Weaknesses

| CWE | Weakness | Description |
|---|---|---|
| CWE-1357 | Reliance on Insufficiently Trustworthy Component | The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability. |
| CWE-291 | Reliance on IP Address for Authentication | The product uses an IP address for authentication. |
| CWE-1428 | Reliance on HTTP instead of HTTPS | The product provides or relies on use of HTTP communications when HTTPS is available. |
| CWE-646 | Reliance on File Name or Extension of Externally-Supplied File | The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion. |
| CWE-188 | Reliance on Data/Memory Layout | The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior. |
| CWE-784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user. |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the cookie is valid for the associated user. |
| CWE-1329 | Reliance on Component That is Not Updateable | The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs. |
| CWE-763 | Release of Invalid Pointer or Reference | The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly. |
| CWE-23 | Relative Path Traversal | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
| CWE-777 | Regular Expression without Anchors | The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through. |
| CWE-301 | Reflection Attack in an Authentication Protocol | Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user. |
| CWE-617 | Reachable Assertion | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
| CWE-366 | Race Condition within a Thread | If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined. |
| CWE-1223 | Race Condition for Write-Once Attributes | A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue. |
| CWE-363 | Race Condition Enabling Link Following | The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file. |
| CWE-421 | Race Condition During Access to Alternate Channel | The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors. |
| CWE-491 | Public cloneable() Method Without Final ('Object Hijack') | A class implements Cloneable and exposes a public clone() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state. |
| CWE-607 | Public Static Final Field References Mutable Object | A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package. |
| CWE-500 | Public Static Field Not Marked Final | An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways. |
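CWE-784 and CWE-565 above both concern trusting the existence or value of a cookie. The following added example (not from the CWE page) shows the vulnerable pattern, a role read straight from a client-controlled cookie, beside a hardened one: an HMAC-signed cookie whose claims are verified in constant time, checked for expiry, and bound to the user the request was otherwise authenticated as. SECRET, the cookie layout and all function names are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-key-replace-with-random-32-bytes"   # constructed for the example


def vulnerable_is_admin(cookies: dict) -> bool:
    """Vulnerable: the 'role' cookie is whatever the client chose to send."""
    return cookies.get("role") == "admin"


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_session_cookie(user_id: str, role: str, ttl: int = 3600, now=None) -> str:
    """Server side: payload.signature, where the MAC covers user, role and expiry."""
    now = int(time.time()) if now is None else now
    claims = {"uid": user_id, "role": role, "exp": now + ttl}
    payload = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64e(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig


def verify_session_cookie(cookie: str, now=None):
    """Return the claims dict if the signature is valid and unexpired, else None."""
    try:
        payload, sig = cookie.split(".", 1)
    except ValueError:
        return None
    expected = _b64e(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):      # constant-time comparison
        return None
    try:
        claims = json.loads(_b64d(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def hardened_is_admin(cookies: dict, authenticated_uid: str, now=None) -> bool:
    """The role is taken only from a verified cookie, and that cookie must belong
    to the user this request has been authenticated as (CWE-784's 'valid for the
    associated user')."""
    claims = verify_session_cookie(cookies.get("session", ""), now=now)
    return (claims is not None
            and claims.get("uid") == authenticated_uid
            and claims.get("role") == "admin")


def tamper(cookie: str, **changes) -> str:
    """Attacker edits the payload without knowing SECRET; the signature is reused."""
    payload, sig = cookie.split(".", 1)
    claims = json.loads(_b64d(payload))
    claims.update(changes)
    return _b64e(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig
```

Signing gives integrity, not confidentiality: anything in the payload is readable by the client, so it should carry identifiers and claims, never secrets. Expiry and a server-side revocation list are what bound the damage from a stolen cookie; the MAC alone does not.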
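For CWE-23 above, the following is an added example (not from the CWE page) of the naive join that lets ".." climb out of the restricted directory, next to a resolve-and-confine check. The base directory and the sample inputs are constructed; the function names are hypothetical.

```python
import os
from pathlib import Path


def vulnerable_resolve(base: str, user_path: str) -> str:
    """Vulnerable: join-then-normalize lets '..' segments climb out of base."""
    return os.path.normpath(os.path.join(base, user_path))


def safe_resolve(base: str, user_path: str) -> Path:
    """Hardened: reject absolute paths and NUL bytes, resolve '..' and symlinks,
    then require the result to be base itself or a descendant of base.
    Raises ValueError for anything else."""
    if os.path.isabs(user_path) or "\x00" in user_path:
        raise ValueError("absolute path or NUL byte in user-supplied path")
    base_real = Path(base).resolve()
    candidate = (base_real / user_path).resolve()
    try:
        candidate.relative_to(base_real)   # ValueError if candidate is not inside base
    except ValueError:
        raise ValueError("path escapes the restricted directory: %r" % user_path)
    return candidate


def confined_relative(base: str, user_path: str) -> str:
    """The accepted path expressed relative to base (useful for logging and tests)."""
    return safe_resolve(base, user_path).relative_to(Path(base).resolve()).as_posix()


def is_confined(base: str, user_path: str) -> bool:
    try:
        safe_resolve(base, user_path)
        return True
    except ValueError:
        return False
```

Two caveats a practitioner would add. The check must run on the fully decoded input (one URL-decoding pass, done before the call, never after it), otherwise an encoded "%2e%2e/" slips past as a literal directory name and is decoded later by something else. And because resolve() follows symlinks, the check also rejects a link inside base that points outside it, but the filesystem can still change between this check and the eventual open, which is the separate race covered by CWE-363.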
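CWE-777 above is easiest to see in input validation. This added example (not from the CWE page) shows three versions of a username check: one with no end anchor, one anchored with "^...$" that still passes a trailing newline because "$" matches before a final newline in Python's re module, and one using fullmatch. The pattern and inputs are constructed for the illustration.

```python
import re

USERNAME = r"[A-Za-z0-9_]{1,32}"   # constructed allowlist for the example


def vulnerable_valid_username(s: str) -> bool:
    """Vulnerable: re.match anchors only at the start, so any valid prefix passes."""
    return re.match(USERNAME, s) is not None


def also_vulnerable_valid_username(s: str) -> bool:
    """Still vulnerable: '$' matches before a trailing newline, so 'alice\\n' passes
    and may later be split on line boundaries by a downstream parser."""
    return re.match("^" + USERNAME + "$", s) is not None


def hardened_valid_username(s: str) -> bool:
    """Hardened: fullmatch requires the entire string to match the pattern."""
    return re.fullmatch(USERNAME, s) is not None


def hardened_valid_username_explicit(s: str) -> bool:
    """Equivalent with explicit absolute anchors; \\Z, unlike $, never matches
    before a trailing newline."""
    return re.search(r"\A" + USERNAME + r"\Z", s) is not None
```

The same mistake appears in deny-list "neutralization" regexes: a pattern that is not anchored to the whole field only guarantees that the matched portion is clean, not the field.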
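The CWE-301 entry above describes the reflection attack only in a sentence. The following added example (not from the CWE page) simulates a symmetric-key challenge-response protocol with both sides' messages: in the vulnerable design the server answers challenges with the same MAC(K, nonce) it expects from clients, so an attacker with no key opens a second session, feeds the server its own challenge and replays the answer. The fix shown here tags the MAC input with the responder's role; the key, the Server class and all names are constructed for the illustration.

```python
import hashlib
import hmac
import os

KEY = b"shared-secret-for-the-demo"   # constructed; real deployments use a random per-peer key


class Server:
    """Challenge-response verifier. With tag_roles=False the same MAC(K, nonce) is
    used whichever side is answering: the vulnerable design."""

    def __init__(self, key: bytes, tag_roles: bool):
        self.key = key
        self.tag_roles = tag_roles
        self.pending = {}          # session id -> nonce the server issued
        self.authenticated = set()
        self._next_sid = 0

    def _mac(self, role: bytes, nonce: bytes) -> bytes:
        data = (role + b"|" + nonce) if self.tag_roles else nonce
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def begin(self):
        """Start a session. Server -> client: (sid, nonce)."""
        self._next_sid += 1
        nonce = os.urandom(16)
        self.pending[self._next_sid] = nonce
        return self._next_sid, nonce

    def answer_challenge(self, sid: int, client_nonce: bytes) -> bytes:
        """Mutual-authentication leg. Client -> server: nonce; server -> client: MAC.
        The vulnerable server answers even in a session that has not authenticated."""
        return self._mac(b"server", client_nonce)

    def finish(self, sid: int, response: bytes) -> bool:
        """Client -> server: MAC over the server's nonce. True if accepted."""
        nonce = self.pending.pop(sid, None)
        if nonce is None:
            return False
        ok = hmac.compare_digest(self._mac(b"client", nonce), response)
        if ok:
            self.authenticated.add(sid)
        return ok


def honest_client(server: Server, key: bytes) -> bool:
    """A legitimate client that knows the key."""
    sid, nonce = server.begin()
    data = (b"client|" + nonce) if server.tag_roles else nonce
    return server.finish(sid, hmac.new(key, data, hashlib.sha256).digest())


def reflection_attack(server: Server) -> bool:
    """Attacker without the key: receive n1 in session 1, open session 2 and ask the
    server to answer n1 as if it were the attacker's challenge, then replay that
    answer into session 1."""
    sid1, n1 = server.begin()
    sid2, _unused = server.begin()
    reflected = server.answer_challenge(sid2, n1)
    return server.finish(sid1, reflected)
```

Role tagging is one of several equivalent fixes; others are separate keys per direction, or refusing to answer a client's challenge until the client has authenticated in that session. The common thread is that a message the server produces must never be acceptable as a message the client is supposed to produce.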
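For CWE-363 above, the following added example (not from the CWE page) stages the post-race state in a temporary directory: the name that passed the isfile() check has been replaced by a symlink to a file the program must not read. The vulnerable reader follows it; the hardened reader opens with O_NOFOLLOW and validates the opened descriptor with fstat, so check and use refer to the same object. It assumes a POSIX system; the file names are constructed.

```python
import errno
import os
import stat
import tempfile


def vulnerable_read(path: str) -> bytes:
    """Vulnerable: isfile() and open() are two separate lookups of the same name.
    Both follow symlinks, so a name swapped for a symlink between the two calls
    is read as if it were the file that was checked."""
    if not os.path.isfile(path):
        raise ValueError("not a regular file")
    with open(path, "rb") as f:
        return f.read()


def hardened_read(path: str) -> bytes:
    """Hardened: open without following a symlink in the final path component,
    then check the *opened* descriptor rather than the name."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise ValueError("not a regular file")
        f = os.fdopen(fd, "rb")          # fdopen now owns the descriptor
    except Exception:
        os.close(fd)
        raise
    with f:
        return f.read()


def demo() -> dict:
    """Constructed scenario: 'report.txt' has already been replaced by a symlink
    to 'secret.txt' by the time the program reads it."""
    d = tempfile.mkdtemp()
    secret = os.path.join(d, "secret.txt")
    report = os.path.join(d, "report.txt")
    with open(secret, "wb") as f:
        f.write(b"TOP SECRET")
    os.symlink(secret, report)            # the attacker's swap
    out = {"vulnerable": vulnerable_read(report)}
    try:
        hardened_read(report)
        out["hardened"] = "opened"
    except OSError as e:
        # ELOOP: the kernel refused to follow the symlink
        out["hardened"] = "refused" if e.errno == errno.ELOOP else e.errno
    out["hardened_on_real_file"] = hardened_read(secret)
    return out
```

O_NOFOLLOW protects only the last path component; symlinks in intermediate directories are still followed. Where an attacker can write to those directories, open each component with openat() and O_NOFOLLOW in turn, or use Linux openat2() with RESOLVE_NO_SYMLINKS or RESOLVE_BENEATH.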