Search
Weaknesses
| CWE | Weakness | Actions |
|---|---|---|
| CWE-831 |
Signal Handler Function Associated with Multiple Signals
The product defines a function that is used as a handler for more than one signal. |
|
| CWE-384 |
Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
|
| CWE-536 |
Servlet Runtime Error Message Containing Sensitive Information
A servlet error message indicates that there exists an unhandled exception in the web application code and may provide useful information to an attacker. |
|
| CWE-550 |
Server-generated Error Message Containing Sensitive Information
Certain conditions, such as network failure, will cause a server error message to be displayed. |
|
| CWE-918 |
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
|
| CWE-1070 |
Serializable Data Element Containing non-Serializable Item Elements
The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable. |
|
| CWE-499 |
Serializable Class Containing Sensitive Data
The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class. |
|
| CWE-1281 |
Sequence of Processor Instructions Leads to Unexpected Behavior
Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed. |
|
| CWE-1243 |
Sensitive Non-Volatile Information Not Protected During Debug
Access to security-sensitive information stored in fuses is not limited during debug. |
|
| CWE-226 |
Sensitive Information in Resource Not Removed Before Reuse
The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. |
|
| CWE-1272 |
Sensitive Information Uncleared Before Debug/Power State Transition
The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions. |
|
| CWE-591 |
Sensitive Data Storage in Improperly Locked Memory
The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors. |
|
| CWE-1275 |
Sensitive Cookie with Improper SameSite Attribute
The SameSite attribute for sensitive cookies is not set, or an insecure value is used. |
|
| CWE-614 |
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The Secure attribute for sensitive cookies in HTTPS sessions is not set. |
|
| CWE-1004 |
Sensitive Cookie Without 'HttpOnly' Flag
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. |
|
| CWE-1248 |
Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
The security-sensitive hardware module contains semiconductor defects. |
|
| CWE-210 |
Self-generated Error Message Containing Sensitive Information
The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. |
|
| CWE-757 |
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. |
|
| CWE-1233 |
Security-Sensitive Hardware Controls with Missing Lock Bit Protection
The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration. |
|
| CWE-1328 |
Security Version Number Mutable to Older Versions
Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions. |