79

TLCTC Blog - 2025/06/19

CWE and TLCTC: A Complementary Relationship, Not a 1:1 Mapping

CWE Defines the 'What', TLCTC Defines the 'How': Understanding the Mapping Nuance

TL;DR
Yes, compatible: CWE ≈ what’s wrong; TLCTC ≈ how the attacker starts.
No, not one‑to‑one: A complete CWE→TLCTC table isn’t achievable without context (e.g., whether the flaw lives server‑side or client‑side), and some CWE classes are too broad or incomplete to uniquely map.
Language nuances matter: Some weaknesses are tied to ecosystems (C vs. Java vs. Python), which affects operational detail, not the strategic TLCTC cluster.
Action for MITRE: Stress definitions against TLCTC’s ten clusters to sharpen boundaries and reduce over‑broad buckets.

In the complex world of cybersecurity, clear and consistent language is paramount. We rely on frameworks like the Common Weakness Enumeration (CWE) and emerging concepts like the Top Level Cyber Threat Clusters (TLCTC) to help us identify, categorize, and ultimately mitigate risks. But how do these systems relate, especially when mapping specific weaknesses? Sometimes, it's not a simple one-to-one relationship, and understanding why reveals crucial insights.

A common point of discussion arises when trying to map certain CWE entries directly to a single TLCTC cluster. Why isn't it always straightforward? The answer lies in the fundamental focus of each system.

CWE: Focusing on the Flaw Type ('What')

Definition of MITRE CWE: Vulnerability: A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components. Weakness: A condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.

As the provided CWE documentation highlights, CWE primarily serves as a comprehensive dictionary. It defines the type of error or condition – the "weakness" – present in software, hardware, design, or implementation. Think of CWE as describing 'what' is wrong:

  • Is it a buffer copy without checking size (CWE-120)?
  • Is it improper neutralization of input for SQL (CWE-89)?
  • Is it using a null pointer (CWE-476)?

CWE excels at cataloging these specific flaw types.

TLCTC: Focusing on the Exploit Vector ('How/Where')

The TLCTC framework, on the other hand, takes a different approach. It categorizes threats based on the initial generic vulnerability exploited within a specific interaction model (typically client-server). TLCTC focuses on 'how' and 'where' the initial exploitation vector works by targeting that generic vulnerability:

  • Is the attacker exploiting a flaw in server-side code processing a request (TLCTC #2 Exploiting Server)?
  • Is the attacker exploiting a flaw in client-side code processing a response (TLCTC #3 Exploiting Client)?
  • Is the attacker abusing legitimate functionality beyond its scope (TLCTC #1 Abuse of Functions)?
  • Is the attacker compromising the identity/authentication process (TLCTC #4 Identity Theft)?

Why a Complete Mapping Table Isn’t Possible (Yet)

1) Mapping depends on where the flaw lives (#2 vs. #3)

Many CWE entries can occur in code that runs server‑side or client‑side. TLCTC must choose the cluster that matches the first exploited role:

  • #2 Exploiting Server: flaw in server‑side application code.
  • #3 Exploiting Client: flaw in software acting as a client.

Examples

CWE‑787 Out‑of‑Bounds Write

  • If the bug is in a web server module → #2 Exploiting Server.
  • If the bug is in a PDF reader → #3 Exploiting Client.

CWE‑79 Cross‑Site Scripting

  • The coding error ... → #2/#3 This is the general category for XSS. It can be **#2 Exploiting Server** (for Reflected/Stored XSS where the server fails to sanitize output) or **#3 Exploiting Client** (for DOM-based XSS where client-side script handles data unsafely).

Takeaway: Without context (component role, trust boundary), a single, fixed CWE→TLCTC mapping would be misleading.

2) Some CWE classes are too broad or incomplete

CWE includes umbrella categories whose children are partial or evolving. For instance, CWE‑514 (Covert Channel) is an abstract class; its subtree historically mixes storage vs. timing channels and has had deprecations. Strategically, such channels typically abuse the physical properties of systems — aligning to #8 Physical Attack in TLCTC — but you still need specifics to be precise.

3) Language‑ and ecosystem‑specific weaknesses

Memory‑safety families (C/C++), deserialization pitfalls (Java, .NET), or pickle/exec hazards (Python) matter a lot operationally, but they don’t change the strategic vector. Unsafe deserialization on a server remains #2; in a rich client it’s #3. A big CWE list per language adds detail, not a new TLCTC category, so a flat table yields little insight without the execution role.

Mini‑Examples (Showing Why Context is King)

CWE‑89 SQL Injection → #2 Exploiting Server → often followed by #7 Malware to stage payloads.

Path: #2 → #7 (then possibly #4 if DB creds are dumped and reused).

CWE‑502 Deserialization of Untrusted Data

  • In a Java web service → #2 (initial code execution in server context).
  • In a thick client updater → #3.

Path (server case): #2 → #7 → (#4 + #1) (malware drop, creds theft, and AD abuse).

CWE‑514 Covert Channel → typically #8 Physical Attack (exploiting timing/cache/power as the channel).

Path: #8 → #4 if the channel exfiltrates secrets used later as credentials.

CWE‑798 Hard‑coded Credentials → the exploit is using those creds. Strategically, first vector is #4 Identity Theft (attacker operates as a legitimate identity).

Path: #4 → #1 (abuse functions under that identity).

Why a Universal CWE→TLCTC Table Would Mislead

  • Ambiguity without role: The same CWE can validly be #2 or #3.
  • Umbrella entries: Broad CWEs collapse distinct vectors into one label.
  • Operational overload: Language‑specific families bloat the table without improving strategic clarity.
Conclusion: Publish guidelines and a decision tree, not a rigid table.

Without the specific context of where the flaw exists and how it's triggered in a particular vulnerability instance (context often provided by a CVE description or detailed analysis, but not intrinsic to the abstract CWE type), the CWE type alone could logically relate to either TLCTC #2 or #3.

TLCTC's Added Value: Strategic Clarity

This is where a framework like TLCTC adds significant value. While CWE provides the essential dictionary of what the flaw is, TLCTC provides the strategic overlay focusing on the initial attack vector and the generic vulnerability being targeted within the system's interaction pattern. It forces us to ask: Was the initial exploit targeting a flaw in how the server handled something, or how the client handled something?

This distinction is vital for:

  • Accurate Threat Modeling: Understanding whether attacks are likely to originate against your exposed server interfaces or target your users' clients.
  • Targeted Defenses: Implementing controls specific to server-side processing versus client-side hardening.
  • Risk Assessment: Evaluating risk based on where the exploitable flaw resides within the interaction flow.

Example Mapping Scenario

{
"cwe_id": "CWE-787",
"cwe_name": "Out-of-bounds Write",
"cwe_description": "The software writes data past the end, or before the beginning, of the intended buffer.",
"potential_tlctc_mappings": [
{
  "tlctc_id": "TLCTC-02.00", 
  "tlctc_name": "Exploiting Server",
  "context": "When vulnerability exists in server-side code processing client requests",
  "example": "A remote attacker sends a specially crafted HTTP request that causes an out-of-bounds write in a web server's request parsing function"
},
{
  "tlctc_id": "TLCTC-03.00",
  "tlctc_name": "Exploiting Client",
  "context": "When vulnerability exists in client-side code processing server responses or local data",
  "example": "A malicious server sends a crafted response that triggers an out-of-bounds write in a browser's image parsing library"
}
],
"required_for_mapping": "Specific context of where the vulnerability exists and how it's triggered (typically found in CVE descriptions)"
}

Conclusion: Use Both Wisely

CWE remains indispensable for identifying and communicating specific technical weaknesses. TLCTC complements it by providing a structured, strategic framework based on how those weaknesses are typically first exploited. Recognizing that some CWE types can manifest as either server-side or client-side vulnerabilities reinforces why context (often from CVE details) is essential, and why frameworks like TLCTC, which categorize by the initial exploit vector's target, are crucial for building a comprehensive cybersecurity strategy.

Key Takeaways

  • CWE and TLCTC serve complementary purposes in the cybersecurity ecosystem.
  • CWE offers granular technical classification of specific weakness types.
  • TLCTC provides strategic context about how and where those weaknesses are exploited.
  • Many CWE entries can map to different TLCTC clusters depending on implementation context.
  • Complete understanding requires both frameworks plus contextual details from sources like CVE descriptions.

What MITRE Could Do Next (A Friendly Challenge)

Stress CWE definitions against TLCTC’s cause‑side model to sharpen distinctions and enable contextful mapping:

  • Add “Role” metadata: Client/Server/Both + typical trust boundary.
  • Add “Primary TLCTC candidate(s)” field: One of #1–#10 (or a short list with ordering).
  • Clarify umbrella classes: Split or mark as “non‑terminal; pick a child before mapping.”
  • Tie to credentials semantics: Flag CWEs that commonly yield credential artifacts (→ #4).
  • Annotate likely follow‑on steps: e.g., CWE‑89 often leads to code‑exec (#7) or lateral movement (#1 with AD abuse).

This keeps CWE’s strength (shared language for weaknesses) while giving architects and defenders a cause‑first path to controls and detection.

Mapping Table

TLCTC ↔ CWE Mapping (V4.17)

(AI generated and not revised by me) - Gemini 2.5 pro (because of large context window) - June 2025

This table includes CWE entries where mappingAllowed is "Allowed" or "Allowed-with-Review". I have used this extractor CWE XML Exporter. (Count 612/968)

