Category Archives: CWE

Advisories, CWE, Education

Understanding and Mitigating the CVE-2022-41741 Vulnerability in NGINX

Read Time:1 Minute, 48 Second

NGINX, a widely-used open-source web server, has recently been affected by a critical vulnerability – CVE-2022-41741. The vulnerability is specific to NGINX’s module, ngx_http_mp4_module, and can be exploited by a local attacker to corrupt NGINX worker memory resulting in its termination. In this article, we will explain the details of the CVE-2022-41741 vulnerability and provide guidance on how to mitigate the risk.

What is CVE-2022-41741?

CVE-2022-41741 is a vulnerability in NGINX’s module, ngx_http_mp4_module. The vulnerability allows a local attacker to corrupt NGINX worker memory, which can cause its termination or other potential impact, using a specially crafted audio or video file. The attack can be executed only when the mp4 directive is used in the configuration file of NGINX products built with the ngx_http_mp4_module.

What does CVE-2022-41741 affect?

The CVE-2022-41741 vulnerability in NGINX can have a significant impact on the security and stability of the web server. If exploited, the vulnerability can cause NGINX to crash, resulting in downtime and a loss of availability. Furthermore, attackers can also gain access to sensitive information stored in the system by exploiting the vulnerability.

How can you protect yourself from CVE-2022-41741?

To mitigate the risk of CVE-2022-41741, users of NGINX products built with the ngx_http_mp4_module should update their software to the latest version. NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 are all vulnerable to this CVE-2022-41741 vulnerability. Therefore, updating to the latest version will address the vulnerability and prevent attackers from exploiting it.

In summary, the CVE-2022-41741 vulnerability in NGINX’s module, ngx_http_mp4_module, can have severe consequences if exploited. However, updating to the latest version of NGINX will mitigate the risk and prevent attackers from exploiting this vulnerability. Therefore, it is essential to ensure that the web server is updated as soon as possible to avoid any potential security risks.

CWE, Education

CWE

Read Time:1 Minute, 11 Second

CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.

The goal is to support all those methods (including automatic ones) to control and prevent software errors. It can be used at the development stage, during the Code Review activity, and later on during the penetration test activity to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities

The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.

Please check our post about Vulnerability Analysis to learn more about CWE usage.

Please find a list of all the CWE below or use the search box above to find a specific CWE.

  • CWE-600 – Uncaught Exception in Servlet

    PRIVACY PRIVACY Description The Servlet does not catch all exceptions, which may reveal sensitive debugging information. When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the…

  • CWE-601 – URL Redirection to Untrusted Site (‘Open Redirect’)

    PRIVACY PRIVACY Description A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL…

  • CWE-565 – Reliance on Cookies without Validation and Integrity Checking

    PRIVACY PRIVACY Description The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Reliance on cookies without detailed…

  • CWE-566 – Authorization Bypass Through User-Controlled SQL Primary Key

    PRIVACY PRIVACY Description The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-639   Consequences Confidentiality, Integrity, Access Control:…

  • CWE-567 – Unsynchronized Access to Shared Data in a Multithreaded Context

    PRIVACY PRIVACY Description The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-820 CWE-662 CWE-662 CWE-488   Consequences Confidentiality, Integrity, Availability: Read Application Data, Modify Application Data, DoS: Instability,…

  • CWE-568 – finalize() Method Without super.finalize()

    PRIVACY PRIVACY Description The software contains a finalize() method that does not call super.finalize(). The Java Language Specification states that it is a good practice for a finalize() method to call super.finalize(). Modes of Introduction: – Implementation     Related Weaknesses CWE-573 CWE-459   Consequences Other: Quality Degradation   Potential Mitigations Phase: Implementation Description:  Call…

  • CWE-57 – Path Equivalence: ‘fakedir/../realdir/filename’

    PRIVACY PRIVACY Description The software contains protection mechanisms to restrict access to ‘realdir/filename’, but it constructs pathnames using external input in the form of ‘fakedir/../realdir/filename’ that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file. Modes of Introduction: – Implementation     Related Weaknesses CWE-41   Consequences…

  • CWE-570 – Expression is Always False

    PRIVACY PRIVACY Description The software contains an expression that will always evaluate to false. Modes of Introduction: – Implementation     Related Weaknesses CWE-710 CWE-561   Consequences Other: Quality Degradation, Varies by Context   Potential Mitigations Phase: Testing Description:  Use Static Analysis tools to spot such conditions. CVE References

  • CWE-571 – Expression is Always True

    PRIVACY PRIVACY Description The software contains an expression that will always evaluate to true. Modes of Introduction: – Implementation     Related Weaknesses CWE-710 CWE-561   Consequences Other: Quality Degradation, Varies by Context   Potential Mitigations Phase: Testing Description:  Use Static Analysis tools to spot such conditions. CVE References

  • CWE-572 – Call to Thread run() instead of start()

    PRIVACY PRIVACY Description The program calls a thread’s run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee. In most cases a direct call to a Thread object’s run() method is a bug. The programmer intended to begin a new thread of control,…

  • CWE-573 – Improper Following of Specification by Caller

    PRIVACY PRIVACY Description The software does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform. When leveraging external functionality, such as an API, it is important that the caller does so in accordance with the requirements of the external functionality or else unintended behaviors may result,…

  • CWE-574 – EJB Bad Practices: Use of Synchronization Primitives

    PRIVACY PRIVACY Description The program violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following…

  • CWE-575 – EJB Bad Practices: Use of AWT Swing

    PRIVACY PRIVACY Description The program violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline:…

  • CWE-576 – EJB Bad Practices: Use of Java I/O

    PRIVACY PRIVACY Description The program violates the Enterprise JavaBeans (EJB) specification by using the java.io package. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following…

  • CWE-577 – EJB Bad Practices: Use of Sockets

    PRIVACY PRIVACY Description The program violates the Enterprise JavaBeans (EJB) specification by using sockets. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline:…

  • CWE-578 – EJB Bad Practices: Use of Class Loader

    PRIVACY PRIVACY Description The program violates the Enterprise JavaBeans (EJB) specification by using the class loader. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following…

  • CWE-579 – J2EE Bad Practices: Non-serializable Object Stored in Session

    PRIVACY PRIVACY Description The application stores a non-serializable object as an HttpSession attribute, which can hurt reliability. A J2EE application can make use of multiple JVMs in order to improve application reliability and performance. In order to make the multiple JVMs appear as a single application to the end user, the J2EE container can replicate…

  • CWE-58 – Path Equivalence: Windows 8.3 Filename

    PRIVACY PRIVACY Description The software contains a protection mechanism that restricts access to a long filename on a Windows operating system, but the software does not properly restrict access to the equivalent short “8.3” filename. On later Windows operating systems, a file can have a “long name” and a short name that is compatible with…

  • CWE-580 – clone() Method Without super.clone()

    PRIVACY PRIVACY Description The software contains a clone() method that does not call super.clone() to obtain the new object. All implementations of clone() should obtain the new object by calling super.clone(). If a class does not follow this convention, a subclass’s clone() method will return an object of the wrong type. Modes of Introduction: –…

  • CWE-581 – Object Model Violation: Just One of Equals and Hashcode Defined

    PRIVACY PRIVACY Description The software does not maintain equal hashcodes for equal objects. Java objects are expected to obey a number of invariants related to equality. One of these invariants is that equal objects must have equal hashcodes. In other words, if a.equals(b) == true then a.hashCode() == b.hashCode(). Modes of Introduction: – Implementation  …

  • CWE-582 – Array Declared Public, Final, and Static

    PRIVACY PRIVACY Description The program declares an array public, final, and static, which is not sufficient to prevent the array’s contents from being modified. Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the…

  • CWE-583 – finalize() Method Declared Public

    PRIVACY PRIVACY Description The program violates secure coding principles for mobile code by declaring a finalize() method public. A program should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker…

  • CWE-545 – DEPRECATED: Use of Dynamic Class Loading

    PRIVACY PRIVACY Description This weakness has been deprecated because it partially overlaps CWE-470, it describes legitimate programmer behavior, and other portions will need to be integrated into other entries. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-546 – Suspicious Comment

    PRIVACY PRIVACY Description The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses. Many suspicious comments, such as BUG, HACK, FIXME, LATER, LATER2, TODO, in the code indicate missing security functionality and checking. Others indicate code problems that programmers should fix, such as hard-coded variables, error handling, not using stored procedures,…

  • CWE-547 – Use of Hard-coded, Security-relevant Constants

    PRIVACY PRIVACY Description The program uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. If the developer does not find all occurrences of the hard-coded constants, an incorrect policy decision may be made if one of the constants is not changed.…

