Category Archives: CWE

Advisories, CWE, Education

Understanding and Mitigating the CVE-2022-41741 Vulnerability in NGINX

Read Time:1 Minute, 48 Second

NGINX, a widely-used open-source web server, has recently been affected by a critical vulnerability – CVE-2022-41741. The vulnerability is specific to NGINX’s module, ngx_http_mp4_module, and can be exploited by a local attacker to corrupt NGINX worker memory resulting in its termination. In this article, we will explain the details of the CVE-2022-41741 vulnerability and provide guidance on how to mitigate the risk.

What is CVE-2022-41741?

CVE-2022-41741 is a vulnerability in NGINX’s module, ngx_http_mp4_module. The vulnerability allows a local attacker to corrupt NGINX worker memory, which can cause its termination or other potential impact, using a specially crafted audio or video file. The attack can be executed only when the mp4 directive is used in the configuration file of NGINX products built with the ngx_http_mp4_module.

What does CVE-2022-41741 affect?

The CVE-2022-41741 vulnerability in NGINX can have a significant impact on the security and stability of the web server. If exploited, the vulnerability can cause NGINX to crash, resulting in downtime and a loss of availability. Furthermore, attackers can also gain access to sensitive information stored in the system by exploiting the vulnerability.

How can you protect yourself from CVE-2022-41741?

To mitigate the risk of CVE-2022-41741, users of NGINX products built with the ngx_http_mp4_module should update their software to the latest version. NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 are all vulnerable to this CVE-2022-41741 vulnerability. Therefore, updating to the latest version will address the vulnerability and prevent attackers from exploiting it.

In summary, the CVE-2022-41741 vulnerability in NGINX’s module, ngx_http_mp4_module, can have severe consequences if exploited. However, updating to the latest version of NGINX will mitigate the risk and prevent attackers from exploiting this vulnerability. Therefore, it is essential to ensure that the web server is updated as soon as possible to avoid any potential security risks.

CWE, Education

CWE

Read Time:1 Minute, 11 Second

CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.

The goal is to support all those methods (including automatic ones) to control and prevent software errors. It can be used at the development stage, during the Code Review activity, and later on during the penetration test activity to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities

The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.

Please check our post about Vulnerability Analysis to learn more about CWE usage.

Please find a list of all the CWE below or use the search box above to find a specific CWE.

  • CWE-500 – Public Static Field Not Marked Final

    PRIVACY PRIVACY Description An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways. Public static variables can be read without an accessor and changed without a mutator by any classes in the application. When a field is declared public but not final, the…

  • CWE-501 – Trust Boundary Violation

    PRIVACY PRIVACY Description The product mixes trusted and untrusted data in the same data structure or structured message. A trust boundary can be thought of as line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose…

  • CWE-464 – Addition of Data Structure Sentinel

    PRIVACY PRIVACY Description The accidental addition of a data-structure sentinel can cause serious programming logic problems. Data-structure sentinels are often used to mark the structure of data. A common example of this is the null character at the end of strings or a special sentinel to mark the end of a linked list. It is…

  • CWE-466 – Return of Pointer Value Outside of Expected Range

    PRIVACY PRIVACY Description A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-119 CWE-20   Consequences Confidentiality, Integrity: Read Memory, Modify Memory   Potential Mitigations CVE References

  • CWE-467 – Use of sizeof() on a Pointer Type

    PRIVACY PRIVACY Description The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated. The use of sizeof() on a pointer can sometimes generate useful information. An obvious case is to find out the…

  • CWE-468 – Incorrect Pointer Scaling

    PRIVACY PRIVACY Description In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled. Modes of Introduction: – Implementation   Likelihood of Exploit: Medium   Related Weaknesses CWE-682   Consequences Confidentiality, Integrity: Read Memory, Modify Memory Incorrect pointer scaling will often result…

  • CWE-469 – Use of Pointer Subtraction to Determine Size

    PRIVACY PRIVACY Description The application subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk. Modes of Introduction: – Implementation   Likelihood of Exploit: Medium   Related Weaknesses CWE-682   Consequences Access Control, Integrity, Confidentiality, Availability: Modify Memory,…

  • CWE-47 – Path Equivalence: ‘ filename’ (Leading Space)

    PRIVACY PRIVACY Description A software system that accepts path input in the form of leading space (‘ filedir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41   Consequences…

  • CWE-470 – Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’)

    PRIVACY PRIVACY Description The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. If the application uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values…

  • CWE-471 – Modification of Assumed-Immutable Data (MAID)

    PRIVACY PRIVACY Description The software does not properly protect an assumed-immutable element from being modified by an attacker. This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are…

  • CWE-472 – External Control of Assumed-Immutable Web Parameter

    PRIVACY PRIVACY Description The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. Modes of Introduction: – Implementation     Related Weaknesses CWE-642 CWE-471   Consequences Integrity: Modify Application Data Without appropriate protection mechanisms, the client can easily tamper with cookies…

  • CWE-473 – PHP External Variable Modification

    PRIVACY PRIVACY Description A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise. Modes of Introduction: – Implementation     Related Weaknesses CWE-471 CWE-98   Consequences Integrity: Modify Application Data  …

  • CWE-474 – Use of Function with Inconsistent Implementations

    PRIVACY PRIVACY Description The code uses a function that has inconsistent implementations across operating systems and versions. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-758   Consequences Other: Quality Degradation, Varies by Context   Potential Mitigations Phase: Architecture and Design, Requirements Description:  Do not accept inconsistent behavior from the API specifications…

  • CWE-475 – Undefined Behavior for Input to API

    PRIVACY PRIVACY Description The behavior of this function is undefined unless its control parameter is set to a specific value. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-573   Consequences Other: Quality Degradation, Varies by Context   Potential Mitigations CVE References

  • CWE-476 – NULL Pointer Dereference

    PRIVACY PRIVACY Description A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions. Modes of Introduction: – Implementation   Likelihood of…

  • CWE-477 – Use of Obsolete Function

    PRIVACY PRIVACY Description The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained. Modes of Introduction: – Implementation     Related Weaknesses CWE-710   Consequences Other: Quality Degradation   Potential Mitigations Phase: Implementation Description:  Refer to the documentation for the obsolete function in order to determine…

  • CWE-478 – Missing Default Case in Switch Statement

    PRIVACY PRIVACY Description The code does not have a default case in a switch statement, which might lead to complex logical errors and resultant weaknesses. This flaw represents a common problem in software development, in which not all possible values for a variable are considered or handled by a given process. Because of this, further…

  • CWE-479 – Signal Handler Use of a Non-reentrant Function

    PRIVACY PRIVACY Description The program defines a signal handler that calls a non-reentrant function. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Low   Related Weaknesses CWE-828 CWE-663 CWE-123   Consequences Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands It may be possible to execute arbitrary code through the use of a…

  • CWE-48 – Path Equivalence: ‘file name’ (Internal Whitespace)

    PRIVACY PRIVACY Description A software system that accepts path input in the form of internal space (‘file(SPACE)name’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41   Consequences Confidentiality,…

  • CWE-480 – Use of Incorrect Operator

    PRIVACY PRIVACY Description The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways. These types of errors are generally the result of a typo. Modes of Introduction: – Implementation   Likelihood of Exploit: Low   Related Weaknesses CWE-670   Consequences Other: Alter Execution Logic This weakness can cause unintended logic…

  • CWE-481 – Assigning instead of Comparing

    PRIVACY PRIVACY Description The code uses an operator for assignment when the intention was to perform a comparison. In many languages the compare statement is very close in appearance to the assignment statement and are often confused. This bug is generally the result of a typo and usually causes obvious problems with program execution. If…

  • CWE-482 – Comparing instead of Assigning

    PRIVACY PRIVACY Description The code uses an operator for comparison when the intention was to perform an assignment. In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused. Modes of Introduction: – Implementation   Likelihood of Exploit: Low   Related Weaknesses CWE-480   Consequences Availability, Integrity:…

  • CWE-443 – DEPRECATED: HTTP response splitting

    PRIVACY PRIVACY Description This weakness can be found at CWE-113. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-444 – Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’)

    PRIVACY PRIVACY Description When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to “smuggle” a request to one device without the other device being aware of…

  • CWE-446 – UI Discrepancy for Security Feature

    PRIVACY PRIVACY Description The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state. When the user interface does not properly reflect what the user asks of it, then it can lead the user into…

  • CWE-447 – Unimplemented or Unsupported Feature in UI

    PRIVACY PRIVACY Description A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-446 CWE-671   Consequences Other: Varies by Context   Potential Mitigations…

  • CWE-448 – Obsolete Feature in UI

    PRIVACY PRIVACY Description A UI function is obsolete and the product does not warn the user. Modes of Introduction: – Implementation     Related Weaknesses CWE-446   Consequences Other: Quality Degradation, Varies by Context   Potential Mitigations Phase: Architecture and Design Description:  Remove the obsolete feature from the UI. Warn the user that the feature…

  • CWE-449 – The UI Performs the Wrong Action

    PRIVACY PRIVACY Description The UI performs the wrong action with respect to the user’s request. Modes of Introduction: – Implementation     Related Weaknesses CWE-446   Consequences Other: Quality Degradation, Varies by Context   Potential Mitigations Phase: Testing Description:  Perform extensive functionality testing of the UI. The UI should behave as specified. CVE References CVE-2001-1387…

  • CWE-45 – Path Equivalence: ‘file…name’ (Multiple Internal Dot)

    PRIVACY PRIVACY Description A software system that accepts path input in the form of multiple internal dot (‘file…dir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-44 CWE-165  …

  • CWE-450 – Multiple Interpretations of UI Input

    PRIVACY PRIVACY Description The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-357   Consequences Other: Varies by Context   Potential Mitigations Phase: Implementation Description:  Phase: Implementation Description:  Inputs should be decoded…

  • CWE-451 – User Interface (UI) Misrepresentation of Critical Information

    PRIVACY PRIVACY Description The user interface (UI) does not properly represent critical information to the user, allowing the information – or its source – to be obscured or spoofed. This is often a component in phishing attacks. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-684 CWE-221 CWE-346   Consequences Non-Repudiation, Access…

  • CWE-453 – Insecure Default Variable Initialization

    PRIVACY PRIVACY Description The software, by default, initializes an internal variable with an insecure or less secure value than is possible. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-1188   Consequences Integrity: Modify Application Data An attacker could gain access to and modify sensitive data or system information.   Potential Mitigations…

  • CWE-454 – External Initialization of Trusted Variables or Data Stores

    PRIVACY PRIVACY Description The software initializes critical internal variables or data stores using inputs that can be modified by untrusted actors. A software system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an…

  • CWE-455 – Non-exit on Failed Initialization

    PRIVACY PRIVACY Description The software does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error, which can cause the software to execute in a less secure fashion than intended by the administrator. Modes of Introduction: – Architecture and Design    …

  • CWE-456 – Missing Initialization of a Variable

    PRIVACY PRIVACY Description The software does not initialize critical variables, which causes the execution environment to use unexpected values. Modes of Introduction: – Implementation     Related Weaknesses CWE-909 CWE-665 CWE-665 CWE-89 CWE-120 CWE-98 CWE-457   Consequences Integrity, Other: Unexpected State, Quality Degradation, Varies by Context The uninitialized data may be invalid, causing logic errors…

  • CWE-457 – Use of Uninitialized Variable

    PRIVACY PRIVACY Description The code uses a variable that has not been initialized, leading to unpredictable or unintended results. In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control…

  • CWE-458 – DEPRECATED: Incorrect Initialization

    PRIVACY PRIVACY Description This weakness has been deprecated because its name and description did not match. The description duplicated CWE-454, while the name suggested a more abstract initialization problem. Please refer to CWE-665 for the more abstract problem. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-459 – Incomplete Cleanup

    PRIVACY PRIVACY Description The software does not properly “clean up” and remove temporary or supporting resources after they have been used. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-404 CWE-404   Consequences Other, Confidentiality, Integrity: Other, Read Application Data, Modify Application Data, DoS: Resource Consumption (Other) It is possible to overflow…

  • CWE-46 – Path Equivalence: ‘filename ‘ (Trailing Space)

    PRIVACY PRIVACY Description A software system that accepts path input in the form of trailing space (‘filedir ‘) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-162 CWE-289…

  • CWE-460 – Improper Cleanup on Thrown Exception

    PRIVACY PRIVACY Description The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent…

  • CWE-462 – Duplicate Key in Associative List (Alist)

    PRIVACY PRIVACY Description Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error. A duplicate key entry — if the alist is designed properly — could be used as a constant time replace function. However, duplicate key entries could be inserted by mistake. Because of this ambiguity, duplicate key entries…

  • CWE-463 – Deletion of Data Structure Sentinel

    PRIVACY PRIVACY Description The accidental deletion of a data-structure sentinel can cause serious programming logic problems. Often times data-structure sentinels are used to mark structure of the data structure. A common example of this is the null character at the end of strings. Another common example is linked lists which may contain a sentinel to…

  • CWE-422 – Unprotected Windows Messaging Channel (‘Shatter’)

    PRIVACY PRIVACY Description The software does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-420 CWE-360   Consequences…

  • CWE-423 – DEPRECATED: Proxied Trusted Channel

    PRIVACY PRIVACY Description This entry has been deprecated because it was a duplicate of CWE-441. All content has been transferred to CWE-441. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-424 – Improper Protection of Alternate Path

    PRIVACY PRIVACY Description The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-693 CWE-638   Consequences Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity   Potential Mitigations Phase: Architecture and Design…

  • CWE-425 – Direct Request (‘Forced Browsing’)

    PRIVACY PRIVACY Description The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path. Modes…

  • CWE-426 – Untrusted Search Path

    PRIVACY PRIVACY Description The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application’s direct control. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-642 CWE-668 CWE-673 CWE-427 CWE-428   Consequences Integrity, Confidentiality, Availability, Access Control: Gain…

  • CWE-427 – Uncontrolled Search Path Element

    PRIVACY PRIVACY Description The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. Modes of Introduction: – Implementation     Related Weaknesses CWE-668 CWE-668   Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands   Potential Mitigations…

  • CWE-428 – Unquoted Search Path or Element

    PRIVACY PRIVACY Description The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a…

  • CWE-43 – Path Equivalence: ‘filename….’ (Multiple Trailing Dot)

    PRIVACY PRIVACY Description A software system that accepts path input in the form of multiple trailing dot (‘filedir….’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-42 CWE-163  …

  • CWE-430 – Deployment of Wrong Handler

    PRIVACY PRIVACY Description The wrong “handler” is assigned to process an object. An example of deploying the wrong handler would be calling a servlet to reveal source code of a .JSP file, or automatically “determining” type of the object even if it is contradictory to an explicitly specified type. Modes of Introduction: – Implementation  …

  • CWE-431 – Missing Handler

    PRIVACY PRIVACY Description A handler is not available or implemented. When an exception is thrown and not caught, the process has given up an opportunity to decide if a given failure or event is worth a change in execution. Modes of Introduction: – Implementation     Related Weaknesses CWE-691 CWE-433   Consequences Other: Varies by…

  • CWE-432 – Dangerous Signal Handler not Disabled During Sensitive Operations

    PRIVACY PRIVACY Description The application uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running. During the execution of a signal handler, it can be interrupted by another handler when a different…

  • CWE-433 – Unparsed Raw Web Content Delivery

    PRIVACY PRIVACY Description The software stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server. If code is stored in a file with an extension such as “.inc” or “.pl”, and the web server does not have a handler for that extension, then…

  • CWE-434 – Unrestricted Upload of File with Dangerous Type

    PRIVACY PRIVACY Description The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment. Modes of Introduction: – Implementation   Likelihood of Exploit: Medium   Related Weaknesses CWE-669 CWE-669 CWE-351 CWE-436 CWE-430   Consequences Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands Arbitrary code…

  • CWE-435 – Improper Interaction Between Multiple Correctly-Behaving Entities

    PRIVACY PRIVACY Description An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses. When a system or process combines multiple independent components, this often produces new, emergent…

  • CWE-436 – Interpretation Conflict

    PRIVACY PRIVACY Description Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B’s state. This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is…

  • CWE-437 – Incomplete Model of Endpoint Features

    PRIVACY PRIVACY Description A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint’s features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model. Modes of Introduction: – Architecture and Design     Related Weaknesses…

  • CWE-439 – Behavioral Change in New Version or Environment

    PRIVACY PRIVACY Description A’s behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-435   Consequences Other: Quality Degradation, Varies by Context   Potential Mitigations CVE References CVE-2002-1976 Linux kernel 2.2…

  • CWE-44 – Path Equivalence: ‘file.name’ (Internal Dot)

    PRIVACY PRIVACY Description A software system that accepts path input in the form of internal dot (‘file.ordir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41   Consequences Confidentiality,…

  • CWE-440 – Expected Behavior Violation

    PRIVACY PRIVACY Description A feature, API, or function does not perform according to its specification. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-684   Consequences Other: Quality Degradation, Varies by Context   Potential Mitigations CVE References CVE-2003-0187 Program uses large timeouts on “undeserving” to compensate for inconsistency of support for linked…

  • CWE-441 – Unintended Proxy or Intermediary (‘Confused Deputy’)

    PRIVACY PRIVACY Description The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product’s control sphere. This causes the product to appear to be the source of…

  • CWE-401 – Missing Release of Memory after Effective Lifetime

    PRIVACY PRIVACY Description The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no…

  • CWE-402 – Transmission of Private Resources into a New Sphere (‘Resource Leak’)

    PRIVACY PRIVACY Description The software makes resources available to untrusted parties when those resources are only intended to be accessed by the software. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-668   Consequences Confidentiality: Read Application Data   Potential Mitigations CVE References

  • CWE-403 – Exposure of File Descriptor to Unintended Control Sphere (‘File Descriptor Leak’)

    PRIVACY PRIVACY Description A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors. When a new process is forked or executed, the child process inherits any open file descriptors. When the child process has fewer privileges than the parent process,…

  • CWE-404 – Improper Resource Shutdown or Release

    PRIVACY PRIVACY Description The program does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time…

  • CWE-405 – Asymmetric Resource Consumption (Amplification)

    PRIVACY PRIVACY Description Software that does not appropriately monitor or control resource consumption can lead to adverse system performance. This situation is amplified if the software allows malicious users or attackers to consume more resources than their access level permits. Exploiting such a weakness can lead to asymmetric resource consumption, aiding in amplification attacks against…

  • CWE-406 – Insufficient Control of Network Message Volume (Network Amplification)

    PRIVACY PRIVACY Description The software does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the software to transmit more traffic than should be allowed for that actor. In the absence of a policy to restrict asymmetric resource consumption, the application or system cannot distinguish between legitimate transmissions and…

  • CWE-407 – Inefficient Algorithmic Complexity

    PRIVACY PRIVACY Description An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Low   Related…

  • CWE-408 – Incorrect Behavior Order: Early Amplification

    PRIVACY PRIVACY Description The software allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-405 CWE-696   Consequences Availability: DoS: Amplification, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) System resources,…

  • CWE-409 – Improper Handling of Highly Compressed Data (Data Amplification)

    PRIVACY PRIVACY Description The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. An example of data amplification is a “decompression bomb,” a small ZIP file that can produce a large amount of data when it is decompressed. Modes of Introduction: – Architecture…

  • CWE-41 – Improper Resolution of Path Equivalence

    PRIVACY PRIVACY Description The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. Path equivalence is usually employed in order to circumvent access controls expressed…

  • CWE-410 – Insufficient Resource Pool

    PRIVACY PRIVACY Description The software’s resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources. Frequently the consequence is a “flood” of connection or sessions. Modes of Introduction: – Architecture and Design    …

  • CWE-412 – Unrestricted Externally Accessible Lock

    PRIVACY PRIVACY Description The software properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control. This prevents the software from acting on associated resources or performing other behaviors that are controlled by the presence of the…

  • CWE-413 – Improper Resource Locking

    PRIVACY PRIVACY Description The software does not lock or does not correctly lock a resource when the software must have exclusive access to the resource. When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the software. This might violate the software’s assumption that the…

  • CWE-414 – Missing Lock Check

    PRIVACY PRIVACY Description A product does not check to see if a lock is present before performing sensitive operations on a resource. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-667   Consequences Integrity, Availability: Modify Application Data, DoS: Instability, DoS: Crash, Exit, or Restart   Potential Mitigations Phase: Architecture and Design,…

  • CWE-415 – Double Free

    PRIVACY PRIVACY Description The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. When a program calls free() twice with the same argument, the program’s memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls…

  • CWE-416 – Use After Free

    PRIVACY PRIVACY Description Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-825 CWE-672 CWE-672 CWE-672 CWE-120 CWE-123   Consequences Integrity: Modify Memory The use of previously freed memory may…

  • CWE-419 – Unprotected Primary Channel

    PRIVACY PRIVACY Description The software uses a primary channel for administration or restricted functionality, but it does not properly protect the channel. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-923   Consequences Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism   Potential Mitigations Phase: Architecture and Design Description:  Do…

  • CWE-42 – Path Equivalence: ‘filename.’ (Trailing Dot)

    PRIVACY PRIVACY Description A software system that accepts path input in the form of trailing dot (‘filedir.’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-162   Consequences…

  • CWE-420 – Unprotected Alternate Channel

    PRIVACY PRIVACY Description The software protects a primary channel, but it does not use the same level of protection for an alternate channel. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-923   Consequences Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism   Potential Mitigations Phase: Architecture and Design Description: …

  • CWE-421 – Race Condition During Access to Alternate Channel

    PRIVACY PRIVACY Description The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors. This creates a race condition that allows an attacker to access the channel before the authorized user does. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-420 CWE-362  …

  • CWE-377 – Insecure Temporary File

    PRIVACY PRIVACY Description Creating and using insecure temporary files can leave application and system data vulnerable to attack. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-668   Consequences Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories   Potential Mitigations CVE References

  • CWE-378 – Creation of Temporary File With Insecure Permissions

    PRIVACY PRIVACY Description Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-377   Consequences Confidentiality: Read Application Data If the temporary file can be read…

  • CWE-379 – Creation of Temporary File in Directory with Insecure Permissions

    PRIVACY PRIVACY Description The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file’s existence or otherwise access that file. On some operating systems, the fact that the temporary file exists may be apparent to any user with sufficient privileges to access that directory. Since the file is…

  • CWE-38 – Path Traversal: ‘absolutepathnamehere’

    PRIVACY PRIVACY Description A software system that accepts input in the form of a backslash absolute path (‘absolutepathnamehere’) without appropriate validation can allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-36   Consequences Confidentiality, Integrity: Read Files or Directories,…

  • CWE-382 – J2EE Bad Practices: Use of System.exit()

    PRIVACY PRIVACY Description A J2EE application uses System.exit(), which also shuts down its container. It is never a good idea for a web application to attempt to shut down the application container. Access to a function that can shut down the application is an avenue for Denial of Service (DoS) attacks. Modes of Introduction: –…

  • CWE-383 – J2EE Bad Practices: Direct Use of Threads

    PRIVACY PRIVACY Description Thread management in a Web application is forbidden in some circumstances and is always highly error prone. Thread management in a web application is forbidden by the J2EE standard in some circumstances and is always highly error prone. Managing threads is difficult and is likely to interfere in unpredictable ways with the…

  • CWE-384 – Session Fixation

    PRIVACY PRIVACY Description Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-610 CWE-610 CWE-346 CWE-472 CWE-441   Consequences Access Control: Gain Privileges or Assume Identity   Potential…

  • CWE-385 – Covert Timing Channel

    PRIVACY PRIVACY Description Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Medium   Related Weaknesses CWE-514   Consequences Confidentiality, Other: Read Application Data,…

  • CWE-386 – Symbolic Name not Mapping to Correct Object

    PRIVACY PRIVACY Description A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-706 CWE-367 CWE-610 CWE-486   Consequences Access Control: Gain Privileges or Assume Identity The attacker can gain access to otherwise…

  • CWE-39 – Path Traversal: ‘C:dirname’

    PRIVACY PRIVACY Description An attacker can inject a drive letter or Windows volume letter (‘C:dirname’) into a software system to potentially redirect access to an unintended location or arbitrary file. Modes of Introduction: – Implementation     Related Weaknesses CWE-36   Consequences Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands The attacker may be able…

  • CWE-390 – Detection of Error Condition Without Action

    PRIVACY PRIVACY Description The software detects a specific error, but takes no actions to handle the error. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Medium   Related Weaknesses CWE-755 CWE-401   Consequences Integrity, Other: Varies by Context, Unexpected State, Alter Execution Logic An attacker could utilize an ignored error condition to…

  • CWE-391 – Unchecked Error Condition

    PRIVACY PRIVACY Description [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Medium   Related Weaknesses CWE-754 CWE-703 CWE-703   Consequences Integrity, Other: Varies by Context,…

  • CWE-392 – Missing Report of Error Condition

    PRIVACY PRIVACY Description The software encounters an error but does not provide a status code or return value to indicate that an error has occurred. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-684 CWE-703 CWE-703 CWE-703   Consequences Integrity, Other: Varies by Context, Unexpected State Errors that are not properly reported…

  • CWE-393 – Return of Wrong Status Code

    PRIVACY PRIVACY Description A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result. This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the…

  • CWE-394 – Unexpected Status Code or Return Value

    PRIVACY PRIVACY Description The software does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the software. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-754   Consequences Integrity, Other: Unexpected State, Alter Execution Logic   Potential Mitigations CVE…

  • CWE-395 – Use of NullPointerException Catch to Detect NULL Pointer Dereference

    PRIVACY PRIVACY Description Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer. Modes of Introduction: – Implementation     Related Weaknesses CWE-705 CWE-755   Consequences Availability: DoS: Resource Consumption (CPU)   Potential Mitigations Phase: Architecture and Design, Implementation Description:  Do not extensively rely on catching exceptions…

  • CWE-396 – Declaration of Catch for Generic Exception

    PRIVACY PRIVACY Description Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. Multiple catch blocks can get ugly and repetitive, but “condensing” catch blocks by catching a high-level class like Exception can obscure exceptions that deserve special treatment or that should not be caught at this point…

  • CWE-397 – Declaration of Throws for Generic Exception

    PRIVACY PRIVACY Description Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. Declaring a method to throw Exception or Throwable makes it difficult for callers to perform proper error handling and error recovery. Java’s exception mechanism, for example, is set up to make it easy for callers…