Category Archives: CWE

Understanding and Mitigating the CVE-2022-41741 Vulnerability in NGINX

Read Time:1 Minute, 48 Second

NGINX, a widely-used open-source web server, has recently been affected by a critical vulnerability – CVE-2022-41741. The vulnerability is specific to NGINX’s module, ngx_http_mp4_module, and can be exploited by a local attacker to corrupt NGINX worker memory resulting in its termination. In this article, we will explain the details of the CVE-2022-41741 vulnerability and provide guidance on how to mitigate the risk.

What is CVE-2022-41741?

CVE-2022-41741 is a vulnerability in NGINX’s module, ngx_http_mp4_module. The vulnerability allows a local attacker to corrupt NGINX worker memory, which can cause its termination or other potential impact, using a specially crafted audio or video file. The attack can be executed only when the mp4 directive is used in the configuration file of NGINX products built with the ngx_http_mp4_module.

What does CVE-2022-41741 affect?

The CVE-2022-41741 vulnerability in NGINX can have a significant impact on the security and stability of the web server. If exploited, the vulnerability can cause NGINX to crash, resulting in downtime and a loss of availability. Furthermore, attackers can also gain access to sensitive information stored in the system by exploiting the vulnerability.

How can you protect yourself from CVE-2022-41741?

To mitigate the risk of CVE-2022-41741, users of NGINX products built with the ngx_http_mp4_module should update their software to the latest version. NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 are all vulnerable to this CVE-2022-41741 vulnerability. Therefore, updating to the latest version will address the vulnerability and prevent attackers from exploiting it.

In summary, the CVE-2022-41741 vulnerability in NGINX’s module, ngx_http_mp4_module, can have severe consequences if exploited. However, updating to the latest version of NGINX will mitigate the risk and prevent attackers from exploiting this vulnerability. Therefore, it is essential to ensure that the web server is updated as soon as possible to avoid any potential security risks.

CWE

Read Time:1 Minute, 11 Second

CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.

The goal is to support all those methods (including automatic ones) to control and prevent software errors. It can be used at the development stage, during the Code Review activity, and later on during the penetration test activity to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities

The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.

Please check our post about Vulnerability Analysis to learn more about CWE usage.

Please find a list of all the CWE below or use the search box above to find a specific CWE.

  • CWE-297 – Improper Validation of Certificate with Host Mismatch

    Description The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-923 CWE-295   Consequences Access Control: Gain Privileges or Assume Identity The data…

  • CWE-298 – Improper Validation of Certificate Expiration

    Description A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age. When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all…

  • CWE-26 – Path Traversal: ‘/dir/../filename’

    Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “/dir/../filename” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation     Related Weaknesses CWE-23   Consequences Confidentiality, Integrity: Read Files or Directories,…

  • CWE-260 – Password in Configuration File

    Description The software stores a password in a configuration file that might be accessible to actors who do not know the password. This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password…

  • CWE-261 – Weak Encoding for Password

    Description Obscuring a password with a trivial encoding does not protect the password. Password management issues occur when a password is stored in plaintext in an application’s properties or configuration file. A programmer can attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but…

  • CWE-262 – Not Using Password Aging

    Description If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner. Security experts have often recommended that users change their passwords regularly and avoid reusing passwords. Although this can be an effective mitigation, if the expiration window is too short, it can cause…

  • CWE-263 – Password Aging with Long Expiration

    Description Allowing password aging to occur unchecked can result in the possibility of diminished password integrity. Just as neglecting to include functionality for the management of password aging is dangerous, so is allowing password aging to continue unchecked. Passwords must be given a maximum life span, after which a user is required to update with…

  • CWE-266 – Incorrect Privilege Assignment

    Description A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-269 CWE-286   Consequences Access Control: Gain Privileges or Assume Identity A user can access restricted functionality and/or sensitive information that may include administrative…

  • CWE-267 – Privilege Defined With Unsafe Actions

    Description A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-269   Consequences Access Control: Gain Privileges or Assume Identity A user can access restricted functionality…

  • CWE-268 – Privilege Chaining

    Description Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-269   Consequences Access Control: Gain Privileges or Assume Identity…

  • CWE-269 – Improper Privilege Management

    Description The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Medium   Related Weaknesses CWE-284   Consequences Access Control: Gain Privileges or Assume Identity   Potential Mitigations Phase: Architecture and…

  • CWE-27 – Path Traversal: ‘dir/../../filename’

    Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal “../” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation     Related Weaknesses CWE-23   Consequences Confidentiality, Integrity: Read Files…