  • CWE-548 – Exposure of Information Through Directory Listing

    PRIVACY PRIVACY Description A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers. A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible. Modes of Introduction: – Implementation    …

  • CWE-549 – Missing Password Field Masking

    PRIVACY PRIVACY Description The software does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords. Modes of Introduction: – Implementation     Related Weaknesses CWE-522   Consequences Access Control: Bypass Protection Mechanism   Potential Mitigations Phase: Implementation, Requirements Description:  Recommendations include requiring all password fields in your web application…

  • CWE-55 – Path Equivalence: ‘/./’ (Single Dot Directory)

    PRIVACY PRIVACY Description A software system that accepts path input in the form of single dot directory exploit (‘/./’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41  …

  • CWE-550 – Server-generated Error Message Containing Sensitive Information

    PRIVACY PRIVACY Description Certain conditions, such as network failure, will cause a server error message to be displayed. While error messages in and of themselves are not dangerous, per se, it is what an attacker can glean from them that might cause eventual problems. Modes of Introduction: – Implementation     Related Weaknesses CWE-209  …

  • CWE-551 – Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

    PRIVACY PRIVACY Description If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker…

  • CWE-552 – Files or Directories Accessible to External Parties

    PRIVACY PRIVACY Description The product makes files or directories accessible to unauthorized actors, even though they should not be. Web servers, FTP servers, and similar servers may store a set of files underneath a “root” directory that is accessible to the server’s users. Applications may store sensitive files underneath this root without also using access…

  • CWE-553 – Command Shell in Externally Accessible Directory

    PRIVACY PRIVACY Description A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on the web server. Modes of Introduction: – Implementation     Related Weaknesses CWE-552   Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands   Potential Mitigations…

  • CWE-554 – ASP.NET Misconfiguration: Not Using Input Validation Framework

    PRIVACY PRIVACY Description The ASP.NET application does not use an input validation framework. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-1173   Consequences Integrity: Unexpected State Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others.   Potential Mitigations Phase: Architecture and Design Description:  CVE References

  • CWE-555 – J2EE Misconfiguration: Plaintext Password in Configuration File

    PRIVACY PRIVACY Description The J2EE application stores a plaintext password in a configuration file. Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-260   Consequences…

  • CWE-556 – ASP.NET Misconfiguration: Use of Identity Impersonation

    PRIVACY PRIVACY Description Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges. The use of impersonated credentials allows an ASP.NET application to run with either the privileges of the client on whose behalf it is executing or with arbitrary privileges granted in its configuration. Modes of Introduction: – Implementation…

  • CWE-558 – Use of getlogin() in Multithreaded Application

    PRIVACY PRIVACY Description The application uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values. The getlogin() function returns a pointer to a string that contains the name of the user associated with the calling process. The function is not reentrant, meaning that if it is called from another process,…

  • CWE-56 – Path Equivalence: ‘filedir*’ (Wildcard)

    PRIVACY PRIVACY Description A software system that accepts path input in the form of asterisk wildcard (‘filedir*’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-155   Consequences…

  • CWE-560 – Use of umask() with chmod-style Argument

    PRIVACY PRIVACY Description The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod(). Modes of Introduction: – Implementation     Related Weaknesses CWE-687   Consequences Confidentiality, Integrity, Access Control: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism   Potential Mitigations Phase: Implementation Description: …

  • CWE-561 – Dead Code

    PRIVACY PRIVACY Description The software contains dead code, which can never be executed. Dead code is source code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed. Modes of Introduction: – Implementation     Related Weaknesses CWE-1164   Consequences Other:…

  • CWE-562 – Return of Stack Variable Address

    PRIVACY PRIVACY Description A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash. Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely…

  • CWE-563 – Assignment to Variable without Use

    PRIVACY PRIVACY Description The variable’s value is assigned but never used, making it a dead store. After the assignment, the variable is either assigned another value or goes out of scope. It is likely that the variable is simply vestigial, but it is also possible that the unused variable points out a bug. Modes of…

  • CWE-564 – SQL Injection: Hibernate

    PRIVACY PRIVACY Description Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement’s meaning or to execute arbitrary SQL commands. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-89 CWE-89 CWE-89   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data  …

  • CWE-527 – Exposure of Version-Control Repository to an Unauthorized Control Sphere

    PRIVACY PRIVACY Description The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. Version control repositories such as CVS or git store version-specific metadata and other details within subdirectories. If these subdirectories are stored on a web server…

