cwe-common.json
{
"cwe-common": [
"CWE-20 Improper Input Validation",
"CWE-129 Improper Validation of Array Index",
"CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",
"CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')",
"CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",
"CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
"CWE-91 XML Injection (aka Blind XPath Injection)",
"CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')",
"CWE-94 Improper Control of Generation of Code ('Code Injection')",
"CWE-116 Improper Encoding or Escaping of Output",
"CWE-838 Inappropriate Encoding for Output Context",
"CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",
"CWE-125 Out-of-bounds Read",
"CWE-787 Out-of-bounds Write",
"CWE-824 Access of Uninitialized Pointer",
"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"CWE-203 Observable Discrepancy",
"CWE-209 Generation of Error Message Containing Sensitive Information",
"CWE-532 Insertion of Sensitive Information into Log File",
"CWE-269 Improper Privilege Management",
"CWE-287 Improper Authentication",
"CWE-290 Authentication Bypass by Spoofing",
"CWE-294 Authentication Bypass by Capture-replay",
"CWE-295 Improper Certificate Validation",
"CWE-306 Missing Authentication for Critical Function",
"CWE-307 Improper Restriction of Excessive Authentication Attempts",
"CWE-521 Weak Password Requirements",
"CWE-522 Insufficiently Protected Credentials",
"CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
"CWE-798 Use of Hard-coded Credentials",
"CWE-311 Missing Encryption of Sensitive Data",
"CWE-312 Cleartext Storage of Sensitive Information",
"CWE-319 Cleartext Transmission of Sensitive Information",
"CWE-326 Inadequate Encryption Strength",
"CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"CWE-916 Use of Password Hash With Insufficient Computational Effort",
"CWE-330 Use of Insufficiently Random Values",
"CWE-331 Insufficient Entropy",
"CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",
"CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"CWE-345 Insufficient Verification of Data Authenticity",
"CWE-346 Origin Validation Error",
"CWE-347 Improper Verification of Cryptographic Signature",
"CWE-352 Cross-Site Request Forgery (CSRF)",
"CWE-354 Improper Validation of Integrity Check Value",
"CWE-924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel",
"CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')",
"CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"CWE-400 Uncontrolled Resource Consumption",
"CWE-770 Allocation of Resources Without Limits or Throttling",
"CWE-920 Improper Restriction of Power Consumption",
"CWE-404 Improper Resource Shutdown or Release",
"CWE-401 Missing Release of Memory after Effective Lifetime",
"CWE-459 Incomplete Cleanup",
"CWE-763 Release of Invalid Pointer or Reference",
"CWE-772 Missing Release of Resource after Effective Lifetime",
"CWE-436 Interpretation Conflict",
"CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')",
"CWE-610 Externally Controlled Reference to a Resource in Another Sphere",
"CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
"CWE-384 Session Fixation",
"CWE-601 URL Redirection to Untrusted Site ('Open Redirect')",
"CWE-611 Improper Restriction of XML External Entity Reference",
"CWE-918 Server-Side Request Forgery (SSRF)",
"CWE-662 Improper Synchronization",
"CWE-667 Improper Locking",
"CWE-665 Improper Initialization",
"CWE-1188 Insecure Default Initialization of Resource",
"CWE-908 Use of Uninitialized Resource",
"CWE-909 Missing Initialization of Resource",
"CWE-668 Exposure of Resource to Wrong Sphere",
"CWE-134 Use of Externally-Controlled Format String",
"CWE-426 Untrusted Search Path",
"CWE-427 Uncontrolled Search Path Element",
"CWE-428 Unquoted Search Path or Element",
"CWE-552 Files or Directories Accessible to External Parties",
"CWE-669 Incorrect Resource Transfer Between Spheres",
"CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer",
"CWE-434 Unrestricted Upload of File with Dangerous Type",
"CWE-494 Download of Code Without Integrity Check",
"CWE-565 Reliance on Cookies without Validation and Integrity Checking",
"CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
"CWE-670 Always-Incorrect Control Flow Implementation",
"CWE-617 Reachable Assertion",
"CWE-672 Operation on a Resource after Expiration or Release",
"CWE-415 Double Free",
"CWE-416 Use After Free",
"CWE-613 Insufficient Session Expiration",
"CWE-674 Uncontrolled Recursion",
"CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')",
"CWE-682 Incorrect Calculation",
"CWE-131 Incorrect Calculation of Buffer Size",
"CWE-190 Integer Overflow or Wraparound",
"CWE-191 Integer Underflow (Wrap or Wraparound)",
"CWE-193 Off-by-one Error",
"CWE-369 Divide By Zero",
"CWE-697 Incorrect Comparison",
"CWE-704 Incorrect Type Conversion or Cast",
"CWE-681 Incorrect Conversion between Numeric Types",
"CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')",
"CWE-706 Use of Incorrectly-Resolved Name or Reference",
"CWE-178 Improper Handling of Case Sensitivity",
"CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"CWE-59 Improper Link Resolution Before File Access ('Link Following')",
"CWE-732 Incorrect Permission Assignment for Critical Resource",
"CWE-276 Incorrect Default Permissions",
"CWE-281 Improper Preservation of Permissions",
"CWE-754 Improper Check for Unusual or Exceptional Conditions",
"CWE-252 Unchecked Return Value",
"CWE-273 Improper Check for Dropped Privileges",
"CWE-476 NULL Pointer Dereference",
"CWE-755 Improper Handling of Exceptional Conditions",
"CWE-834 Excessive Iteration",
"CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')",
"CWE-862 Missing Authorization",
"CWE-425 Direct Request ('Forced Browsing')",
"CWE-863 Incorrect Authorization",
"CWE-639 Authorization Bypass Through User-Controlled Key",
"CWE-913 Improper Control of Dynamically-Managed Code Resources",
"CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",
"CWE-502 Deserialization of Untrusted Data",
"CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"CWE-922 Insecure Storage of Sensitive Information"
]
}