogged.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Refactor your program so that you do not have to dynamically generate code.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Run your code in a jail or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your software. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. To reduce the likelihood of code injection, use stringent whitelists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.::PHASE:Testing:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::PHASE:Operation:STRATEGY:Compilation or Build Hardening:EFFECTIVENESS::DESCRIPTION:Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's -T switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's -T switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).::","::REFERENCE:CVE-2008-5071:DESCRIPTION:Eval injection in PHP program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5071REFERENCE:CVE-2002-1750:DESCRIPTION:Eval injection in Perl program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1750REFERENCE:CVE-2008-5305:DESCRIPTION:Eval injection in Perl program using an ID that should only contain hyphens and numbers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5305REFERENCE:CVE-2002-1752:DESCRIPTION:Direct code injection into Perl eval function.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1752REFERENCE:CVE-2002-1753:DESCRIPTION:Eval injection in Perl program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1753REFERENCE:CVE-2005-1527:DESCRIPTION:Direct code injection into Perl eval function.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1527REFERENCE:CVE-2005-2837:DESCRIPTION:Direct code injection into Perl eval function.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2837REFERENCE:CVE-2005-1921:DESCRIPTION:MFV. code injection into PHP eval statement using nested constructs that should not be nested.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1921REFERENCE:CVE-2005-2498:DESCRIPTION:MFV. code injection into PHP eval statement using nested constructs that should not be nested.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2498REFERENCE:CVE-2005-3302:DESCRIPTION:Code injection into Python eval statement from a field in a formatted file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3302REFERENCE:CVE-2007-1253:DESCRIPTION:Eval injection in Python program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1253REFERENCE:CVE-2001-1471:DESCRIPTION:chain: Resultant eval injection. An invalid value prevents initialization of variables, which can be modified by attacker and later injected into PHP eval statement.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1471REFERENCE:CVE-2002-0495:DESCRIPTION:Perl code directly injected into CGI library file from parameters to another CGI program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0495REFERENCE:CVE-2005-1876:DESCRIPTION:Direct PHP code injection into supporting template file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1876REFERENCE:CVE-2005-1894:DESCRIPTION:Direct code injection into PHP script that can be accessed by attacker.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1894REFERENCE:CVE-2003-0395:DESCRIPTION:PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0395","","","TAXONOMY NAME:PLOVER:ENTRY ID:CODE:ENTRY NAME:Code Evaluation and Injection::","::35::77::","TYPE:Research Gap:NOTE:Many of these weaknesses are under-studied and under-researched, and terminology is not sufficiently precise.::",
940,"Improper Verification of Source of a Communication Channel",Base,Incomplete,"The software establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.","When an attacker can successfully establish a communication channel from an untrusted origin, the attacker may be able to gain privileges and access unexpected functionality.","::NATURE:ChildOf:CWE ID:923:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:923:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Access Control:SCOPE:Other:TECHNICAL IMPACT:Gain Privileges or Assume Identity Varies by Context:NOTE:Access Control Other Gain Privileges or Assume Identity Varies by Context An attacker can access any functionality that is inadvertently accessible to the source.::","","::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using a man-in-the-middle attack. When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if a whitelist of applications to interface with is appropriate.::","::REFERENCE:CVE-2000-1218:DESCRIPTION:DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1218REFERENCE:CVE-2005-0877:DESCRIPTION:DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0877REFERENCE:CVE-2001-1452:DESCRIPTION:DNS server caches glue records received from non-delegated name servers:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1452","","","","","TYPE:Relationship:NOTE:While many access control issues involve authenticating the user, this weakness is more about authenticating the actual source of the communication channel itself; there might not be any user in such cases.::",
941,"Incorrectly Specified Destination in a Communication Channel",Base,Incomplete,"The software creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.","Attackers at the destination may be able to spoof trusted servers to steal data or cause a denial of service. There are at least two distinct weaknesses that can cause the software to communicate with an unintended destination: If the software allows an attacker to control which destination is specified, then the attacker can cause it to connect to an untrusted or malicious destination. For example, because UDP is a connectionless protocol, UDP packets can be spoofed by specifying a false source address in the packet; when the server receives the packet and sends a reply, it will specify a destination by using the source of the incoming packet - i.e., the false source. The server can then be tricked into sending traffic to the wrong host, which is effective for hiding the real source of an attack and for conducting a distributed denial of service (DDoS). As another example, server-side request forgery (SSRF) and XML External Entity (XXE) can be used to trick a server into making outgoing requests to hosts that cannot be directly accessed by the attacker due to firewall restrictions. If the software incorrectly specifies the destination, then an attacker who can control this destination might be able to spoof trusted servers. While the most common occurrence is likely due to misconfiguration by an administrator, this can be resultant from other weaknesses. For example, the software might incorrectly parse an e-mail or IP address and send sensitive data to an unintended destination. As another example, an Android application may use a sticky broadcast to communicate with a receiver for a particular application, but since sticky broadcasts can be processed by *any* receiver, this can allow a malicious application to access restricted data that was only intended for a different application.","::NATURE:ChildOf:CWE ID:923:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:923:VIEW ID:699:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:406:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Mobile:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"","","","::REFERENCE:CVE-2013-5211:DESCRIPTION:composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211REFERENCE:CVE-1999-0513:DESCRIPTION:Classic Smurf attack, using spoofed ICMP packets to broadcast addresses.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0513REFERENCE:CVE-1999-1379:DESCRIPTION:DNS query with spoofed source address causes more traffic to be returned to spoofed address than was sent by the attacker.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1379","","","","","TYPE:Maintenance:NOTE:This entry will be made more comprehensive in later CWE versions.::",
942,"Overly Permissive Cross-domain Whitelist",Variant,Incomplete,"The software uses a cross-domain policy file that includes domains that should not be trusted.","A cross-domain policy file (crossdomain.xml in Flash and clientaccesspolicy.xml in Silverlight) defines a whitelist of domains from which a server is allowed to make cross-domain requests. When making a cross-domain request, the Flash or Silverlight client will first look for the policy file on the target server. If it is found, and the domain hosting the application is explicitly allowed to make requests, the request is made. Therefore, if a cross-domain policy file includes domains that should not be trusted, such as when using wildcards, then the application could be attacked by these untrusted domains. An overly permissive policy file allows many of the same attacks seen in Cross-Site Scripting (CWE-79). Once the user has executed a malicious Flash or Silverlight application, they are vulnerable to a variety of attacks. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. In many cases, the attack can be launched without the victim even being aware of it.","::NATURE:ChildOf:CWE ID:284:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:284:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:183:VIEW ID:1000::NATURE:ChildOf:CWE ID:668:VIEW ID:1000::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::PARADIGN NAME:Web Based:PARADIGN PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Execute Unauthorized Code or Commands Bypass Protection Mechanism Read Application Data Varies by Context:NOTE:Confidentiality Integrity Availability Access Control Execute Unauthorized Code or Commands Bypass Protection Mechanism Read Application Data Varies by Context An attacker may be able to bypass the web browser's same-origin policy. An attacker can exploit the weakness to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end user systems for a variety of nefarious purposes. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running ActiveX controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content.::","","::PHASE:Architecture and Design:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Avoid using wildcards in the cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.::PHASE:Architecture and Design Operation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.::","::REFERENCE:CVE-2012-2292:DESCRIPTION:Product has a Silverlight cross-domain policy that does not restrict access to another application, which allows remote attackers to bypass the Same Origin Policy.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2292REFERENCE:CVE-2014-2049:DESCRIPTION:The default Flash Cross Domain policies in a product allows remote attackers to access user files.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2049REFERENCE:CVE-2007-6243:DESCRIPTION:Chain: Adobe Flash Player does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6243REFERENCE:CVE-2008-4822:DESCRIPTION:Chain: Adobe Flash Player and earlier does not properly interpret policy files, which allows remote attackers to bypass a non-root domain policy.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4822REFERENCE:CVE-2010-3636:DESCRIPTION:Chain: Adobe Flash Player does not properly handle unspecified encodings during the parsing of a cross-domain policy file, which allows remote web servers to bypass intended access restrictions via unknown vectors.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3636","","","","","",
943,"Improper Neutralization of Special Elements in Data Query Logic",Class,Incomplete,"The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.","Depending on the capabilities of the query language, an attacker could inject additional logic into the query to: Modify the intended selection criteria, thus changing which data entities (e.g., records) are returned, modified, or otherwise manipulated Append additional commands to the query Return more entities than intended Return fewer entities than intended Cause entities to be sorted in an unexpected way The ability to execute additional commands or change which entities are returned has obvious risks. But when the application logic depends on the order or number of entities, this can also lead to vulnerabilities. For example, if the application query expects to return only one entity that specifies an administrative user, but an attacker can change which entities are returned, this could cause the logic to return information for a regular user and incorrectly assume that the user has administrative privileges. While this weakness is most commonly associated with SQL injection, there are many other query languages that are also subject to injection attacks, including HTSQL, LDAP, DQL, XQuery, Xpath, and NoSQL languages.","::NATURE:ChildOf:CWE ID:74:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:1003:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism Read Application Data Modify Application Data Varies by Context::","","","::REFERENCE:CVE-2014-2503:DESCRIPTION:Injection using Documentum Query Language (DQL):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2503REFERENCE:CVE-2014-2508:DESCRIPTION:Injection using Documentum Query Language (DQL):LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2508","","","","","TYPE:Relationship:NOTE:It could be argued that data query languages are effectively a command language - albeit with a limited set of commands - and thus any query-language injection issue could be treated as a child of CWE-74. However, CWE-943 is intended to better organize query-oriented issues to separate them from fully-functioning programming languages, and also to provide a more precise identifier for the many query languages that do not have their own CWE identifier.::::TYPE:Maintenance:NOTE:This entry will be made more comprehensive in future CWE versions.::",
95,"Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",Base,Incomplete,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval).","This may allow an attacker to execute arbitrary code, or at least modify what code can be executed.","::NATURE:ChildOf:CWE ID:94:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:94:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:JavaScript:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Python:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Perl:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Ruby:LANGUAGE PREVALENCE:Undetermined:::LANGUAGE CLASS:Interpreted:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories Read Application Data:NOTE:Confidentiality Read Files or Directories Read Application Data The injected code could access restricted data / files.::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism In some cases, injectable code controls authentication; this may lead to a remote vulnerability.::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity Injected code can access resources that the attacker is directly prevented from accessing.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Other Execute Unauthorized Code or Commands Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Non-Repudiation Hide Activities Often the actions performed by injected control code are unlogged.::","","::PHASE:Architecture and Design Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:If possible, refactor your code so that it does not need to use eval() at all.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control. Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.::","::REFERENCE:CVE-2008-5071:DESCRIPTION:Eval injection in PHP program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5071REFERENCE:CVE-2002-1750:DESCRIPTION:Eval injection in Perl program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1750REFERENCE:CVE-2008-5305:DESCRIPTION:Eval injection in Perl program using an ID that should only contain hyphens and numbers.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5305REFERENCE:CVE-2002-1752:DESCRIPTION:Direct code injection into Perl eval function.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1752REFERENCE:CVE-2002-1753:DESCRIPTION:Eval injection in Perl program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1753REFERENCE:CVE-2005-1527:DESCRIPTION:Direct code injection into Perl eval function.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1527REFERENCE:CVE-2005-2837:DESCRIPTION:Direct code injection into Perl eval function.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2837REFERENCE:CVE-2005-1921:DESCRIPTION:MFV. code injection into PHP eval statement using nested constructs that should not be nested.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1921REFERENCE:CVE-2005-2498:DESCRIPTION:MFV. code injection into PHP eval statement using nested constructs that should not be nested.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2498REFERENCE:CVE-2005-3302:DESCRIPTION:Code injection into Python eval statement from a field in a formatted file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3302REFERENCE:CVE-2007-1253:DESCRIPTION:Eval injection in Python program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1253REFERENCE:CVE-2001-1471:DESCRIPTION:chain: Resultant eval injection. An invalid value prevents initialization of variables, which can be modified by attacker and later injected into PHP eval statement.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1471REFERENCE:CVE-2007-2713:DESCRIPTION:Chain: Execution after redirect triggers eval injection.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2713","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Direct Dynamic Code Evaluation ('Eval Injection')::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A3:ENTRY NAME:Malicious File Execution:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:OWASP Top Ten 2004:ENTRY ID:A6:ENTRY NAME:Injection Flaws:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::::TAXONOMY NAME:CERT Perl Secure Coding:ENTRY ID:IDS35-PL:ENTRY NAME:Do not invoke the eval form with a string argument:MAPPING FIT:Exact::","::35::","TYPE:Other:NOTE:Factors: special character errors can play a role in increasing the variety of code that can be injected, although some vulnerabilities do not require special characters at all, e.g. when a single function without arguments can be referenced and a terminator character is not necessary.::::TYPE:Research Gap:NOTE:This issue is probably under-reported. Most relevant CVEs have been for Perl and PHP, but eval injection applies to most interpreted languages. Javascript eval injection is likely to be heavily under-reported.::",
96,"Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')",Base,Draft,"The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.","","::NATURE:ChildOf:CWE ID:94:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:94:VIEW ID:699:ORDINAL:Primary::","::ORDINALITY:Primary:DESCRIPTION:::","::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Undetermined::LANGUAGE NAME:Perl:LANGUAGE PREVALENCE:Undetermined:::LANGUAGE CLASS:Interpreted:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Files or Directories Read Application Data:NOTE:Confidentiality Read Files or Directories Read Application Data The injected code could access restricted data / files.::SCOPE:Access Control:TECHNICAL IMPACT:Bypass Protection Mechanism:NOTE:Access Control Bypass Protection Mechanism In some cases, injectable code controls authentication; this may lead to a remote vulnerability.::SCOPE:Access Control:TECHNICAL IMPACT:Gain Privileges or Assume Identity:NOTE:Access Control Gain Privileges or Assume Identity Injected code can access resources that the attacker is directly prevented from accessing.::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:SCOPE:Other:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Other Execute Unauthorized Code or Commands Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. 
Additionally, code injection can often result in the execution of arbitrary code.::SCOPE:Non-Repudiation:TECHNICAL IMPACT:Hide Activities:NOTE:Non-Repudiation Hide Activities Often the actions performed by injected control code are unlogged.::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. 
However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::PHASE:Implementation:STRATEGY:Output Encoding:EFFECTIVENESS::DESCRIPTION:Perform proper output validation and escaping to neutralize all code syntax from data written to code files.::","::REFERENCE:CVE-2002-0495:DESCRIPTION:Perl code directly injected into CGI library file from parameters to another CGI program.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0495REFERENCE:CVE-2005-1876:DESCRIPTION:Direct PHP code injection into supporting template file.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1876REFERENCE:CVE-2005-1894:DESCRIPTION:Direct code injection into PHP script that can be accessed by attacker.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1894REFERENCE:CVE-2003-0395:DESCRIPTION:PHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0395REFERENCE:CVE-2007-6652:DESCRIPTION:chain: execution after redirect allows non-administrator to perform static code injection.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6652","","File or Directory::","TAXONOMY NAME:PLOVER:ENTRY NAME:Direct Static Code Injection::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::35::73::77::81::85::","TYPE:Relationship:NOTE:HTML injection (see CWE-79: XSS) could be thought of as an example of this, but the code is injected and executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection.::",
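The CWE-96 entry above describes data being inserted into an executable resource such as a template, library or configuration file, with CVE-2003-0395 (HTTP User-Agent written into a log file that is itself a PHP script) as the classic case. As an added example that is not CWE text, the following Python code reproduces the mistake in a generated configuration module and shows the two fixes the mitigation text asks for: neutralize the code syntax (here by emitting the value as a proper string literal) or, better, keep configuration as data that is parsed rather than executed. The admin-form scenario, the file layout and the payload are assumptions; the check parses the generated file with the ast module instead of executing it, so it is safe to run on hostile output.

```python
import ast
import json

# Added example (not CWE text). Assumed scenario: an admin form collects a
# site name and the application regenerates a config module that it later
# imports; that module is the "executable resource" of CWE-96.


def write_config_unsafe(site_name: str) -> str:
    """Vulnerable: the value is spliced into Python source with string
    formatting. A quote plus a newline in the data ends the literal and
    starts new statements (the PHP/Perl template and log-file CVEs listed
    above are the same mistake in other languages)."""
    return 'SITE_NAME = "%s"\n' % site_name


def write_config_safe(site_name: str) -> str:
    """Hardened: emit the value through repr(), which always yields a single
    Python string literal whatever quotes or newlines the input contains."""
    return "SITE_NAME = %s\n" % repr(site_name)


def write_config_as_data(site_name: str) -> str:
    """Preferable: keep configuration as data (JSON) that is parsed, never
    executed, so there is no code syntax to neutralize at all."""
    return json.dumps({"SITE_NAME": site_name}) + "\n"


def read_config_data(source: str) -> str:
    """Counterpart of write_config_as_data: plain parsing, no evaluation."""
    return json.loads(source)["SITE_NAME"]


def statements_in(source: str) -> list:
    """Top-level statement types the interpreter would execute for this file.
    More than one means the data became code. Parsing only, no exec()."""
    return [type(node).__name__ for node in ast.parse(source).body]


def recovered_value(source: str):
    """Read SITE_NAME back from the generated module without executing it."""
    first = ast.parse(source).body[0]
    return ast.literal_eval(first.value)


# Constructed attacker input: closes the literal, adds a statement,
# then reopens a literal so the file still parses and runs.
PAYLOAD = 'shop"\nIS_ADMIN = True\nTAIL = "'

if __name__ == "__main__":
    print(statements_in(write_config_unsafe(PAYLOAD)))   # ['Assign', 'Assign', 'Assign']
    print(statements_in(write_config_safe(PAYLOAD)))     # ['Assign']
    print(read_config_data(write_config_as_data(PAYLOAD)) == PAYLOAD)  # True
```

The same test (parse the generated artifact and count what would execute) is a cheap regression check for any code that writes user data into templates, include files or log files that a web server will later interpret.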
97,"Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",Variant,Draft,"The software generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.","","::NATURE:ChildOf:CWE ID:96:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:96:VIEW ID:699:ORDINAL:Primary::","",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands::","","::PHASE:Implementation:STRATEGY::EFFECTIVENESS::DESCRIPTION:Utilize an appropriate mix of whitelist and blacklist parsing to filter server-side include syntax from all input.::","","","","TAXONOMY NAME:PLOVER:ENTRY NAME:Server-Side Includes (SSI) Injection::::TAXONOMY NAME:WASC:ENTRY ID:36:ENTRY NAME:SSI Injection::","::101::35::","TYPE:Relationship:NOTE:This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.::",
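The CWE-97 mitigation asks for a mix of whitelist and blacklist parsing of server-side include syntax. As an added example that is not CWE text, the Python code below does both for a page served through Apache mod_include: a deliberately loose directive pattern for detection and logging (the blacklist side), and HTML escaping of the fragment before it is written into the page (the whitelist side, which also closes the XSS overlap noted in the relationship note, since a '<' that is rendered as '&lt;' can never begin a '<!--#' directive). The comment-rendering scenario and the sample payloads are constructed for the example; the element list is the mod_include directive set.

```python
import html
import re

# Added example (not CWE text). Assumed scenario: user comments are written
# into a page that Apache serves through mod_include (.shtml), so any
# "<!--#element ... -->" sequence in the comment is executed server-side.

# Element names from the mod_include directive set.
_SSI_ELEMENTS = ("config", "echo", "exec", "fsize", "flastmod", "include",
                 "printenv", "set", "if", "elif", "else", "endif")
# Deliberately loose pattern (whitespace tolerated) so that it is useful for
# detection and logging; it is NOT the neutralization step.
_SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(%s)\b.*?-->" % "|".join(_SSI_ELEMENTS),
    re.IGNORECASE | re.DOTALL)


def find_ssi_directives(fragment: str) -> list:
    """Return the SSI element names found in a fragment (blacklist-style
    detection, suitable for rejecting or alerting on hostile input)."""
    return [m.group(1).lower() for m in _SSI_DIRECTIVE.finditer(fragment)]


def neutralize_for_ssi_page(fragment: str) -> str:
    """Whitelist-style neutralization: HTML-escape the fragment. With '<'
    rendered as '&lt;' no byte sequence can start a '<!--#' directive."""
    return html.escape(fragment, quote=True)


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: raw comment text lands in the SSI-processed page."""
    return "<p>%s</p>" % comment


def render_comment_safe(comment: str) -> str:
    """Hardened: the comment is escaped before it reaches the page."""
    return "<p>%s</p>" % neutralize_for_ssi_page(comment)


# Constructed hostile comments.
EXEC_PAYLOAD = 'nice post <!--#exec cmd="cat /etc/passwd" --> thanks'
INCLUDE_PAYLOAD = '<!-- #include virtual="/cgi-bin/admin.cgi" -->'

if __name__ == "__main__":
    print(find_ssi_directives(render_comment_unsafe(EXEC_PAYLOAD)))   # ['exec']
    print(find_ssi_directives(render_comment_safe(EXEC_PAYLOAD)))     # []
    print(render_comment_safe(INCLUDE_PAYLOAD))
```

Use the detector to log and reject; rely on the escaping for safety. A blacklist alone misses variants (different whitespace, unusual element names, encodings), which is the CWE point about blacklists being useful for detection rather than as the sole control.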
98,"Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')",Base,Draft,"The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in require, include, or similar functions.","In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the software will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.","::NATURE:ChildOf:CWE ID:706:VIEW ID:1000::NATURE:ChildOf:CWE ID:829:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:829:VIEW ID:1000:ORDINAL:Primary::NATURE:CanPrecede:CWE ID:94:VIEW ID:1000::NATURE:CanPrecede:CWE ID:94:VIEW ID:699::NATURE:CanAlsoBe:CWE ID:426:VIEW ID:1000::NATURE:PeerOf:CWE ID:216:VIEW ID:1000::","","::LANGUAGE NAME:PHP:LANGUAGE PREVALENCE:Often::","","::TERM:Remote file include:DESCRIPTION:::TERM:RFI:DESCRIPTION:The Remote File Inclusion (RFI) acronym is often used by vulnerability researchers.::TERM:Local file inclusion:DESCRIPTION:This term is frequently used in cases in which remote download is disabled, or when the first part of the filename is not under the attacker's control, which forces use of relative path traversal (CWE-23) attack techniques to access files that may contain previously-injected PHP code, such as web access logs.::",":::PHASE:Implementation:DESCRIPTION::::PHASE:Architecture and Design:DESCRIPTION:::","",,"::SCOPE:Integrity:SCOPE:Confidentiality:SCOPE:Availability:TECHNICAL IMPACT:Execute Unauthorized Code or Commands:NOTE:Integrity Confidentiality Availability Execute Unauthorized Code or Commands The attacker may be able to specify arbitrary code to be executed from a remote location. 
Alternatively, it may be possible to use normal program behavior to insert php code into files on the local machine which can then be included and force the code to execute since php ignores everything in the file except for the content between php specifiers.::","::METHOD:Manual Analysis:EFFECTIVENESS:High:DESCRIPTION:Manual white-box analysis can be very effective for finding this issue, since there is typically a relatively small number of include or require statements in each program.::METHOD:Automated Static Analysis:EFFECTIVENESS::DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the software. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. If the program uses a customized input validation library, then some tools may allow the analyst to create custom signatures to detect usage of those routines.::","::PHASE:Architecture and Design:STRATEGY:Libraries or Frameworks:EFFECTIVENESS::DESCRIPTION:Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.::PHASE:Architecture and Design:STRATEGY:Enforcement by Conversion:EFFECTIVENESS::DESCRIPTION:When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to inbox.txt and ID 2 could map to profile.txt. 
Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability.::PHASE:Architecture and Design:STRATEGY::EFFECTIVENESS::DESCRIPTION:For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.::PHASE:Architecture and Design Operation:STRATEGY:Sandbox or Jail:EFFECTIVENESS:Limited:DESCRIPTION:Run the code in a jail or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.::PHASE:Architecture and Design Operation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. 
For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single . character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as / to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering / is insufficient protection if the filesystem also supports the use of \ as a directory separator. 
Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if ../ sequences are removed from the .../...// string in a sequential fashion, two instances of ../ would be removed from the original string, but the remaining characters would still form the ../ string.::PHASE:Architecture and Design Operation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately. This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface.::PHASE:Architecture and Design Implementation:STRATEGY:Attack Surface Reduction:EFFECTIVENESS::DESCRIPTION:Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. Many file inclusion problems occur because the programmer assumed that certain inputs could not be modified, especially for cookies and URL components.::PHASE:Operation:STRATEGY:Firewall:EFFECTIVENESS:Moderate:DESCRIPTION:Use an application firewall that can detect attacks against this weakness. 
It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.::PHASE:Operation Implementation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:Develop and run your code in the most recent versions of PHP available, preferably PHP 6 or later. Many of the highly risky features in earlier PHP interpreters have been removed, restricted, or disabled by default.::PHASE:Operation Implementation:STRATEGY:Environment Hardening:EFFECTIVENESS::DESCRIPTION:When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. Often, programmers do not protect direct access to files intended only to be included by core programs. These include files may assume that critical variables have already been initialized by the calling program. As a result, the use of register_globals combined with the ability to directly access the include file may allow attackers to conduct file inclusion attacks. 
This remains an extremely common pattern as of 2009.::PHASE:Operation:STRATEGY:Environment Hardening:EFFECTIVENESS:High:DESCRIPTION:Set allow_url_fopen to false, which limits the ability to include files from remote locations.::","::REFERENCE:CVE-2004-0285:DESCRIPTION:Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0285REFERENCE:CVE-2004-0030:DESCRIPTION:Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0030REFERENCE:CVE-2004-0068:DESCRIPTION:Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0068REFERENCE:CVE-2005-2157:DESCRIPTION:Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2157REFERENCE:CVE-2005-2162:DESCRIPTION:Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2162REFERENCE:CVE-2005-2198:DESCRIPTION:Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2198REFERENCE:CVE-2004-0128:DESCRIPTION:Modification of assumed-immutable variable in configuration script leads to file inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0128REFERENCE:CVE-2005-1864:DESCRIPTION:PHP file inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1864REFERENCE:CVE-2005-1869:DESCRIPTION:PHP file 
inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1869REFERENCE:CVE-2005-1870:DESCRIPTION:PHP file inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1870REFERENCE:CVE-2005-2154:DESCRIPTION:PHP local file inclusion.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2154REFERENCE:CVE-2002-1704:DESCRIPTION:PHP remote file include.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1704REFERENCE:CVE-2002-1707:DESCRIPTION:PHP remote file include.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1707REFERENCE:CVE-2005-1964:DESCRIPTION:PHP remote file include.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1964REFERENCE:CVE-2005-1681:DESCRIPTION:PHP remote file include.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1681REFERENCE:CVE-2005-2086:DESCRIPTION:PHP remote file include.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2086REFERENCE:CVE-2004-0127:DESCRIPTION:Directory traversal vulnerability in PHP include statement.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0127REFERENCE:CVE-2005-1971:DESCRIPTION:Directory traversal vulnerability in PHP include statement.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1971REFERENCE:CVE-2005-3335:DESCRIPTION:PHP file inclusion issue, both remote and local; local include uses .. 
and %00 characters as a manipulation, but many remote file inclusion issues probably have this vector.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3335REFERENCE:CVE-2009-1936:DESCRIPTION:chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal.:LINK:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1936","","File or Directory::","TAXONOMY NAME:PLOVER:ENTRY NAME:PHP File Include::::TAXONOMY NAME:OWASP Top Ten 2007:ENTRY ID:A3:ENTRY NAME:Malicious File Execution:MAPPING FIT:CWE More Specific::::TAXONOMY NAME:WASC:ENTRY ID:5:ENTRY NAME:Remote File Inclusion::","::193::","TYPE:Relationship:NOTE:This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role. Can overlap directory traversal in local inclusion problems.::::TYPE:Research Gap:NOTE:Under-researched and under-reported. Other interpreted languages with require and include functionality could also produce vulnerable applications, but as of 2007, PHP has been the focus. Any web-accessible language that uses executable file extensions is likely to have this type of issue, such as ASP, since .asp extensions are typically executable. Languages such as Perl are less likely to exhibit these problems because the .pl extension isn't always configured to be executable by the web server.::",
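The CWE-98 mitigations above (a stringent filename whitelist, a single dot at most, no separators, an allowed-extension list, and canonicalization that is not fooled by sequential ../ stripping) and the CWE-95 advice earlier on this page to canonicalize repeatedly until the input stops changing (CWE-174 double decoding) describe one validation routine. As an added example that is not CWE text, the Python code below implements that routine as an illustrative stand-in for the PHP include() path check: decode to a fixed point with a round cap, reject NUL bytes, URL and stream wrappers, separators and traversal, then enforce the character whitelist, append the one allowed extension and confirm the resolved path is still inside the base directory. It also reproduces the CWE-182 failure the text describes, where removing ../ once from .../...// still yields ../. PAGES_DIR, PAGE_EXT, the round cap and the candidate inputs are assumptions. Two caveats for PHP deployments: the directive that governs include/require of URL wrappers since PHP 5.2 is allow_url_include (off by default), so setting allow_url_fopen alone as the last mitigation suggests does not by itself stop remote inclusion in those versions; and the "PHP 6" that the Environment Hardening mitigation recommends was never released (PHP 5.6 was followed by 7.0).

```python
import os
import re
import urllib.parse

# Added example (not CWE text). Illustrative Python stand-in for a PHP
# include(): the request chooses which page module to load from PAGES_DIR.
# All names and limits here are hypothetical.
PAGES_DIR = "/srv/app/pages"
PAGE_EXT = ".php"
MAX_DECODE_ROUNDS = 3
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class IncludeRejected(ValueError):
    """Raised for any value that must not reach include/require."""


def canonicalize(value: str) -> str:
    """Percent-decode until the value stops changing (fixed point), so a
    doubly-encoded '..%252f' cannot pass a check and decode later (CWE-174).
    The round cap keeps adversarial input from looping."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise IncludeRejected("still decoding after %d rounds" % MAX_DECODE_ROUNDS)


def strip_traversal_once(value: str) -> str:
    """The filtering approach the mitigation text warns against (CWE-182):
    one pass of removing '../' from '.../...//' leaves '../' behind."""
    return value.replace("../", "")


def resolve_include(user_value: str, base_dir: str = PAGES_DIR) -> str:
    """Return the absolute path include() may load, or raise IncludeRejected.
    Order matters: canonicalize first, then validate the canonical form."""
    name = canonicalize(user_value)
    if "\0" in name:
        raise IncludeRejected("NUL byte (the classic %00 truncation vector)")
    if "://" in name or name.startswith("//") or name.lower().startswith(("php:", "data:", "expect:")):
        raise IncludeRejected("URL or stream wrapper (remote inclusion)")
    if "/" in name or "\\" in name or ".." in name:
        raise IncludeRejected("path separator or traversal (local inclusion)")
    if not _SAFE_NAME.match(name):
        raise IncludeRejected("character outside the whitelist")
    # The allowed extension is appended by the server, never taken from input.
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name + PAGE_EXT))
    # Defence in depth: the resolved path must still be inside the base dir.
    if os.path.commonpath([base, path]) != base:
        raise IncludeRejected("resolved outside %s" % base)
    return path


def rejection_reason(user_value: str):
    """None when accepted, otherwise the reason text (used by the checks)."""
    try:
        resolve_include(user_value)
    except IncludeRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed candidates: one legitimate page name and typical RFI/LFI vectors.
    for candidate in ("about", "http://evil.example/shell.txt", "..%252f..%252fetc/passwd",
                      "about%00.jpg", "php://filter/convert.base64-encode/resource=config"):
        print(repr(candidate), "->", rejection_reason(candidate) or resolve_include(candidate))
    print(repr(strip_traversal_once(".../...//")))   # '../'
```

The whitelist regex is the real gate; the earlier named checks only exist so that rejections are logged with a useful reason. Where the set of pages is fixed, replacing the name entirely with a numeric ID looked up in a server-side table (the Enforcement by Conversion mitigation) removes the need for most of this code.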
99,"Improper Control of Resource Identifiers ('Resource Injection')",Base,Draft,"The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.","A resource injection issue occurs when the following two conditions are met: An attacker can specify the identifier used to access a system resource. For example, an attacker might be able to specify part of the name of a file to be opened or a port number to be used. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file, run with a configuration controlled by the attacker, or transmit sensitive information to a third-party server. This may enable an attacker to access or modify otherwise protected system resources.","::NATURE:ChildOf:CWE ID:74:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:699:ORDINAL:Primary::NATURE:ChildOf:CWE ID:74:VIEW ID:1003:ORDINAL:Primary::NATURE:PeerOf:CWE ID:706:VIEW ID:1000::NATURE:CanAlsoBe:CWE ID:73:VIEW ID:1000::","::ORDINALITY:Primary:DESCRIPTION:::",":::LANGUAGE CLASS:Language-Independent:LANGUAGE PREVALENCE:Undetermined::","","::TERM:Insecure Direct Object Reference:DESCRIPTION:OWASP uses this term, although it is effectively the same as resource injection.::",":::PHASE:Architecture and Design:DESCRIPTION::::PHASE:Implementation:DESCRIPTION:::","",,"::SCOPE:Confidentiality:SCOPE:Integrity:TECHNICAL IMPACT:Read Application Data Modify Application Data Read Files or Directories Modify Files or Directories:NOTE:Confidentiality Integrity Read Application Data Modify Application Data Read Files or Directories Modify Files or Directories An attacker could gain access to or modify sensitive data or system resources. 
This could allow access to protected files or directories including configuration files and files containing sensitive information.::","","::PHASE:Implementation:STRATEGY:Input Validation:EFFECTIVENESS::DESCRIPTION:Assume all input is malicious. Use an accept known good input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, boat may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as red or blue. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.::","","","","TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Resource Injection::::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP24:ENTRY NAME:Tainted input to command::","::10::240::75::","TYPE:Relationship:NOTE:Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73).::::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. 
CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::::TYPE:Other:NOTE:A resource injection issue occurs when the following two conditions are met: An attacker can specify the identifier used to access a system resource. For example, an attacker might be able to specify part of the name of a file to be opened or a port number to be used. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file, run with a configuration controlled by the attacker, or transmit sensitive information to a third-party server. Note: Resource injection that involves resources stored on the filesystem goes by the name path manipulation and is reported in a separate category. See the path manipulation description for further details of this vulnerability.::",
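CWE-99 is defined by the attacker being able to name the resource (a file, a port, a configuration) that the program then uses, and the OWASP term for it, Insecure Direct Object Reference, points at the standard fix: never let the client name the resource directly. The CWE-98 entry above cites the ESAPI AccessReferenceMap (REF-185) for this. As an added example that is neither CWE text nor ESAPI code, the Python class below is a self-contained implementation of that pattern: the server registers the resources a session may use, hands out random indirect references, and translates them back on request, refusing anything it did not issue. The report path, the database endpoint and the token length are assumptions.

```python
import secrets

# Added example (not CWE or ESAPI code): a per-session indirect reference map
# in the spirit of the ESAPI AccessReferenceMap cited under CWE-98 (REF-185).
# Resources named here are hypothetical.


class AccessReferenceMap:
    """Maps random, unguessable indirect references (what the client sees) to
    direct resource identifiers (what the code uses). The client can only
    name resources the server put in the map for this session, so a forged
    identifier such as another user's file or an internal port never reaches
    open() or connect()."""

    def __init__(self, direct_refs=(), token_bytes: int = 16):
        self._token_bytes = token_bytes
        self._to_direct = {}
        self._to_indirect = {}
        for ref in direct_refs:
            self.add(ref)

    def add(self, direct):
        """Register a resource the current session is allowed to use; the same
        resource always gets the same reference within one session."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        while True:
            indirect = secrets.token_urlsafe(self._token_bytes)
            if indirect not in self._to_direct:
                break
        self._to_direct[indirect] = direct
        self._to_indirect[direct] = indirect
        return indirect

    def get_indirect(self, direct):
        """Reference to embed in links or forms for a registered resource."""
        return self._to_indirect[direct]

    def get_direct(self, indirect):
        """Translate a client-supplied reference; anything not issued by this
        map is refused rather than passed through as a resource name."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise PermissionError("reference not issued to this session") from None

    def remove(self, direct):
        indirect = self._to_indirect.pop(direct)
        del self._to_direct[indirect]


def build_session_map() -> AccessReferenceMap:
    """Constructed session: the user may download one report and reach one
    database endpoint (host, port). Everything else is out of scope."""
    return AccessReferenceMap([
        "/srv/reports/alice/q1.pdf",
        ("db.internal", 5432),
    ])


def open_report(arm: AccessReferenceMap, client_ref: str) -> str:
    """Resolve the client's reference to a file path; a real handler would
    open it. A reference that resolves to a non-file resource is refused."""
    direct = arm.get_direct(client_ref)
    if not isinstance(direct, str):
        raise PermissionError("reference is not a file")
    return direct


def is_refused(arm: AccessReferenceMap, client_ref: str) -> bool:
    """True when open_report rejects the reference (used by the checks)."""
    try:
        open_report(arm, client_ref)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    arm = build_session_map()
    ref = arm.get_indirect("/srv/reports/alice/q1.pdf")
    print(ref, "->", open_report(arm, ref))
    print(is_refused(arm, "/srv/reports/bob/q1.pdf"))    # True: raw paths are never accepted
    print(is_refused(arm, "/srv/reports/alice/q1.pdf"))  # True: even the real path is not a reference
```

The map must be bound to the authenticated session (or regenerated per request from the user's entitlements), since a reference that is valid across users would just be a new kind of direct object reference. Where the references only need to be stable rather than secret, a fixed table of numeric IDs checked against the user's permissions gives the same protection with less state.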