  • CWE-270 – Privilege Context Switching Error

    Description The software does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-269   Consequences Access Control: Gain Privileges or Assume Identity A user can assume the identity of another user with separate…

  • CWE-271 – Privilege Dropping / Lowering Errors

    Description The software does not drop privileges before passing control of a resource to an actor that does not have those privileges. In some contexts, a system executing with elevated permissions will hand off a process/file/etc. to another process or user. If the privileges of an entity are not reduced, then elevated privileges are spread…

  • CWE-272 – Least Privilege Violation

    Description The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-271   Consequences Access Control, Confidentiality: Gain Privileges or Assume Identity, Read Application Data, Read Files or Directories An attacker may be able…

  • CWE-273 – Improper Check for Dropped Privileges

    Description The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. If the drop fails, the software will continue to run with the raised privileges, which might provide additional access to unprivileged users. In Windows based environments that have access control, impersonation is used so that…

  • CWE-274 – Improper Handling of Insufficient Privileges

    Description The software does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-703 CWE-269 CWE-271 CWE-280   Consequences Other: Other, Alter Execution Logic   Potential Mitigations CVE References CVE-2001-1564 System limits are not properly…

  • CWE-276 – Incorrect Default Permissions

    Description During installation, installed file permissions are set to allow anyone to modify those files. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Medium   Related Weaknesses CWE-732 CWE-732   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data   Potential Mitigations Phase: Architecture and Design, Operation Description:  The architecture needs to…

  • CWE-277 – Insecure Inherited Permissions

    Description A product defines a set of insecure permissions that are inherited by objects that are created by the program. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-732   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data   Potential Mitigations Phase: Architecture and Design, Operation Description:  Very carefully manage the…

  • CWE-278 – Insecure Preserved Inherited Permissions

    Description A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-732   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data   Potential Mitigations Phase: Architecture and Design, Operation Description: …

  • CWE-279 – Incorrect Execution-Assigned Permissions

    Description While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user. Modes of Introduction: – Implementation     Related Weaknesses CWE-732   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data   Potential Mitigations Phase: Architecture and Design,…

  • CWE-28 – Path Traversal: ‘..filedir’

    Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “..” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation     Related Weaknesses CWE-23   Consequences Confidentiality, Integrity: Read Files or Directories,…

  • CWE-239 – Failure to Handle Incomplete Element

    Description The software does not properly handle when a particular element is not completely specified. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-237 CWE-404   Consequences Integrity, Other: Varies by Context, Unexpected State   Potential Mitigations CVE References CVE-2002-1532 HTTP GET without rnrn CRLF sequences causes product to wait indefinitely and…

  • CWE-24 – Path Traversal: ‘../filedir’

    Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “../” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-23   Consequences Confidentiality, Integrity: Read Files…

  • CWE-240 – Improper Handling of Inconsistent Structural Elements

    Description The software does not handle or incorrectly handles when two or more structural elements should be consistent, but are not. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-237 CWE-707   Consequences Integrity, Other: Varies by Context, Unexpected State   Potential Mitigations CVE References

  • CWE-241 – Improper Handling of Unexpected Data Type

    Description The software does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-228   Consequences Integrity, Other: Varies by Context, Unexpected State   Potential Mitigations…

  • CWE-242 – Use of Inherently Dangerous Function

    Description The program calls a function that can never be guaranteed to work safely. Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of…

  • CWE-243 – Creation of chroot Jail Without Changing Working Directory

    Description The program uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail. Improper use of chroot() may allow attackers to escape from the chroot jail. The chroot() function call does not change the process’s current working…

  • CWE-244 – Improper Clearing of Heap Memory Before Release (‘Heap Inspection’)

    Description Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory. When sensitive data such as a password or an encryption key is not removed from memory, it could be exposed to an attacker using a “heap inspection” attack that reads…

  • CWE-245 – J2EE Bad Practices: Direct Management of Connections

    Description The J2EE application directly manages connections, instead of using the container’s connection management facilities. The J2EE standard forbids the direct management of connections. It requires that applications use the container’s resource management facilities to obtain connections to resources. Every major web application container provides pooled database connection management as part of its resource management…

  • CWE-246 – J2EE Bad Practices: Direct Use of Sockets

    Description The J2EE application directly uses sockets instead of using framework method calls. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-695   Consequences Other: Quality Degradation   Potential Mitigations Phase: Architecture and Design Description:  Use framework method calls instead of using sockets directly. CVE References

  • CWE-247 – DEPRECATED: Reliance on DNS Lookups in a Security Decision

    Description This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-248 – Uncaught Exception

    Description An exception is thrown from a function, but it is not caught. When an exception is not caught, it may cause the program to crash or expose sensitive information. Modes of Introduction: – Implementation     Related Weaknesses CWE-705 CWE-703 CWE-703 CWE-703   Consequences Availability, Confidentiality: DoS: Crash, Exit, or Restart, Read Application Data…

  • CWE-249 – DEPRECATED: Often Misused: Path Manipulation

    Description This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785. This entry was deprecated for several reasons. The primary reason is over-loading of the “path manipulation” term and the description. The original description for this entry was the same…

  • CWE-25 – Path Traversal: ‘/../filedir’

    Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “/../” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation     Related Weaknesses CWE-23   Consequences Confidentiality, Integrity: Read Files or Directories,…

  • CWE-250 – Execution with Unnecessary Privileges

    Description The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. Modes of Introduction: – Implementation   Likelihood of Exploit: Medium   Related Weaknesses CWE-657 CWE-269   Consequences Confidentiality, Integrity, Availability, Access Control: Gain Privileges or Assume…

  • CWE-252 – Unchecked Return Value

    Description The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. Two common programmer assumptions are “this function call can never fail” and “it doesn’t matter if this function call fails”. If an attacker can force the function to fail or otherwise…

  • CWE-253 – Incorrect Check of Function Return Value

    Description The software incorrectly checks a return value from a function, which prevents the software from detecting errors or exceptional conditions. Important and common functions will return some value about the success of its actions. This will alert the program whether or not to handle any errors caused by that function. Modes of Introduction: –…

  • CWE-256 – Plaintext Storage of a Password

    Description Storing a password in plaintext may result in a system compromise. Password management issues occur when a password is stored in plaintext in an application’s properties, configuration file, or memory. Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource. In some contexts, even…

  • CWE-257 – Storing Passwords in a Recoverable Format

    Description The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system…

  • CWE-258 – Empty Password in Configuration File

    Description Using an empty string as a password is insecure. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-260 CWE-521   Consequences Access Control: Gain Privileges or Assume Identity   Potential Mitigations Phase: System Configuration Description:  Passwords should be at least eight characters long — the longer the…

  • CWE-259 – Use of Hard-coded Password

    Description The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. Modes of Introduction: – Implementation   Likelihood of Exploit: High   Related Weaknesses CWE-798 CWE-798 CWE-798 CWE-321 CWE-257   Consequences Access Control: Gain Privileges or Assume Identity If hard-coded passwords are used, it…

  • CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

    Description The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted…

  • CWE-220 – Storage of File With Sensitive Data Under FTP Root

    Description The application stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties. Various Unix FTP servers require a password file that is under the FTP root, due to use of chroot. Modes of Introduction: – Operation     Related Weaknesses CWE-552   Consequences Confidentiality:…

  • CWE-221 – Information Loss or Omission

    Description The software does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis. This can be resultant, e.g. a buffer overflow might trigger a crash before the product can log the event. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-664   Consequences Non-Repudiation:…

  • CWE-222 – Truncation of Security-relevant Information

    Description The application truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-221   Consequences Non-Repudiation: Hide Activities The source of an attack will be difficult or impossible to determine. This…

  • CWE-223 – Omission of Security-relevant Information

    Description The application does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-221   Consequences Non-Repudiation: Hide Activities The source of an attack will be difficult or…

  • CWE-224 – Obscured Security-relevant Information by Alternate Name

    Description The software records security-relevant information according to an alternate name of the affected entity, instead of the canonical name. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-221   Consequences Non-Repudiation, Access Control: Hide Activities, Gain Privileges or Assume Identity   Potential Mitigations CVE References CVE-2002-0725 Attacker performs malicious actions on…

  • CWE-225 – DEPRECATED: General Information Management Problems

    Description This weakness can be found at CWE-199. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-226 – Sensitive Information in Resource Not Removed Before Reuse

    Description The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or “zeroize” the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. Modes of Introduction:…

  • CWE-228 – Improper Handling of Syntactically Invalid Structure

    Description The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification. Modes of Introduction: – Implementation     Related Weaknesses CWE-703 CWE-707   Consequences Integrity, Availability: Unexpected State, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU) If an input is syntactically invalid, then processing…

  • CWE-229 – Improper Handling of Values

    Description The software does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-228   Consequences Integrity: Unexpected State   Potential Mitigations CVE References

  • CWE-23 – Relative Path Traversal

    Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as “..” that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside…

  • CWE-230 – Improper Handling of Missing Values

    Description The software does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null. Modes of Introduction: – Implementation     Related Weaknesses CWE-229   Consequences Integrity: Unexpected State   Potential Mitigations CVE References CVE-2002-0422 Blank Host header…

