DATASHEET
CWE Weakness Enforcement (All)
ENFORCEMENT FOR KW 2023.4
Note the CWEs listed are from CWE 4.12
Weaknesses
Rule Id | Description | C/C++ | C# | Java | JavaScript | Python |
|---|---|---|---|---|---|---|
CWE-20 | Improper Input Validation | Yes | Yes | Yes | ||
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes | Yes | Yes | ||
CWE-23 | Relative Path Traversal | Yes | ||||
CWE-73 | External Control of File Name or Path | Yes | Yes | |||
CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | Yes | ||||
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | Yes | ||||
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Yes | Yes | Yes | ||
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Yes | Yes | Yes | ||
CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | Yes | ||||
CWE-88 | Argument Injection or Modification | Yes | ||||
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Yes | Yes | Yes | ||
CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | Yes | ||||
CWE-94 | Improper Control of Generation of Code ('Code Injection') | Yes | Yes | Yes | ||
CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | Yes | Yes | |||
CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | Yes | ||||
CWE-103 | Struts: Incomplete validate() Method Definition | Yes | ||||
CWE-105 | Struts: Form Field Without Validator | Yes | ||||
CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | Yes | ||||
CWE-114 | Process Control | Yes | Yes | |||
CWE-117 | Improper Output Neutralization for Logs | Yes | ||||
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Yes | Yes | |||
CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Yes | ||||
CWE-121 | Stack-based Buffer Overflow | Yes | ||||
CWE-122 | Heap-based Buffer Overflow | Yes | ||||
CWE-124 | Buffer Underwrite | Yes | ||||
CWE-125 | Out-of-bounds Read | Yes | Yes | |||
CWE-127 | Buffer Under-read | Yes | ||||
CWE-129 | Improper Validation of Array Index | Yes | Yes | |||
CWE-131 | Incorrect Calculation of Buffer Size | Yes | ||||
CWE-134 | Use of Externally-Controlled Format String | Yes | ||||
CWE-135 | Incorrect Calculation of Multi-Byte String Length | Yes | ||||
CWE-170 | Improper NULL termination | Yes | ||||
CWE-176 | Improper Handling of Unicode Encoding | Yes | ||||
CWE-190 | Integer Overflow or Wraparound | Yes | Yes | Yes | ||
CWE-192 | Integer Coercion Error | Yes | Yes | |||
CWE-193 | Off-by-one Error | Yes | ||||
CWE-195 | Signed to Unsigned Conversion Error | Yes | ||||
CWE-196 | Unsigned to Signed Conversion Error | Yes | ||||
CWE-197 | Numeric Truncation Error | Yes | ||||
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | Yes | Yes | Yes | ||
CWE-226 | Sensitive Information Uncleared Before Release | Yes | ||||
CWE-242 | Use of Inherently Dangerous Function | Yes | ||||
CWE-245 | J2EE Bad Practices: Direct Management of Connections | Yes | ||||
CWE-246 | J2EE Bad Practices: Direct Use of Sockets | Yes | ||||
CWE-248 | Uncaught Exception | Yes | ||||
CWE-250 | Execution with Unnecessary Privileges | Yes | ||||
CWE-251 | Often Misused: String Management | Yes | ||||
CWE-252 | Unchecked Return Value | Yes | ||||
CWE-253 | Incorrect Check of Function Return Value | Yes | ||||
CWE-256 | Plaintext Storage of a Password | Yes | ||||
CWE-259 | Use of Hard-coded Password | Yes | Yes | |||
CWE-269 | Improper Privilege Management | Yes | Yes | Yes | ||
CWE-272 | Least Privilege Violation | Yes | ||||
CWE-273 | Improper Check for Dropped Privileges | Yes | ||||
CWE-276 | Incorrect Default Permissions | Yes | ||||
CWE-284 | Improper Access Control | Yes | ||||
CWE-287 | Incorrect Authentication | Yes | Yes | |||
CWE-290 | Authentication Bypass by Spoofing | Yes | ||||
CWE-295 | Improper Certificate Validation | Yes | Yes | Yes | ||
CWE-306 | Missing Authentication for Critical Function | Yes | ||||
CWE-307 | Improper Restriction of Excessive Authentication Attempts | Yes | ||||
CWE-311 | Missing Encryption of Sensitive Data | Yes | Yes | |||
CWE-312 | Cleartext Storage of Sensitive Information | Yes | ||||
CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | Yes | ||||
CWE-321 | Use of Hard-coded Cryptographic Key | Yes | ||||
CWE-326 | Inadequate Encryption Strength | Yes | Yes | |||
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Yes | Yes | Yes | ||
CWE-330 | Use of Insufficiently Random Values | Yes | ||||
CWE-352 | Cross-Site Request Forgery | Yes | Yes | |||
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | Yes | ||||
CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | Yes | ||||
CWE-369 | Divide By Zero | Yes | Yes | |||
CWE-374 | Passing Mutable Objects to an Untrusted Method | Yes | ||||
CWE-377 | Insecure Temporary File | Yes | ||||
CWE-382 | J2EE Bad Practices: Use of System.exit() | Yes | ||||
CWE-383 | J2EE Bad Practices: Direct Use of Threads | Yes | ||||
CWE-384 | Session Fixation | Yes | ||||
CWE-390 | Detection of Error Condition Without Action | Yes | ||||
CWE-391 | Unchecked Error Condition" | Yes | Yes | |||
CWE-394 | Unexpected Status Code or Return Value | Yes | ||||
CWE-396 | Declaration of Catch for Generic Exception | Yes | ||||
CWE-398 | Indicator of Poor Code Quality | Yes | ||||
CWE-400 | Uncontrolled Resource Consumption | Yes | Yes | Yes | ||
CWE-401 | Missing Release of Memory after Effective Lifetime | Yes | ||||
CWE-403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | Yes | ||||
CWE-404 | Improper Resource Shutdown or Release | Yes | Yes | Yes | ||
CWE-412 | Unrestricted Externally Accessible Lock | Yes | ||||
CWE-413 | Improper Resource Locking | Yes | ||||
CWE-415 | Double Free | Yes | ||||
CWE-416 | Use After Free | Yes | Yes | |||
CWE-421 | Race Condition During Access to Alternate Channel | Yes | ||||
CWE-426 | Untrusted Search Path | Yes | Yes | Yes | ||
CWE-434 | Unrestricted Upload of File with Dangerous Type | Yes | ||||
CWE-457 | Use of Uninitialized Variable | Yes | ||||
CWE-459 | Incomplete Cleanup | Yes | ||||
CWE-464 | Addition of Data Structure Sentinel | Yes | ||||
CWE-467 | Use of sizeof() on a Pointer Type | Yes | ||||
CWE-468 | Incorrect Pointer Scaling | Yes | ||||
CWE-472 | External Control of Assumed-Immutable Web Parameter | Yes | ||||
CWE-476 | NULL Pointer Dereference | Yes | Yes | Yes | ||
CWE-478 | Missing Default Case in Switch Statement | Yes | ||||
CWE-480 | Use of Incorrect Operator | Yes | ||||
CWE-481 | Assigning instead of Comparing | Yes | ||||
CWE-482 | Comparing instead of Assigning | Yes | ||||
CWE-484 | Omitted Break Statement in Switch | Yes | ||||
CWE-486 | Comparison of Classes by Name | Yes | ||||
CWE-489 | Leftover Debug Code | Yes | ||||
CWE-493 | Critical Public Variable Without Final Modifier | Yes | ||||
CWE-497 | Exposure of System Data to an Unauthorized Control Sphere | Yes | Yes | |||
CWE-500 | Public Static Field Not Marked Final | Yes | ||||
CWE-501 | Trust Boundary Violation | Yes | ||||
CWE-502 | Deserialization of Untrusted Data | Yes | Yes | |||
CWE-522 | Insufficiently Protected Credentials | Yes | Yes | |||
CWE-539 | Use of Persistent Cookies Containing Sensitive Information | Yes | ||||
CWE-548 | Information Exposure Through Directory Listing | Yes | ||||
CWE-561 | Dead Code | Yes | ||||
CWE-562 | Return of Stack Variable Address | Yes | Yes | |||
CWE-563 | Assignment to Variable without Use | Yes | ||||
CWE-567 | Unsynchronized Access to Shared Data in a Multithreaded Context | Yes | ||||
CWE-568 | finalize() Method Without super.finalize() | Yes | ||||
CWE-570 | Expression is Always False | Yes | Yes | Yes | ||
CWE-571 | Expression is Always True | Yes | Yes | |||
CWE-576 | EJB Bad Practices: Use of Java I/O | Yes | ||||
CWE-580 | clone() Method Without super.clone() | Yes | ||||
CWE-581 | Object Model Violation: Just One of Equals and Hashcode Defined | Yes | ||||
CWE-583 | finalize() Method Declared Public | Yes | ||||
CWE-590 | Free of Memory not on the Heap | Yes | ||||
CWE-595 | Comparison of Object References Instead of Object Contents | Yes | ||||
CWE-596 | Incorrect Semantic Object Comparison | Yes | ||||
CWE-606 | Unchecked Input for Loop Condition | Yes | ||||
CWE-611 | Improper Restriction of XML External Entity Reference | Yes | Yes | Yes | ||
CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Yes | Yes | |||
CWE-628 | Function Call with Incorrectly Specified Arguments | Yes | ||||
CWE-665 | Improper Initialization | Yes | ||||
CWE-667 | Improper Lockin | Yes | ||||
CWE-672 | Operation on a Resource after Expiration or Release | Yes | Yes | |||
CWE-676 | Use of Potentially Dangerous Function | Yes | ||||
CWE-681 | Incorrect Conversion between Numeric Types | Yes | ||||
CWE-682 | Incorrect Calculation | Yes | ||||
CWE-686 | Function Call With Incorrect Argument Type | Yes | ||||
CWE-690 | Unchecked Return Value to NULL Pointer Dereference | Yes | ||||
CWE-704 | Incorrect Type Conversion or Cast | Yes | Yes | |||
CWE-732 | Incorrect Permission Assignment for Critical Resource | Yes | Yes | Yes | ||
CWE-754 | Improper Check for Unusual or Exceptional Conditions | Yes | ||||
CWE-759 | Use of a One-Way Hash without a Salt | Yes | ||||
CWE-762 | Mismatched Memory Management Routines | Yes | ||||
CWE-764 | Multiple Locks of a Critical Resource | Yes | ||||
CWE-765 | Multiple Unlocks of a Critical Resource | Yes | ||||
CWE-768 | Incorrect Short Circuit Evaluation | Yes | ||||
CWE-772 | Missing Release of Resource after Effective Lifetime | Yes | Yes | Yes | ||
CWE-783 | Operator Precedence Logic Error | Yes | ||||
CWE-786 | Access of Memory Location Before Start of Buffer | Yes | ||||
CWE-787 | Out-of-bounds Write | Yes | Yes | |||
CWE-788 | Access of Memory Location After End of Buffer | Yes | ||||
CWE-798 | Use of Hard-coded Credentials | Yes | ||||
CWE-805 | Buffer Access with Incorrect Length Value | Yes | ||||
CWE-806 | Buffer Access Using Size of Source Buffer | Yes | ||||
CWE-807 | Reliance on Untrusted Inputs in a Security Decision | Yes | ||||
CWE-822 | Untrusted Pointer Dereference | Yes | ||||
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | Yes | ||||
CWE-832 | Missing Lock | Yes | ||||
CWE-833 | Deadlock | Yes | ||||
CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') | Yes | ||||
CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | Yes | ||||
CWE-862 | Missing Authorization | Yes | Yes | |||
CWE-896 | SFP Primary Cluster: Tainted Input | Yes | Yes | |||
CWE 910 | Use of Expired File Descriptor | Yes | ||||
CWE-918 | Server-Side Request Forgery (SSRF) | Yes | ||||
CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag | Yes | ||||
CWE-1032 | Security Misconfiguration | Yes | ||||
CWE-1035 | OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities | Yes | ||||
CWE-1037 | Processor Optimization Removal or Modification of Security-critical Code | Yes | ||||
CWE-1235 | Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations | Yes | ||||
CWE-1335 | Incorrect Bitwise Shift of Integer | Yes |