Weaknesses
| CWE | Weakness | Description |
|---|---|---|
| CWE-613 | Insufficient Session Expiration | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
| CWE-410 | Insufficient Resource Pool | The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources. |
| CWE-655 | Insufficient Psychological Acceptability | The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose. |
| CWE-1339 | Insufficient Precision or Accuracy of a Real Number | The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result. |
| CWE-778 | Insufficient Logging | When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. |
| CWE-1100 | Insufficient Isolation of System-Dependent Functions | The product or code does not isolate system-dependent functionality into separate standalone modules. |
| CWE-1107 | Insufficient Isolation of Symbolic Constant Definitions | The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location. |
| CWE-1222 | Insufficient Granularity of Address Regions Protected by Register Locks | The product defines a large address region protected from modification by the same register lock control bit. This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process. |
| CWE-1220 | Insufficient Granularity of Access Control | The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. |
| CWE-332 | Insufficient Entropy in PRNG | The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat. |
| CWE-331 | Insufficient Entropy | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
| CWE-1105 | Insufficient Encapsulation of Machine-Dependent Functionality | The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code. |
| CWE-1061 | Insufficient Encapsulation | The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend. |
| CWE-1118 | Insufficient Documentation of Error Handling Techniques | The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms. |
| CWE-406 | Insufficient Control of Network Message Volume (Network Amplification) | The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor. |
| CWE-691 | Insufficient Control Flow Management | The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways. |
| CWE-1076 | Insufficient Adherence to Expected Conventions | The product's architecture, source code, design, documentation, or other artifact does not follow required conventions. |
| CWE-532 | Insertion of Sensitive Information into Log File | The product writes sensitive information to a log file. |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |