TT Vulnerability Blog

A personal log of investigation and research on vulnerability information

CWE Numbers (Summary)

[CWE List]

■1-99

| CWE No | Name | Japanese name |
|---|---|---|
| CWE-2 | 7PK - Environment | 7PK - 環境 |
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary | |
| CWE-13 | ASP.NET Misconfiguration: Password in Configuration File | |
| CWE-15 | External Control of System or Configuration Setting | システム構成または設定の外部制御 |
| CWE-16 | Configuration | 環境設定 |
| CWE-20 | Improper Input Validation | 不適切な入力確認 |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | パス・トラバーサル |
| CWE-23 | Relative Path Traversal | 相対パストラバーサル |
| CWE-35 | Path Traversal: '.../...//' | パストラバーサル |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') | リンク解釈の問題 |
| CWE-73 | External Control of File Name or Path | ファイル名やパス名の外部制御 |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | インジェクション |
| CWE-75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | 特殊要素の不適切なサニタイジング |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | コマンドインジェクション |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | OSコマンドインジェクション |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | クロスサイトスクリプティング |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | クロスサイトスクリプティング (Basic XSS) |
| CWE-83 | Improper Neutralization of Script in Attributes in a Web Page | |
| CWE-87 | Improper Neutralization of Alternate XSS Syntax | 代替 XSS 構文の不適切な無効化 |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | 引数の挿入または変更 |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | SQLインジェクション |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | LDAP インジェクション |
| CWE-91 | XML Injection (aka Blind XPath Injection) | ブラインド XPath インジェクション |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | CRLF インジェクション |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | コード・インジェクション |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | 静的に保存されたコード内のディレクティブの不適切な無効化 |
| CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | |
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | PHP リモートファイルインクルージョン |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | リソースの挿入 |
■100-199

| CWE No | Name | Japanese name |
|---|---|---|
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | HTTP レスポンスの分割 |
| CWE-116 | Improper Encoding or Escaping of Output | 不適切なエンコード、または出力のエスケープ |
| CWE-117 | Improper Output Neutralization for Logs | 不適切なログ出力の無効化 |
| CWE-138 | Improper Neutralization of Special Elements | |
| CWE-183 | Permissive List of Allowed Inputs | |
| CWE-184 | Incomplete List of Disallowed Inputs | 不完全なブラックリスト |
■200-299

| CWE No | Name | Japanese name |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 情報漏えい |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | 送信データへの重要な情報の挿入 |
| CWE-205 | Observable Behavioral Discrepancy | |
| CWE-209 | Generation of Error Message Containing Sensitive Information | エラーメッセージによる情報漏えい |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | |
| CWE-219 | Storage of File with Sensitive Data Under Web Root | |
| CWE-223 | Omission of Security-relevant Information | |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | |
| CWE-235 | Improper Handling of Extra Parameters | |
| CWE-255 | Credentials Management Errors | 証明書・パスワードの管理 |
| CWE-256 | Plaintext Storage of a Password | 認証情報の平文保存 |
| CWE-257 | Storing Passwords in a Recoverable Format | 復元可能な形式でのパスワード保存 |
| CWE-259 | Use of Hard-coded Password | ハードコードされたパスワードの使用 |
| CWE-260 | Password in Configuration File | 設定ファイル内のパスワード |
| CWE-261 | Weak Encoding for Password | パスワードの弱い暗号の使用 |
| CWE-264 | Permissions, Privileges, and Access Controls | 認可・権限・アクセス制御 |
| CWE-266 | Incorrect Privilege Assignment | 不適切な権限設定 |
| CWE-269 | Improper Privilege Management | 不適切な権限管理 |
| CWE-275 | Permission Issues | パーミッションの問題 |
| CWE-276 | Incorrect Default Permissions | 不適切なデフォルトパーミッション |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges | |
| CWE-284 | Improper Access Control | 不適切なアクセス制御 |
| CWE-285 | Improper Authorization | 不適切な認可 |
| CWE-287 | Improper Authentication | 不適切な認証 |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | 代替パスまたはチャネルを使用した認証回避 |
| CWE-290 | Authentication Bypass by Spoofing | スプーフィングによる認証回避 |
| CWE-294 | Authentication Bypass by Capture-replay | Capture-replay による認証回避 |
| CWE-295 | Improper Certificate Validation | 不正な証明書検証 |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | ホストの不一致による証明書の不適切な検証 |
■300-399

| CWE No | Name | Japanese name |
|---|---|---|
| CWE-300 | Channel Accessible by Non-Endpoint | 中間者の問題 |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | 認証回避の脆弱性 |
| CWE-304 | Missing Critical Step in Authentication | |
| CWE-306 | Missing Authentication for Critical Function | 重要な機能に対する認証の欠如 |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | 過度な認証試行の不適切な制限 |
| CWE-310 | Cryptographic Issues | 暗号の問題 |
| CWE-311 | Missing Encryption of Sensitive Data | 重要なデータの暗号化の欠如 |
| CWE-312 | Cleartext Storage of Sensitive Information | 重要な情報の平文保存 |
| CWE-313 | Cleartext Storage in a File or on Disk | |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | Cookie における重要な情報の平文保存 |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | メモリにおける平文での重要な情報の保存 |
| CWE-319 | Cleartext Transmission of Sensitive Information | 重要な情報の平文での送信 |
| CWE-321 | Use of Hard-coded Cryptographic Key | ハードコードされた暗号鍵の使用 |
| CWE-322 | Key Exchange without Entity Authentication | エンティティ認証のない鍵交換 |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | |
| CWE-324 | Use of a Key Past its Expiration Date | |
| CWE-325 | Missing Cryptographic Step | 暗号化処理の不備 |
| CWE-326 | Inadequate Encryption Strength | 不適切な暗号強度 |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | 不完全、または危険な暗号アルゴリズムの使用 |
| CWE-328 | Use of Weak Hash | |
| CWE-329 | Generation of Predictable IV with CBC Mode | CBC モードにおけるランダムな初期化ベクトルの不使用 |
| CWE-330 | Use of Insufficiently Random Values | 不十分なランダム値の使用 |
| CWE-331 | Insufficient Entropy | エントロピー不足 |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | PRNG におけるシードの不正な使用 |
| CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) | |
| CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | 暗号における脆弱な PRNG の使用 |
| CWE-340 | Generation of Predictable Numbers or Identifiers | |
| CWE-345 | Insufficient Verification of Data Authenticity | データの信頼性についての不十分な検証 |
| CWE-346 | Origin Validation Error | 同一生成元ポリシー違反 |
| CWE-347 | Improper Verification of Cryptographic Signature | デジタル署名の不適切な検証 |
| CWE-352 | Cross-Site Request Forgery (CSRF) | クロスサイトリクエストフォージェリ |
| CWE-353 | Missing Support for Integrity Check | 完全性チェックの欠如 |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 認可されていないアクターへの個人情報の漏えい |
| CWE-377 | Insecure Temporary File | 安全でない一時ファイル |
| CWE-384 | Session Fixation | セッションの固定化 |
■400-499

| CWE No | Name | Japanese name |
|---|---|---|
| CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | |
| CWE-415 | Double Free | 二重解放 |
| CWE-416 | Use After Free | 解放済みメモリの使用 |
| CWE-419 | Unprotected Primary Channel | |
| CWE-425 | Direct Request ('Forced Browsing') | リクエストの直接送信 |
| CWE-426 | Untrusted Search Path | 信頼できない検索パス |
| CWE-430 | Deployment of Wrong Handler | |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | 危険なタイプのファイルの無制限アップロード |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | フィルタリング回避 |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') | HTTP リクエストスマグリング |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information | ユーザインターフェースにおける重要情報の誤った表示 |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | クラスまたはコードを選択する外部から制御された入力の使用 |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) | 不変と仮定されるデータの変更 |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | 不変と仮定される Web パラメータの外部制御 |
| CWE-494 | Download of Code Without Integrity Check | ダウンロードしたコードの完全性検証不備 |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | 認可されていない制御領域への重要情報の漏えい |
■500-599

| CWE No | Name | Japanese name |
|---|---|---|
| CWE-501 | Trust Boundary Violation | |
| CWE-502 | Deserialization of Untrusted Data | 信頼できないデータのデシリアライゼーション |
| CWE-520 | .NET Misconfiguration: Use of Impersonation | |
| CWE-521 | Weak Password Requirements | 脆弱なパスワードの要求 |
| CWE-522 | Insufficiently Protected Credentials | 認証情報の不十分な保護 |
| CWE-523 | Unprotected Transport of Credentials | 認証情報の保護しない転送 |
| CWE-525 | Use of Web Browser Cache Containing Sensitive Information | |
| CWE-526 | Exposure of Sensitive Information Through Environmental Variables | |
| CWE-532 | Insertion of Sensitive Information into Log File | ログファイルからの情報漏えい |
| CWE-537 | Java Runtime Error Message Containing Sensitive Information | |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | ファイルおよびディレクトリ情報の漏えい |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information | 重要情報を含む永続 Cookie の使用 |
| CWE-540 | Inclusion of Sensitive Information in Source Code | 重要な情報を含むソースコード |
| CWE-541 | Inclusion of Sensitive Information in an Include File | |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | |
| CWE-548 | Exposure of Information Through Directory Listing | ディレクトリリスティングによる情報漏えい |
| CWE-552 | Files or Directories Accessible to External Parties | 外部からアクセス可能なファイルまたはディレクトリ |
| CWE-564 | SQL Injection: Hibernate | |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | 検証および完全性チェックを行っていない Cookie への依存 |
| CWE-566 | Authorization Bypass Through User-Controlled SQL Primary Key | |
| CWE-579 | J2EE Bad Practices: Non-serializable Object Stored in Session | |
| CWE-598 | Use of GET Request Method With Sensitive Query Strings | GET リクエストにおけるクエリ文字列からの情報漏えい |
■600-699

| CWE No | Name | Japanese name |
|---|---|---|
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | オープンリダイレクト |
| CWE-602 | Client-Side Enforcement of Server-Side Security | サーバ側のセキュリティのクライアント側での実施 |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | 別領域リソースに対する外部からの制御可能な参照 |
| CWE-611 | Improper Restriction of XML External Entity Reference | XML 外部エンティティ参照の不適切な制限 |
| CWE-613 | Insufficient Session Expiration | 不適切なセッション期限 |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | |
| CWE-620 | Unverified Password Change | 未検証のパスワード変更 |
| CWE-639 | Authorization Bypass Through User-Controlled Key | ユーザ制御の鍵による認証回避 |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | パスワードを忘れた場合の脆弱なパスワードリカバリの仕組み |
| CWE-642 | External Control of Critical State Data | 重要な状態データの外部制御 |
| CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | XPath インジェクション |
| CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax | HTTP ヘッダのスクリプト構文の不適切な無効化 |
| CWE-646 | Reliance on File Name or Extension of Externally-Supplied File | |
| CWE-650 | Trusting HTTP Permission Methods on the Server Side | |
| CWE-651 | Exposure of WSDL File Containing Sensitive Information | |
| CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | |
| CWE-653 | Improper Isolation or Compartmentalization | |
| CWE-656 | Reliance on Security Through Obscurity | |
| CWE-657 | Violation of Secure Design Principles | セキュリティ設計の原則に反した設計 |
| CWE-668 | Exposure of Resource to Wrong Sphere | |
| CWE-672 | Operation on a Resource after Expiration or Release | |
| CWE-675 | Multiple Operations on Resource in Single-Operation Context | |
| CWE-693 | Protection Mechanism Failure | |
■700-799

| CWE No | Name | Japanese name |
|---|---|---|
| CWE-703 | Improper Check or Handling of Exceptional Conditions | |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference | |
| CWE-720 | OWASP Top Ten 2007 Category A9 - Insecure Communications | |
| CWE-756 | Missing Custom Error Page | |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | |
| CWE-759 | Use of a One-Way Hash without a Salt | |
| CWE-760 | Use of a One-Way Hash with a Predictable Salt | |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | |
| CWE-778 | Insufficient Logging | |
| CWE-780 | Use of RSA Algorithm without OAEP | |
| CWE-784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | |
| CWE-798 | Use of Hard-coded Credentials | ハードコードされた認証情報の使用 |
| CWE-799 | Improper Control of Interaction Frequency | |
■800-899

| CWE No | Name | Japanese name |
|---|---|---|
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | |
| CWE-818 | OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection | |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | |
| CWE-830 | Inclusion of Web Functionality from an Untrusted Source | |
| CWE-840 | Business Logic Errors | |
| CWE-841 | Improper Enforcement of Behavioral Workflow | |
| CWE-862 | Missing Authorization | |
| CWE-863 | Incorrect Authorization | |
■900-999

| CWE No | Name | Japanese name |
|---|---|---|
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | |
| CWE-918 | Server-Side Request Forgery (SSRF) | |
| CWE-922 | Insecure Storage of Sensitive Information | |
| CWE-927 | Use of Implicit Intent for Sensitive Communication | |
| CWE-937 | OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities | |
| CWE-940 | Improper Verification of Source of a Communication Channel | |
| CWE-942 | Permissive Cross-domain Policy with Untrusted Domains | |
■1000-1999

| CWE No | Name | Japanese name |
|---|---|---|
| CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag | |
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames | |
| CWE-1032 | OWASP Top Ten 2017 Category A6 - Security Misconfiguration | |
| CWE-1035 | OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities | |
| CWE-1104 | Use of Unmaintained Third Party Components | |
| CWE-1173 | Improper Use of Validation Framework | |
| CWE-1174 | ASP.NET Misconfiguration: Improper Model Validation | |
| CWE-1189 | Improper Isolation of Shared Resources on System-on-a-Chip (SoC) | |
| CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control | |
| CWE-1201 | Core and Compute Issues | |
| CWE-1216 | Lockout Mechanism Errors | |
| CWE-1231 | Improper Prevention of Lock Bit Modification | |
| CWE-1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection | |
| CWE-1239 | Improper Zeroization of Hardware Register | |
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | |
| CWE-1244 | Internal Asset Exposed to Unsafe Debug Access Level or State | |
| CWE-1247 | Improper Protection Against Voltage and Clock Glitches | |
| CWE-1253 | Incorrect Selection of Fuse Values | |
| CWE-1255 | Comparison Logic is Vulnerable to Power Side-Channel Attacks | |
| CWE-1256 | Improper Restriction of Software Interfaces to Hardware Features | |
| CWE-1259 | Improper Restriction of Security Token Assignment | |
| CWE-1260 | Improper Handling of Overlap Between Protected Memory Ranges | |
| CWE-1262 | Improper Access Control for Register Interface | |
| CWE-1263 | Improper Physical Access Control | |
| CWE-1272 | Sensitive Information Uncleared Before Debug/Power State Transition | |
| CWE-1273 | Device Unlock Credential Sharing | |
| CWE-1274 | Improper Access Control for Volatile Memory Containing Boot Code | |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute | |
| CWE-1277 | Firmware Not Updateable | |
| CWE-1289 | Improper Validation of Unsafe Equivalence in Input | |
| CWE-1300 | Improper Protection of Physical Side Channels | |
| CWE-1301 | Insufficient or Incomplete Data Removal within Hardware Component | |
| CWE-1302 | Missing Security Identifier | |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |
| CWE-1331 | Improper Isolation of Shared Resources in Network On Chip (NoC) | |
| CWE-1332 | Improper Handling of Faults that Lead to Instruction Skips | |
| CWE-1333 | Inefficient Regular Expression Complexity | |

Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 2006 - 2022