Search
Weaknesses
| CWE | Weakness | Actions |
|---|---|---|
| CWE-1291 |
Public Key Re-Use for Signing both Debug and Production Code
The same public key is used for signing both debug and production code. |
|
| CWE-496 |
Public Data Assigned to Private Array-Typed Field
Assigning public data to a private array is equivalent to giving public access to the array. |
|
| CWE-693 |
Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
|
| CWE-356 |
Product UI does not Warn User of Unsafe Actions
The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system. |
|
| CWE-1269 |
Product Released in Non-Release Configuration
The product released to market is released in pre-production or manufacturing configuration. |
|
| CWE-1037 |
Processor Optimization Removal or Modification of Security-critical Code
The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified. |
|
| CWE-114 |
Process Control
Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker. |
|
| CWE-271 |
Privilege Dropping / Lowering Errors
The product does not drop privileges before passing control of a resource to an actor that does not have those privileges. |
|
| CWE-267 |
Privilege Defined With Unsafe Actions
A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity. |
|
| CWE-270 |
Privilege Context Switching Error
The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control. |
|
| CWE-268 |
Privilege Chaining
Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination. |
|
| CWE-495 |
Private Data Structure Returned From A Public Method
The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways. |
|
| CWE-826 |
Premature Release of Resource During Expected Lifetime
The product releases a resource that is still intended to be used by itself or another actor. |
|
| CWE-341 |
Predictable from Observable State
A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc. |
|
| CWE-343 |
Predictable Value Range from Previous Values
The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated. |
|
| CWE-337 |
Predictable Seed in Pseudo-Random Number Generator (PRNG)
A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. |
|
| CWE-342 |
Predictable Exact Value from Previous Values
An exact value or random number can be precisely predicted by observing previous values. |
|
| CWE-1193 |
Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled. |
|
| CWE-1267 |
Policy Uses Obsolete Encoding
The product uses an obsolete encoding mechanism to implement access controls. |
|
| CWE-1268 |
Policy Privileges are not Assigned Consistently Between Control and Data Agents
The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies. |