  • CWE-231 – Improper Handling of Extra Values

    Description The software does not handle or incorrectly handles when more values are provided than expected. Modes of Introduction: – Implementation     Related Weaknesses CWE-229 CWE-120   Consequences Integrity: Unexpected State   Potential Mitigations CVE References

  • CWE-232 – Improper Handling of Undefined Values

    Description The software does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-229   Consequences Integrity: Unexpected State   Potential Mitigations CVE References CVE-2000-1003 Client crash when server returns unknown driver…

  • CWE-233 – Improper Handling of Parameters

    Description The software does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-228   Consequences Integrity: Unexpected State   Potential Mitigations CVE References

  • CWE-234 – Failure to Handle Missing Parameter

    Description If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-233   Consequences…

  • CWE-235 – Improper Handling of Extra Parameters

    Description The software does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount. Modes of Introduction: – Implementation     Related Weaknesses CWE-233   Consequences Integrity: Unexpected State   Potential Mitigations CVE References CVE-2003-1014 MIE. multiple gateway/security products allow restriction bypass using multiple…

  • CWE-236 – Improper Handling of Undefined Parameters

    Description The software does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-233   Consequences Integrity: Unexpected State   Potential Mitigations CVE References CVE-2002-1488 Crash in IRC client via PART message…

  • CWE-237 – Improper Handling of Structural Elements

    Description The software does not handle or incorrectly handles inputs that are related to complex structures. Modes of Introduction:     Related Weaknesses CWE-228   Consequences Integrity: Unexpected State   Potential Mitigations CVE References

  • CWE-238 – Improper Handling of Incomplete Structural Elements

    Description The software does not handle or incorrectly handles when a particular structural element is not completely specified. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-237   Consequences Integrity: Unexpected State   Potential Mitigations CVE References

  • CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

    Description The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-668   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Architecture and Design Description:  CVE References CVE-2001-1483 Enumeration of…

  • CWE-201 – Insertion of Sensitive Information Into Sent Data

    Description The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as…

  • CWE-202 – Exposure of Sensitive Information Through Data Queries

    Description When trying to keep information confidential, an attacker can often infer some of the information by using statistics. In situations where data should not be tied to individual users, but a large number of users should be able to make queries that “scrub” the identity of users, it may be possible to get information…

  • CWE-203 – Observable Discrepancy

    Description The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. Discrepancies can take many forms, and variations may be detectable in timing, control…

  • CWE-204 – Observable Response Discrepancy

    Description The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can…

  • CWE-205 – Observable Behavioral Discrepancy

    Description The product’s behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality. Ideally, a product should provide as little information about its internal operations as possible. Otherwise, attackers could use knowledge of…

  • CWE-206 – Observable Internal Behavioral Discrepancy

    Description The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points. Ideally, a product should provide as little information as possible to an attacker. Any hints that the attacker may be…

  • CWE-207 – Observable Behavioral Discrepancy With Equivalent Products

    Description The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker. For many kinds of products, multiple products may be available that perform the same functionality, such as a…

  • CWE-208 – Observable Timing Discrepancy

    Description Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. In security-relevant contexts, even small variations in timing can be exploited by…

  • CWE-209 – Generation of Error Message Containing Sensitive Information

    Description The software generates an error message that includes sensitive information about its environment, users, or associated data. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-200 CWE-200 CWE-755   Consequences Confidentiality: Read Application Data Often this will either reveal sensitive information which may be used for a…

  • CWE-210 – Self-generated Error Message Containing Sensitive Information

    Description The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-209   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Implementation, Build and Compilation Description:  Debugging information should not make its way into a…

  • CWE-211 – Externally-Generated Error Message Containing Sensitive Information

    Description The application performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the application, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information. Modes of Introduction: – Architecture and Design     Related…

  • CWE-212 – Improper Removal of Sensitive Information Before Storage or Transfer

    Description The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-669 CWE-669 CWE-201   Consequences Confidentiality: Read Files or Directories, Read Application Data…

  • CWE-213 – Exposure of Sensitive Information Due to Incompatible Policies

    Description The product’s intended functionality exposes information to certain actors in accordance with the developer’s security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product’s administrator, users, or others whose information is being processed. Modes of Introduction: – Policy     Related Weaknesses…

  • CWE-214 – Invocation of Process Using Visible Sensitive Information

    Description A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system. Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable…

  • CWE-215 – Insertion of Sensitive Information Into Debugging Code

    Description The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the application is operating in a production environment, then this…

  • CWE-216 – DEPRECATED: Containment Errors (Container Errors)

    Description This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the “container” term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry. Modes of Introduction:    …

  • CWE-217 – DEPRECATED: Failure to Protect Stored Data from Modification

    Description This entry has been deprecated because it incorporated and confused multiple weaknesses. The issues formerly covered in this entry can be found at CWE-766 and CWE-767. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-218 – DEPRECATED: Failure to provide confidentiality for stored data

    Description This weakness has been deprecated because it was a duplicate of CWE-493. All content has been transferred to CWE-493. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-219 – Storage of File with Sensitive Data Under Web Root

    Description The application stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties. Besides public-facing web pages and code, applications may store sensitive data, code that is not directly invoked, or other files under the web document root of the web server. If the server…

  • CWE-179 – Incorrect Behavior Order: Early Validation

    Description The software validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification. Software needs to validate data at the proper time, after data has been canonicalized and cleansed. Early validation is susceptible to various manipulations that…

  • CWE-180 – Incorrect Behavior Order: Validate Before Canonicalize

    Description The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step. This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection. Modes of Introduction: – Implementation    …

  • CWE-181 – Incorrect Behavior Order: Validate Before Filter

    Description The software validates data before it has been filtered, which prevents the software from detecting data that becomes invalid after the filtering step. This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection. Modes of Introduction: – Implementation  …

  • CWE-182 – Collapse of Data into Unsafe Value

    Description The software filters data in a way that causes it to be reduced or “collapsed” into an unsafe value that violates an expected security property. Modes of Introduction: – Implementation     Related Weaknesses CWE-693 CWE-33 CWE-34 CWE-35   Consequences Access Control: Bypass Protection Mechanism   Potential Mitigations Phase: Architecture and Design Description:  Avoid…

  • CWE-183 – Permissive List of Allowed Inputs

    Description The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive – that is, it allows an input that is unsafe, leading to resultant weaknesses. Modes of Introduction:…

  • CWE-184 – Incomplete List of Disallowed Inputs

    Description The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses. Developers often try to protect their products against malicious input…

  • CWE-185 – Incorrect Regular Expression

    Description The software specifies a regular expression in a way that causes data to be improperly matched or compared. When the regular expression is used in protection mechanisms such as filtering or validation, this may allow an attacker to bypass the intended restrictions on the incoming data. Modes of Introduction: – Implementation     Related…

  • CWE-186 – Overly Restrictive Regular Expression

    Description A regular expression is overly restrictive, which prevents dangerous values from being detected. This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly…

  • CWE-187 – Partial String Comparison

    Description The software performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses. For example, an attacker might succeed in authentication by providing a small password that matches the associated portion of the larger, correct password. Modes of Introduction:…

  • CWE-188 – Reliance on Data/Memory Layout

    Description The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Low   Related Weaknesses CWE-1105 CWE-435   Consequences Integrity, Confidentiality: Modify Memory, Read Memory Can result in unintended modifications or exposure…

  • CWE-190 – Integer Overflow or Wraparound

    Description The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. An integer overflow or wraparound occurs when an integer…

  • CWE-191 – Integer Underflow (Wrap or Wraparound)

    Description The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. This can happen in signed and unsigned cases. Modes of Introduction: – Implementation     Related Weaknesses CWE-682 CWE-682   Consequences Availability: DoS:…

  • CWE-192 – Integer Coercion Error

    Description Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types. Several flaws fall under the category of integer coercion errors. For the most part, these errors in and of themselves result only in availability and data integrity issues. However, in some circumstances, they may…

  • CWE-193 – Off-by-one Error

    Description A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. Modes of Introduction: – Implementation     Related Weaknesses CWE-682 CWE-682 CWE-617 CWE-170 CWE-119   Consequences Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability…

  • CWE-194 – Unexpected Sign Extension

    Description The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses. Modes of Introduction: – Implementation   Likelihood of Exploit: High   Related Weaknesses CWE-681…

  • CWE-195 – Signed to Unsigned Conversion Error

    Description The software uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive. Modes of Introduction: – Implementation     Related Weaknesses CWE-681 CWE-681 CWE-681 CWE-119   Consequences Integrity: Unexpected State Conversion…

  • CWE-196 – Unsigned to Signed Conversion Error

    Description The software uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive. Although less frequent an issue than signed-to-unsigned conversion, unsigned-to-signed conversion can be the perfect precursor to dangerous buffer underwrite…

  • CWE-197 – Numeric Truncation Error

    Description Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal…