Weaknesses
| CWE | Weakness | Description |
|---|---|---|
| CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) | A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized. |
| CWE-564 | SQL Injection: Hibernate | Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands. |
| CWE-1065 | Runtime Resource Management Control Element in a Component Built to Run on Application Servers | The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server. |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | Nonces should be used for the present occasion and only once. |
| CWE-375 | Returning a Mutable Object to an Untrusted Caller | Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function. |
| CWE-393 | Return of Wrong Status Code | A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result. |
| CWE-562 | Return of Stack Variable Address | A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash. |
| CWE-466 | Return of Pointer Value Outside of Expected Range | A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference. |
| CWE-584 | Return Inside Finally Block | The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded. |
| CWE-509 | Replicating Malicious Code (Virus or Worm) | Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product. |
| CWE-1330 | Remanent Data Readable after Memory Erase | Confidential information stored in memory circuits is readable or recoverable after being cleared or erased. |
| CWE-654 | Reliance on a Single Factor in a Security Decision | A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality. |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
| CWE-656 | Reliance on Security Through Obscurity | The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. |
| CWE-1101 | Reliance on Runtime Component in Generated Code | The product uses automatically-generated code that cannot be executed without a specific runtime support component. |
| CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname. |
| CWE-487 | Reliance on Package-level Scope | Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. |
| CWE-649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified. |
| CWE-1102 | Reliance on Machine-Dependent Data Representation | The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components. |