TT 脆弱性 Blog


CWE (まとめ)


CWE-2 7PK - Environment 7PK - 環境
CWE-11 ASP.NET Misconfiguration: Creating Debug Binary
CWE-13 ASP.NET Misconfiguration: Password in Configuration File
CWE-15 External Control of System or Configuration Setting システム構成または設定の外部制御
CWE-16 Configuration 環境設定
CWE-20 Improper Input Validation 不適切な入力確認
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') パス・トラバーサル
CWE-23 Relative Path Traversal 相対パストラバーサル
CWE-35 Path Traversal: '.../...//' パストラバーサル
CWE-59 Improper Link Resolution Before File Access ('Link Following') リンク解釈の問題
CWE-73 External Control of File Name or Path ファイル名やパス名の外部制御
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-83 Improper Neutralization of Script in Attributes in a Web Page
CWE-87 Improper Neutralization of Alternate XSS Syntax
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CWE-91 XML Injection (aka Blind XPath Injection)
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-99 Improper Control of Resource Identifiers ('Resource Injection')
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CWE-116 Improper Encoding or Escaping of Output
CWE-117 Improper Output Neutralization for Logs
CWE-138 Improper Neutralization of Special Elements
CWE-183 Permissive List of Allowed Inputs
CWE-184 Incomplete List of Disallowed Inputs
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-201 Insertion of Sensitive Information Into Sent Data
CWE-205 Observable Behavioral Discrepancy
CWE-209 Generation of Error Message Containing Sensitive Information
CWE-213 Exposure of Sensitive Information Due to Incompatible Policies
CWE-219 Storage of File with Sensitive Data Under Web Root
CWE-223 Omission of Security-relevant Information
CWE-226 Sensitive Information in Resource Not Removed Before Reuse
CWE-235 Improper Handling of Extra Parameters
CWE-255 Credentials Management Errors
CWE-256 Plaintext Storage of a Password
CWE-257 Storing Passwords in a Recoverable Format
CWE-259 Use of Hard-coded Password
CWE-260 Password in Configuration File
CWE-261 Weak Encoding for Password
CWE-264 Permissions, Privileges, and Access Controls
CWE-266 Incorrect Privilege Assignment
CWE-269 Improper Privilege Management
CWE-275 Permission Issues
CWE-276 Incorrect Default Permissions
CWE-280 Improper Handling of Insufficient Permissions or Privileges
CWE-284 Improper Access Control
CWE-285 Improper Authorization
CWE-287 Improper Authentication
CWE-288 Authentication Bypass Using an Alternate Path or Channel
CWE-290 Authentication Bypass by Spoofing
CWE-294 Authentication Bypass by Capture-replay
CWE-295 Improper Certificate Validation
CWE-296 Improper Following of a Certificate's Chain of Trust
CWE-297 Improper Validation of Certificate with Host Mismatch
CWE-300 Channel Accessible by Non-Endpoint
CWE-302 Authentication Bypass by Assumed-Immutable Data
CWE-304 Missing Critical Step in Authentication
CWE-306 Missing Authentication for Critical Function
CWE-307 Improper Restriction of Excessive Authentication Attempts
CWE-310 Cryptographic Issues
CWE-311 Missing Encryption of Sensitive Data
CWE-312 Cleartext Storage of Sensitive Information
CWE-313 Cleartext Storage in a File or on Disk
CWE-315 Cleartext Storage of Sensitive Information in a Cookie
CWE-316 Cleartext Storage of Sensitive Information in Memory
CWE-319 Cleartext Transmission of Sensitive Information
CWE-321 Use of Hard-coded Cryptographic Key
CWE-322 Key Exchange without Entity Authentication
CWE-323 Reusing a Nonce, Key Pair in Encryption
CWE-324 Use of a Key Past its Expiration Date
CWE-325 Missing Cryptographic Step
CWE-326 Inadequate Encryption Strength
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
CWE-328 Use of Weak Hash
CWE-329 Generation of Predictable IV with CBC Mode
CWE-330 Use of Insufficiently Random Values
CWE-331 Insufficient Entropy
CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
CWE-336 Same Seed in Pseudo-Random Number Generator (PRNG)
CWE-337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-340 Generation of Predictable Numbers or Identifiers
CWE-345 Insufficient Verification of Data Authenticity
CWE-346 Origin Validation Error
CWE-347 Improper Verification of Cryptographic Signature
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-353 Missing Support for Integrity Check
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor
CWE-377 Insecure Temporary File
CWE-384 Session Fixation
CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')
CWE-415 Double Free
CWE-419 Unprotected Primary Channel
CWE-425 Direct Request ('Forced Browsing')
CWE-426 Untrusted Search Path
CWE-430 Deployment of Wrong Handler
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CWE-451 User Interface (UI) Misrepresentation of Critical Information
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CWE-471 Modification of Assumed-Immutable Data (MAID)
CWE-472 External Control of Assumed-Immutable Web Parameter
CWE-494 Download of Code Without Integrity Check
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
CWE-501 Trust Boundary Violation
CWE-502 Deserialization of Untrusted Data
CWE-520 .NET Misconfiguration: Use of Impersonation
CWE-521 Weak Password Requirements
CWE-522 Insufficiently Protected Credentials
CWE-523 Unprotected Transport of Credentials
CWE-525 Use of Web Browser Cache Containing Sensitive Information
CWE-526 Exposure of Sensitive Information Through Environmental Variables
CWE-532 Insertion of Sensitive Information into Log File
CWE-537 Java Runtime Error Message Containing Sensitive Information
CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory
CWE-539 Use of Persistent Cookies Containing Sensitive Information
CWE-540 Inclusion of Sensitive Information in Source Code
CWE-541 Inclusion of Sensitive Information in an Include File
CWE-547 Use of Hard-coded, Security-relevant Constants
CWE-548 Exposure of Information Through Directory Listing
CWE-552 Files or Directories Accessible to External Parties
CWE-564 SQL Injection: Hibernate
CWE-565 Reliance on Cookies without Validation and Integrity Checking
CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key
CWE-579 J2EE Bad Practices: Non-serializable Object Stored in Session
CWE-598 Use of GET Request Method With Sensitive Query Strings
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CWE-602 Client-Side Enforcement of Server-Side Security
CWE-610 Externally Controlled Reference to a Resource in Another Sphere
CWE-611 Improper Restriction of XML External Entity Reference
CWE-613 Insufficient Session Expiration
CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE-620 Unverified Password Change
CWE-639 Authorization Bypass Through User-Controlled Key
CWE-640 Weak Password Recovery Mechanism for Forgotten Password
CWE-642 External Control of Critical State Data
CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax
CWE-646 Reliance on File Name or Extension of Externally-Supplied File
CWE-650 Trusting HTTP Permission Methods on the Server Side
CWE-651 Exposure of WSDL File Containing Sensitive Information
CWE-652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
CWE-653 Improper Isolation or Compartmentalization
CWE-656 Reliance on Security Through Obscurity
CWE-657 Violation of Secure Design Principles
CWE-668 Exposure of Resource to Wrong Sphere
CWE-672 Operation on a Resource after Expiration or Release
CWE-675 Multiple Operations on Resource in Single-Operation Context
CWE-693 Protection Mechanism Failure
CWE-703 Improper Check or Handling of Exceptional Conditions
CWE-706 Use of Incorrectly-Resolved Name or Reference
CWE-720 OWASP Top Ten 2007 Category A9 - Insecure Communications
CWE-756 Missing Custom Error Page
CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
CWE-759 Use of a One-Way Hash without a Salt
CWE-760 Use of a One-Way Hash with a Predictable Salt
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-778 Insufficient Logging
CWE-780 Use of RSA Algorithm without OAEP
CWE-784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
CWE-798 Use of Hard-coded Credentials
CWE-799 Improper Control of Interaction Frequency
CWE-807 Reliance on Untrusted Inputs in a Security Decision
CWE-818 OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CWE-830 Inclusion of Web Functionality from an Untrusted Source
CWE-840 Business Logic Errors
CWE-841 Improper Enforcement of Behavioral Workflow
CWE-862 Missing Authorization
CWE-863 Incorrect Authorization
CWE-913 Improper Control of Dynamically-Managed Code Resources
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-916 Use of Password Hash With Insufficient Computational Effort
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CWE-918 Server-Side Request Forgery (SSRF)
CWE-922 Insecure Storage of Sensitive Information
CWE-927 Use of Implicit Intent for Sensitive Communication
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-940 Improper Verification of Source of a Communication Channel
CWE-942 Permissive Cross-domain Policy with Untrusted Domains
CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag
CWE-1021 Improper Restriction of Rendered UI Layers or Frames
CWE-1032 OWASP Top Ten 2017 Category A6 - Security Misconfiguration
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-1104 Use of Unmaintained Third Party Components
CWE-1173 Improper Use of Validation Framework
CWE-1174 ASP.NET Misconfiguration: Improper Model Validation
CWE-1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
CWE-1191 On-Chip Debug and Test Interface With Improper Access Control
CWE-1201 Core and Compute Issues
CWE-1216 Lockout Mechanism Errors
CWE-1231 Improper Prevention of Lock Bit Modification
CWE-1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
CWE-1239 Improper Zeroization of Hardware Register
CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation
CWE-1244 Internal Asset Exposed to Unsafe Debug Access Level or State
CWE-1247 Improper Protection Against Voltage and Clock Glitches
CWE-1253 Incorrect Selection of Fuse Values
CWE-1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks
CWE-1256 Improper Restriction of Software Interfaces to Hardware Features
CWE-1259 Improper Restriction of Security Token Assignment
CWE-1260 Improper Handling of Overlap Between Protected Memory Ranges
CWE-1262 Improper Access Control for Register Interface
CWE-1263 Improper Physical Access Control
CWE-1272 Sensitive Information Uncleared Before Debug/Power State Transition
CWE-1273 Device Unlock Credential Sharing
CWE-1274 Improper Access Control for Volatile Memory Containing Boot Code
CWE-1275 Sensitive Cookie with Improper SameSite Attribute
CWE-1277 Firmware Not Updateable
CWE-1289 Improper Validation of Unsafe Equivalence in Input
CWE-1300 Improper Protection of Physical Side Channels
CWE-1301 Insufficient or Incomplete Data Removal within Hardware Component
CWE-1302 Missing Security Identifier
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-1331 Improper Isolation of Shared Resources in Network On Chip (NoC)
CWE-1332 Improper Handling of Faults that Lead to Instruction Skips
CWE-1333 Inefficient Regular Expression Complexity

Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 2006 - 2022