  • CWE-528 – Exposure of Core Dump File to an Unauthorized Control Sphere

    PRIVACY PRIVACY Description The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. Modes of Introduction: – Operation     Related Weaknesses CWE-552   Consequences Confidentiality: Read Application Data, Read Files or Directories   Potential Mitigations Phase: System Configuration Description: …

  • CWE-529 – Exposure of Access Control List Files to an Unauthorized Control Sphere

    PRIVACY PRIVACY Description The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere. Exposure of these access control list files may give the attacker information about the configuration of the site or system. This information may then be used to bypass…

  • CWE-53 – Path Equivalence: ‘multiple\internalbackslash’

    PRIVACY PRIVACY Description A software system that accepts path input in the form of multiple internal backslash (‘multipletrailing\slash’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-165  …

  • CWE-530 – Exposure of Backup File to an Unauthorized Control Sphere

    PRIVACY PRIVACY Description A backup file is stored in a directory or archive that is made accessible to unauthorized actors. Often, older backup files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the…

  • CWE-531 – Inclusion of Sensitive Information in Test Code

    PRIVACY PRIVACY Description Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions. Modes of Introduction: – Testing     Related Weaknesses CWE-540   Consequences…

  • CWE-532 – Insertion of Sensitive Information into Log File

    PRIVACY PRIVACY Description Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Medium   Related Weaknesses CWE-538 CWE-200   Consequences Confidentiality: Read Application Data Logging sensitive user data often provides…

  • CWE-533 – DEPRECATED: Information Exposure Through Server Log Files

    PRIVACY PRIVACY Description This entry has been deprecated because its abstraction was too low-level. See CWE-532. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-534 – DEPRECATED: Information Exposure Through Debug Log Files

    PRIVACY PRIVACY Description This entry has been deprecated because its abstraction was too low-level. See CWE-532. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-535 – Exposure of Information Through Shell Error Message

    PRIVACY PRIVACY Description A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-211  …

  • CWE-536 – Servlet Runtime Error Message Containing Sensitive Information

    PRIVACY PRIVACY Description A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker. Modes of Introduction: – Implementation     Related Weaknesses CWE-211   Consequences Confidentiality: Read Application Data The error message may contain the location of the file in which…

  • CWE-537 – Java Runtime Error Message Containing Sensitive Information

    PRIVACY PRIVACY Description In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system. Modes of Introduction: – Implementation     Related Weaknesses CWE-211   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Implementation Description:  Do not expose sensitive error information to…

  • CWE-538 – Insertion of Sensitive Information into Externally-Accessible File or Directory

    PRIVACY PRIVACY Description The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. Modes of Introduction: – Implementation     Related Weaknesses CWE-200   Consequences Confidentiality: Read Files or Directories   Potential Mitigations Phase: Architecture and…

  • CWE-539 – Use of Persistent Cookies Containing Sensitive Information

    PRIVACY PRIVACY Description The web application uses persistent cookies, but the cookies contain sensitive information. Cookies are small bits of data that are sent by the web application but stored locally in the browser. This lets the application use the cookie to pass information between pages and store variable information. The web application controls what…

  • CWE-54 – Path Equivalence: ‘filedir’ (Trailing Backslash)

    PRIVACY PRIVACY Description A software system that accepts path input in the form of trailing backslash (‘filedir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-162   Consequences…

  • CWE-540 – Inclusion of Sensitive Information in Source Code

    PRIVACY PRIVACY Description Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to understand the logic…

  • CWE-541 – Inclusion of Sensitive Information in an Include File

    PRIVACY PRIVACY Description If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system. Modes of Introduction: – Implementation     Related Weaknesses CWE-540   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Architecture and Design Description:  Do not store…

  • CWE-542 – DEPRECATED: Information Exposure Through Cleanup Log Files

    PRIVACY PRIVACY Description This entry has been deprecated because its abstraction was too low-level. See CWE-532. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-543 – Use of Singleton Pattern Without Synchronization in a Multithreaded Context

    PRIVACY PRIVACY Description The software uses the singleton pattern when creating a resource within a multithreaded environment. The use of a singleton pattern may not be thread-safe. Modes of Introduction: – Implementation     Related Weaknesses CWE-820 CWE-662 CWE-662   Consequences Other, Integrity: Other, Modify Application Data   Potential Mitigations Phase: Architecture and Design Description: …

