CWE-884: CWE Cross-section

ID CWE-884
Type Explicit
Status Incomplete
This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

Relationships

Type ID Name Abstraction Structure Status
Weakness CWE-14 Compiler Removal of Code to Clear Buffers Variant Simple Draft
Weakness CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Base Simple Stable
Weakness CWE-23 Relative Path Traversal Base Simple Draft
Weakness CWE-36 Absolute Path Traversal Base Simple Draft
Weakness CWE-41 Improper Resolution of Path Equivalence Base Simple Incomplete
Weakness CWE-59 Improper Link Resolution Before File Access ('Link Following') Base Simple Draft
Weakness CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Base Simple Stable
Weakness CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Base Simple Stable
Weakness CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Base Simple Draft
Weakness CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Base Simple Stable
Weakness CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') Base Simple Draft
Weakness CWE-94 Improper Control of Generation of Code ('Code Injection') Base Simple Draft
Weakness CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') Variant Simple Incomplete
Weakness CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') Base Simple Draft
Weakness CWE-99 Improper Control of Resource Identifiers ('Resource Injection') Class Simple Draft
Weakness CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') Variant Simple Incomplete
Weakness CWE-117 Improper Output Neutralization for Logs Base Simple Draft
Weakness CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Base Simple Incomplete
Weakness CWE-129 Improper Validation of Array Index Variant Simple Draft
Weakness CWE-131 Incorrect Calculation of Buffer Size Base Simple Draft
Weakness CWE-134 Use of Externally-Controlled Format String Base Simple Draft
Weakness CWE-135 Incorrect Calculation of Multi-Byte String Length Base Simple Draft
Weakness CWE-170 Improper Null Termination Base Simple Incomplete
Weakness CWE-173 Improper Handling of Alternate Encoding Variant Simple Draft
Weakness CWE-174 Double Decoding of the Same Data Variant Simple Draft
Weakness CWE-175 Improper Handling of Mixed Encoding Variant Simple Draft
Weakness CWE-179 Incorrect Behavior Order: Early Validation Base Simple Incomplete
Weakness CWE-185 Incorrect Regular Expression Class Simple Draft
Weakness CWE-190 Integer Overflow or Wraparound Base Simple Stable
Weakness CWE-191 Integer Underflow (Wrap or Wraparound) Base Simple Draft
Weakness CWE-193 Off-by-one Error Base Simple Draft
Weakness CWE-203 Observable Discrepancy Base Simple Incomplete
Weakness CWE-209 Generation of Error Message Containing Sensitive Information Base Simple Draft
Weakness CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer Base Simple Incomplete
Weakness CWE-222 Truncation of Security-relevant Information Base Simple Draft
Weakness CWE-223 Omission of Security-relevant Information Base Simple Draft
Weakness CWE-228 Improper Handling of Syntactically Invalid Structure Class Simple Incomplete
Weakness CWE-244 Improper Clearing of Heap Memory Before Release ('Heap Inspection') Variant Simple Draft
Weakness CWE-248 Uncaught Exception Base Simple Draft
Weakness CWE-250 Execution with Unnecessary Privileges Base Simple Draft
Weakness CWE-252 Unchecked Return Value Base Simple Draft
Weakness CWE-253 Incorrect Check of Function Return Value Base Simple Incomplete
Weakness CWE-262 Not Using Password Aging Base Simple Draft
Weakness CWE-263 Password Aging with Long Expiration Base Simple Draft
Weakness CWE-266 Incorrect Privilege Assignment Base Simple Draft
Weakness CWE-267 Privilege Defined With Unsafe Actions Base Simple Incomplete
Weakness CWE-268 Privilege Chaining Base Simple Draft
Weakness CWE-270 Privilege Context Switching Error Base Simple Draft
Weakness CWE-271 Privilege Dropping / Lowering Errors Class Simple Incomplete
Weakness CWE-273 Improper Check for Dropped Privileges Base Simple Incomplete
Weakness CWE-283 Unverified Ownership Base Simple Draft
Weakness CWE-290 Authentication Bypass by Spoofing Base Simple Incomplete
Weakness CWE-294 Authentication Bypass by Capture-replay Base Simple Incomplete
Weakness CWE-296 Improper Following of a Certificate's Chain of Trust Base Simple Draft
Weakness CWE-299 Improper Check for Certificate Revocation Base Simple Draft
Weakness CWE-300 Channel Accessible by Non-Endpoint Class Simple Draft
Weakness CWE-301 Reflection Attack in an Authentication Protocol Base Simple Draft
Weakness CWE-304 Missing Critical Step in Authentication Base Simple Draft
Weakness CWE-306 Missing Authentication for Critical Function Base Simple Draft
Weakness CWE-307 Improper Restriction of Excessive Authentication Attempts Base Simple Draft
Weakness CWE-308 Use of Single-factor Authentication Base Simple Draft
Weakness CWE-312 Cleartext Storage of Sensitive Information Base Simple Draft
Weakness CWE-319 Cleartext Transmission of Sensitive Information Base Simple Draft
Weakness CWE-322 Key Exchange without Entity Authentication Base Simple Draft
Weakness CWE-323 Reusing a Nonce, Key Pair in Encryption Base Simple Incomplete
Weakness CWE-325 Missing Cryptographic Step Base Simple Draft
Weakness CWE-327 Use of a Broken or Risky Cryptographic Algorithm Class Simple Draft
Weakness CWE-331 Insufficient Entropy Base Simple Draft
Weakness CWE-334 Small Space of Random Values Base Simple Draft
Weakness CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) Base Simple Draft
Weakness CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Base Simple Draft
Weakness CWE-341 Predictable from Observable State Base Simple Draft
Weakness CWE-347 Improper Verification of Cryptographic Signature Base Simple Draft
Weakness CWE-348 Use of Less Trusted Source Base Simple Draft
Weakness CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data Base Simple Draft
Weakness CWE-352 Cross-Site Request Forgery (CSRF) Compound Composite Stable
Weakness CWE-353 Missing Support for Integrity Check Base Simple Draft
Weakness CWE-354 Improper Validation of Integrity Check Value Base Simple Draft
Weakness CWE-364 Signal Handler Race Condition Base Simple Incomplete
Weakness CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition Base Simple Incomplete
Weakness CWE-369 Divide By Zero Base Simple Draft
Weakness CWE-390 Detection of Error Condition Without Action Base Simple Draft
Weakness CWE-392 Missing Report of Error Condition Base Simple Draft
Weakness CWE-393 Return of Wrong Status Code Base Simple Draft
Weakness CWE-400 Uncontrolled Resource Consumption Class Simple Draft
Weakness CWE-406 Insufficient Control of Network Message Volume (Network Amplification) Class Simple Incomplete
Weakness CWE-407 Inefficient Algorithmic Complexity Class Simple Incomplete
Weakness CWE-408 Incorrect Behavior Order: Early Amplification Base Simple Draft
Weakness CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) Base Simple Incomplete
Weakness CWE-434 Unrestricted Upload of File with Dangerous Type Base Simple Draft
Weakness CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') Base Simple Incomplete
Weakness CWE-451 User Interface (UI) Misrepresentation of Critical Information Class Simple Draft
Weakness CWE-453 Insecure Default Variable Initialization Variant Simple Draft
Weakness CWE-454 External Initialization of Trusted Variables or Data Stores Base Simple Draft
Weakness CWE-455 Non-exit on Failed Initialization Base Simple Draft
Weakness CWE-456 Missing Initialization of a Variable Variant Simple Draft
Weakness CWE-467 Use of sizeof() on a Pointer Type Variant Simple Draft
Weakness CWE-468 Incorrect Pointer Scaling Base Simple Incomplete
Weakness CWE-469 Use of Pointer Subtraction to Determine Size Base Simple Draft
Weakness CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') Base Simple Draft
Weakness CWE-476 NULL Pointer Dereference Base Simple Stable
Weakness CWE-478 Missing Default Case in Multiple Condition Expression Base Simple Draft
Weakness CWE-480 Use of Incorrect Operator Base Simple Draft
Weakness CWE-483 Incorrect Block Delimitation Base Simple Draft
Weakness CWE-484 Omitted Break Statement in Switch Base Simple Draft
Weakness CWE-486 Comparison of Classes by Name Variant Simple Draft
Weakness CWE-494 Download of Code Without Integrity Check Base Simple Draft
Weakness CWE-495 Private Data Structure Returned From A Public Method Variant Simple Draft
Weakness CWE-496 Public Data Assigned to Private Array-Typed Field Variant Simple Incomplete
Weakness CWE-498 Cloneable Class Containing Sensitive Information Variant Simple Draft
Weakness CWE-499 Serializable Class Containing Sensitive Data Variant Simple Draft
Weakness CWE-502 Deserialization of Untrusted Data Base Simple Draft
Weakness CWE-521 Weak Password Requirements Base Simple Draft
Weakness CWE-522 Insufficiently Protected Credentials Class Simple Incomplete
Weakness CWE-546 Suspicious Comment Variant Simple Draft
Weakness CWE-547 Use of Hard-coded, Security-relevant Constants Base Simple Draft
Weakness CWE-561 Dead Code Base Simple Draft
Weakness CWE-563 Assignment to Variable without Use Base Simple Draft
Weakness CWE-567 Unsynchronized Access to Shared Data in a Multithreaded Context Base Simple Draft
Weakness CWE-587 Assignment of a Fixed Address to a Pointer Variant Simple Draft
Weakness CWE-595 Comparison of Object References Instead of Object Contents Variant Simple Incomplete
Weakness CWE-601 URL Redirection to Untrusted Site ('Open Redirect') Base Simple Draft
Weakness CWE-602 Client-Side Enforcement of Server-Side Security Class Simple Draft
Weakness CWE-605 Multiple Binds to the Same Port Variant Simple Draft
Weakness CWE-617 Reachable Assertion Base Simple Draft
Weakness CWE-621 Variable Extraction Error Variant Simple Incomplete
Weakness CWE-627 Dynamic Variable Evaluation Variant Simple Incomplete
Weakness CWE-628 Function Call with Incorrectly Specified Arguments Base Simple Draft
Weakness CWE-642 External Control of Critical State Data Class Simple Draft
Weakness CWE-648 Incorrect Use of Privileged APIs Base Simple Incomplete
Weakness CWE-667 Improper Locking Class Simple Draft
Weakness CWE-672 Operation on a Resource after Expiration or Release Class Simple Draft
Weakness CWE-674 Uncontrolled Recursion Class Simple Draft
Weakness CWE-676 Use of Potentially Dangerous Function Base Simple Draft
Weakness CWE-681 Incorrect Conversion between Numeric Types Base Simple Draft
Weakness CWE-698 Execution After Redirect (EAR) Base Simple Incomplete
Weakness CWE-708 Incorrect Ownership Assignment Base Simple Incomplete
Weakness CWE-732 Incorrect Permission Assignment for Critical Resource Class Simple Draft
Weakness CWE-756 Missing Custom Error Page Base Simple Incomplete
Weakness CWE-763 Release of Invalid Pointer or Reference Base Simple Incomplete
Weakness CWE-770 Allocation of Resources Without Limits or Throttling Base Simple Incomplete
Weakness CWE-772 Missing Release of Resource after Effective Lifetime Base Simple Draft
Weakness CWE-783 Operator Precedence Logic Error Base Simple Draft
Weakness CWE-786 Access of Memory Location Before Start of Buffer Base Simple Incomplete
Weakness CWE-788 Access of Memory Location After End of Buffer Base Simple Incomplete
Weakness CWE-798 Use of Hard-coded Credentials Base Simple Draft
Weakness CWE-805 Buffer Access with Incorrect Length Value Base Simple Incomplete
Weakness CWE-807 Reliance on Untrusted Inputs in a Security Decision Base Simple Incomplete
Weakness CWE-822 Untrusted Pointer Dereference Base Simple Incomplete
Weakness CWE-825 Expired Pointer Dereference Base Simple Incomplete
Weakness CWE-829 Inclusion of Functionality from Untrusted Control Sphere Base Simple Incomplete
Weakness CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') Base Simple Incomplete
Weakness CWE-838 Inappropriate Encoding for Output Context Base Simple Incomplete
Weakness CWE-839 Numeric Range Comparison Without Minimum Check Base Simple Incomplete
Weakness CWE-841 Improper Enforcement of Behavioral Workflow Base Simple Incomplete
Weakness CWE-862 Missing Authorization Class Simple Incomplete
Weakness CWE-863 Incorrect Authorization Class Simple Incomplete