Weaknesses
| CWE | Weakness |
|---|---|
| CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control<br>The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface. |
| CWE-484 | Omitted Break Statement in Switch<br>The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition. |
| CWE-223 | Omission of Security-relevant Information<br>The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe. |
| CWE-193 | Off-by-one Error<br>A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |
| CWE-448 | Obsolete Feature in UI<br>A UI function is obsolete and the product does not warn the user. |
| CWE-208 | Observable Timing Discrepancy<br>Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
| CWE-204 | Observable Response Discrepancy<br>The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
| CWE-206 | Observable Internal Behavioral Discrepancy<br>The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points. |
| CWE-203 | Observable Discrepancy<br>The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor. |
| CWE-207 | Observable Behavioral Discrepancy With Equivalent Products<br>The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker. |
| CWE-205 | Observable Behavioral Discrepancy<br>The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality. |
| CWE-224 | Obscured Security-relevant Information by Alternate Name<br>The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name. |
| CWE-581 | Object Model Violation: Just One of Equals and Hashcode Defined<br>The product does not maintain equal hashcodes for equal objects. |
| CWE-197 | Numeric Truncation Error<br>Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. |
| CWE-839 | Numeric Range Comparison Without Minimum Check<br>The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum. |
| CWE-626 | Null Byte Interaction Error (Poison Null Byte)<br>The product does not properly handle null bytes or NUL characters when passing data between different representations or components. |
| CWE-262 | Not Using Password Aging<br>The product does not have a mechanism in place for managing password aging. |
| CWE-638 | Not Using Complete Mediation<br>The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time. |
| CWE-636 | Not Failing Securely ('Failing Open')<br>When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. |
| CWE-455 | Non-exit on Failed Initialization<br>The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator. |