forked from future-architect/vuls
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathen.go
5145 lines (5143 loc) · 359 KB
/
en.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
package cwe
// Cwe has CWE information
type Cwe struct {
CweID string `json:"cweID"`
Name string `json:"name"`
Description string `json:"description"`
ExtendedDescription string `json:"extendedDescription"`
Lang string `json:"-"`
}
// CweDictEn is the Cwe dictionary
var CweDictEn = map[string]Cwe{
"1004": {
CweID: "1004",
Name: "Sensitive Cookie Without 'HttpOnly' Flag",
Description: "The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.",
ExtendedDescription: "The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.",
Lang: "en",
},
"1007": {
CweID: "1007",
Name: "Insufficient Visual Distinction of Homoglyphs Presented to User",
Description: "The software displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.",
ExtendedDescription: "",
Lang: "en",
},
"102": {
CweID: "102",
Name: "Struts: Duplicate Validation Forms",
Description: "The application uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.",
ExtendedDescription: "If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations, possibly leading to resultant weaknesses. Moreover, it indicates that the validation logic is not up-to-date, and can indicate that other, more subtle validation errors are present.",
Lang: "en",
},
"1021": {
CweID: "1021",
Name: "Improper Restriction of Rendered UI Layers or Frames",
Description: "The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.",
ExtendedDescription: "A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to.",
Lang: "en",
},
"1022": {
CweID: "1022",
Name: "Improper Restriction of Cross-Origin Permission to window.opener.location",
Description: "The web application does not restrict or incorrectly restricts modification of its window opener object's location property by an external application from a different origin.",
ExtendedDescription: "By default, many browsers that open a link to an external application with a target specified as a new window/tab provide cross-origin access to the location property via a window.opener object. This enables the external application to choose a location to redirect the calling web application, e.g. for a phishing attack.",
Lang: "en",
},
"1023": {
CweID: "1023",
Name: "Incomplete Comparison with Missing Factors",
Description: "The software performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors. This can lead to resultant weaknesses, e.g. by operating on the wrong object.",
ExtendedDescription: "",
Lang: "en",
},
"1024": {
CweID: "1024",
Name: "Comparison of Incompatible Types",
Description: "The software performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.",
ExtendedDescription: "In languages that are strictly typed but support casting/conversion, such as C or C++, the programmer might assume that casting one entity to the same type as another entity will ensure that the comparison will be performed correctly, but this cannot be guaranteed. In languages that are not strictly typed, such as PHP or JavaScript, there may be implicit casting/conversion to a type that the programmer is unaware of, causing unexpected results; for example, the string '123' might be converted to a number type. See examples.",
Lang: "en",
},
"1025": {
CweID: "1025",
Name: "Comparison Using Wrong Factors",
Description: "The software performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.",
ExtendedDescription: "A common example of this weakness occurs when the code inadvertently extracts the reference to an object, instead of its relevant contents.",
Lang: "en",
},
"103": {
CweID: "103",
Name: "Struts: Incomplete validate() Method Definition",
Description: "The application has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().",
ExtendedDescription: "If you do not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form.",
Lang: "en",
},
"104": {
CweID: "104",
Name: "Struts: Form Bean Does Not Extend Validation Class",
Description: "If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.",
ExtendedDescription: "",
Lang: "en",
},
"105": {
CweID: "105",
Name: "Struts: Form Field Without Validator",
Description: "The application has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.",
ExtendedDescription: "Omitting validation for even a single input field may give attackers the leeway they need to compromise the application. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.",
Lang: "en",
},
"106": {
CweID: "106",
Name: "Struts: Plug-in Framework not in Use",
Description: "When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.",
ExtendedDescription: "",
Lang: "en",
},
"107": {
CweID: "107",
Name: "Struts: Unused Validation Form",
Description: "An unused validation form indicates that validation logic is not up-to-date.",
