Weaknesses

CWE-272 Least Privilege Violation
The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
CWE-1089 Large Data Table with Excessive Number of Indices
The product uses a large data table that contains an excessively large number of indices.
CWE-671 Lack of Administrator Control over Security
The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
CWE-322 Key Exchange without Entity Authentication
The product performs a key exchange with an actor without verifying the identity of that actor.
CWE-537 Java Runtime Error Message Containing Sensitive Information
In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.
CWE-9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.
CWE-555 J2EE Misconfiguration: Plaintext Password in Configuration File
The J2EE application stores a plaintext password in a configuration file.
CWE-7 J2EE Misconfiguration: Missing Custom Error Page
The default error page of a web application should not display sensitive information about the product.
CWE-6 J2EE Misconfiguration: Insufficient Session-ID Length
The J2EE application is configured to use an insufficient session ID length.
CWE-8 J2EE Misconfiguration: Entity Bean Declared Remote
When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.
CWE-5 J2EE Misconfiguration: Data Transmission Without Encryption
Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
CWE-594 J2EE Framework: Saving Unserializable Objects to Disk
When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.
CWE-382 J2EE Bad Practices: Use of System.exit()
A J2EE application uses System.exit(), which also shuts down its container.
CWE-579 J2EE Bad Practices: Non-serializable Object Stored in Session
The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.
CWE-383 J2EE Bad Practices: Direct Use of Threads
Thread management in a Web application is forbidden in some circumstances and is always highly error prone.
CWE-246 J2EE Bad Practices: Direct Use of Sockets
The J2EE application directly uses sockets instead of using framework method calls.
CWE-245 J2EE Bad Practices: Direct Management of Connections
The J2EE application directly manages connections, instead of using the container's connection management facilities.
CWE-1164 Irrelevant Code
The product contains code that is not essential for execution, i.e. it makes no state changes and has no side effects that alter data or control flow, such that removing the code would have no impact on functionality or correctness.
CWE-1056 Invokable Control Element with Variadic Parameters
A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.
CWE-1064 Invokable Control Element with Signature Containing an Excessive Number of Parameters
The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.