Search
Weaknesses
| CWE | Weakness | Actions |
|---|---|---|
| CWE-1256 |
Improper Restriction of Software Interfaces to Hardware Features
The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels. |
|
| CWE-1259 |
Improper Restriction of Security Token Assignment
The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected. |
|
| CWE-1021 |
Improper Restriction of Rendered UI Layers or Frames
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain. |
|
| CWE-776 |
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. |
|
| CWE-920 |
Improper Restriction of Power Consumption
The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes. |
|
| CWE-119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
|
| CWE-641 |
Improper Restriction of Names for Files and Other Resources
The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name. |
|
| CWE-307 |
Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
|
| CWE-923 |
Improper Restriction of Communication Channel to Intended Endpoints
The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. |
|
| CWE-404 |
Improper Resource Shutdown or Release
The product does not release or incorrectly releases a resource before it is made available for re-use. |
|
| CWE-413 |
Improper Resource Locking
The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource. |
|
| CWE-41 |
Improper Resolution of Path Equivalence
The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. |
|
| CWE-212 |
Improper Removal of Sensitive Information Before Storage or Transfer
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. |
|
| CWE-1338 |
Improper Protections Against Hardware Overheating
A hardware device is missing or has inadequate protection features to prevent overheating. |
|
| CWE-1300 |
Improper Protection of Physical Side Channels
The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions. |
|
| CWE-424 |
Improper Protection of Alternate Path
The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources. |
|
| CWE-1320 |
Improper Protection for Outbound Error Messages and Alert Signals
Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts. |
|
| CWE-1319 |
Improper Protection against Electromagnetic Fault Injection (EM-FI)
The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed. |
|
| CWE-1247 |
Improper Protection Against Voltage and Clock Glitches
The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device. |
|
| CWE-269 |
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |