【目次】
【CWEリスト】
■1-99
| CWE No |
解説 |
邦訳(JVNDBリンク) |
|---|---|---|
| CWE-1 | DEPRECATED: Location | ロケーション |
| CWE-2 | 7PK - Environment | 7PK - 環境 |
| CWE-3 | DEPRECATED: Technology-specific Environment Issues | 削除: 技術固有の環境問題 |
| CWE-4 | DEPRECATED: J2EE Environment Issues | 削除: J2EE環境の問題 |
| CWE-5 | J2EE Misconfiguration: Data Transmission Without Encryption | J2EEの誤設定: 暗号化しないデータ送信 |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length | J2EEの誤設定: セッションIDの長さが足りない |
| CWE-7 | J2EE Misconfiguration: Missing Custom Error Page | J2EE の設定ミス: カスタムエラーページの欠落 |
| CWE-8 | J2EE Misconfiguration: Entity Bean Declared Remote | J2EEの誤設定: リモートで宣言されたエンティティビーン |
| CWE-9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | J2EEの誤設定: EJBメソッドへの弱いアクセス許可 |
| CWE-10 | DEPRECATED: ASP.NET Environment Issues | 削除: ASP.NET環境の問題 |
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary | ASP.NETの誤設定: デバッグ用バイナリの作成 |
| CWE-12 | ASP.NET Misconfiguration: Missing Custom Error Page | ASP.NETの誤設定: カスタムエラーページの欠落 |
| CWE-13 | ASP.NET Misconfiguration: Password in Configuration File | ASP.NETの誤設定: 設定ファイルのパスワード |
| CWE-14 | Compiler Removal of Code to Clear Buffers | バッファをクリアするコードのコンパイラによる削除 |
| CWE-15 | External Control of System or Configuration Setting | システム構成または設定の外部制御 |
| CWE-16 | Configuration | 環境設定 |
| CWE-17 | DEPRECATED: Code | コード |
| CWE-18 | DEPRECATED: Source Code | ソースコード |
| CWE-19 | Data Processing Errors | データ処理 |
| CWE-20 | Improper Input Validation | 不適切な入力確認 |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | パス・トラバーサル |
| CWE-23 | Relative Path Traversal | 相対パストラバーサル |
| CWE-35 | Path Traversal: '.../...//' | パストラバーサル |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') | リンク解釈の問題 |
| CWE-73 | External Control of File Name or Path | ファイル名やパス名の外部制御 |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | インジェクション |
| CWE-75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | 特殊要素の不適切なサニタイジング |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | コマンドインジェクション |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | OSコマンドインジェクション |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | クロスサイトスクリプティング |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | クロスサイトスクリプティング (Basic XSS) |
| CWE-83 | Improper Neutralization of Script in Attributes in a Web Page | |
| CWE-87 | Improper Neutralization of Alternate XSS Syntax | 代替 XSS 構文の不適切な無効化 |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | 引数の挿入または変更 |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | SQLインジェクション |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | LDAP インジェクション |
| CWE-91 | XML Injection (aka Blind XPath Injection) | ブラインド XPath インジェクション |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | CRLF インジェクション |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | コード・インジェクション |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | 静的に保存されたコード内のディレクティブの不適切な無効化 |
| CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | |
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | PHP リモートファイルインクルージョン |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | リソースの挿入 |
■100-199
| CWE No |
解説 |
邦訳 |
|---|---|---|
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | HTTP レスポンスの分割 |
| CWE-116 | Improper Encoding or Escaping of Output | 不適切なエンコード、または出力のエスケープ |
| CWE-117 | Improper Output Neutralization for Logs | 不適切なログ出力の無効化 |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | バッファエラー |
| CWE-122 | Heap-based Buffer Overflow | ヒープベースのバッファオーバーフロー |
| CWE-134 | Use of Externally-Controlled Format String | 書式文字列の問題 |
| CWE-138 | Improper Neutralization of Special Elements | |
| CWE-183 | Permissive List of Allowed Inputs | |
| CWE-184 | Incomplete List of Disallowed Inputs | 不完全なブラックリスト |
■200-299
| CWE No |
解説 |
邦訳 |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 情報漏えい |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | 送信データへの重要な情報の挿入 |
| CWE-203 | Observable Discrepancy | 観測可能な不一致 |
| CWE-205 | Observable Behavioral Discrepancy | |
| CWE-209 | Generation of Error Message Containing Sensitive Information | エラーメッセージによる情報漏えい |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | |
| CWE-219 | Storage of File with Sensitive Data Under Web Root | |
| CWE-223 | Omission of Security-relevant Information | |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | |
| CWE-235 | Improper Handling of Extra Parameters | |
| CWE-255 | Credentials Management Errors | 証明書・パスワードの管理 |
| CWE-256 | Plaintext Storage of a Password | 認証情報の平文保存 |
| CWE-257 | Storing Passwords in a Recoverable Format | 復元可能な形式でのパスワード保存 |
| CWE-259 | Use of Hard-coded Password | ハードコードされたパスワードの使用 |
| CWE-260 | Password in Configuration File | 設定ファイル内のパスワード |
| CWE-261 | Weak Encoding for Password | パスワードの弱い暗号の使用 |
| CWE-264 | Permissions, Privileges, and Access Controls | 認可・権限・アクセス制御 |
| CWE-266 | Incorrect Privilege Assignment | 不適切な権限設定 |
| CWE-269 | Improper Privilege Management | 不適切な権限管理 |
| CWE-275 | Permission Issues | パーミッションの問題 |
| CWE-276 | Incorrect Default Permissions | 不適切なデフォルトパーミッション |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges | |
| CWE-284 | Improper Access Control | 不適切なアクセス制御 |
| CWE-285 | Improper Authorization | 不適切な認可 |
| CWE-287 | Improper Authentication | 不適切な認証 |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | 代替パスまたはチャネルを使用した認証回避 |
| CWE-290 | Authentication Bypass by Spoofing | スプーフィングによる認証回避 |
| CWE-294 | Authentication Bypass by Capture-replay | Capture-replay による認証回避 |
| CWE-295 | Improper Certificate Validation | 不正な証明書検証 |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | ホストの不一致による証明書の不適切な検証 |
■300-399
| CWE No |
解説 |
邦訳 |
|---|---|---|
| CWE-300 | Channel Accessible by Non-Endpoint | 中間者の問題 |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | 認証回避の脆弱性 |
| CWE-304 | Missing Critical Step in Authentication | |
| CWE-306 | Missing Authentication for Critical Function | 重要な機能に対する認証の欠如 |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | 過度な認証試行の不適切な制限 |
| CWE-310 | Cryptographic Issues | 暗号の問題 |
| CWE-311 | Missing Encryption of Sensitive Data | 重要なデータの暗号化の欠如 |
| CWE-312 | Cleartext Storage of Sensitive Information | 重要な情報の平文保存 |
| CWE-313 | Cleartext Storage in a File or on Disk | |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | Cookie における重要な情報の平文保存 |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | メモリにおける平文での重要な情報の保存 |
| CWE-319 | Cleartext Transmission of Sensitive Information | 重要な情報の平文での送信 |
| CWE-321 | Use of Hard-coded Cryptographic Key | ハードコードされた暗号鍵の使用 |
| CWE-322 | Key Exchange without Entity Authentication | エンティティ認証のない鍵交換 |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | |
| CWE-324 | Use of a Key Past its Expiration Date | |
| CWE-325 | Missing Cryptographic Step | 暗号化処理の不備 |
| CWE-326 | Inadequate Encryption Strength | 不適切な暗号強度 |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | 不完全、または危険な暗号アルゴリズムの使用 |
| CWE-328 | Use of Weak Hash | |
| CWE-329 | Generation of Predictable IV with CBC Mode | CBC モードにおけるランダムな初期化ベクトルの不使用 |
| CWE-330 | Use of Insufficiently Random Values | 不十分なランダム値の使用 |
| CWE-331 | Insufficient Entropy | エントロピー不足 |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | PRNG におけるシードの不正な使用 |
| CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) | |
| CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | 暗号における脆弱な PRNG の使用 |
| CWE-340 | Generation of Predictable Numbers or Identifiers | |
| CWE-345 | Insufficient Verification of Data Authenticity | データの信頼性についての不十分な検証 |
| CWE-346 | Origin Validation Error | 同一生成元ポリシー違反 |
| CWE-347 | Improper Verification of Cryptographic Signature | デジタル署名の不適切な検証 |
| CWE-352 | Cross-Site Request Forgery (CSRF) | クロスサイトリクエストフォージェリ |
| CWE-353 | Missing Support for Integrity Check | 完全性チェックの欠如 |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 認可されていないアクターへの個人情報の漏えい |
| CWE-377 | Insecure Temporary File | 安全でない一時ファイル |
| CWE-384 | Session Fixation | セッションの固定化 |
| CWE-388 | 7PK - Errors | エラー処理 |
| CWE-399 | Resource Management Errors | リソース管理の問題 |
■400-499
| CWE No |
解説 |
邦訳 |
|---|---|---|
| CWE-400 | Uncontrolled Resource Consumption | リソースの枯渇 |
| CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | リソースリーク |
| CWE-404 | Improper Resource Shutdown or Release | リソースの不適切なシャットダウンおよびリリース |
| CWE-415 | Double Free | 二重解放 |
| CWE-416 | Use After Free | 解放済みメモリの使用 |
| CWE-419 | Unprotected Primary Channel | 保護されていないプライマリーチャネル |
| CWE-425 | Direct Request ('Forced Browsing') | リクエストの直接送信 |
| CWE-426 | Untrusted Search Path | 信頼できない検索パス |
| CWE-427 | Uncontrolled Search Path Element | 制御されていない検索パスの要素 |
| CWE-430 | Deployment of Wrong Handler | |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | 危険なタイプのファイルの無制限アップロード |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | フィルタリング回避 |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') | HTTP リクエストスマグリング |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information | ユーザインターフェースにおける重要情報の誤った表示 |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | クラスまたはコードを選択する外部から制御された入力の使用 |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) | 不変と仮定されるデータの変更 |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | 不変と仮定される Web パラメータの外部制御 |
| CWE-494 | Download of Code Without Integrity Check | ダウンロードしたコードの完全性検証不備 |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | 認可されていない制御領域への重要情報の漏えい |
■500-599
| CWE No |
解説 |
邦訳 |
|---|---|---|
| CWE-501 | Trust Boundary Violation | |
| CWE-502 | Deserialization of Untrusted Data | 信頼できないデータのデシリアライゼーション |
| CWE-520 | .NET Misconfiguration: Use of Impersonation | |
| CWE-521 | Weak Password Requirements | 脆弱なパスワードの要求 |
| CWE-522 | Insufficiently Protected Credentials | 認証情報の不十分な保護 |
| CWE-523 | Unprotected Transport of Credentials | 認証情報の保護しない転送 |
| CWE-525 | Use of Web Browser Cache Containing Sensitive Information | |
| CWE-526 | Exposure of Sensitive Information Through Environmental Variables | |
| CWE-532 | Insertion of Sensitive Information into Log File | ログファイルからの情報漏えい |
| CWE-537 | Java Runtime Error Message Containing Sensitive Information | |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | ファイルおよびディレクトリ情報の漏えい |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information | 重要情報を含む永続 Cookie の使用 |
| CWE-540 | Inclusion of Sensitive Information in Source Code | 重要な情報を含むソースコード |
| CWE-541 | Inclusion of Sensitive Information in an Include File | |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | |
| CWE-548 | Exposure of Information Through Directory Listing | ディレクトリリスティングによる情報漏えい |
| CWE-552 | Files or Directories Accessible to External Parties | 外部からアクセス可能なファイルまたはディレクトリ |
| CWE-564 | SQL Injection: Hibernate | |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | 検証および完全性チェックを行っていない Cookie への依存 |
| CWE-566 | Authorization Bypass Through User-Controlled SQL Primary Key | |
| CWE-579 | J2EE Bad Practices: Non-serializable Object Stored in Session | |
| CWE-598 | Use of GET Request Method With Sensitive Query Strings | GET リクエストにおけるクエリ文字列からの情報漏えい |
■600-699
| CWE No |
解説 |
邦訳 |
|---|---|---|
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | オープンリダイレクト |
| CWE-602 | Client-Side Enforcement of Server-Side Security | サーバ側のセキュリティのクライアント側での実施 |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | 別領域リソースに対する外部からの制御可能な参照 |
| CWE-611 | Improper Restriction of XML External Entity Reference | XML 外部エンティティ参照の不適切な制限 |
| CWE-613 | Insufficient Session Expiration | 不適切なセッション期限 |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | |
| CWE-620 | Unverified Password Change | 未検証のパスワード変更 |
| CWE-639 | Authorization Bypass Through User-Controlled Key | ユーザ制御の鍵による認証回避 |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | パスワードを忘れた場合の脆弱なパスワードリカバリの仕組み |
| CWE-642 | External Control of Critical State Data | 重要な状態データの外部制御 |
| CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | Xpath インジェクション |
| CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax | HTTP ヘッダのスクリプト構文の不適切な無効化 |
| CWE-646 | Reliance on File Name or Extension of Externally-Supplied File | |
| CWE-650 | Trusting HTTP Permission Methods on the Server Side | |
| CWE-651 | Exposure of WSDL File Containing Sensitive Information | |
| CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | |
| CWE-653 | Improper Isolation or Compartmentalization | |
| CWE-656 | Reliance on Security Through Obscurity | |
| CWE-657 | Violation of Secure Design Principles | セキュリティ設計の原則に反した設計 |
| CWE-664 | Improper Control of a Resource Through its Lifetime | リソースのライフタイムを通じた不適切な管理 |
| CWE-668 | Exposure of Resource to Wrong Sphere | |
| CWE-672 | Operation on a Resource after Expiration or Release | |
| CWE-675 | Multiple Operations on Resource in Single-Operation Context | |
| CWE-693 | Protection Mechanism Failure |
■700-799
| CWE No |
解説 |
邦訳 |
|---|---|---|
| CWE-703 | Improper Check or Handling of Exceptional Conditions | |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference | |
| CWE-720 | OWASP Top Ten 2007 Category A9 - Insecure Communications | |
| CWE-755 | Improper Handling of Exceptional Conditions | 例外的な状態における不適切な処理 |
| CWE-756 | Missing Custom Error Page | |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | |
| CWE-759 | Use of a One-Way Hash without a Salt | |
| CWE-760 | Use of a One-Way Hash with a Predictable Salt | |
| CWE-772 | Missing Release of Resource after Effective Lifetime | 有効なライフタイム後のリソースの解放の欠如 |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | |
| CWE-778 | Insufficient Logging | |
| CWE-780 | Use of RSA Algorithm without OAEP | |
| CWE-784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | |
| CWE-787 | Out-of-bounds Write | 境界外書き込み |
| CWE-798 | Use of Hard-coded Credentials | ハードコードされた認証情報の使用 |
| CWE-799 | Improper Control of Interaction Frequency |
■800-899
| CWE No |
解説 |
邦訳 |
|---|---|---|
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | |
| CWE-818 | OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection | |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | |
| CWE-830 | Inclusion of Web Functionality from an Untrusted Source | |
| CWE-840 | Business Logic Errors | ビジネスロジックのエラー |
| CWE-841 | Improper Enforcement of Behavioral Workflow | Behavioral Workflowの不適切な実施 |
| CWE-862 | Missing Authorization | 認証の欠如 |
| CWE-863 | Incorrect Authorization | 不正な認証 |
■900-999
| CWE No |
解説 |
邦訳 |
|---|---|---|
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | |
| CWE-918 | Server-Side Request Forgery (SSRF) | |
| CWE-922 | Insecure Storage of Sensitive Information | |
| CWE-927 | Use of Implicit Intent for Sensitive Communication | |
| CWE-937 | OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities | |
| CWE-940 | Improper Verification of Source of a Communication Channel | |
| CWE-942 | Permissive Cross-domain Policy with Untrusted Domains |
■1000-1999
| CWE No |
解説 |
邦訳 |
|---|---|---|
| CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag | |
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames | |
| CWE-1032 | OWASP Top Ten 2017 Category A6 - Security Misconfiguration | |
| CWE-1035 | OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities | |
| CWE-1104 | Use of Unmaintained Third Party Components | |
| CWE-1173 | Improper Use of Validation Framework | |
| CWE-1174 | ASP.NET Misconfiguration: Improper Model Validation | |
| CWE-1189 | Improper Isolation of Shared Resources on System-on-a-Chip (SoC) | |
| CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control | |
| CWE-1201 | Core and Compute Issues | |
| CWE-1216 | Lockout Mechanism Errors | |
| CWE-1231 | Improper Prevention of Lock Bit Modification | |
| CWE-1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection | |
| CWE-1239 | Improper Zeroization of Hardware Register | |
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | |
| CWE-1244 | Internal Asset Exposed to Unsafe Debug Access Level or State | |
| CWE-1247 | Improper Protection Against Voltage and Clock Glitches | |
| CWE-1253 | Incorrect Selection of Fuse Values | |
| CWE-1255 | Comparison Logic is Vulnerable to Power Side-Channel Attacks | |
| CWE-1256 | Improper Restriction of Software Interfaces to Hardware Features | |
| CWE-1259 | Improper Restriction of Security Token Assignment | |
| CWE-1260 | Improper Handling of Overlap Between Protected Memory Ranges | |
| CWE-1262 | Improper Access Control for Register Interface | |
| CWE-1263 | Improper Physical Access Control | |
| CWE-1272 | Sensitive Information Uncleared Before Debug/Power State Transition | |
| CWE-1273 | Device Unlock Credential Sharing | |
| CWE-1274 | Improper Access Control for Volatile Memory Containing Boot Code | |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute | |
| CWE-1277 | Firmware Not Updateable | |
| CWE-1289 | Improper Validation of Unsafe Equivalence in Input | |
| CWE-1300 | Improper Protection of Physical Side Channels | |
| CWE-1301 | Insufficient or Incomplete Data Removal within Hardware Component | |
| CWE-1302 | Missing Security Identifier | |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |
| CWE-1331 | Improper Isolation of Shared Resources in Network On Chip (NoC) | |
| CWE-1332 | Improper Handling of Faults that Lead to Instruction Skips | |
| CWE-1333 | Inefficient Regular Expression Complexity |