  • CWE-544 – Missing Standardized Error Handling Mechanism

    PRIVACY PRIVACY Description The software does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses. If the application handles error messages individually, on a one-by-one basis, this is likely to result in inconsistent error handling. The causes of errors may be lost. Also, detailed…

  • CWE-502 – Deserialization of Untrusted Data

    PRIVACY PRIVACY Description The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Serialization and deserialization refer to the process of taking program-internal object-related data, packaging it in a way that allows the data to be externally stored or transferred (“serialization”), then extracting the serialized data to reconstruct the original…

  • CWE-506 – Embedded Malicious Code

    PRIVACY PRIVACY Description The application contains code that appears to be malicious in nature. Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of an application or its host system at some time in the future. It generally…

  • CWE-507 – Trojan Horse

    PRIVACY PRIVACY Description The software appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator. Modes of Introduction: – Implementation     Related Weaknesses CWE-506   Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or…

  • CWE-508 – Non-Replicating Malicious Code

    PRIVACY PRIVACY Description Non-replicating malicious code only resides on the target system or software that is attacked; it does not attempt to spread to other systems. Modes of Introduction: – Implementation     Related Weaknesses CWE-507   Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands   Potential Mitigations Phase: Operation Description:  Antivirus software can…

  • CWE-509 – Replicating Malicious Code (Virus or Worm)

    PRIVACY PRIVACY Description Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or software. Modes of Introduction: – Implementation     Related Weaknesses CWE-507   Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands   Potential Mitigations Phase: Operation Description:  Antivirus software scans…

  • CWE-51 – Path Equivalence: ‘/multiple//internal/slash’

    PRIVACY PRIVACY Description A software system that accepts path input in the form of multiple internal slash (‘/multiple//internal/slash/’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41   Consequences…

  • CWE-510 – Trapdoor

    PRIVACY PRIVACY Description A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-506   Consequences Confidentiality, Integrity, Availability, Access Control: Execute Unauthorized Code or Commands,…

  • CWE-511 – Logic/Time Bomb

    PRIVACY PRIVACY Description The software contains code that is designed to disrupt the legitimate operation of the software (or its environment) when a certain time passes, or when a certain logical condition is met. When the time bomb or logic bomb is detonated, it may perform a denial of service such as crashing the system,…

  • CWE-512 – Spyware

    PRIVACY PRIVACY Description The software collects personally identifiable information about a human user or the user’s activities, but the software accesses this information using other resources besides itself, and it does not require that user’s explicit approval or direct input into the software. “Spyware” is a commonly used term with many definitions and interpretations. In…

  • CWE-514 – Covert Channel

    PRIVACY PRIVACY Description A covert channel is a path that can be used to transfer information in a way not intended by the system’s designers. Typically the system has not given authorization for the transmission and has no knowledge of its occurrence. Modes of Introduction: – Implementation     Related Weaknesses CWE-1229   Consequences Confidentiality,…

  • CWE-515 – Covert Storage Channel

    PRIVACY PRIVACY Description A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information. Covert storage channels occur when out-of-band data is stored in messages…

  • CWE-516 – DEPRECATED: Covert Timing Channel

    PRIVACY PRIVACY Description This weakness can be found at CWE-385. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-52 – Path Equivalence: ‘/multiple/trailing/slash//’

    PRIVACY PRIVACY Description A software system that accepts path input in the form of multiple trailing slash (‘/multiple/trailing/slash//’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-163 CWE-289…

  • CWE-520 – .NET Misconfiguration: Use of Impersonation

    PRIVACY PRIVACY Description Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. .NET server applications can optionally execute using the identity of the user authenticated to the client. The intention of this functionality is to…

  • CWE-521 – Weak Password Requirements

    PRIVACY PRIVACY Description The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts. Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this…

  • CWE-522 – Insufficiently Protected Credentials

    PRIVACY PRIVACY Description The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-287 CWE-287 CWE-668   Consequences Access Control: Gain Privileges or Assume Identity An attacker could gain access to user accounts…

  • CWE-523 – Unprotected Transport of Credentials

    PRIVACY PRIVACY Description Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. SSL (Secure Socket Layer) provides data confidentiality and integrity to HTTP. By encrypting HTTP messages, SSL protects from attackers eavesdropping or altering message contents. Modes of Introduction:…

  • CWE-524 – Use of Cache Containing Sensitive Information

    PRIVACY PRIVACY Description The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data,…

  • CWE-525 – Use of Web Browser Cache Containing Sensitive Information

    PRIVACY PRIVACY Description The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. Modes of Introduction: – Implementation     Related Weaknesses CWE-524   Consequences Confidentiality: Read Application Data Browsers often store information in a client-side cache, which can…

  • CWE-526 – Exposure of Sensitive Information Through Environmental Variables

    PRIVACY PRIVACY Description Environmental variables may contain sensitive information about a remote server. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-497   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Architecture and Design Description:  Protect information stored in environment variable from being exposed to the user. CVE References

  • CWE-483 – Incorrect Block Delimitation

    PRIVACY PRIVACY Description The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error. In some languages, braces (or other delimiters) are optional for blocks. When the delimiter is omitted, it is possible to insert a logic error in which a statement is thought to…

  • CWE-484 – Omitted Break Statement in Switch

    PRIVACY PRIVACY Description The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition. This can lead to critical code executing in situations where it should not. Modes of Introduction:…

  • CWE-486 – Comparison of Classes by Name

    PRIVACY PRIVACY Description The program compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name. If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects…

  • CWE-487 – Reliance on Package-level Scope

    PRIVACY PRIVACY Description Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature. Modes of Introduction: – Implementation   Likelihood of…

  • CWE-488 – Exposure of Data Element to Wrong Session

    PRIVACY PRIVACY Description The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session. Modes of Introduction: – Implementation     Related Weaknesses CWE-668   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Architecture and Design Description:  Protect the application’s…

  • CWE-489 – Active Debug Code

    PRIVACY PRIVACY Description The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information. A common development practice is to add “back door” code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the…

  • CWE-49 – Path Equivalence: ‘filename/’ (Trailing Slash)

    PRIVACY PRIVACY Description A software system that accepts path input in the form of trailing slash (‘filedir/’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-162   Consequences…

  • CWE-491 – Public cloneable() Method Without Final (‘Object Hijack’)

    PRIVACY PRIVACY Description A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state. Modes of Introduction: – Implementation     Related Weaknesses CWE-668   Consequences Integrity, Other: Unexpected State, Varies by Context…

  • CWE-492 – Use of Inner Class Containing Sensitive Data

    PRIVACY PRIVACY Description Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers. Inner classes quietly introduce several security concerns because of the way they are translated into Java bytecode. In Java source code, it appears that an inner class…

  • CWE-493 – Critical Public Variable Without Final Modifier

    PRIVACY PRIVACY Description The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. If a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This…

  • CWE-494 – Download of Code Without Integrity Check

    PRIVACY PRIVACY Description The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit. Modes of Introduction: – Architecture and…

  • CWE-495 – Private Data Structure Returned From A Public Method

    PRIVACY PRIVACY Description The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways. Modes of Introduction: – Implementation     Related Weaknesses CWE-664   Consequences Integrity: Modify Application Data The contents of the data structure can be modified from…

  • CWE-496 – Public Data Assigned to Private Array-Typed Field

    PRIVACY PRIVACY Description Assigning public data to a private array is equivalent to giving public access to the array. Modes of Introduction: – Implementation     Related Weaknesses CWE-664   Consequences Integrity: Modify Application Data The contents of the array can be modified from outside the intended scope.   Potential Mitigations Phase: Implementation Description:  Do…

  • CWE-497 – Exposure of Sensitive System Information to an Unauthorized Control Sphere

    PRIVACY PRIVACY Description The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does. Modes of Introduction: – Implementation     Related Weaknesses CWE-200   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase:…

  • CWE-498 – Cloneable Class Containing Sensitive Information

    PRIVACY PRIVACY Description The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class. Cloneable classes are effectively open classes, since data cannot be hidden in them. Classes that do not explicitly deny cloning can be cloned by any other class without running…

  • CWE-499 – Serializable Class Containing Sensitive Data

    PRIVACY PRIVACY Description The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class. Serializable classes are effectively open classes since data cannot be hidden in them. Classes that do not explicitly deny serialization can be serialized by…

  • CWE-5 – J2EE Misconfiguration: Data Transmission Without Encryption

    PRIVACY PRIVACY Description Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted. Modes of Introduction: – Implementation     Related Weaknesses CWE-319   Consequences Confidentiality: Read Application Data Integrity: Modify Application…

  • CWE-50 – Path Equivalence: ‘//multiple/leading/slash’

    PRIVACY PRIVACY Description A software system that accepts path input in the form of multiple leading slash (‘//multiple/leading/slash’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-161  …