ExtendedDescription: "It is easy for developers to forget to update validation logic when they remove or rename action form mappings. One indication that validation logic is not being properly maintained is the presence of an unused validation form.",
Lang: "en",
},
"108": {
CweID: "108",
Name: "Struts: Unvalidated Action Form",
Description: "Every Action Form must have a corresponding validation form.",
ExtendedDescription: "If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator.",
Lang: "en",
},
"109": {
CweID: "109",
Name: "Struts: Validator Turned Off",
Description: "Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.",
ExtendedDescription: "",
Lang: "en",
},
"11": {
CweID: "11",
Name: "ASP.NET Misconfiguration: Creating Debug Binary",
Description: "Debugging messages help attackers learn about the system and plan a form of attack.",
ExtendedDescription: "ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production.",
Lang: "en",
},
"110": {
CweID: "110",
Name: "Struts: Validator Without Form Field",
Description: "Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.",
ExtendedDescription: "",
Lang: "en",
},
"111": {
CweID: "111",
Name: "Direct Use of Unsafe JNI",
Description: "When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.",
ExtendedDescription: "Many safety features that programmers may take for granted simply do not apply for native code, so you must carefully review all such code for potential problems. The languages used to implement native code may be more susceptible to buffer overflows and other attacks. Native code is unprotected by the security features enforced by the runtime environment, such as strong typing and array bounds checking.",
Lang: "en",
},
"112": {
CweID: "112",
Name: "Missing XML Validation",
Description: "The software accepts XML from an untrusted source but does not validate the XML against the proper schema.",
ExtendedDescription: "Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input.",
Lang: "en",
},
"113": {
CweID: "113",
Name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')",
Description: "The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.",
ExtendedDescription: "",
Lang: "en",
},
"114": {
CweID: "114",
Name: "Process Control",
Description: "Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.",
ExtendedDescription: "Process control vulnerabilities take two forms: 1. An attacker can change the command that the program executes: the attacker explicitly controls what the command is. 2. An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means. Process control vulnerabilities of the first type occur when either data enters the application from an untrusted source and the data is used as part of a string representing a command that is executed by the application. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.",
Lang: "en",
},
"115": {
CweID: "115",
Name: "Misinterpretation of Input",
Description: "The software misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.",
ExtendedDescription: "",
Lang: "en",
},
"116": {
CweID: "116",
Name: "Improper Encoding or Escaping of Output",
Description: "The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.",
ExtendedDescription: "",
Lang: "en",
},
"117": {
CweID: "117",
Name: "Improper Output Neutralization for Logs",
Description: "The software does not neutralize or incorrectly neutralizes output that is written to logs.",
ExtendedDescription: "",
Lang: "en",
},
"118": {
CweID: "118",
Name: "Incorrect Access of Indexable Resource ('Range Error')",
Description: "The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.",
ExtendedDescription: "",
Lang: "en",
},
"119": {
CweID: "119",
Name: "Improper Restriction of Operations within the Bounds of a Memory Buffer",
Description: "The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.",
ExtendedDescription: "",
Lang: "en",
},
"12": {
CweID: "12",
Name: "ASP.NET Misconfiguration: Missing Custom Error Page",
Description: "An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.",
ExtendedDescription: "",
Lang: "en",
},
"120": {
CweID: "120",
Name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",
Description: "The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.",
ExtendedDescription: "A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the 'classic' case in which the program copies the buffer without restricting how much is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.",
Lang: "en",
},
"121": {
CweID: "121",
Name: "Stack-based Buffer Overflow",
Description: "A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).",
ExtendedDescription: "",
Lang: "en",
},
"122": {
CweID: "122",
Name: "Heap-based Buffer Overflow",
Description: "A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().",
ExtendedDescription: "",
Lang: "en",
},
"123": {
CweID: "123",
Name: "Write-what-where Condition",
Description: "Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.",
ExtendedDescription: "",
Lang: "en",
},
"124": {
CweID: "124",
Name: "Buffer Underwrite ('Buffer Underflow')",
Description: "The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.",
ExtendedDescription: "This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used.",
Lang: "en",
},
"125": {
CweID: "125",
Name: "Out-of-bounds Read",
Description: "The software reads data past the end, or before the beginning, of the intended buffer.",
ExtendedDescription: "This typically occurs when the pointer or its index is incremented or decremented to a position beyond the bounds of the buffer or when pointer arithmetic results in a position outside of the valid memory location to name a few. This may result in corruption of sensitive information, a crash, or code execution among other things.",
Lang: "en",
},
"126": {
CweID: "126",
Name: "Buffer Over-read",
Description: "The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.",
ExtendedDescription: "This typically occurs when the pointer or its index is incremented to a position beyond the bounds of the buffer or when pointer arithmetic results in a position outside of the valid memory location to name a few. This may result in exposure of sensitive information or possibly a crash.",
Lang: "en",
},
"127": {
CweID: "127",
Name: "Buffer Under-read",
Description: "The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.",
ExtendedDescription: "This typically occurs when the pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. This may result in exposure of sensitive information or possibly a crash.",
Lang: "en",
},
"128": {
CweID: "128",
Name: "Wrap-around Error",
Description: "Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore 'wraps around' to a very small, negative, or undefined value.",
ExtendedDescription: "",
Lang: "en",
},
"129": {
CweID: "129",
Name: "Improper Validation of Array Index",
Description: "The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.",
ExtendedDescription: "",
Lang: "en",
},
"13": {
CweID: "13",
Name: "ASP.NET Misconfiguration: Password in Configuration File",
Description: "Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.",
ExtendedDescription: "",
Lang: "en",
},
"130": {
CweID: "130",
Name: "Improper Handling of Length Parameter Inconsistency",
Description: "The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.",
ExtendedDescription: "If an attacker can manipulate the length parameter associated with an input such that it is inconsistent with the actual length of the input, this can be leveraged to cause the target application to behave in unexpected, and possibly, malicious ways. One of the possible motives for doing so is to pass in arbitrarily large input to the application. Another possible motivation is the modification of application state by including invalid data for subsequent properties of the application. Such weaknesses commonly lead to attacks such as buffer overflows and execution of arbitrary code.",
Lang: "en",
},
"131": {
CweID: "131",
Name: "Incorrect Calculation of Buffer Size",
Description: "The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.",
ExtendedDescription: "",
Lang: "en",
},
"132": {
CweID: "132",
Name: "DEPRECATED (Duplicate): Miscalculated Null Termination",
Description: "This entry has been deprecated because it was a duplicate of CWE-170. All content has been transferred to CWE-170.",
ExtendedDescription: "",
Lang: "en",
},
"134": {
CweID: "134",
Name: "Use of Externally-Controlled Format String",
Description: "The software uses a function that accepts a format string as an argument, but the format string originates from an external source.",
ExtendedDescription: "",
Lang: "en",
},
"135": {
CweID: "135",
Name: "Incorrect Calculation of Multi-Byte String Length",
Description: "The software does not correctly calculate the length of strings that can contain wide or multi-byte characters.",
ExtendedDescription: "",
Lang: "en",
},
"138": {
CweID: "138",
Name: "Improper Neutralization of Special Elements",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.",
ExtendedDescription: "Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If software does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ('less than') as meaning 'read input from a file'.",
Lang: "en",
},
"14": {
CweID: "14",
Name: "Compiler Removal of Code to Clear Buffers",
Description: "Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka 'dead store removal.'",
ExtendedDescription: "",
Lang: "en",
},
"140": {
CweID: "140",
Name: "Improper Neutralization of Delimiters",
Description: "The software does not neutralize or incorrectly neutralizes delimiters.",
ExtendedDescription: "",
Lang: "en",
},
"141": {
CweID: "141",
Name: "Improper Neutralization of Parameter/Argument Delimiters",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.",
Lang: "en",
},
"142": {
CweID: "142",
Name: "Improper Neutralization of Value Delimiters",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.",
Lang: "en",
},
"143": {
CweID: "143",
Name: "Improper Neutralization of Record Delimiters",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.",
Lang: "en",
},
"144": {
CweID: "144",
Name: "Improper Neutralization of Line Delimiters",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.",
Lang: "en",
},
"145": {
CweID: "145",
Name: "Improper Neutralization of Section Delimiters",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.",
ExtendedDescription: "",
Lang: "en",
},
"146": {
CweID: "146",
Name: "Improper Neutralization of Expression/Command Delimiters",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.",
Lang: "en",
},
"147": {
CweID: "147",
Name: "Improper Neutralization of Input Terminators",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.",
ExtendedDescription: "For example, a '.' in SMTP signifies the end of mail message data, whereas a null character can be used for the end of a string.",
Lang: "en",
},
"148": {
CweID: "148",
Name: "Improper Neutralization of Input Leaders",
Description: "The application does not properly handle when a leading character or sequence ('leader') is missing or malformed, or if multiple leaders are used when only one should be allowed.",
ExtendedDescription: "",
Lang: "en",
},
"149": {
CweID: "149",
Name: "Improper Neutralization of Quoting Syntax",
Description: "Quotes injected into an application can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.",
ExtendedDescription: "",
Lang: "en",
},
"15": {
CweID: "15",
Name: "External Control of System or Configuration Setting",
Description: "One or more system settings or configuration elements can be externally controlled by a user.",
ExtendedDescription: "Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways.",
Lang: "en",
},
"150": {
CweID: "150",
Name: "Improper Neutralization of Escape, Meta, or Control Sequences",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.",
Lang: "en",
},
"151": {
CweID: "151",
Name: "Improper Neutralization of Comment Delimiters",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component.",
ExtendedDescription: "",
Lang: "en",
},
"152": {
CweID: "152",
Name: "Improper Neutralization of Macro Symbols",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component.",
ExtendedDescription: "",
Lang: "en",
},
"153": {
CweID: "153",
Name: "Improper Neutralization of Substitution Characters",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.",
ExtendedDescription: "",
Lang: "en",
},
"154": {
CweID: "154",
Name: "Improper Neutralization of Variable Name Delimiters",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, an injected delimiter may cause the process to take unexpected actions that result in an attack. Example: '$' for an environment variable.",
Lang: "en",
},
"155": {
CweID: "155",
Name: "Improper Neutralization of Wildcards or Matching Symbols",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, an injected element may cause the process to take unexpected actions.",
Lang: "en",
},
"156": {
CweID: "156",
Name: "Improper Neutralization of Whitespace",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.",
ExtendedDescription: "This can include space, tab, etc.",
Lang: "en",
},
"157": {
CweID: "157",
Name: "Failure to Sanitize Paired Delimiters",
Description: "The software does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.",
ExtendedDescription: "",
Lang: "en",
},
"158": {
CweID: "158",
Name: "Improper Neutralization of Null Byte or NUL Character",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, an injected NUL character or null byte may cause the software to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte or otherwise bypass validation routines and other protection mechanisms.",
Lang: "en",
},
"159": {
CweID: "159",
Name: "Failure to Sanitize Special Element",
Description: "Weaknesses in this attack-focused category do not properly filter and interpret special elements in user-controlled input which could cause adverse effect on the software behavior and integrity.",
ExtendedDescription: "",
Lang: "en",
},
"160": {
CweID: "160",
Name: "Improper Neutralization of Leading Special Elements",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, improperly handled leading special elements may cause the process to take unexpected actions that result in an attack.",
Lang: "en",
},
"161": {
CweID: "161",
Name: "Improper Neutralization of Multiple Leading Special Elements",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, improperly handled multiple leading special elements may cause the process to take unexpected actions that result in an attack.",
Lang: "en",
},
"162": {
CweID: "162",
Name: "Improper Neutralization of Trailing Special Elements",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, improperly handled trailing special elements may cause the process to take unexpected actions that result in an attack.",
Lang: "en",
},
"163": {
CweID: "163",
Name: "Improper Neutralization of Multiple Trailing Special Elements",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, improperly handled multiple trailing special elements may cause the process to take unexpected actions that result in an attack.",
Lang: "en",
},
"164": {
CweID: "164",
Name: "Improper Neutralization of Internal Special Elements",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, improperly handled internal special elements may cause the process to take unexpected actions that result in an attack.",
Lang: "en",
},
"165": {
CweID: "165",
Name: "Improper Neutralization of Multiple Internal Special Elements",
Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.",
ExtendedDescription: "As data is parsed, improperly handled multiple internal special elements may cause the process to take unexpected actions that result in an attack.",
Lang: "en",
},
"166": {
CweID: "166",
Name: "Improper Handling of Missing Special Element",
Description: "The software receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.",
ExtendedDescription: "",
Lang: "en",
},
"167": {
CweID: "167",
Name: "Improper Handling of Additional Special Element",
Description: "The software receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is missing.",
ExtendedDescription: "",
Lang: "en",
},
"168": {
CweID: "168",
Name: "Improper Handling of Inconsistent Special Elements",
Description: "The software does not handle when an inconsistency exists between two or more special characters or reserved words.",
ExtendedDescription: "An example of this problem would be if paired characters appear in the wrong order, or if the special characters are not properly nested.",
Lang: "en",
},
"170": {
CweID: "170",
Name: "Improper Null Termination",
Description: "The software does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.",
ExtendedDescription: "Null termination errors frequently occur in two different ways. An off-by-one error could cause a null to be written out of bounds, leading to an overflow. Or, a program could use a strncpy() function call incorrectly, which prevents a null terminator from being added at all. Other scenarios are possible.",
Lang: "en",
},
"172": {
CweID: "172",
Name: "Encoding Error",
Description: "The software does not properly encode or decode the data, resulting in unexpected values.",
ExtendedDescription: "",
Lang: "en",
},
"173": {
CweID: "173",
Name: "Improper Handling of Alternate Encoding",
Description: "The software does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.",
ExtendedDescription: "",
Lang: "en",
},
"174": {
CweID: "174",
Name: "Double Decoding of the Same Data",
Description: "The software decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.",
ExtendedDescription: "",
Lang: "en",
},
"175": {
CweID: "175",
Name: "Improper Handling of Mixed Encoding",
Description: "The software does not properly handle when the same input uses several different (mixed) encodings.",
ExtendedDescription: "",
Lang: "en",
},
"176": {
CweID: "176",
Name: "Improper Handling of Unicode Encoding",
Description: "The software does not properly handle when an input contains Unicode encoding.",
ExtendedDescription: "",
Lang: "en",
},
"177": {
CweID: "177",
Name: "Improper Handling of URL Encoding (Hex Encoding)",
Description: "The software does not properly handle when all or part of an input has been URL encoded.",
ExtendedDescription: "",
Lang: "en",
},
"178": {
CweID: "178",
Name: "Improper Handling of Case Sensitivity",
Description: "The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.",
ExtendedDescription: "",
Lang: "en",
},
"179": {
CweID: "179",
Name: "Incorrect Behavior Order: Early Validation",
Description: "The software validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.",
ExtendedDescription: "Software needs to validate data at the proper time, after data has been canonicalized and cleansed. Early validation is susceptible to various manipulations that result in dangerous inputs that are produced by canonicalization and cleansing.",
Lang: "en",
},
"180": {
CweID: "180",
Name: "Incorrect Behavior Order: Validate Before Canonicalize",
Description: "The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step.",
ExtendedDescription: "This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.",
Lang: "en",
},
"181": {
CweID: "181",
Name: "Incorrect Behavior Order: Validate Before Filter",
Description: "The software validates data before it has been filtered, which prevents the software from detecting data that becomes invalid after the filtering step.",
ExtendedDescription: "This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.",
Lang: "en",
},
"182": {
CweID: "182",
Name: "Collapse of Data into Unsafe Value",
Description: "The software filters data in a way that causes it to be reduced or 'collapsed' into an unsafe value that violates an expected security property.",
ExtendedDescription: "",
Lang: "en",
},
"183": {
CweID: "183",
Name: "Permissive Whitelist",
Description: "An application uses a 'whitelist' of acceptable values, but the whitelist includes at least one unsafe value, leading to resultant weaknesses.",
ExtendedDescription: "",
Lang: "en",
},
"184": {
CweID: "184",
Name: "Incomplete Blacklist",
Description: "An application uses a 'blacklist' of prohibited values, but the blacklist is incomplete.",
ExtendedDescription: "If an incomplete blacklist is used as a security mechanism, then the software may allow unintended values to pass into the application logic.",
Lang: "en",
},
"185": {
CweID: "185",
Name: "Incorrect Regular Expression",
Description: "The software specifies a regular expression in a way that causes data to be improperly matched or compared.",
ExtendedDescription: "When the regular expression is used in protection mechanisms such as filtering or validation, this may allow an attacker to bypass the intended restrictions on the incoming data.",
Lang: "en",
},
"186": {
CweID: "186",
Name: "Overly Restrictive Regular Expression",
Description: "A regular expression is overly restrictive, which prevents dangerous values from being detected.",
ExtendedDescription: "",
Lang: "en",
},
"187": {
CweID: "187",
Name: "Partial Comparison",
Description: "The software performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.",
ExtendedDescription: "For example, an attacker might succeed in authentication by providing a small password that matches the associated portion of the larger, correct password.",
Lang: "en",
},
"188": {
CweID: "188",
Name: "Reliance on Data/Memory Layout",
Description: "The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.",
ExtendedDescription: "",
Lang: "en",
},
"190": {
CweID: "190",
Name: "Integer Overflow or Wraparound",
Description: "The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.",
ExtendedDescription: "An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc.",
Lang: "en",
},
"191": {
CweID: "191",
Name: "Integer Underflow (Wrap or Wraparound)",
Description: "The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.",
ExtendedDescription: "This can happen in signed and unsigned cases.",
Lang: "en",
},
"192": {
CweID: "192",
Name: "Integer Coercion Error",
Description: "Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.",
ExtendedDescription: "Several flaws fall under the category of integer coercion errors. For the most part, these errors in and of themselves result only in availability and data integrity issues. However, in some circumstances, they may result in other, more complicated security related flaws, such as buffer overflow conditions.",
Lang: "en",
},
"193": {
CweID: "193",
Name: "Off-by-one Error",
Description: "A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.",
ExtendedDescription: "",
Lang: "en",
},
"194": {
CweID: "194",
Name: "Unexpected Sign Extension",
Description: "The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.",
ExtendedDescription: "",
Lang: "en",
},
"195": {
CweID: "195",
Name: "Signed to Unsigned Conversion Error",
Description: "The software uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.",
ExtendedDescription: "",
Lang: "en",
},
"196": {
CweID: "196",
Name: "Unsigned to Signed Conversion Error",
Description: "The software uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.",
ExtendedDescription: "Although less frequent an issue than signed-to-unsigned conversion, unsigned-to-signed conversion can be the perfect precursor to dangerous buffer underwrite conditions that allow attackers to move down the stack where they otherwise might not have access in a normal buffer overflow condition. Buffer underwrites occur frequently when large unsigned values are cast to signed values, and then used as indexes into a buffer or for pointer arithmetic.",
Lang: "en",
},
"197": {
CweID: "197",
Name: "Numeric Truncation Error",
Description: "Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.",
ExtendedDescription: "When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred.",
Lang: "en",
},
"198": {
CweID: "198",
Name: "Use of Incorrect Byte Ordering",
Description: "The software receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.",
ExtendedDescription: "",
Lang: "en",
},
"20": {
CweID: "20",
Name: "Improper Input Validation",
Description: "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
ExtendedDescription: "When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.",
Lang: "en",
},
"200": {
CweID: "200",
Name: "Information Exposure",
Description: "An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.",
ExtendedDescription: "",
Lang: "en",
},
"201": {
CweID: "201",
Name: "Information Exposure Through Sent Data",
Description: "The accidental exposure of sensitive information through sent data refers to the transmission of data which are either sensitive in and of itself or useful in the further exploitation of the system through standard data channels.",
ExtendedDescription: "",
Lang: "en",
},
"202": {
CweID: "202",
Name: "Exposure of Sensitive Data Through Data Queries",
Description: "When trying to keep information confidential, an attacker can often infer some of the information by using statistics.",
ExtendedDescription: "In situations where data should not be tied to individual users, but a large number of users should be able to make queries that 'scrub' the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.",
Lang: "en",
},
"203": {
CweID: "203",
Name: "Information Exposure Through Discrepancy",
Description: "The product behaves differently or sends different responses in a way that exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.",
ExtendedDescription: "",
Lang: "en",
},
"204": {
CweID: "204",
Name: "Response Discrepancy Information Exposure",
Description: "The software provides different responses to incoming requests in a way that allows an actor to determine system state information that is outside of that actor's control sphere.",
ExtendedDescription: "This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can be inadvertent (bug) or intentional (design).",
Lang: "en",
},
"205": {
CweID: "205",
Name: "Information Exposure Through Behavioral Discrepancy",
Description: "The product's actions indicate important differences based on (1) the internal state of the product or (2) differences from other products in the same class.",
ExtendedDescription: "For example, attacks such as OS fingerprinting rely heavily on both behavioral and response discrepancies.",
Lang: "en",
},
"206": {
CweID: "206",
Name: "Information Exposure of Internal State Through Behavioral Inconsistency",
Description: "Two separate operations in a product cause the product to behave differently in a way that is observable to an attacker and reveals security-relevant information about the internal state of the product, such as whether a particular operation was successful or not.",
ExtendedDescription: "",
Lang: "en",
},
"207": {
CweID: "207",
Name: "Information Exposure Through an External Behavioral Inconsistency",
Description: "The product behaves differently than other products like it, in a way that is observable to an attacker and exposes security-relevant information about which product is being used.",
ExtendedDescription: "",
Lang: "en",
},
"208": {
CweID: "208",
Name: "Information Exposure Through Timing Discrepancy",
Description: "Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.",
ExtendedDescription: "",
Lang: "en",
},
"209": {
CweID: "209",
Name: "Information Exposure Through an Error Message",
Description: "The software generates an error message that includes sensitive information about its environment, users, or associated data.",
ExtendedDescription: "The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. If an attack fails, an attacker may use error information provided by the server to launch another more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of '..' sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.",
Lang: "en",
},
"210": {
CweID: "210",
Name: "Information Exposure Through Self-generated Error Message",
Description: "The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.",
ExtendedDescription: "",
Lang: "en",
},
"211": {
CweID: "211",
Name: "Information Exposure Through Externally-Generated Error Message",
Description: "The software performs an operation that triggers an external diagnostic or error message that is not directly generated by the software, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information.",
ExtendedDescription: "",
Lang: "en",
},
"212": {
CweID: "212",
Name: "Improper Cross-boundary Removal of Sensitive Data",
Description: "The software uses a resource that contains sensitive data, but it does not properly remove that data before it stores, transfers, or shares the resource with actors in another control sphere.",
ExtendedDescription: "",
Lang: "en",
},
"213": {
CweID: "213",
Name: "Intentional Information Exposure",
Description: "A product's design or configuration explicitly requires the publication of information that could be regarded as sensitive by an administrator.",
ExtendedDescription: "",
Lang: "en",
},
"214": {
CweID: "214",
Name: "Information Exposure Through Process Environment",
Description: "A process is invoked with sensitive arguments, environment variables, or other elements that can be seen by other processes on the operating system.",
ExtendedDescription: "Many operating systems allow a user to list information about processes that are owned by other users. This information could include command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the software or related resources.",
Lang: "en",
},
"215": {
CweID: "215",
Name: "Information Exposure Through Debug Information",
Description: "The application contains debugging code that can expose sensitive information to untrusted parties.",
ExtendedDescription: "",
Lang: "en",
},
"216": {
CweID: "216",
Name: "Containment Errors (Container Errors)",
Description: "This tries to cover various problems in which improper data are included within a 'container.'",
ExtendedDescription: "",
Lang: "en",
},
"217": {
CweID: "217",
Name: "DEPRECATED: Failure to Protect Stored Data from Modification",
Description: "This weakness has been deprecated because it incorporated and confused multiple weaknesses. The issues formerly covered in this weakness can be found at CWE-766 and CWE-767.",
ExtendedDescription: "",
Lang: "en",
},
"218": {
CweID: "218",
Name: "DEPRECATED (Duplicate): Failure to provide confidentiality for stored data",
Description: "This weakness has been deprecated because it was a duplicate of CWE-493. All content has been transferred to CWE-493.",
ExtendedDescription: "",
Lang: "en",
},
"219": {
CweID: "219",
Name: "Sensitive Data Under Web Root",
Description: "The application stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.",
ExtendedDescription: "",
Lang: "en",
},
"22": {
CweID: "22",
Name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
Description: "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.",
ExtendedDescription: "",
Lang: "en",
},
"220": {
CweID: "220",
Name: "Sensitive Data Under FTP Root",
Description: "The application stores sensitive data under the FTP document root with insufficient access control, which might make it accessible to untrusted parties.",
ExtendedDescription: "",
Lang: "en",
},
"221": {
CweID: "221",
Name: "Information Loss or Omission",
Description: "The software does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.",
ExtendedDescription: "This can be resultant, e.g. a buffer overflow might trigger a crash before the product can log the event.",
Lang: "en",
},
"222": {
CweID: "222",
Name: "Truncation of Security-relevant Information",
Description: "The application truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack.",
ExtendedDescription: "",
Lang: "en",
},
"223": {
CweID: "223",
Name: "Omission of Security-relevant Information",
Description: "The application does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.",
ExtendedDescription: "",
Lang: "en",
},
"224": {
CweID: "224",
Name: "Obscured Security-relevant Information by Alternate Name",
Description: "The software records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.",
ExtendedDescription: "",
Lang: "en",
},
"225": {
CweID: "225",
Name: "DEPRECATED (Duplicate): General Information Management Problems",
Description: "This weakness can be found at CWE-199.",
ExtendedDescription: "",
Lang: "en",
},
"226": {
CweID: "226",
Name: "Sensitive Information Uncleared Before Release",
Description: "The software does not fully clear previously used information in a data structure, file, or other resource, before making that resource available to a party in another control sphere.",
ExtendedDescription: "This typically results from new data that is not as long as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. If memory is not cleared after use, it may allow unintended actors to read the data when the memory is reallocated.",
Lang: "en",
},
"228": {
CweID: "228",
Name: "Improper Handling of Syntactically Invalid Structure",
Description: "The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.",
ExtendedDescription: "",
Lang: "en",
},
"229": {
CweID: "229",
Name: "Improper Handling of Values",
Description: "The software does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.",
ExtendedDescription: "",
Lang: "en",
},
"23": {
CweID: "23",
Name: "Relative Path Traversal",
Description: "The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as '..' that can resolve to a location that is outside of that directory.",
ExtendedDescription: "This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.",
Lang: "en",
},
"230": {
CweID: "230",
Name: "Improper Handling of Missing Values",
Description: "The software does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.",
ExtendedDescription: "",
Lang: "en",
},
"231": {
CweID: "231",
Name: "Improper Handling of Extra Values",
Description: "The software does not handle or incorrectly handles when more values are provided than expected.",
ExtendedDescription: "",
Lang: "en",
},
"232": {
CweID: "232",
Name: "Improper Handling of Undefined Values",
Description: "The software does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.",
ExtendedDescription: "",
Lang: "en",
},
"233": {
CweID: "233",
Name: "Improper Handling of Parameters",
Description: "The software does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.",
ExtendedDescription: "",
Lang: "en",
},
"234": {
CweID: "234",
Name: "Failure to Handle Missing Parameter",
Description: "If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.",
ExtendedDescription: "",
Lang: "en",
},
"235": {
CweID: "235",
Name: "Improper Handling of Extra Parameters",
Description: "The software does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.",
ExtendedDescription: "",
Lang: "en",
},
"236": {
CweID: "236",
Name: "Improper Handling of Undefined Parameters",
Description: "The software does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.",
ExtendedDescription: "",
Lang: "en",
},