CWE-ID CWE Name TLCTC # TLCTC Name Argument
5 J2EE Misconfiguration: Data Transmission Without Encryption #5 Man in the Middle (MitM) Transmitting data without encryption makes it vulnerable to interception and modification by an attacker on the communication path, which is the definition of a Man-in-the-Middle attack.
6 J2EE Misconfiguration: Insufficient Session-ID Length #4 Identity Theft An insufficient session ID length makes brute-force guessing easier, directly weakening the session management and credential protection mechanism.
7 J2EE Misconfiguration: Missing Custom Error Page #2 Exploiting Server This misconfiguration causes the server to leak sensitive system information in default error pages, which is a server-side information exposure flaw.
8 J2EE Misconfiguration: Entity Bean Declared Remote #1 Abuse of Functions Exposing an entity bean's methods remotely abuses the intended component model by potentially allowing unauthorized access to data-setting methods, which is a design-level flaw.
9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods #1 Abuse of Functions Assigning weak access permissions (e.g., to an ANYONE role) is a configuration flaw that abuses the intended authorization model, allowing unauthorized actors to invoke functions.
11 ASP.NET Misconfiguration: Creating Debug Binary #1 Abuse of Functions Creating and deploying a debug binary is a misconfiguration that abuses a legitimate development feature (debugging) in a production context, exposing dangerous information or functionality.
12 ASP.NET Misconfiguration: Missing Custom Error Page #2 Exploiting Server This weakness leads to information exposure through detailed error messages. The underlying cause is a flaw in the server-side configuration for error handling.
13 ASP.NET Misconfiguration: Password in Configuration File #4 Identity Theft Storing a password in a configuration file is a weakness in credential protection, making credentials susceptible to theft.
14 Compiler Removal of Code to Clear Buffers #2/#3 Exploiting Server / Exploiting Client This is a subtle implementation flaw. When a compiler optimization removes security-critical code like buffer clearing, it can lead to information exposure in either server-side or client-side applications.
15 External Control of System or Configuration Setting #1 Abuse of Functions Allowing external control of configuration settings abuses the intended function for managing those settings by providing malicious or unauthorized values.
20 Improper Input Validation N/A N/A (Revised)** Excluded. This is a high-level "Class" and explicitly marked as **DISCOURAGED** by MITRE. It is not a specific root-cause vulnerability. Analysis should focus on its more specific children (e.g., CWE-89, CWE-22) which can be mapped directly to TLCTC clusters.
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') #2 Exploiting Server Path Traversal is a classic flaw in server-side code that fails to properly validate file paths, allowing access to unintended files on the server.
23 Relative Path Traversal #2 Exploiting Server A variant of Path Traversal, this is a flaw in server-side path handling/validation code using relative paths ("..").
36 Absolute Path Traversal #2 Exploiting Server This allows access outside a restricted directory due to a flaw in server-side path handling/validation code using absolute paths.
41 Improper Resolution of Path Equivalence #2 Exploiting Server This allows access control bypass using alternate names for the same resource, which is a flaw in server-side path canonicalization or comparison logic.
59 Improper Link Resolution Before File Access ('Link Following') #1/#2 Abuse of Functions / Exploiting Server This can be **#1** if it abuses legitimate symlink functionality (e.g., tricking a privileged script). It can be **#2** if a flaw in server-side file access code (a race condition, TOCTOU) allows a link to be swapped in before access. The context is critical.
61 UNIX Symbolic Link (Symlink) Following #1 Abuse of Functions This is a specific form of 'Link Following' and typically abuses legitimate symlink functionality to access unauthorized files.
62 UNIX Hard Link #1 Abuse of Functions Similar to a symlink attack, this abuses legitimate hard link functionality to access files outside of the intended scope.
64 Windows Shortcut Following (.LNK) #1 Abuse of Functions Abuses the legitimate functionality of Windows shortcut files to cause a program to operate on an unintended file or execute code.
65 Windows Hard Link #1 Abuse of Functions Similar to a UNIX hard link attack, this abuses legitimate Windows hard link functionality to access unintended files.
66 Improper Handling of File Names that Identify Virtual Resources #2 Exploiting Server The server-side code does not properly handle special device filenames (e.g., COM1, LPT1), leading to denial of service or information exposure. This is a server-side handling flaw.
67 Improper Handling of Windows Device Names #2 Exploiting Server A specific variant of CWE-66, this is a flaw in server-side code's handling of special device names on the Windows platform.
69 Improper Handling of Windows ::DATA Alternate Data Stream #2 Exploiting Server Exploits a feature of the NTFS file system. This is a server-side file handling flaw where data can be hidden or checks can be bypassed.
73 External Control of File Name or Path #2 Exploiting Server The product uses an external path without validation. This is a classic server-side flaw that enables path traversal or arbitrary file access/modification.
77 Improper Neutralization of Special Elements used in a Command ('Command Injection') #2/#3 Exploiting Server / Exploiting Client Command Injection can occur on the server when processing a request (e.g., a web form calls system()) or on a client when processing a response (e.g., a malicious response triggers a command on a client-side application). Context is required.
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') #2/#3 Exploiting Server / Exploiting Client A specific type of Command Injection. It's typically a server-side flaw (#2) but could occur on the client (#3) if a client application unsafely constructs and executes OS commands based on server data.
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') #2/#3 Exploiting Server / Exploiting Client This is the general category for XSS. It can be **#2 Exploiting Server** (for Reflected/Stored XSS where the server fails to sanitize output) or **#3 Exploiting Client** (for DOM-based XSS where client-side script handles data unsafely).
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) #2 Exploiting Server A basic form of Reflected or Stored XSS. The server fails to properly neutralize HTML tags in its output, leading to script injection.
81 Improper Neutralization of Script in an Error Message Web Page #2 Exploiting Server A specific case of Reflected XSS where the server reflects unsanitized input within an error message page.
82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page #2 Exploiting Server A specific vector for Cross-Site Scripting where the server fails to sanitize data that is then placed into attributes of an IMG tag, which can be executed by the browser.
83 Improper Neutralization of Script in Attributes in a Web Page #2 Exploiting Server A specific XSS vector where the server fails to sanitize data written into HTML attributes like onload, leading to script execution.
84 Improper Neutralization of Encoded URI Schemes in a Web Page #2 Exploiting Server A server-side filtering flaw. The server fails to recognize and neutralize script handlers (like 'javascript:') when they are URI-encoded, allowing XSS.
85 Doubled Character XSS Manipulations #2 Exploiting Server The server-side sanitization logic is flawed and can be bypassed by doubling characters, which is an exploit of the server's filtering mechanism.
86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages #2 Exploiting Server The flaw lies in the server-side code's inconsistent parsing or handling of identifiers, allowing injection.
87 Improper Neutralization of Alternate XSS Syntax #2 Exploiting Server The server-side filter does not account for non-standard script representations, allowing an XSS attack.
88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') #2 Exploiting Server The server-side code constructs a command but fails to neutralize argument delimiters from user input, allowing an attacker to inject new arguments.
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') #2 Exploiting Server The quintessential server-side weakness where user input is not sanitized before being used in an SQL query, allowing manipulation of the database.
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') #2 Exploiting Server Similar to SQL injection, this is a server-side flaw where user input modifies an LDAP query.
91 XML Injection (aka Blind XPath Injection) #2 Exploiting Server A server-side flaw where user input modifies XML syntax or XPath queries.
93 Improper Neutralization of CRLF Sequences ('CRLF Injection') #2/#3 Exploiting Server / Exploiting Client This can be **#2** (HTTP Response Splitting, server fails to sanitize headers) or **#3** (client fails to handle crafted responses). It can also affect log files on the server.
94 Improper Control of Generation of Code ('Code Injection') #2/#3 Exploiting Server / Exploiting Client This can be server-side (#2), where user input is used to generate executable code (e.g., via eval()), or client-side (#3), where a response causes client-side code generation.
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') #2 Exploiting Server A specific form of Code Injection where server-side code uses an eval() or similar function with unsanitized user input.
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') #2 Exploiting Server The server saves user input to a file (e.g., a config file, a template) that is later executed, representing a flaw in the server's data storage and execution logic.
97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page #2 Exploiting Server A server-side vulnerability where the server fails to sanitize output that is then parsed for SSI directives.
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') #2 Exploiting Server A critical server-side flaw where the PHP interpreter is made to include and execute a remote file based on user input.
99 Improper Control of Resource Identifiers ('Resource Injection') #1/#2 Abuse of Functions / Exploiting Server This can be **#1** if it's about abusing a function that takes a resource identifier to access an unintended resource (e.g., a generic file-retrieval function). It's **#2** if it leads to a specific exploit like Path Traversal.
102 Struts: Duplicate Validation Forms #1 Abuse of Functions Using multiple validation forms with the same name abuses the Struts validation framework, causing it to arbitrarily choose one form and potentially bypass intended validation logic.
103 Struts: Incomplete validate() Method Definition #1 Abuse of Functions A flaw in the design/configuration of the Struts validation logic, which falls under abusing the intended functionality of the validation framework by not implementing it correctly.
104 Struts: Form Bean Does Not Extend Validation Class #1 Abuse of Functions A design/configuration flaw where the application fails to use the framework's security features correctly, thus abusing the intended validation mechanism by omission.
105 Struts: Form Field Without Validator #1 Abuse of Functions A design/configuration flaw. By not providing a validator for a field, the application's intended validation logic is incomplete and can be abused.
106 Struts: Plug-in Framework not in Use #1 Abuse of Functions A high-level design choice to not use an available security framework, which means the application functionality is inherently less secure than intended by the framework designers. This is an abuse of the platform by omission.
107 Struts: Unused Validation Form N/A N/A This is a code quality/maintainability issue. It indicates dead code but is not a directly exploitable vulnerability. Excluded.
108 Struts: Unvalidated Action Form #1 Abuse of Functions A design/configuration flaw where an action form that should be validated is not, allowing its functionality to be used with untrusted data.
109 Struts: Validator Turned Off #1 Abuse of Functions A configuration setting that explicitly turns off a security feature, abusing the system's configuration to bypass validation.
110 Struts: Validator Without Form Field #1 Abuse of Functions A configuration mismatch where validation logic exists for a field that is no longer in the form. This indicates out-of-date or broken validation, which is an abuse of the intended (but flawed) control.
111 Direct Use of Unsafe JNI #2/#3 Exploiting Server / Exploiting Client JNI calls can introduce vulnerabilities on both the server (#2) and client (#3). If a Java application makes an unsafe native call, it's a flaw in that application's code, regardless of where it runs.
112 Missing XML Validation #2 Exploiting Server The server-side application fails to validate XML against a schema, which is a flaw in the server's data handling logic.
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') #2 Exploiting Server This is a server-side flaw where the server fails to sanitize headers, enabling response splitting.
114 Process Control N/A N/A This is a broad Class. It can refer to command injection (**#2**), abuse of process control functions (**#1**), or malware execution (**#7**). It is too high-level for a precise mapping.
115 Misinterpretation of Input #2/#3 Exploiting Server / Exploiting Client A very broad category. It depends on whether the server or client is misinterpreting the input. Needs more context, but generally points to an implementation flaw.
116 Improper Encoding or Escaping of Output #2/#3 Exploiting Server / Exploiting Client The flaw can be in server-side code failing to encode output (#2), or client-side code failing to handle improperly encoded data it receives (#3).
117 Improper Output Neutralization for Logs #2 Exploiting Server The flaw is in the server-side code which improperly sanitizes data before writing it to a log file on the server.
118 Incorrect Access of Indexable Resource ('Range Error') N/A N/A This is a high-level Class. It describes the consequence of other weaknesses like CWE-125 (Out-of-bounds Read) or CWE-129 (Improper Validation of Array Index). Map to its more specific children.
119 Improper Restriction of Operations within the Bounds of a Memory Buffer #2/#3 Exploiting Server / Exploiting Client The general category for buffer overflows. It's a flaw in either server-side (#2) or client-side (#3) code. Context is required.
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') #2/#3 Exploiting Server / Exploiting Client A classic implementation flaw in memory handling that can occur on either the server (#2) or the client (#3). Context is required.
121 Stack-based Buffer Overflow #2/#3 Exploiting Server / Exploiting Client A specific type of buffer overflow, an implementation flaw in either server (#2) or client (#3) code.
122 Heap-based Buffer Overflow #2/#3 Exploiting Server / Exploiting Client A specific type of buffer overflow, an implementation flaw in either server (#2) or client (#3) code.
123 Write-what-where Condition #2/#3 Exploiting Server / Exploiting Client An advanced exploitation result, typically arising from a memory corruption vulnerability (like a buffer overflow) in either server (#2) or client (#3) code.
124 Buffer Underwrite ('Buffer Underflow') #2/#3 Exploiting Server / Exploiting Client An implementation flaw in memory handling that can occur on either the server (#2) or the client (#3).
125 Out-of-bounds Read #2/#3 Exploiting Server / Exploiting Client An implementation flaw in memory handling that allows reading outside of a buffer's bounds, occurring on either the server (#2) or the client (#3). Context is required.
126 Buffer Over-read #2/#3 Exploiting Server / Exploiting Client A synonym for Out-of-bounds Read. An implementation flaw in either server (#2) or client (#3) code.
127 Buffer Under-read #2/#3 Exploiting Server / Exploiting Client An implementation flaw in memory handling allowing reads before the start of a buffer, occurring on either the server (#2) or the client (#3).
128 Wrap-around Error #2/#3 Exploiting Server / Exploiting Client This is a numeric error (like an integer overflow) that often leads to a buffer overflow or other logic flaw. It's an implementation bug that can be in server (#2) or client (#3) code.
129 Improper Validation of Array Index #2/#3 Exploiting Server / Exploiting Client A specific cause of an out-of-bounds access, this is an implementation flaw in server (#2) or client (#3) code.
130 Improper Handling of Length Parameter Inconsistency #2/#3 Exploiting Server / Exploiting Client A parsing flaw where the code trusts a length field over the actual data size. This can occur on the server during a request or on the client during a response.
131 Incorrect Calculation of Buffer Size #2/#3 Exploiting Server / Exploiting Client An integer overflow or other logic error that leads to allocating an incorrectly sized buffer. This is an implementation flaw on either the server (#2) or the client (#3).
132 DEPRECATED: Miscalculated Null Termination N/A N/A Deprecated. The concept is now covered under CWE-170. Excluded.
134 Use of Externally-Controlled Format String #2/#3 Exploiting Server / Exploiting Client The code uses a function that accepts a format string, but the string is externally controlled. This is an implementation flaw that can occur in server-side code (e.g., logging) or client-side code (e.g., displaying a formatted message).
135 Incorrect Calculation of Multi-Byte String Length #2/#3 Exploiting Server / Exploiting Client A specific type of calculation error. This implementation flaw leads to incorrect memory allocation or buffer operations, which can occur on either the server or the client.
138 Improper Neutralization of Special Elements N/A N/A Excluded. This is a high-level Class and is too generic for direct mapping. Specific sub-variants (like SQLi or OS Command Injection) should be used instead.
140 Improper Neutralization of Delimiters #2/#3 Exploiting Server / Exploiting Client A data parsing or handling flaw where delimiters are not properly neutralized, leading to injection. This can be a flaw in either server-side or client-side code.
141 Improper Neutralization of Parameter/Argument Delimiters #2/#3 Exploiting Server / Exploiting Client A specific type of delimiter neutralization failure. This is an implementation flaw that could be exploited in server-side or client-side logic.
142 Improper Neutralization of Value Delimiters #2/#3 Exploiting Server / Exploiting Client A specific type of delimiter neutralization failure. This is an implementation flaw that could be exploited in server-side or client-side logic.
143 Improper Neutralization of Record Delimiters #2/#3 Exploiting Server / Exploiting Client A specific type of delimiter neutralization failure. This is an implementation flaw that could be exploited in server-side or client-side logic.
144 Improper Neutralization of Line Delimiters #2/#3 Exploiting Server / Exploiting Client A specific type of delimiter neutralization failure. This is an implementation flaw that could be exploited in server-side or client-side logic.
145 Improper Neutralization of Section Delimiters #2/#3 Exploiting Server / Exploiting Client A specific type of delimiter neutralization failure. This is an implementation flaw that could be exploited in server-side or client-side logic.
146 Improper Neutralization of Expression/Command Delimiters #2/#3 Exploiting Server / Exploiting Client A specific type of delimiter neutralization failure that often leads to command injection. This is an implementation flaw in server or client code.
147 Improper Neutralization of Input Terminators #2/#3 Exploiting Server / Exploiting Client A specific type of delimiter neutralization failure (e.g., null byte handling). This is an implementation flaw in server or client code.
148 Improper Neutralization of Input Leaders #2/#3 Exploiting Server / Exploiting Client A specific type of delimiter neutralization failure. This is an implementation flaw in server or client code.
149 Improper Neutralization of Quoting Syntax #2/#3 Exploiting Server / Exploiting Client An implementation flaw in handling quoted strings, which can lead to various injection attacks on either the server or client.
150 Improper Neutralization of Escape, Meta, or Control Sequences #2/#3 Exploiting Server / Exploiting Client An implementation flaw in handling special character sequences, which can lead to various injection attacks on either the server or client.
151 Improper Neutralization of Comment Delimiters #2/#3 Exploiting Server / Exploiting Client An implementation flaw in handling comment syntax, which can be used to hide malicious code from filters or cause parsing errors. Can be server-side or client-side.
152 Improper Neutralization of Macro Symbols #2/#3 Exploiting Server / Exploiting Client An implementation flaw in handling macros, which could allow an attacker to invoke unintended functionality. Can be server-side or client-side.
153 Improper Neutralization of Substitution Characters #2/#3 Exploiting Server / Exploiting Client An implementation flaw in handling substitution characters, which can alter the intended logic. Can be server-side or client-side.
154 Improper Neutralization of Variable Name Delimiters #2/#3 Exploiting Server / Exploiting Client An implementation flaw in handling variable delimiters, which could lead to variable manipulation or injection. Can be server-side or client-side.
155 Improper Neutralization of Wildcards or Matching Symbols #2/#3 Exploiting Server / Exploiting Client An implementation flaw in handling wildcards, which could lead to unintended resource access or logic bypasses. Can be server-side or client-side.
156 Improper Neutralization of Whitespace #2/#3 Exploiting Server / Exploiting Client An implementation flaw in handling whitespace, which can lead to bypasses of security filters. Can be server-side or client-side.
157 Failure to Sanitize Paired Delimiters #2/#3 Exploiting Server / Exploiting Client An implementation flaw in parsing paired delimiters (like parentheses or brackets), which can lead to syntax errors or injection. Can be server-side or client-side.
158 Improper Neutralization of Null Byte or NUL Character #2/#3 Exploiting Server / Exploiting Client An implementation flaw in handling null bytes, often leading to premature string termination and filter bypasses. Can be server-side or client-side.
159 Improper Handling of Invalid Use of Special Elements N/A N/A Excluded. This is a high-level Class, too generic for mapping.
160 Improper Neutralization of Leading Special Elements #2/#3 Exploiting Server / Exploiting Client An implementation flaw in parsing, leading to bypasses. Can be server-side or client-side.
161 Improper Neutralization of Multiple Leading Special Elements #2/#3 Exploiting Server / Exploiting Client An implementation flaw in parsing, leading to bypasses. Can be server-side or client-side.
162 Improper Neutralization of Trailing Special Elements #2/#3 Exploiting Server / Exploiting Client An implementation flaw in parsing, leading to bypasses. Can be server-side or client-side.
163 Improper Neutralization of Multiple Trailing Special Elements #2/#3 Exploiting Server / Exploiting Client An implementation flaw in parsing, leading to bypasses. Can be server-side or client-side.
164 Improper Neutralization of Internal Special Elements #2/#3 Exploiting Server / Exploiting Client An implementation flaw in parsing, leading to bypasses. Can be server-side or client-side.
165 Improper Neutralization of Multiple Internal Special Elements #2/#3 Exploiting Server / Exploiting Client An implementation flaw in parsing, leading to bypasses. Can be server-side or client-side.
166 Improper Handling of Missing Special Element #2/#3 Exploiting Server / Exploiting Client An implementation flaw where the code expects a special element that is missing, causing a parsing error or logic flaw. Can be server-side or client-side.
167 Improper Handling of Additional Special Element #2/#3 Exploiting Server / Exploiting Client An implementation flaw where the code receives more special elements than expected, causing a parsing error or logic flaw. Can be server-side or client-side.
168 Improper Handling of Inconsistent Special Elements #2/#3 Exploiting Server / Exploiting Client An implementation flaw where the code does not handle inconsistencies (e.g., mismatched pairs), causing a parsing error or logic flaw. Can be server-side or client-side.
170 Improper Null Termination #2/#3 Exploiting Server / Exploiting Client An implementation flaw where a string is not properly null-terminated, often leading to buffer over-reads. Can be server-side or client-side.
172 Encoding Error #2/#3 Exploiting Server / Exploiting Client A flaw in the implementation of encoding or decoding logic, leading to data corruption or bypasses. Can be server-side or client-side.
173 Improper Handling of Alternate Encoding #2/#3 Exploiting Server / Exploiting Client An implementation flaw where alternate encodings are not handled, allowing filter bypasses. Can be server-side or client-side.
174 Double Decoding of the Same Data #2/#3 Exploiting Server / Exploiting Client An implementation flaw that allows an attacker to bypass a filter by sending encoded data that only becomes malicious after a second, later decoding step. Can be server-side or client-side.
175 Improper Handling of Mixed Encoding #2/#3 Exploiting Server / Exploiting Client An implementation flaw where mixed encodings are not handled correctly, allowing filter bypasses. Can be server-side or client-side.
176 Improper Handling of Unicode Encoding #2/#3 Exploiting Server / Exploiting Client An implementation flaw in handling the complexities of Unicode, which can lead to filter bypasses or logic errors. Can be server-side or client-side.
177 Improper Handling of URL Encoding (Hex Encoding) #2/#3 Exploiting Server / Exploiting Client A flaw in the server's or client's URL parsing and decoding logic.
178 Improper Handling of Case Sensitivity #2 Exploiting Server Typically a server-side flaw where logic does not account for the case-insensitivity of an underlying system (like Windows filenames), allowing bypasses.
179 Incorrect Behavior Order: Early Validation #2/#3 Exploiting Server / Exploiting Client A logic flaw where validation occurs before sanitization/canonicalization, allowing bypasses. This is an implementation flaw on the server or client.
180 Incorrect Behavior Order: Validate Before Canonicalize #2/#3 Exploiting Server / Exploiting Client A specific and common type of CWE-179. An implementation flaw on the server or client.
181 Incorrect Behavior Order: Validate Before Filter #2/#3 Exploiting Server / Exploiting Client A specific and common type of CWE-179. An implementation flaw on the server or client.
182 Collapse of Data into Unsafe Value #2/#3 Exploiting Server / Exploiting Client An implementation flaw in a filter where removing a "bad" string results in the creation of a new "bad" string (e.g., removing ../ from ...//..// leaves ../). Can be server or client side.
183 Permissive List of Allowed Inputs #1 Abuse of Functions A design/implementation flaw in an allowlist. This is an abuse of the intended (but flawed) validation logic.
184 Incomplete List of Disallowed Inputs #1 Abuse of Functions A design/implementation flaw in a denylist. This is an abuse of the intended (but flawed) validation logic.
185 Incorrect Regular Expression #2/#3 Exploiting Server / Exploiting Client An implementation flaw in the validation logic itself. This can occur on the server or the client.
187 Partial String Comparison #2/#3 Exploiting Server / Exploiting Client An implementation flaw in comparison logic (e.g., using strncmp instead of strcmp without checking the return value). This can occur on the server or the client.
188 Reliance on Data/Memory Layout #2/#3 Exploiting Server / Exploiting Client A low-level C/C++ implementation flaw where code makes unsafe assumptions about memory layout, leading to corruption. Can be server-side or client-side.
190 Integer Overflow or Wraparound #2/#3 Exploiting Server / Exploiting Client A classic numeric calculation flaw. This can occur in server-side or client-side code, often leading to buffer overflows or logic errors. It's a fundamental implementation bug.
191 Integer Underflow (Wrap or Wraparound) #2/#3 Exploiting Server / Exploiting Client Similar to integer overflow, this is a numeric calculation flaw in the implementation of server-side or client-side code.
192 Integer Coercion Error #2/#3 Exploiting Server / Exploiting Client A flaw in how data types are converted. This implementation error can lead to unexpected values and security bypasses in either server or client code.
193 Off-by-one Error #2/#3 Exploiting Server / Exploiting Client A common implementation bug in loops or memory calculations that leads to out-of-bounds access. Can occur on server or client.
194 Unexpected Sign Extension #2/#3 Exploiting Server / Exploiting Client A numeric conversion error. It's an implementation flaw in how signed/unsigned numbers are handled, which can occur on either the server or client.
195 Signed to Unsigned Conversion Error #2/#3 Exploiting Server / Exploiting Client A numeric conversion error. An implementation flaw in how signed/unsigned numbers are handled, which can occur on either the server or client.
196 Unsigned to Signed Conversion Error #2/#3 Exploiting Server / Exploiting Client A numeric conversion error. An implementation flaw in how signed/unsigned numbers are handled, which can occur on either the server or client.
197 Numeric Truncation Error #2/#3 Exploiting Server / Exploiting Client A numeric conversion error where data is lost. This implementation flaw can occur on either the server or client.
198 Use of Incorrect Byte Ordering #2/#3 Exploiting Server / Exploiting Client A data handling flaw where the byte order (endianness) is not correctly interpreted, leading to data corruption. Can be a server or client implementation bug.
200 Exposure of Sensitive Information to an Unauthorized Actor N/A N/A Excluded. This is a high-level "Class" and is explicitly marked as **DISCOURAGED** by MITRE for mapping. It describes a *consequence*, not a root-cause weakness.
201 Insertion of Sensitive Information Into Sent Data #2/#3 Exploiting Server / Exploiting Client The flaw is in the code that constructs the data to be sent. This can be server-side code sending a response or client-side code sending a request.
202 Exposure of Sensitive Information Through Data Queries #2 Exploiting Server The weakness lies in how the server processes queries and returns data, allowing an attacker to infer sensitive information. This is a server-side information-handling flaw.
203 Observable Discrepancy #2/#3/#8 Exploiting Server / Exploiting Client / Physical Attack This is a broad category for side-channel attacks. It can be a software flaw on the server (#2) or client (#3), or it can exploit physical hardware properties (#8).
204 Observable Response Discrepancy #2 Exploiting Server The server provides different responses (e.g., error messages) based on internal state, which an attacker can use to enumerate users or learn system details. This is a server-side information leak.
208 Observable Timing Discrepancy #2/#3/#8 Exploiting Server / Exploiting Client / Physical Attack A specific side-channel where the time taken for an operation reveals information. Can be a software flaw on the server (#2) or client (#3), or a physical hardware timing leak (#8).
209 Generation of Error Message Containing Sensitive Information #2 Exploiting Server The server-side code generates an error message that improperly includes sensitive information.
211 Externally-Generated Error Message Containing Sensitive Information #2 Exploiting Server The server environment (e.g., application server, database) generates a detailed error message that is then exposed by the application. This is a server-side information exposure flaw.
212 Improper Removal of Sensitive Information Before Storage or Transfer #2 Exploiting Server The flaw is in the server-side logic that fails to scrub sensitive data from a resource before making it available.
213 Exposure of Sensitive Information Due to Incompatible Policies #1 Abuse of Functions This is a design flaw where the system's functionality, while working as designed, violates a user's or another component's security policy. This is an abuse of the system's legitimate functions.
214 Invocation of Process Using Visible Sensitive Information #1 Abuse of Functions The flaw is in how a process is invoked, abusing the operating system's process management to expose credentials (e.g., in command-line arguments).
215 Insertion of Sensitive Information Into Debugging Code N/A N/A This is a development practice issue. It becomes a vulnerability only when that debug code is exposed, which would be covered by other CWEs (e.g., CWE-489 - Active Debug Code). Excluded as a pre-cursor.
219 Storage of File with Sensitive Data Under Web Root #2 Exploiting Server A server configuration/deployment flaw where sensitive files are placed in a publicly accessible location on the server.
220 Storage of File With Sensitive Data Under FTP Root #2 Exploiting Server A server configuration/deployment flaw, similar to CWE-219 but specific to FTP servers.
221 Information Loss or Omission N/A N/A This describes a failure to log security-relevant information, which hinders forensics but is not a directly exploitable vulnerability that leads to compromise. It's a control failure, not a TLCTC threat. Excluded.
222 Truncation of Security-relevant Information N/A N/A Similar to CWE-221, this hinders forensics but is not a direct attack vector. Excluded.
223 Omission of Security-relevant Information N/A N/A Similar to CWE-221, this hinders forensics but is not a direct attack vector. Excluded.
224 Obscured Security-relevant Information by Alternate Name N/A N/A Similar to CWE-221, this hinders forensics but is not a direct attack vector. Excluded.
226 Sensitive Information in Resource Not Removed Before Reuse #2/#3/#8 Exploiting Server / Exploiting Client / Physical Attack A flaw where a resource (memory, file, etc.) is not cleared before being re-allocated. This can be a flaw in server-side software (#2), client-side software (#3), or hardware registers (#8).
228 Improper Handling of Syntactically Invalid Structure #2/#3 Exploiting Server / Exploiting Client A parsing error on either the server or client, leading to a crash or undefined behavior.
229 Improper Handling of Values #2/#3 Exploiting Server / Exploiting Client A generic parsing/logic flaw where unexpected values cause errors. Can be a server-side or client-side implementation bug.
230 Improper Handling of Missing Values #2/#3 Exploiting Server / Exploiting Client A specific type of CWE-229. An implementation flaw on the server or client.
231 Improper Handling of Extra Values #2/#3 Exploiting Server / Exploiting Client A specific type of CWE-229. An implementation flaw on the server or client.
232 Improper Handling of Undefined Values #2/#3 Exploiting Server / Exploiting Client A specific type of CWE-229. An implementation flaw on the server or client.
233 Improper Handling of Parameters #2/#3 Exploiting Server / Exploiting Client A specific type of CWE-229 related to function parameters. An implementation flaw on the server or client.
234 Failure to Handle Missing Parameter #2/#3 Exploiting Server / Exploiting Client A specific type of CWE-229. An implementation flaw on the server or client.
235 Improper Handling of Extra Parameters #2/#3 Exploiting Server / Exploiting Client A specific type of CWE-229. An implementation flaw on the server or client.
236 Improper Handling of Undefined Parameters #2/#3 Exploiting Server / Exploiting Client A specific type of CWE-229. An implementation flaw on the server or client.
237 Improper Handling of Structural Elements #2/#3 Exploiting Server / Exploiting Client A generic parsing error that can occur on the server or client.
238 Improper Handling of Incomplete Structural Elements #2/#3 Exploiting Server / Exploiting Client A specific type of CWE-237. An implementation flaw on the server or client.
240 Improper Handling of Inconsistent Structural Elements #2/#3 Exploiting Server / Exploiting Client A specific type of CWE-237. An implementation flaw on the server or client.
241 Improper Handling of Unexpected Data Type #2/#3 Exploiting Server / Exploiting Client An implementation flaw in type handling that leads to errors. Can occur on the server or client.
242 Use of Inherently Dangerous Function #2/#3 Exploiting Server / Exploiting Client This describes using a function like gets() that cannot be made safe. This is an implementation flaw that can occur in server-side or client-side code.
243 Creation of chroot Jail Without Changing Working Directory #1 Abuse of Functions This is an abuse of the chroot() function's intended behavior. The function is working as designed, but the programmer's failure to also call chdir() allows the jail to be bypassed.
244 Improper Clearing of Heap Memory Before Release ('Heap Inspection') #2 Exploiting Server A server-side memory handling flaw where sensitive data is not scrubbed, potentially leaking it to other processes on the same server.
245 J2EE Bad Practices: Direct Management of Connections #2 Exploiting Server This is a server-side implementation that violates the framework's specification, leading to potential resource management issues.
246 J2EE Bad Practices: Direct Use of Sockets #2 Exploiting Server A server-side implementation that violates the framework's specification, potentially bypassing container-level security controls.
248 Uncaught Exception #2/#3 Exploiting Server / Exploiting Client An implementation flaw in error handling. Can occur on the server or client, often leading to information disclosure or denial of service.
250 Execution with Unnecessary Privileges #1 Abuse of Functions The code is granted more permissions than it needs for a specific task. An attacker abuses this oversized permission set to perform unauthorized actions.
252 Unchecked Return Value #2/#3 Exploiting Server / Exploiting Client An implementation flaw where the code does not check if a function call succeeded, potentially causing it to proceed in an unexpected state. Can occur on the server or client.
253 Incorrect Check of Function Return Value #2/#3 Exploiting Server / Exploiting Client A specific type of CWE-252. An implementation flaw on the server or client.
256 Plaintext Storage of a Password #4 Identity Theft This is a fundamental weakness in credential management where passwords are not protected at rest, making them vulnerable to theft.
257 Storing Passwords in a Recoverable Format #4 Identity Theft Storing passwords with reversible encryption is a weakness in credential protection. If the key is compromised, all passwords can be recovered, making it nearly as risky as plaintext storage.
258 Empty Password in Configuration File #4 Identity Theft A specific and severe credential management weakness. An empty password allows trivial authentication bypass.
259 Use of Hard-coded Password #4 Identity Theft Hard-coding a password is a critical credential management weakness, as it cannot be changed and is easily discovered via reverse engineering.
260 Password in Configuration File #4 Identity Theft This is a credential storage weakness, making passwords accessible to anyone who can read the configuration file.
261 Weak Encoding for Password #4 Identity Theft Using a weak, reversible encoding (like Base64) instead of a proper hash is a credential protection failure.
262 Not Using Password Aging #4 Identity Theft This is a policy weakness in identity management that increases the risk window for compromised credentials.
263 Password Aging with Long Expiration #4 Identity Theft A specific type of password policy weakness, making credentials vulnerable for a longer period.
266 Incorrect Privilege Assignment #1 Abuse of Functions The product incorrectly assigns a privilege, creating an overly permissive state that can be abused by the actor. This is a flaw in the intended function of the authorization system.
267 Privilege Defined With Unsafe Actions #1 Abuse of Functions The privilege itself is defined too broadly, allowing a legitimate user of that privilege to perform unsafe actions. This is an abuse of a poorly designed function/privilege.
268 Privilege Chaining #1 Abuse of Functions An attacker combines multiple, distinct privileges to achieve an outcome that no single privilege should allow. This is an abuse of the designed functionality of the separate privileges.
269 Improper Privilege Management N/A N/A Excluded. This is a high-level Class and is explicitly marked as **DISCOURAGED** by MITRE for mapping. It covers the weaknesses below it.
270 Privilege Context Switching Error #1/#2 Abuse of Functions / Exploiting Server This can be **#1** if it's an abuse of the logic for switching contexts, or **#2** if it's an implementation bug (e.g., a race condition) in the context-switching code itself.
271 Privilege Dropping / Lowering Errors N/A N/A Excluded. This is a high-level Class that is too generic for mapping.
272 Least Privilege Violation #1 Abuse of Functions The code executes a specific operation but abuses its privileges by not dropping them immediately after. The function of holding privileges is abused by retaining them for too long.
273 Improper Check for Dropped Privileges #2/#3 Exploiting Server / Exploiting Client An implementation flaw. The code attempts to drop privileges but doesn't check the return value, causing it to continue running in an elevated state. Can be server-side or client-side.
274 Improper Handling of Insufficient Privileges #2/#3 Exploiting Server / Exploiting Client An implementation flaw in error handling. The code doesn't gracefully handle a failure to get needed privileges, potentially leading to an unstable state. Can be server or client.
276 Incorrect Default Permissions #1 Abuse of Functions The product is installed with overly permissive defaults. An attacker abuses this default configuration to access resources.
277 Insecure Inherited Permissions #1 Abuse of Functions A flaw in how permissions are designed to be inherited, which an attacker can abuse to gain unintended access.
278 Insecure Preserved Inherited Permissions #1 Abuse of Functions Similar to CWE-277, this is a flaw in how permissions are handled during operations like copying, which an attacker abuses.
279 Incorrect Execution-Assigned Permissions #1 Abuse of Functions The product violates its own intended policy by assigning the wrong permissions at runtime. An attacker can abuse this incorrect state.
282 Improper Ownership Management N/A N/A Excluded. This is a high-level Class and is explicitly marked as **DISCOURAGED** by MITRE for mapping.
283 Unverified Ownership #1/#4 Abuse of Functions / Identity Theft Can be **#1** (Abuse of Function) if the system trusts a user-provided claim of ownership without verification. Can be **#4** (Identity Theft) if it's a failure to properly authenticate the owner's identity.
284 Improper Access Control N/A N/A Excluded. This is a Pillar, the highest level of abstraction, and is not suitable for mapping.
285 Improper Authorization N/A N/A Excluded. This is a high-level Class, too generic for direct mapping. Specific sub-variants should be used instead.
286 Incorrect User Management N/A N/A Excluded. A high-level Class, too generic for direct mapping.
287 Improper Authentication N/A N/A Excluded. A high-level Class, explicitly marked as **DISCOURAGED** by MITRE for mapping.
288 Authentication Bypass Using an Alternate Path or Channel #1 Abuse of Functions The system has an unprotected alternate path (e.g., a debug interface, a secondary port). An attacker abuses this legitimate (though insecure) channel to bypass authentication on the primary channel.
289 Authentication Bypass by Alternate Name #1/#4 Abuse of Functions / Identity Theft This is **#1** if it exploits a system's logic for resolving names (e.g., path equivalence). It is **#4** if it involves faking an identity credential that uses an alternate name.
290 Authentication Bypass by Spoofing #4 Identity Theft The core of this weakness is faking or misrepresenting an identity to the authentication system, which is a form of identity theft.
291 Reliance on IP Address for Authentication #4 Identity Theft Using an easily spoofable identifier like an IP address for authentication is a weak identity verification mechanism.
293 Using Referer Field for Authentication #4 Identity Theft Using a client-controlled, easily modifiable header like Referer for authentication is a weak identity verification mechanism.
294 Authentication Bypass by Capture-replay #5 Man in the Middle (MitM) This is a classic Man-in-the-Middle (MitM) attack where an attacker on the communication path captures and replays authentication traffic.
295 Improper Certificate Validation #2/#3 Exploiting Server / Exploiting Client Certificate validation is a specific implementation step. A flaw here is a bug in either server-side code (#2, e.g., validating a client cert) or client-side code (#3, e.g., validating a server cert).
296 Improper Following of a Certificate's Chain of Trust #2/#3 Exploiting Server / Exploiting Client A specific type of implementation flaw in certificate validation that can occur on the server or the client.
297 Improper Validation of Certificate with Host Mismatch #2/#3 Exploiting Server / Exploiting Client A specific type of implementation flaw in certificate validation that can occur on the server or the client.
298 Improper Validation of Certificate Expiration #2/#3 Exploiting Server / Exploiting Client A specific type of implementation flaw in certificate validation that can occur on the server or the client.
299 Improper Check for Certificate Revocation #2/#3 Exploiting Server / Exploiting Client A specific type of implementation flaw in certificate validation that can occur on the server or the client.
300 Channel Accessible by Non-Endpoint #5 Man in the Middle (MitM) This describes the core condition that enables a Man-in-the-Middle (MitM) attack. The channel's integrity is not sufficient to prevent an intermediary from accessing it.
301 Reflection Attack in an Authentication Protocol #4 Identity Theft An attack that tricks a system into revealing secrets needed for impersonation. It is a flaw in the authentication process logic, directly enabling identity theft.
302 Authentication Bypass by Assumed-Immutable Data #1/#4 Abuse of Functions / Identity Theft This is **#1** if it's abusing the application logic that trusts a mutable parameter (e.g., a hidden form field). It is **#4** if that parameter is an identity token or credential.
303 Incorrect Implementation of Authentication Algorithm #2/#3/#4 Exploiting Server / Exploiting Client / Identity Theft Can be a flaw in the implementation code itself (#2/#3). However, since it directly impacts the authentication process, it's most strongly a weakness in the identity verification process (#4).
304 Missing Critical Step in Authentication #4 Identity Theft A flaw in the authentication logic where a required verification step is skipped, weakening the identity check.
305 Authentication Bypass by Primary Weakness N/A N/A Excluded. This is a "resultant" weakness and does not describe a root cause. It is a way of saying "another bug led to auth bypass."
306 Missing Authentication for Critical Function #1 Abuse of Functions The critical function itself is implemented correctly, but the failure to place an authentication check before it allows the function to be abused by unauthorized actors.
307 Improper Restriction of Excessive Authentication Attempts #4 Identity Theft A weakness in the identity management process that makes brute-force attacks against credentials more feasible.
308 Use of Single-factor Authentication #4 Identity Theft A weakness in the design of the authentication process, making it more susceptible to compromise than a multi-factor system.
309 Use of Password System for Primary Authentication #4 Identity Theft A high-level description of using passwords, which are a form of identity credential. The specific weaknesses are in how they are managed.
310 DEPRECATED: Cleartext Transmission of Sensitive Information N/A N/A Deprecated. Replaced by CWE-319. Excluded.
311 Missing Encryption of Sensitive Data #4/#5 Identity Theft / Man in the Middle (MitM) This is a broad category. If it refers to storing credentials without encryption, it's **#4**. If it refers to transmitting data over a network without encryption, it's **#5**, as it enables a Man-in-the-Middle attack.
312 Cleartext Storage of Sensitive Information #4 Identity Theft A specific type of CWE-311. Storing sensitive data, especially credentials, in cleartext is a fundamental credential protection weakness.
313 Cleartext Storage in a File or on Disk #4 Identity Theft A specific variant of cleartext storage, representing a credential management flaw.
314 Cleartext Storage in the Registry #4 Identity Theft A specific variant of cleartext storage, representing a credential management flaw.
315 Cleartext Storage of Sensitive Information in a Cookie #4 Identity Theft Storing credentials or session identifiers in a cleartext cookie is a critical flaw in the identity/session management process.
316 Cleartext Storage of Sensitive Information in Memory #2/#3 Exploiting Server / Exploiting Client A memory management flaw. If sensitive data (like a password) is held in memory longer than necessary, it can be leaked. This can be a flaw in server-side or client-side code.
317 Cleartext Storage of Sensitive Information in GUI #3 Exploiting Client This is a client-side implementation flaw where sensitive information is not properly masked or protected within the user interface.
318 Cleartext Storage of Sensitive Information in Executable #4 Identity Theft Hard-coding credentials into a binary is a critical credential management weakness.
319 Cleartext Transmission of Sensitive Information #5 Man in the Middle (MitM) This is the primary weakness that enables a Man-in-the-Middle (MitM) attack by allowing an attacker on the communication path to read sensitive data.
320 Key Management Errors N/A N/A Excluded. This is a high-level "Class" that is too generic for mapping.
321 Use of Hard-coded Cryptographic Key #4 Identity Theft Hard-coding a key used for authentication or session protection is a critical credential management weakness.
322 Key Exchange without Entity Authentication #5 Man in the Middle (MitM) A flaw in the communication protocol that allows an attacker to perform a Man-in-the-Middle attack by impersonating one of the endpoints during the key exchange.
323 Reusing a Nonce, Key Pair in Encryption #5 Man in the Middle (MitM) Reusing a nonce can break the security guarantees of a cryptographic protocol, enabling replay attacks or decryption by a Man-in-the-Middle.
324 Use of a Key Past its Expiration Date #4 Identity Theft A key management flaw that falls under identity/credential management. Using an expired key is akin to using an expired password.
325 Missing Cryptographic Step #2/#3 Exploiting Server / Exploiting Client An implementation bug in cryptographic code. This can be a flaw in server-side or client-side code.
326 Inadequate Encryption Strength #4/#5 Identity Theft / Man in the Middle (MitM) Can be **#4** if used for storing credentials, or **#5** if used for protecting a communication channel. In either case, the protection is too weak to be effective.
327 Use of a Broken or Risky Cryptographic Algorithm #4/#5 Identity Theft / Man in the Middle (MitM) Can be **#4** if a broken hash is used for password storage, or **#5** if a broken cipher is used for transport security. A fundamental protection failure.
328 Use of Weak Hash #4 Identity Theft Using a weak hash (like MD5) for passwords is a credential management failure, as it makes offline brute-force attacks trivial.
329 Generation of Predictable IV with CBC Mode #5 Man in the Middle (MitM) An implementation flaw in the use of a cryptographic protocol that weakens the encryption, making it more vulnerable to a Man-in-the-Middle attack.
330 Use of Insufficiently Random Values N/A N/A Excluded. A high-level "Class" that is too generic for mapping.
331 Insufficient Entropy #4/#5/#8 Identity Theft / Man in the Middle (MitM) / Physical Attack This can apply in multiple contexts. If a weak random number generator is used for session IDs, it's a **#4** flaw. If it's for cryptographic keys for transport, it's **#5**. If it's a hardware RNG flaw, it's **#8**.
332 Insufficient Entropy in PRNG #4/#5 Identity Theft / Man in the Middle (MitM) A software-based entropy issue. A flaw in the PRNG used for session IDs (#4) or transport crypto (#5).
333 Improper Handling of Insufficient Entropy in TRNG #8 Physical Attack A True Random Number Generator (TRNG) is a hardware component. A flaw in its handling is a physical-layer weakness.
334 Small Space of Random Values #4/#5 Identity Theft / Man in the Middle (MitM) A design flaw in a randomization process. If used for session IDs, it's a **#4** flaw. If for transport crypto, it's **#5**.
335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) #4/#5 Identity Theft / Man in the Middle (MitM) An implementation flaw in how a PRNG is seeded. Can impact session tokens (#4) or transport crypto (#5).
336 Same Seed in Pseudo-Random Number Generator (PRNG) #4/#5 Identity Theft / Man in the Middle (MitM) A specific type of PRNG seeding flaw. Can impact session tokens (#4) or transport crypto (#5).
337 Predictable Seed in Pseudo-Random Number Generator (PRNG) #4/#5 Identity Theft / Man in the Middle (MitM) A specific type of PRNG seeding flaw. Can impact session tokens (#4) or transport crypto (#5).
338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) #4/#5 Identity Theft / Man in the Middle (MitM) An implementation choice to use a weak PRNG for security-sensitive values like session IDs (#4) or transport keys (#5).
339 Small Seed Space in PRNG #4/#5 Identity Theft / Man in the Middle (MitM) A design flaw that makes a PRNG's seed easier to brute-force. Can impact session tokens (#4) or transport crypto (#5).
340 Generation of Predictable Numbers or Identifiers N/A N/A Excluded. A high-level "Class" that is too generic for mapping.
341 Predictable from Observable State #4/#5 Identity Theft / Man in the Middle (MitM) A flaw where an attacker can predict a "random" value (like a session ID or key) from public information. A flaw in either identity management (#4) or channel security (#5).
342 Predictable Exact Value from Previous Values #4/#5 Identity Theft / Man in the Middle (MitM) A flaw where an attacker can predict the next "random" value from previous ones. A flaw in either identity management (#4) or channel security (#5).
343 Predictable Value Range from Previous Values #4/#5 Identity Theft / Man in the Middle (MitM) A flaw where an attacker can narrow the search space for the next "random" value. A flaw in either identity management (#4) or channel security (#5).
344 Use of Invariant Value in Dynamically Changing Context #1/#2 Abuse of Functions / Exploiting Server Can be **#1** if a function is abused by providing an invariant value in a context where it becomes unsafe, or **#2** if it's an implementation flaw in handling state.
345 Insufficient Verification of Data Authenticity N/A N/A Excluded. A high-level "Class" that is too generic for mapping.
346 Origin Validation Error #1/#4 Abuse of Functions / Identity Theft Can be **#1** if the flaw is in the business logic that trusts the origin. Can be **#4** if it's a failure to properly authenticate the origin's identity.
347 Improper Verification of Cryptographic Signature #2/#3 Exploiting Server / Exploiting Client An implementation flaw in the code that verifies a signature. Can be server-side (#2, e.g. verifying a SAML assertion) or client-side (#3, e.g. verifying a signed applet).
348 Use of Less Trusted Source #1 Abuse of Functions A logic flaw where the application chooses to use data from a source that is known to be less reliable or secure, abusing a function that allows for multiple sources.
349 Acceptance of Extraneous Untrusted Data With Trusted Data #2 Exploiting Server A server-side parsing flaw where the application accepts and processes untrusted data that has been appended to or included with legitimate, trusted data.
350 Reliance on Reverse DNS Resolution for a Security-Critical Action #4 Identity Theft Using reverse DNS for authentication is a weak identity verification mechanism because DNS can be spoofed.
351 Insufficient Type Distinction N/A N/A Excluded. A high-level Class, too generic for mapping.
352 Cross-Site Request Forgery (CSRF) #1 Abuse of Functions CSRF is a classic example of Abuse of Functions. The attacker tricks a user's authenticated browser into sending a request that invokes a legitimate, state-changing function on the server without the user's consent.
353 Missing Support for Integrity Check #5 Man in the Middle (MitM) The communication protocol lacks integrity checks, making it vulnerable to a Man-in-the-Middle who can modify data in transit without detection.
354 Improper Validation of Integrity Check Value #2/#3/#5 Exploiting Server / Exploiting Client / Man in the Middle (MitM) Can be an implementation flaw on the server (#2) or client (#3) that fails to correctly validate a checksum. The existence of this flaw makes a **#5** (MitM) attack possible.
356 Product UI does not Warn User of Unsafe Actions #9 Social Engineering This is a failure to properly guide the user, making them more susceptible to social engineering attacks where they are tricked into performing a dangerous action.
357 Insufficient UI Warning of Dangerous Operations #9 Social Engineering A specific type of CWE-356, where the warning exists but is ineffective, increasing the chance a user can be socially engineered.
358 Improperly Implemented Security Check for Standard #2/#3 Exploiting Server / Exploiting Client This describes a bug in the implementation of a security check, which could reside on either the server or the client.
359 Exposure of Private Personal Information to an Unauthorized Actor N/A N/A Excluded. This is a high-level "Base" category that describes a *consequence* (information exposure), not a specific root-cause weakness.
360 Trust of System Event Data #1 Abuse of Functions The application abuses the system's event model by trusting event data (e.g., window messages) that can be spoofed by other processes on the same desktop.
361 DEPRECATED: Basic XSS N/A N/A Deprecated. See CWE-80.
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') #2/#3 Exploiting Server / Exploiting Client A classic implementation flaw related to concurrency. Race conditions can occur in server-side or client-side code, leading to unpredictable states and vulnerabilities.
363 Race Condition Enabling Link Following #2 Exploiting Server A specific type of race condition (TOCTOU) where a file check is performed, but an attacker can replace the file with a symbolic link before it's used. This is an implementation flaw on the server.
364 Signal Handler Race Condition #2/#3 Exploiting Server / Exploiting Client An implementation flaw in how signal handlers interact with shared state, which can occur in either server or client processes.
366 Race Condition within a Thread #2/#3 Exploiting Server / Exploiting Client A specific type of race condition related to unsynchronized access to shared resources within a single process. Can be a server or client implementation flaw.
367 Time-of-check Time-of-use (TOCTOU) Race Condition #2 Exploiting Server A classic race condition where the state of a resource changes between a check and its use. This is typically a flaw in server-side logic when dealing with files or other shared resources.
368 Context Switching Race Condition #2/#3 Exploiting Server / Exploiting Client A race condition that occurs during a privilege or context switch. This is an implementation flaw in the code handling the transition, which could be on the server or client.
369 Divide By Zero #2/#3 Exploiting Server / Exploiting Client A common implementation bug that leads to an exception or crash. This can occur in either server-side or client-side calculations.
370 Missing Check for Certificate Revocation after Initial Check #2/#3 Exploiting Server / Exploiting Client A TOCTOU (Time-of-check Time-of-use) race condition applied to certificate validation. This is an implementation flaw on either the client or server.
372 Incomplete Internal State Distinction #2/#3 Exploiting Server / Exploiting Client A logic flaw where the program doesn't correctly identify its own state, leading to incorrect behavior. This is an implementation bug that can occur on the server or client.
374 Passing Mutable Objects to an Untrusted Method #2/#3 Exploiting Server / Exploiting Client An implementation flaw. If a server passes a mutable object to a component it doesn't trust (e.g., a plugin), it's #2. If a client does so (e.g., passing data to a browser extension), it's #3.
375 Returning a Mutable Object to an Untrusted Caller #2/#3 Exploiting Server / Exploiting Client An implementation flaw where a method returns a direct reference to an internal, mutable object, allowing the caller to modify internal state. Can occur on server or client.
377 Insecure Temporary File #1/#2 Abuse of Functions / Exploiting Server This is **#1** if the flaw is in the business logic of how temporary files are used (e.g., predictable names). It is **#2** if it's a TOCTOU race condition during file creation.
378 Creation of Temporary File With Insecure Permissions #2 Exploiting Server A server-side implementation flaw where a temporary file is created with permissions that are too broad, allowing other users on the system to access it.
379 Creation of Temporary File in Directory with Insecure Permissions #2 Exploiting Server A server-side implementation flaw where a temporary file is created in a world-writable directory, enabling symlink attacks and other race conditions.
382 J2EE Bad Practices: Use of System.exit() #2 Exploiting Server A server-side implementation flaw where the application code calls a function that shuts down the entire container, causing a denial of service.
383 J2EE Bad Practices: Direct Use of Threads #2 Exploiting Server A server-side implementation that violates the framework's specification, leading to potential instability and race conditions.
384 Session Fixation #4 Identity Theft An attack on the session management process. The application fails to create a new session ID upon login, allowing an attacker to fixate the user's session to one they control. This is an identity/session management flaw.
385 Covert Timing Channel #8 Physical Attack A covert timing channel is a classic side-channel attack that exploits the physical properties (timing) of the hardware's execution.
Read the TLCTC Blog: "Mapping CWE-514 (Covert Channel) to TLCTC"
386 Symbolic Name not Mapping to Correct Object #1 Abuse of Functions A logic flaw where a symbolic name can be manipulated to point to an unintended object, abusing the name resolution functionality.
388 DEPRECATED: Error Handling N/A N/A Deprecated. See CWE-703. Excluded.
390 Detection of Error Condition Without Action #2/#3 Exploiting Server / Exploiting Client An implementation flaw in error handling where a detected error is ignored, potentially leaving the application in an unstable or insecure state. Can be server-side or client-side.
391 Unchecked Error Condition #2/#3 Exploiting Server / Exploiting Client A specific type of CWE-390, where the code fails to check for an error condition. An implementation flaw on the server or client.
392 Missing Report of Error Condition #2/#3 Exploiting Server / Exploiting Client A specific type of CWE-390, where an error occurs but is not reported, hiding potential issues. An implementation flaw on the server or client.
393 Return of Wrong Status Code #2/#3 Exploiting Server / Exploiting Client An implementation flaw where a function returns a misleading status code, causing the caller to behave incorrectly. Can occur on server or client.
394 Unexpected Status Code or Return Value #2/#3 Exploiting Server / Exploiting Client An implementation flaw where the code does not handle all possible legitimate return values from a function, leading to errors. Can occur on server or client.
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference #2/#3 Exploiting Server / Exploiting Client A poor implementation practice for error handling that can obscure bugs and impact performance. A flaw in either server or client code.
396 Declaration of Catch for Generic Exception #2/#3 Exploiting Server / Exploiting Client A poor implementation practice that can hide the root cause of errors, making the code harder to secure and maintain. A flaw in either server or client code.
397 Declaration of Throws for Generic Exception #2/#3 Exploiting Server / Exploiting Client A poor API design/implementation practice that prevents callers from handling specific errors correctly. Can occur in server or client code.
398 Indicator of Poor Code Quality N/A N/A Excluded. This is a "Category" and not a specific weakness.
399 Resource Management Errors N/A N/A Excluded. This is a high-level "Category." Specific resource management flaws should be used.
400 Uncontrolled Resource Consumption #6 Flooding Attack The core definition of a Flooding Attack. The product allocates resources based on user input without placing limits, leading to resource exhaustion.
401 Missing Release of Memory after Effective Lifetime #6 Flooding Attack A classic memory leak. This is a form of resource consumption where memory is the limited resource being exhausted.
402 Transmission of Private Resources into a New Sphere ('Resource Leak') N/A N/A Excluded. This is a high-level "Class" that describes an information leak consequence, not the root cause.
403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') #1 Abuse of Functions A child process is not supposed to have access to the parent's file descriptors. By not closing them, the parent process's functionality is being abused.
404 Improper Resource Shutdown or Release #6 Flooding Attack A general category for resource leaks. If an attacker can trigger the allocation of a resource that is never released, they can cause resource exhaustion.
405 Asymmetric Resource Consumption (Amplification) #6 Flooding Attack A specific type of flooding attack where a small input from an attacker causes a large amount of resource consumption on the server (e.g., DNS amplification attacks).
406 Insufficient Control of Network Message Volume (Network Amplification) #6 Flooding Attack A specific form of amplification attack where the limited resource being consumed is network bandwidth.
407 Inefficient Algorithmic Complexity #6 Flooding Attack A flaw where an algorithm has a high worst-case complexity that an attacker can trigger with crafted input, consuming excessive CPU resources and causing a denial of service.
408 Incorrect Behavior Order: Early Amplification #1/#6 Abuse of Functions / Flooding Attack This can be **#1** (Abuse of Function) because the logic allows an expensive operation before an inexpensive one like authentication. It's **#6** (Flooding) because the impact is resource consumption.
409 Improper Handling of Highly Compressed Data (Data Amplification) #6 Flooding Attack A classic "decompression bomb" attack. A small, compressed input causes a massive amount of memory or disk space to be consumed, which is a flooding attack.
410 Insufficient Resource Pool #6 Flooding Attack A design flaw where the resource pool is too small for expected load, making it highly susceptible to a flooding attack that exhausts the pool quickly.
412 Unrestricted Externally Accessible Lock #6 Flooding Attack An attacker can acquire and hold a lock indefinitely, preventing legitimate processes from using the locked resource. This is a resource exhaustion (flooding) attack.
413 Improper Resource Locking #2/#3 Exploiting Server / Exploiting Client An implementation flaw in concurrency logic. A race condition caused by improper locking can happen on either the server or the client.
414 Missing Lock Check #2/#3 Exploiting Server / Exploiting Client A specific implementation flaw where code accesses a shared resource without first acquiring a lock. A race condition that can occur on the server or client.
415 Double Free #2/#3 Exploiting Server / Exploiting Client A critical memory corruption implementation flaw that can occur in server-side or client-side code.
416 Use After Free #2/#3 Exploiting Server / Exploiting Client A critical memory corruption implementation flaw that can occur in server-side or client-side code.
419 Unprotected Primary Channel #1 Abuse of Functions The product uses a channel for privileged operations but does not protect it. An attacker abuses the existence of this insecure channel.
420 Unprotected Alternate Channel #1 Abuse of Functions A specific case of CWE-419. An attacker abuses an unprotected alternate channel to bypass controls on the primary channel.
421 Race Condition During Access to Alternate Channel #2 Exploiting Server A TOCTOU race condition where an attacker can access an alternate channel before the legitimate user can, exploiting a flaw in the channel creation/access implementation.
422 Unprotected Windows Messaging Channel ('Shatter') #1 Abuse of Functions An attack that abuses the Windows Messaging system by sending messages to a higher-privilege process that does not validate the message source.
424 Improper Protection of Alternate Path #1 Abuse of Functions A general design weakness where not all paths to a resource are protected equally, allowing an attacker to abuse the weaker path.
425 Direct Request ('Forced Browsing') #1 Abuse of Functions The application's functionality for serving pages is abused by directly requesting a URL that should not be accessible, bypassing intended navigation and authorization checks.
426 Untrusted Search Path #1/#7 Abuse of Functions / Malware This can be **#1** (Abuse of Function) if the code abuses a legitimate search path by including untrusted directories. It's **#7** (Malware) if an attacker places a malicious executable (e.g., a Trojanized DLL) in that path to achieve code execution.
427 Uncontrolled Search Path Element #1/#7 Abuse of Functions / Malware A more specific variant of CWE-426. Abusing the system's search path logic (#1) to load and execute a malicious library or executable (#7).
428 Unquoted Search Path or Element #1/#7 Abuse of Functions / Malware Abusing a flaw in how the OS handles unquoted paths containing spaces (#1) to cause the execution of a malicious file placed in a parent directory (#7).
430 Deployment of Wrong Handler #1 Abuse of Functions A server configuration or logic flaw. The system abuses its own handler-selection logic by choosing the wrong one (e.g., serving JSP source instead of executing it).
431 Missing Handler #2/#3 Exploiting Server / Exploiting Client A flaw in implementation where a required handler (e.g., for an exception or event) is missing, leading to an unhandled state. Can be server-side or client-side.
432 Dangerous Signal Handler not Disabled During Sensitive Operations #2/#3 Exploiting Server / Exploiting Client A race condition where a signal handler can interrupt a sensitive operation. This is a flaw in the implementation of the concurrent code on the server or client.
433 Unparsed Raw Web Content Delivery #2 Exploiting Server A server-side configuration flaw where the server delivers the source code of a file instead of executing it, because no handler is configured for that file type.
434 Unrestricted Upload of File with Dangerous Type #7 Malware The core weakness is allowing an attacker to place a malicious, executable file (malware) onto the server, which can then be executed.
435 Improper Interaction Between Multiple Correctly-Behaving Entities N/A N/A Excluded. This is a Pillar-level abstraction, too broad for direct mapping. It describes the general concept of emergent behaviors.
436 Interpretation Conflict #5 Man in the Middle (MitM) A classic Man-in-the-Middle (MitM) weakness, where an intermediary (like a proxy) and an endpoint parse a request differently, allowing an attacker to smuggle requests through the intermediary.
437 Incomplete Model of Endpoint Features #5 Man in the Middle (MitM) A specific cause for an Interpretation Conflict (CWE-436), where an intermediary's incomplete understanding of an endpoint's behavior allows an attacker to bypass the intermediary's controls. This is a MitM scenario.
439 Behavioral Change in New Version or Environment N/A N/A Excluded. This describes a software engineering and compatibility problem, not a directly exploitable security vulnerability in the TLCTC sense.
440 Expected Behavior Violation N/A N/A Excluded. This is a very high-level category describing general bugs or quality issues where code doesn't meet its specification.
441 Unintended Proxy or Intermediary ('Confused Deputy') #1 Abuse of Functions The product is tricked into acting as a proxy for an attacker. The attacker abuses the product's legitimate functionality to make requests on its behalf, hiding their origin.
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') #5 Man in the Middle (MitM) This is the canonical definition of HTTP Request Smuggling, a Man-in-the-Middle attack that exploits parsing differences between a front-end (proxy) and back-end server.
446 UI Discrepancy for Security Feature #9 Social Engineering The UI misleads the user about the state of a security feature, making them more vulnerable to social engineering or causing them to take unsafe actions based on false information.
447 Unimplemented or Unsupported Feature in UI #9 Social Engineering A specific type of CWE-446, where the UI implies a security feature exists when it does not, deceiving the user.
448 Obsolete Feature in UI #9 Social Engineering A specific type of CWE-446, where the UI presents a feature that no longer works, potentially causing a user to believe they are protected when they are not.
449 The UI Performs the Wrong Action #9 Social Engineering A severe form of UI misrepresentation where the user is deceived into performing an action different from what they intended.
450 Multiple Interpretations of UI Input #9 Social Engineering The UI does not clarify ambiguous user input, potentially selecting a less secure action than the user intended. This is a failure to protect the user from making a mistake.
451 User Interface (UI) Misrepresentation of Critical Information #9 Social Engineering The general category for UI-based deception. This is a social engineering vector that tricks a user into performing an unsafe action or trusting a malicious entity.
453 Insecure Default Variable Initialization #1 Abuse of Functions A flaw where a variable is initialized with an insecure default value. An attacker can abuse this default state to compromise the application.
454 External Initialization of Trusted Variables or Data Stores #1 Abuse of Functions The application's logic improperly trusts an externally-controlled input to initialize a critical variable. This is an abuse of the initialization function.
455 Non-exit on Failed Initialization #2/#3 Exploiting Server / Exploiting Client A flaw in error-handling logic where the program continues to run in an insecure state after initialization fails. Can be a server or client implementation bug.
456 Missing Initialization of a Variable #2/#3 Exploiting Server / Exploiting Client A classic implementation bug where a variable is used before it is initialized. Can occur in server or client code.
457 Use of Uninitialized Variable #2/#3 Exploiting Server / Exploiting Client A specific manifestation of CWE-456. An implementation flaw in server or client code.
459 Incomplete Cleanup #6 Flooding Attack Failure to clean up resources (files, etc.) can lead to resource exhaustion if an attacker can repeatedly trigger the creation of these resources.
460 Improper Cleanup on Thrown Exception #6 Flooding Attack A specific type of resource leak where an exception prevents cleanup code from running, potentially leading to resource exhaustion.
462 Duplicate Key in Associative List (Alist) #2/#3 Exploiting Server / Exploiting Client An implementation flaw in data structure handling that can lead to unpredictable behavior. Can be a bug in server or client code.
463 Deletion of Data Structure Sentinel #2/#3 Exploiting Server / Exploiting Client An implementation flaw that corrupts a data structure by deleting its terminator (e.g., null byte), often leading to over-reads. Can occur on server or client.
464 Addition of Data Structure Sentinel #2/#3 Exploiting Server / Exploiting Client An implementation flaw that corrupts a data structure by adding a premature terminator (e.g., null byte), leading to data truncation or logic errors. Can occur on server or client.
466 Return of Pointer Value Outside of Expected Range #2/#3 Exploiting Server / Exploiting Client An implementation flaw where a function returns a pointer to an invalid memory location. A bug in server or client code.
467 Use of sizeof() on a Pointer Type #2/#3 Exploiting Server / Exploiting Client A common C/C++ implementation mistake that leads to incorrect size calculations and buffer overflows. Can occur in server or client code.
468 Incorrect Pointer Scaling #2/#3 Exploiting Server / Exploiting Client A low-level C/C++ implementation flaw in pointer arithmetic that leads to memory corruption. Can occur in server or client code.
469 Use of Pointer Subtraction to Determine Size #2/#3 Exploiting Server / Exploiting Client A dangerous implementation technique for calculating size that can lead to integer overflows or incorrect results. Can occur in server or client code.
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') #1 Abuse of Functions The code uses reflection to execute a class/method named by the user. An attacker abuses this functionality by providing the name of a class that was not intended to be called.
471 Modification of Assumed-Immutable Data (MAID) #1 Abuse of Functions The application logic assumes certain data (e.g., a hidden form field value) cannot be changed, but an attacker modifies it. This is an abuse of the function that processes that data.
472 External Control of Assumed-Immutable Web Parameter #1 Abuse of Functions A specific case of MAID (CWE-471) applied to web parameters like cookies or hidden fields. The attacker abuses the server-side function that trusts these parameters.
473 PHP External Variable Modification #1 Abuse of Functions A specific PHP weakness (register_globals) where an attacker can abuse the language feature to overwrite internal server variables.
474 Use of Function with Inconsistent Implementations #2/#3 Exploiting Server / Exploiting Client An implementation flaw where the code relies on a function whose behavior differs across platforms, leading to unpredictable results. A bug that could be in server or client code.
475 Undefined Behavior for Input to API #2/#3 Exploiting Server / Exploiting Client An implementation flaw where the code provides input to an API that results in undefined behavior. A bug that could be in server or client code.
476 NULL Pointer Dereference #2/#3 Exploiting Server / Exploiting Client A very common implementation bug that leads to a crash. Can occur in server or client code.
477 Use of Obsolete Function #2/#3 Exploiting Server / Exploiting Client Using a deprecated function is a poor implementation practice that may introduce known vulnerabilities. A flaw in either server or client code.
478 Missing Default Case in Multiple Condition Expression #2/#3 Exploiting Server / Exploiting Client An implementation flaw in a switch statement that can lead to an unexpected state if an unhandled value is received. Can be a server or client bug.
479 Signal Handler Use of a Non-reentrant Function #2/#3 Exploiting Server / Exploiting Client A concurrency implementation flaw. Using a non-reentrant function in a signal handler can lead to memory corruption. This can occur in server or client processes.
480 Use of Incorrect Operator #2/#3 Exploiting Server / Exploiting Client A typo or logic error in the implementation (e.g., using & instead of &&). A bug that could be in server or client code.
481 Assigning instead of Comparing #2/#3 Exploiting Server / Exploiting Client A classic C-style typo (= instead of ==) that alters program logic. An implementation bug on server or client.
482 Comparing instead of Assigning #2/#3 Exploiting Server / Exploiting Client A typo (== instead of =) that prevents a variable from being updated. An implementation bug on server or client.
483 Incorrect Block Delimitation #2/#3 Exploiting Server / Exploiting Client A typo or syntax error (e.g., missing curly braces {}) that alters control flow. An implementation bug on server or client.
484 Omitted Break Statement in Switch #2/#3 Exploiting Server / Exploiting Client A logic flaw where a missing break causes unintended "fall-through" in a switch statement. An implementation bug on server or client.
486 Comparison of Classes by Name #2/#3 Exploiting Server / Exploiting Client A logic flaw in object-oriented code. In languages like Java, comparing class objects by name can be bypassed if an attacker can create a class with the same name in a different namespace. An implementation flaw on server or client.
487 Reliance on Package-level Scope #2 Exploiting Server A server-side Java implementation flaw. Relying on package-private access for security is insufficient because other classes can be added to the same package.
488 Exposure of Data Element to Wrong Session #2 Exploiting Server A server-side concurrency flaw, typically in a multithreaded application server, where one user's data leaks into another user's session due to improper state management (e.g., using static variables).
489 Active Debug Code #1 Abuse of Functions Debug code or a backdoor is intentionally left in the application. An attacker abuses this leftover, legitimate-but-dangerous functionality to compromise the system.
491 Public cloneable() Method Without Final ('Object Hijack') #2/#3 Exploiting Server / Exploiting Client A Java-specific implementation flaw where a class can be cloned without its constructor being called, leading to an improperly initialized object. Can be a server or client flaw.
492 Use of Inner Class Containing Sensitive Data #2 Exploiting Server A Java-specific implementation flaw where private data in an outer class is exposed because of how inner classes are compiled, making it accessible within the same package on the server.
493 Critical Public Variable Without Final Modifier #2/#3 Exploiting Server / Exploiting Client An implementation flaw where a critical variable is not declared final, allowing it to be modified unexpectedly. Can be a flaw in server or client code.
494 Download of Code Without Integrity Check #10 Supply Chain Attack The product downloads and executes code from a remote source but does not verify its integrity. This allows an attacker to compromise the download source (a supply chain attack) to deliver malicious code.
495 Private Data Structure Returned From A Public Method #2/#3 Exploiting Server / Exploiting Client An implementation flaw that breaks encapsulation by returning a reference to a private internal data structure, allowing a caller to modify it. Can occur on server or client.
496 Public Data Assigned to Private Array-Typed Field #2/#3 Exploiting Server / Exploiting Client An implementation flaw that breaks encapsulation by assigning a public array directly to a private field, allowing the public array to be modified externally. Can occur on server or client.
497 Exposure of Sensitive System Information to an Unauthorized Control Sphere #2 Exploiting Server A server-side information leak where internal system details (paths, versions, etc.) are exposed, typically through error messages or debugging output.
498 Cloneable Class Containing Sensitive Information #2/#3 Exploiting Server / Exploiting Client A Java-specific implementation flaw. If a class with sensitive data can be cloned, its data can be accessed without proper controls. Can be a server or client flaw.
499 Serializable Class Containing Sensitive Data #2/#3 Exploiting Server / Exploiting Client A Java-specific implementation flaw. If a class with sensitive data is serializable, its data can be read from the serialized stream. Can be a server or client flaw.
500 Public Static Field Not Marked Final #2/#3 Exploiting Server / Exploiting Client Similar to CWE-493, this implementation flaw allows a critical static field to be modified unexpectedly. Can be a flaw in server or client code.
501 Trust Boundary Violation #1/#2/#3 Abuse of Functions / Exploiting Server / Exploiting Client This is a high-level design weakness. It can be **#1** (abusing a function that crosses a boundary), or it can be the result of a code flaw (#2/#3) that allows data to cross a boundary improperly.
502 Deserialization of Untrusted Data #2/#3 Exploiting Server / Exploiting Client A critical implementation flaw where the product deserializes a data stream from an untrusted source, which can lead to object creation and code execution. Can be a server or client vulnerability.
506 Embedded Malicious Code #7 Malware The product itself *is* or contains malware. The code is designed to perform a malicious action.
507 Trojan Horse #7 Malware A specific type of malware where malicious code is hidden within a seemingly benign application.
508 Non-Replicating Malicious Code #7 Malware A classification of malware based on its propagation behavior (or lack thereof).
509 Replicating Malicious Code (Virus or Worm) #7 Malware A classification of malware based on its propagation behavior.
510 Trapdoor #1 Abuse of Functions A hidden entry point or command deliberately left by a developer that bypasses normal security. An attacker abuses this hidden functionality.
511 Logic/Time Bomb #7 Malware A type of malware that is designed to execute its malicious payload only when a certain logical condition is met or a specific time is reached.
512 Spyware #7 Malware A type of malware specifically designed to collect and exfiltrate sensitive information.
514 Covert Channel #8 Physical Attack A covert channel uses a physical property of the system (e.g., timing, temperature, power usage) that is not intended for communication to leak information, bypassing logical controls.
Read the TLCTC Blog: "Mapping CWE-514 (Covert Channel) to TLCTC"
515 Covert Storage Channel #8 Physical Attack A specific type of covert channel where information is leaked by modifying a shared physical resource (e.g., a file's status bits, cache state).
Read the TLCTC Blog: "Mapping CWE-514 (Covert Channel) to TLCTC"
520 .NET Misconfiguration: Use of Impersonation #1 Abuse of Functions The application is configured to abuse the impersonation feature, potentially running with higher privileges than necessary or intended.
521 Weak Password Requirements #4 Identity Theft A policy flaw in identity management that allows users to set weak, easily guessable passwords.
522 Insufficiently Protected Credentials #4 Identity Theft A general category for weaknesses in how credentials are stored or transmitted.
523 Unprotected Transport of Credentials #5 Man in the Middle (MitM) A specific failure to protect credentials in transit, which enables a Man-in-the-Middle (MitM) attack.
524 Use of Cache Containing Sensitive Information #2 Exploiting Server A server-side flaw where sensitive data is stored in an insecure cache (e.g., a shared, world-readable cache file).
525 Use of Web Browser Cache Containing Sensitive Information #3 Exploiting Client A flaw in a web application's caching headers that causes a client's browser to store sensitive information insecurely on the user's machine.
526 Cleartext Storage of Sensitive Information in an Environment Variable #4 Identity Theft A credential management flaw where secrets are stored in environment variables, which can be read by any subprocesses.
527 Exposure of Version-Control Repository to an Unauthorized Control Sphere #2 Exploiting Server A server configuration flaw where a version control directory (like .git) is deployed to the web root, exposing source code and history.
528 Exposure of Core Dump File to an Unauthorized Control Sphere #2 Exploiting Server A server configuration flaw where core dump files containing sensitive memory are stored in a publicly accessible location.
529 Exposure of Access Control List Files to an Unauthorized Control Sphere #2 Exploiting Server A server configuration flaw where sensitive access control list files are publicly accessible.
530 Exposure of Backup File to an Unauthorized Control Sphere #2 Exploiting Server A server configuration flaw where backup files are stored in a publicly accessible location.
531 Inclusion of Sensitive Information in Test Code N/A N/A Excluded. A development practice issue. It only becomes a vulnerability if the test code is exposed (CWE-489) or the information is otherwise leaked.
532 Insertion of Sensitive Information into Log File #2 Exploiting Server A server-side implementation flaw where sensitive data is written to logs, which may have less stringent access controls than the original data source.
535 Exposure of Information Through Shell Error Message #2 Exploiting Server A server-side information leak where a raw shell error message is displayed to the user.
536 Servlet Runtime Error Message Containing Sensitive Information #2 Exploiting Server A server-side information leak where a Java servlet error message (often with a stack trace) is exposed.
537 Java Runtime Error Message Containing Sensitive Information #2 Exploiting Server A server-side information leak where a generic Java error message is exposed.
538 Insertion of Sensitive Information into Externally-Accessible File or Directory #2 Exploiting Server A server-side implementation flaw where a file containing sensitive information is intentionally created in a publicly accessible location.
539 Use of Persistent Cookies Containing Sensitive Information #4 Identity Theft Storing sensitive, long-lived data in cookies is a flaw in the application's session/identity management design.
540 Inclusion of Sensitive Information in Source Code #4 Identity Theft Hard-coding sensitive information like credentials into source code is a critical credential management flaw.
541 Inclusion of Sensitive Information in an Include File #2 Exploiting Server A specific case of CWE-540, where sensitive data is in a server-side include file that might be exposed if the server is misconfigured to show its source instead of executing it.
543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context #2 Exploiting Server A server-side implementation flaw in a concurrent environment, creating a race condition that can corrupt the state of the singleton object.
544 Missing Standardized Error Handling Mechanism N/A N/A Excluded. A process/code quality issue, not a direct vulnerability.
546 Suspicious Comment N/A N/A Excluded. A code quality indicator (TODO, FIXME) that points to a *potential* weakness, but is not one itself.
547 Use of Hard-coded, Security-relevant Constants #1 Abuse of Functions A design flaw. If a security constant (e.g., max password length) is hard-coded instead of configurable, it can't be updated, and an attacker can abuse this inflexibility.
548 Exposure of Information Through Directory Listing #2 Exploiting Server A server configuration weakness that allows directory contents to be listed, leaking information about the application's structure.
549 Missing Password Field Masking #3 Exploiting Client A client-side UI implementation flaw that exposes a password to shoulder-surfing attacks.
551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization #1 Abuse of Functions A logic flaw where the authorization check is performed on non-canonical data, allowing it to be bypassed. This is an abuse of the authorization function's reliance on canonical input.
552 Files or Directories Accessible to External Parties #2 Exploiting Server A server configuration/permissions flaw that exposes files to unauthorized actors.
553 Command Shell in Externally Accessible Directory #7 Malware A file (.sh, .bat) that allows command execution is placed in a web-accessible directory. This is a form of malware deployment.
554 ASP.NET Misconfiguration: Use of Identity Impersonation #1 Abuse of Functions A configuration flaw. By enabling impersonation, the application's functions are given permissions they might not otherwise need, which can be abused by an attacker who finds another vulnerability.
555 J2EE Misconfiguration: Plaintext Password in Configuration File #4 Identity Theft Storing a password in plaintext is a critical flaw in credential protection and management.
556 ASP.NET Misconfiguration: Use of Identity Impersonation #1 Abuse of Functions A configuration flaw that abuses the intended identity and access management functionality, potentially granting unnecessary privileges.
558 Use of getlogin() in Multithreaded Application #2/#3 Exploiting Server / Exploiting Client A flaw in the implementation of a concurrent application. The function is non-reentrant and can lead to race conditions. This is a coding bug that could exist on either the server (#2) or client (#3).
560 Use of umask() with chmod-style Argument #1 Abuse of Functions A logic flaw where the programmer misunderstands and thus misuses the umask() function, leading to incorrect (often overly permissive) file permissions. This is an abuse of the file creation functionality.
561 Dead Code N/A N/A This is a code quality/maintainability issue. Since the code is unreachable, it cannot be directly exploited. Excluded.
562 Return of Stack Variable Address #2/#3 Exploiting Server / Exploiting Client A critical implementation flaw in memory management. It can occur in either server-side or client-side code, leading to memory corruption or information leaks.
563 Assignment to Variable without Use N/A N/A This is a code quality/maintainability issue (a "dead store"). While it might indicate a logic bug, it is not a directly exploitable vulnerability itself. Excluded.
564 SQL Injection: Hibernate #2 Exploiting Server A specific variant of SQL Injection. This is a flaw in server-side code that improperly constructs a query using the Hibernate framework.
565 Reliance on Cookies without Validation and Integrity Checking #1/#4 Abuse of Functions / Identity Theft This can be **#1 (Abuse of Function)** if the cookie controls application logic (e.g., user preferences that affect behavior). It is **#4 (Identity Theft)** if the cookie is a session token or contains authentication/authorization information.
566 Authorization Bypass Through User-Controlled SQL Primary Key #2 Exploiting Server A server-side flaw where the application constructs a SQL query using a user-controllable primary key without proper authorization checks, leading to data access violations. This is a type of SQL injection.
567 Unsynchronized Access to Shared Data in a Multithreaded Context #2/#3 Exploiting Server / Exploiting Client An implementation flaw related to concurrency (a race condition). This can occur in server-side (#2) or client-side (#3) code.
568 finalize() Method Without super.finalize() #2/#3 Exploiting Server / Exploiting Client A Java-specific implementation flaw in object cleanup logic. This could lead to resource leaks or incomplete object destruction, representing a bug in either server or client code.
570 Expression is Always False N/A N/A This is a code quality/maintainability issue. It indicates dead code or a logic bug, but is not directly exploitable itself. Excluded.
571 Expression is Always True #1 Abuse of Functions This is a logic flaw. A condition that is always true can lead to the bypass of security checks or other controls, which is an abuse of the intended program flow.
572 Call to Thread run() instead of start() #2/#3 Exploiting Server / Exploiting Client An implementation flaw in concurrent programming. It causes the code to execute in the wrong thread, which can lead to blocking or other logic errors. A bug that can be in server or client code.
574 EJB Bad Practices: Use of Synchronization Primitives #2 Exploiting Server This is a server-side EJB implementation that violates the framework's specification by using thread synchronization, potentially causing instability or race conditions.
575 EJB Bad Practices: Use of AWT Swing #2 Exploiting Server This is a server-side EJB implementation that violates the framework's specification by attempting to use GUI libraries, which is forbidden and can lead to undefined behavior on a server.
576 EJB Bad Practices: Use of Java I/O #2 Exploiting Server This is a server-side EJB implementation that violates the framework's specification by directly accessing the filesystem instead of using resource manager APIs.
577 EJB Bad Practices: Use of Sockets #2 Exploiting Server This is a server-side EJB implementation that violates the framework's specification by acting as a network server, which can interfere with the container's operation.
578 EJB Bad Practices: Use of Class Loader #2 Exploiting Server This is a server-side EJB implementation that violates the framework's specification by using functions reserved for the container, potentially compromising security.
579 J2EE Bad Practices: Non-serializable Object Stored in Session #2/#6 Exploiting Server / Flooding Attack A server-side implementation flaw (**#2**) that can lead to a denial of service under heavy load (making it a **#6** vector) because the container cannot replicate the session.
580 clone() Method Without super.clone() #2/#3 Exploiting Server / Exploiting Client A Java-specific implementation flaw that violates the object cloning contract, potentially returning an object of the wrong type. A bug in either server or client code.
581 Object Model Violation: Just One of Equals and Hashcode Defined #2/#3 Exploiting Server / Exploiting Client A Java-specific implementation flaw that violates the contract for equality and hashing, leading to incorrect behavior in collections. A bug in either server or client code.
582 Array Declared Public, Final, and Static #2/#3 Exploiting Server / Exploiting Client An implementation flaw that breaks encapsulation. It can be exploited by other code running on the same platform, which could be a server-side component (#2) or a client-side component (#3), depending on the context.
583 finalize() Method Declared Public #1 Abuse of Functions Declaring finalize() as public allows it to be called by any code, abusing the intended garbage collection mechanism. This can lead to unexpected object states.
584 Return Inside Finally Block #2/#3 Exploiting Server / Exploiting Client An implementation flaw in error handling. It can suppress exceptions that should have been propagated. A bug that can be in server or client code.
585 Empty Synchronized Block N/A N/A A code quality issue. It does not provide any synchronization and likely indicates a logic error or leftover code, but is not directly exploitable. Excluded.
586 Explicit Call to Finalize() #1 Abuse of Functions Abuse of the garbage collection mechanism by explicitly calling finalize(), which can lead to an object being finalized multiple times and result in an unpredictable state.
587 Assignment of a Fixed Address to a Pointer #2/#3 Exploiting Server / Exploiting Client A low-level implementation flaw that makes code non-portable and potentially insecure if the hardcoded address is invalid or points to sensitive data. A bug in server or client code.
588 Attempt to Access Child of a Non-structure Pointer #2/#3 Exploiting Server / Exploiting Client A low-level implementation flaw (improper type casting) that leads to memory corruption. A bug in server or client code.
589 Call to Non-ubiquitous API #2/#3 Exploiting Server / Exploiting Client Using an API that is not available on all target platforms is a portability and implementation flaw that can lead to unexpected failures on certain systems.
590 Free of Memory not on the Heap #2/#3 Exploiting Server / Exploiting Client A critical memory management implementation flaw (e.g., freeing a stack variable) that leads to memory corruption. A bug in server or client code.
591 Sensitive Data Storage in Improperly Locked Memory #2/#3 Exploiting Server / Exploiting Client An implementation flaw where sensitive data is not locked in memory, allowing it to be swapped to disk. This can be a flaw in either server or client code that handles secrets.
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created #5 Man in the Middle (MitM) This is a flaw in the handling of the cryptographic context (CTX) which can weaken the SSL/TLS channel, making it susceptible to bypass and MitM attacks. The core issue is channel security.
594 J2EE Framework: Saving Unserializable Objects to Disk #2/#6 Exploiting Server / Flooding Attack This is a server-side implementation flaw (**#2**) that can lead to a denial of service under heavy load (making it a **#6** vector) because the container cannot persist the session state.
595 Comparison of Object References Instead of Object Contents #2/#3 Exploiting Server / Exploiting Client A common implementation logic error (e.g., using == instead of .equals() in Java) that leads to incorrect comparisons. A bug that can be in server or client code.
597 Use of Wrong Operator in String Comparison #2/#3 Exploiting Server / Exploiting Client A specific variant of CWE-595. A common implementation logic error. A bug that can be in server or client code.
598 Use of GET Request Method With Sensitive Query Strings #2 Exploiting Server A server-side design flaw. The server's functionality exposes sensitive data (like session IDs) in the URL, which can be logged by proxies, saved in browser history, or shared easily, weakening the protection of that data.
599 Missing Validation of OpenSSL Certificate #2/#3 Exploiting Server / Exploiting Client A specific implementation flaw in certificate validation. Can be on the server validating a client cert (#2) or a client validating a server cert (#3).
600 Uncaught Exception in Servlet #2 Exploiting Server An uncaught exception in a server-side component (servlet) leads to the container sending a default error response, which often contains sensitive debugging information. This is a server-side information leak.
601 URL Redirection to Untrusted Site ('Open Redirect') #1 Abuse of Functions An attacker abuses the legitimate redirect functionality by providing a URL to a malicious site. The redirect function itself is working as designed, but its parameters are controlled by the attacker.
603 Use of Client-Side Authentication #3 Exploiting Client A fundamental design flaw where authentication logic resides on the client. An attacker can simply modify or bypass the client-side code to bypass authentication entirely. The weakness is in the client's implementation.
605 Multiple Binds to the Same Port #1 Abuse of Functions This abuses the socket API's functionality (specifically the SO_REUSEADDR option) to allow a malicious service to hijack traffic intended for a legitimate service on the same port.
606 Unchecked Input for Loop Condition #6 Flooding Attack An attacker provides input that causes a loop to execute for an excessive number of iterations, consuming CPU or memory resources and leading to a denial of service. This is a form of flooding attack.
607 Public Static Final Field References Mutable Object #2/#3 Exploiting Server / Exploiting Client A Java-specific implementation flaw that breaks immutability, allowing a shared object to be modified unexpectedly. A bug that can exist in server or client code.
608 Struts: Non-private Field in ActionForm Class #1 Abuse of Functions This is a design flaw that violates encapsulation, abusing the intended object-oriented design of the Struts framework by allowing direct, uncontrolled access to form fields.
609 Double-Checked Locking #2/#3 Exploiting Server / Exploiting Client An implementation flaw in concurrent programming. This pattern is broken on many platforms and can lead to race conditions. A bug that can exist in server or client code.
611 Improper Restriction of XML External Entity Reference #2/#3 Exploiting Server / Exploiting Client A flaw in how an XML parser is configured or invoked. This is typically a server-side flaw (#2) when processing an XML-based request, but can also be a client-side flaw (#3) if a client application parses a malicious XML document.
612 Improper Authorization of Index Containing Sensitive Information #1 Abuse of Functions The search functionality is abused to reveal sensitive information from an index that is not properly access-controlled, even if the source documents are.
613 Insufficient Session Expiration #4 Identity Theft A weakness in the session management policy. Long-lived sessions increase the window of opportunity for an attacker to use a stolen session token.
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute #4 Identity Theft A configuration flaw in session management. Without the 'Secure' flag, a cookie can be transmitted over unencrypted HTTP, making it vulnerable to interception (#5 MitM) and enabling session hijacking (#4). The root weakness is in credential (session token) protection.
615 Inclusion of Sensitive Information in Source Code Comments N/A N/A A development practice issue. It is not directly exploitable unless the source code itself is exposed, which would be a separate vulnerability (e.g., CWE-552). Excluded.
616 Incomplete Identification of Uploaded File Variables (PHP) #1 Abuse of Functions This abuses a legacy PHP feature where global variables could be overwritten by user input, allowing an attacker to manipulate file upload parameters and abuse the file handling functionality.
617 Reachable Assertion #6 Flooding Attack An assertion that can be triggered by an attacker leads to program termination. This is a denial-of-service vector, which is a type of Flooding Attack.
618 Exposed Unsafe ActiveX Method #1 Abuse of Functions The weakness is that a dangerous function is exposed for use. An attacker abuses this exposed function, which may be working as designed, to perform unauthorized actions.
619 Dangling Database Cursor ('Cursor Injection') #2/#6 Exploiting Server / Flooding Attack This is primarily a server-side resource management flaw (**#2**). If an attacker can repeatedly cause cursors to become dangling, it can lead to resource exhaustion and denial of service (**#6**).
620 Unverified Password Change #1 Abuse of Functions The function for changing a password does not require proper authentication (e.g., the old password). An attacker abuses this flawed function to take over an account.
621 Variable Extraction Error #1 Abuse of Functions A PHP-specific weakness where a function like extract() is abused with user-controlled input, allowing an attacker to overwrite arbitrary variables in the current scope.
622 Improper Validation of Function Hook Arguments #2/#3 Exploiting Server / Exploiting Client This is a flaw in the implementation of a hook handler. The vulnerable code can reside on the server or the client, depending on what is being hooked.
623 Unsafe ActiveX Control Marked Safe For Scripting #1 Abuse of Functions This is a configuration flaw. The control itself may be unsafe, but marking it 'Safe For Scripting' is an abuse of the security model that allows it to be used in dangerous ways.
624 Executable Regular Expression Error #2 Exploiting Server This is a server-side flaw (typically in languages like PHP) where user input can introduce executable code into a regular expression, leading to command execution on the server.
625 Permissive Regular Expression #1 Abuse of Functions The validation logic is flawed due to a permissive regex. An attacker abuses this flawed validation to submit data that should have been rejected.
626 Null Byte Interaction Error (Poison Null Byte) #2/#3 Exploiting Server / Exploiting Client A flaw in how data is handled between different components (e.g., a script and a native library). This is an implementation bug that can occur on either the server or client side.
627 Dynamic Variable Evaluation #1 Abuse of Functions This abuses a language feature that allows variable names to be determined at runtime, enabling an attacker to read or write unintended variables by controlling the input.
628 Function Call with Incorrectly Specified Arguments #2/#3 Exploiting Server / Exploiting Client A general implementation bug where a function is called incorrectly. This can occur in either server or client code.
639 Authorization Bypass Through User-Controlled Key #1 Abuse of Functions An attacker abuses the data retrieval function by providing a key (e.g., a user ID in a URL) for a record they are not authorized to see. The access control logic is missing or flawed, allowing the function to be misused.
641 Improper Restriction of Names for Files and Other Resources #1/#2 Abuse of Functions / Exploiting Server Can be **#1** if an attacker provides a "valid" but malicious name that abuses the system's naming conventions (e.g., a script name that will be executed). Can be **#2** if the name causes a parsing flaw in a downstream component.
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection') #2 Exploiting Server A server-side implementation flaw where user input is not sanitized before being included in an XPath query, allowing manipulation of the query.
644 Improper Neutralization of HTTP Headers for Scripting Syntax #2 Exploiting Server A server-side flaw where the server fails to sanitize data placed into an HTTP response header, which can be executed by certain browser components (like Flash), leading to XSS.
645 Overly Restrictive Account Lockout Mechanism #1 Abuse of Functions An attacker abuses the legitimate account lockout functionality by intentionally triggering it for a victim's account, causing a denial of service for that user.
646 Reliance on File Name or Extension of Externally-Supplied File #1 Abuse of Functions The system's logic for processing files is abused by providing a file with a misleading name or extension (e.g., `image.jpg.php`), causing it to be handled by the wrong, often dangerous, processor.
648 Incorrect Use of Privileged APIs #1/#2 Abuse of Functions / Exploiting Server Can be **#1** if the API is used in a way that is technically allowed but insecure (abusing its design). Can be **#2** if the API is used incorrectly due to a bug in the calling code.
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking #1 Abuse of Functions This is an abuse of the application's logic which relies on client-side parameters for security decisions, assuming they can't be tampered with just because they are obfuscated.
650 Trusting HTTP Permission Methods on the Server Side #1 Abuse of Functions A server-side design flaw. It abuses the HTTP protocol by incorrectly implementing state-changing operations within GET requests, which are intended to be safe and idempotent.
651 Exposure of WSDL File Containing Sensitive Information #2 Exploiting Server The server is configured to expose a WSDL file containing sensitive information about internal methods or deprecated services, which is a server-side information leak.
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') #2 Exploiting Server A server-side implementation flaw where user input is not sanitized before being included in an XQuery expression, allowing manipulation of the query.
653 Improper Isolation or Compartmentalization #1 Abuse of Functions A high-level design flaw. An attacker who compromises a low-privilege component can abuse its lack of isolation to affect a high-privilege component. The "function" being abused is the communication channel between components.
654 Reliance on a Single Factor in a Security Decision #4 Identity Theft This is fundamentally a weakness in the design of an authentication or authorization process, making it less resilient. It falls under weaknesses related to identity and access management.
663 Use of a Non-reentrant Function in a Concurrent Context #2/#3 Exploiting Server / Exploiting Client An implementation flaw in concurrent code (race condition). Can exist on either server or client.
676 Use of Potentially Dangerous Function #2/#3 Exploiting Server / Exploiting Client An implementation choice to use a function (like `strcpy`) that is prone to misuse. While not inherently a vulnerability, its use is a coding weakness that can easily lead to a flaw in either server or client code.
681 Incorrect Conversion between Numeric Types #2/#3 Exploiting Server / Exploiting Client An implementation flaw related to data types and casting that can lead to unexpected values and logic errors. A bug in either server or client code.
683 Function Call With Incorrect Order of Arguments #2/#3 Exploiting Server / Exploiting Client A basic implementation error. This bug can occur in server-side or client-side code, leading to unpredictable behavior.
685 Function Call With Incorrect Number of Arguments #2/#3 Exploiting Server / Exploiting Client A basic implementation error. This bug can occur in server-side or client-side code, leading to unpredictable behavior or crashes.
686 Function Call With Incorrect Argument Type #2/#3 Exploiting Server / Exploiting Client A basic implementation error, especially in loosely-typed languages. This bug can occur in server-side or client-side code.
687 Function Call With Incorrectly Specified Argument Value #2/#3 Exploiting Server / Exploiting Client A logic error in the implementation where a function is called with a wrong, but type-correct, value. A bug that can exist on server or client.
688 Function Call With Incorrect Variable or Reference as Argument #2/#3 Exploiting Server / Exploiting Client A logic error in the implementation where the wrong variable is passed to a function. A bug that can exist on server or client.
689 Permission Race Condition During Resource Copy #2 Exploiting Server This is a server-side race condition where a resource is accessible with incorrect permissions for a short time during its creation/copy process.
693 Protection Mechanism Failure N/A N/A Excluded. This is a high-level category describing a consequence or state, not a specific root-cause weakness. A protection mechanism fails *because* of another weakness.
694 Use of Multiple Resources with Duplicate Identifier #1 Abuse of Functions The system's logic assumes unique identifiers. An attacker abuses this by creating duplicate identifiers, causing the system to operate on the wrong resource.
695 Use of Low-Level Functionality #2/#3 Exploiting Server / Exploiting Client Using prohibited low-level functions is an implementation flaw that violates a framework's security model. This can occur on either the server or client.
698 Execution After Redirect (EAR) #2 Exploiting Server This is a server-side logic flaw where the server code continues to execute after sending a redirect header, potentially performing actions that should have been prevented by the redirect.
703 Improper Check or Handling of Exceptional Conditions N/A N/A A very high-level category describing a class of implementation errors. Specific children should be used for mapping (e.g., CWE-248, CWE-390). Excluded.
704 Incorrect Type Conversion or Cast #2/#3 Exploiting Server / Exploiting Client A fundamental implementation flaw that can lead to type confusion (CWE-843) or other logic errors. A bug in server or client code.
706 Use of Incorrectly-Resolved Name or Reference #1/#2 Abuse of Functions / Exploiting Server Can be **#1** if an attacker provides a name that is resolved in an unexpected but legitimate way (e.g., DNS resolution). Can be **#2** if there's a bug in the code that performs the name resolution.
707 Improper Neutralization N/A N/A A high-level category describing a failure to sanitize input. Specific children should be used for mapping (e.g., CWE-79, CWE-89). Excluded.
708 Incorrect Ownership Assignment #1 Abuse of Functions A flaw in the application's logic for assigning ownership, which can be abused to give an attacker control over a resource they shouldn't own.
732 Incorrect Permission Assignment for Critical Resource #1 Abuse of Functions A configuration or design flaw where a resource has overly permissive access rights. An attacker abuses these permissions to perform unauthorized actions.
733 Compiler Optimization Removal or Modification of Security-critical Code #2/#3 Exploiting Server / Exploiting Client Similar to CWE-14, this is a subtle implementation flaw where compiler behavior undermines explicit security code. This can affect both server and client applications.
749 Exposed Dangerous Method or Function #1 Abuse of Functions A function with dangerous capabilities is exposed to unauthorized users. An attacker directly abuses this exposed function to compromise the system.
754 Improper Check for Unusual or Exceptional Conditions #2/#3 Exploiting Server / Exploiting Client An implementation flaw where the code does not handle edge cases or errors, leading to crashes or unexpected behavior. A bug that can be in server or client code.
755 Improper Handling of Exceptional Conditions #2/#3 Exploiting Server / Exploiting Client An implementation flaw in error/exception handling logic. A bug that can be in server or client code.
756 Missing Custom Error Page #2 Exploiting Server A server configuration flaw. Failure to use custom error pages can lead to the server exposing sensitive system information in default error messages.
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') #5 Man in the Middle (MitM) An attacker on the communication channel forces the client and server to negotiate a weaker cryptographic algorithm, which the attacker can then break. This is a classic MitM attack on protocol negotiation.
759 Use of a One-Way Hash without a Salt #4 Identity Theft A weakness in the password storage mechanism. The lack of a salt makes the stored hashes vulnerable to pre-computed attacks like rainbow tables, directly compromising credential security.
760 Use of a One-Way Hash with a Predictable Salt #4 Identity Theft A weakness in the password storage mechanism. A predictable salt provides no meaningful protection against pre-computation attacks, thus weakening credential security.
761 Free of Pointer not at Start of Buffer #2/#3 Exploiting Server / Exploiting Client A memory corruption flaw resulting from incorrect pointer arithmetic before a free(). This is an implementation bug that can occur in server or client code.
762 Mismatched Memory Management Routines #2/#3 Exploiting Server / Exploiting Client An implementation flaw where memory allocated with one routine (e.g., malloc) is freed with another (e.g., delete). This can lead to memory corruption on either the server or client.
763 Release of Invalid Pointer or Reference #2/#3 Exploiting Server / Exploiting Client A general memory management flaw where an invalid pointer is passed to a release function. This can occur on server or client.
764 Multiple Locks of a Critical Resource #6 Flooding Attack Repeatedly locking a resource can exhaust the available locks or lead to deadlock, causing a denial of service. This is a resource exhaustion attack.
765 Multiple Unlocks of a Critical Resource #2/#3 Exploiting Server / Exploiting Client Unlocking a resource that is not locked can corrupt memory management structures or cause unpredictable behavior. This is an implementation flaw on the server or client.
766 Critical Data Element Declared Public #2/#3 Exploiting Server / Exploiting Client An implementation flaw that breaks encapsulation by making a critical variable public, allowing it to be modified unexpectedly. A bug that can be in server or client code.
767 Access to Critical Private Variable via Public Method #1 Abuse of Functions The public method itself is a legitimate function, but it is being abused to access or modify a private variable, violating the principle of encapsulation.
768 Incorrect Short Circuit Evaluation #2/#3 Exploiting Server / Exploiting Client A logic error in the implementation due to misunderstanding operator precedence and short-circuiting, leading to unexpected behavior. A bug in either server or client code.
770 Allocation of Resources Without Limits or Throttling #6 Flooding Attack The core definition of a resource exhaustion vulnerability. An attacker makes many requests that consume a resource (e.g., memory, connections) until none are left, causing a denial of service.
771 Missing Reference to Active Allocated Resource #6 Flooding Attack This is a specific cause of a memory leak. By losing the reference, the resource cannot be freed, which can be exploited to cause resource exhaustion.
772 Missing Release of Resource after Effective Lifetime #6 Flooding Attack A specific cause of resource exhaustion (a resource leak). An attacker can repeatedly trigger the allocation of a resource that is never released, leading to a denial of service.
773 Missing Reference to Active File Descriptor or Handle #6 Flooding Attack A specific type of resource leak where file descriptors are lost, leading to resource exhaustion.
774 Allocation of File Descriptors or Handles Without Limits or Throttling #6 Flooding Attack A specific type of resource exhaustion targeting the system's pool of file descriptors.
775 Missing Release of File Descriptor or Handle after Effective Lifetime #6 Flooding Attack A resource leak targeting file descriptors, leading to resource exhaustion.
776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') #6 Flooding Attack The "Billion Laughs" attack. An attacker provides a small XML input that, when parsed, expands exponentially to consume massive amounts of memory or CPU, causing a denial of service. A form of flooding attack.
777 Regular Expression without Anchors #1/#2 Abuse of Functions / Exploiting Server This is **#1** if it's a flaw in the validation logic being abused. It can be considered **#2** because the permissive regex is an implementation flaw on the server that allows malicious input to bypass checks.
778 Insufficient Logging N/A N/A This describes a failure of detective controls, which hinders forensics but is not a direct threat vector that leads to an initial compromise. Excluded.
779 Logging of Excessive Data N/A N/A This is a control weakness that can hinder detection and forensics. It does not represent a direct threat vector for initial compromise. Excluded.
780 Use of RSA Algorithm without OAEP #4/#5 Identity Theft / Man in the Middle (MitM) Using weak encryption can be a **#4** flaw if it fails to protect stored credentials, or a **#5** flaw if it fails to protect a communication channel from MitM attacks.
781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code #2 Exploiting Server This is a flaw in a privileged component (the driver, acting as a server) that fails to validate input from a less-privileged client (user-mode application), leading to memory corruption. This is a classic server-side exploit.
782 Exposed IOCTL with Insufficient Access Control #1 Abuse of Functions The IOCTL provides a legitimate, though dangerous, function. The weakness is the failure to properly restrict access, allowing an attacker to abuse this exposed functionality.
783 Operator Precedence Logic Error #2/#3 Exploiting Server / Exploiting Client A fundamental implementation logic error that can occur in either server-side (#2) or client-side (#3) code, leading to unexpected behavior.
784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision #1/#4 Abuse of Functions / Identity Theft Can be **#1** if the cookie controls application logic that is being abused. It is **#4** if the cookie contains session or identity tokens that are being hijacked.
785 Use of Path Manipulation Function without Maximum-sized Buffer #2/#3 Exploiting Server / Exploiting Client This is a specific cause of a buffer overflow, which is a flaw in the implementation. It can occur in either server-side (#2) or client-side (#3) code.
787 Out-of-bounds Write #2/#3 Exploiting Server / Exploiting Client A critical memory corruption implementation flaw that can occur in server-side or client-side code, leading to crashes or code execution. Context is required.
789 Memory Allocation with Excessive Size Value #6 Flooding Attack An attacker provides a large size value to a memory allocation function, causing the system to try to allocate an enormous amount of memory, leading to resource exhaustion and denial of service.
798 Use of Hard-coded Credentials #4 Identity Theft A critical flaw in credential management. The credentials are part of the application itself and are the same for all instances, making them easily discoverable and usable by an attacker.
804 Guessable CAPTCHA #1 Abuse of Functions The CAPTCHA mechanism is a legitimate function designed to prevent automation. A guessable CAPTCHA represents a design flaw in this function that allows it to be abused by automated bots.
805 Buffer Access with Incorrect Length Value #2/#3 Exploiting Server / Exploiting Client An implementation flaw where an incorrect length leads to an out-of-bounds access. A bug that can occur in server or client code.
806 Buffer Access Using Size of Source Buffer #2/#3 Exploiting Server / Exploiting Client A common implementation error leading to a buffer overflow when the source buffer is larger than the destination. A bug that can occur in server or client code.
807 Reliance on Untrusted Inputs in a Security Decision #1/#4 Abuse of Functions / Identity Theft This can be **#1** if the input controls business logic (abusing the function). It is **#4** if the input is an identity or session token that is being manipulated.
820 Missing Synchronization #2/#3 Exploiting Server / Exploiting Client A fundamental concurrency flaw (race condition) in implementation. Can occur in either server-side or client-side code.
821 Incorrect Synchronization #2/#3 Exploiting Server / Exploiting Client A fundamental concurrency flaw (race condition) in implementation where synchronization exists but is flawed. Can occur in either server-side or client-side code.
822 Untrusted Pointer Dereference #2/#3 Exploiting Server / Exploiting Client An implementation flaw where the code dereferences a pointer controlled by an untrusted source. Can occur on server or client, leading to memory corruption.
823 Use of Out-of-range Pointer Offset #2/#3 Exploiting Server / Exploiting Client An implementation flaw in pointer arithmetic leading to out-of-bounds access. Can occur on server or client.
824 Access of Uninitialized Pointer #2/#3 Exploiting Server / Exploiting Client A low-level implementation bug where a pointer is used before being initialized. Can lead to crashes or unpredictable behavior in server or client code.
825 Expired Pointer Dereference #2/#3 Exploiting Server / Exploiting Client A synonym for Use After Free (CWE-416). A critical memory corruption flaw in either server or client code.
826 Premature Release of Resource During Expected Lifetime #2/#3 Exploiting Server / Exploiting Client A logic flaw in resource management that can lead to a Use After Free condition. This bug can occur in server or client code.
827 Improper Control of Document Type Definition #2 Exploiting Server Allowing an attacker to control the DTD can lead to XML External Entity (XXE) attacks, which is a classic server-side parsing exploit.
828 Signal Handler with Functionality that is not Asynchronous-Safe #2/#3 Exploiting Server / Exploiting Client A specific type of concurrency flaw (race condition) related to signal handling. Can occur in either server or client processes.
829 Inclusion of Functionality from Untrusted Control Sphere #10/#2/#3 Supply Chain / Exploiting Server / Client This is a broad weakness. It is often a **#10 Supply Chain Attack** (e.g., including a malicious library). It could also be **#2** (server-side includes) or **#3** (client-side script inclusion) if the untrusted functionality is pulled from a remote source at runtime.
830 Inclusion of Web Functionality from an Untrusted Source #3 Exploiting Client This describes loading remote scripts (e.g., JavaScript widgets) that execute in the client's browser with the origin's privileges, making it an exploit vector against the client.
831 Signal Handler Function Associated with Multiple Signals #2/#3 Exploiting Server / Exploiting Client A concurrency flaw where re-entering a signal handler can lead to race conditions. This bug can exist in server or client processes.
832 Unlock of a Resource that is not Locked #2/#3 Exploiting Server / Exploiting Client An implementation bug in synchronization logic that can corrupt internal state. This can occur in server or client code.
833 Deadlock #6 Flooding Attack A deadlock causes processes or threads to hang indefinitely, consuming resources and denying service to legitimate users. This is a resource exhaustion/flooding attack.
835 Loop with Unreachable Exit Condition ('Infinite Loop') #6 Flooding Attack An infinite loop consumes 100% of a CPU core, denying that resource to other processes. This is a denial of service, which falls under flooding attacks.
836 Use of Password Hash Instead of Password for Authentication #4 Identity Theft A design flaw in the authentication protocol. By accepting the hash directly, the hash itself becomes the credential, making it vulnerable to theft and replay. This is an identity management weakness.
837 Improper Enforcement of a Single, Unique Action #1 Abuse of Functions The application logic for performing an action (e.g., voting) is flawed because it doesn't prevent repeated execution. An attacker abuses this logical flaw.
838 Inappropriate Encoding for Output Context #2/#3 Exploiting Server / Exploiting Client This can be **#2** when the server sends data with the wrong encoding, leading to injection (e.g., XSS). It is **#3** because the client misinterprets the data, but the root cause is the server's output.
839 Numeric Range Comparison Without Minimum Check #2/#3 Exploiting Server / Exploiting Client A flaw in validation logic where assuming a number is positive can lead to vulnerabilities like overflows if a negative number is supplied. A bug in either server or client code.
841 Improper Enforcement of Behavioral Workflow #1 Abuse of Functions The application's business logic expects a certain sequence of actions. An attacker abuses the system by calling these functions out of order, potentially bypassing checks or achieving an unintended state.
842 Placement of User into Incorrect Group #1 Abuse of Functions This is a flaw in the user management function, which can be abused to grant a user unintended privileges by placing them in the wrong access group.
843 Access of Resource Using Incompatible Type ('Type Confusion') #2/#3 Exploiting Server / Exploiting Client A low-level implementation flaw where memory is accessed with the wrong data type, leading to memory corruption. A bug that can exist in server or client code.
862 Missing Authorization #1 Abuse of Functions A function that should be protected by an authorization check is not. An attacker directly calls this function, abusing the lack of access control to perform a privileged action.
863 Incorrect Authorization #1 Abuse of Functions A function has an authorization check, but the logic is flawed (e.g., checking for the wrong role). An attacker abuses this flawed check to perform a privileged action.
908 Use of Uninitialized Resource #2/#3 Exploiting Server / Exploiting Client A general implementation bug where a resource is used before initialization. This can occur in server or client code and lead to unpredictable behavior.
910 Use of Expired File Descriptor #2/#3 Exploiting Server / Exploiting Client This is a type of Use After Free, but specific to file descriptors. It's an implementation flaw in server or client code.
911 Improper Update of Reference Count #2/#3 Exploiting Server / Exploiting Client A flaw in manual memory or resource management that can lead to Use After Free or resource leaks. An implementation bug in server or client code.
914 Improper Control of Dynamically-Identified Variables #1 Abuse of Functions Abuse of a language feature that allows variable names to be determined at runtime. An attacker provides a variable name that was not intended, manipulating program logic.
915 Improperly Controlled Modification of Dynamically-Determined Object Attributes #1 Abuse of Functions Often called Mass Assignment, this abuses a function that automatically assigns user-provided data to object properties, allowing an attacker to overwrite security-sensitive attributes.
916 Use of Password Hash With Insufficient Computational Effort #4 Identity Theft Using a fast hash for passwords is a credential management flaw. It makes offline brute-force attacks much easier, weakening the protection of stored credentials.
917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') #2 Exploiting Server A server-side flaw where user input is not sanitized before being evaluated by an expression language engine (e.g., in a JSP), leading to code execution on the server.
918 Server-Side Request Forgery (SSRF) #1 Abuse of Functions An attacker abuses a server-side function that is designed to fetch resources from a URL. By providing a URL to an internal or otherwise restricted resource, the attacker tricks the server into making a request on their behalf.
920 Improper Restriction of Power Consumption #6 Flooding Attack This describes an attack that intentionally drains a limited resource (battery power), which is a form of denial of service or resource exhaustion attack.
921 Storage of Sensitive Data in a Mechanism without Access Control #2 Exploiting Server This is a server-side (or system-level) flaw. The weakness is in choosing to store sensitive data in a location (like an SD card on Android) that lacks granular access controls by design.
922 Insecure Storage of Sensitive Information #4 Identity Theft A general category for weaknesses related to storing sensitive data, most critically credentials, without proper protection (e.g., strong encryption). This directly impacts credential security.
924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel #5 Man in the Middle (MitM) The core weakness that enables a Man-in-the-Middle attack. The channel lacks integrity protection, allowing an attacker to modify messages in transit without detection.
925 Improper Verification of Intent by Broadcast Receiver #1 Abuse of Functions An Android-specific flaw. An application abuses the Intent system by accepting an intent without verifying its origin, allowing a malicious app to trigger its functionality.
926 Improper Export of Android Application Components #1 Abuse of Functions A design flaw where an application component is exported without proper restrictions, allowing any other application to abuse its functionality.
927 Use of Implicit Intent for Sensitive Communication #1 Abuse of Functions An Android-specific flaw. The application abuses the Intent system by sending sensitive data via an implicit (broadcast) intent, which can be intercepted by any listening application. The sending function is misused.
939 Improper Authorization in Handler for Custom URL Scheme N/A N/A This is better described by its more fundamental components. It's an **#1 Abuse of Functions** (invoking the custom URL handler) combined with a **CWE-862 Missing Authorization**. Mapping to the more granular CWEs is preferred.
940 Improper Verification of Source of a Communication Channel #4/#5 Identity Theft / Man in the Middle (MitM) This can be **#4** if it leads to impersonation (a failure to authenticate the source). It can be **#5** if an attacker on the channel can spoof the source to an intermediary.
941 Incorrectly Specified Destination in a Communication Channel #2/#3 Exploiting Server / Exploiting Client This is an implementation flaw where the wrong destination is specified. It could be server code sending to the wrong place (#2) or client code doing so (#3).
942 Permissive Cross-domain Policy with Untrusted Domains #1 Abuse of Functions A configuration flaw where a cross-domain policy is too permissive. An attacker abuses this legitimate but misconfigured policy to make unauthorized requests.
943 Improper Neutralization of Special Elements in Data Query Logic N/A N/A A high-level category for injection flaws. Specific children like CWE-89 (SQLi) or CWE-643 (XPathi) should be used. Excluded.
1004 Sensitive Cookie Without 'HttpOnly' Flag #4 Identity Theft The lack of the HttpOnly flag makes a session cookie (a credential) accessible to client-side scripts, typically via XSS. This directly weakens the protection of the credential, making it vulnerable to theft (session hijacking).
1007 Insufficient Visual Distinction of Homoglyphs Presented to User #9 Social Engineering This weakness exploits human perception by using visually similar characters to deceive a user, often to trick them into visiting a phishing site. This is a direct application of social engineering.
1021 Improper Restriction of Rendered UI Layers or Frames #9 Social Engineering Commonly known as "Clickjacking," this attack tricks a user into clicking on something different from what they perceive, thereby performing an unintended action. This is a form of user deception and manipulation, which falls under Social Engineering.
1022 Use of Web Link to Untrusted Target with window.opener Access #9 Social Engineering Known as "tabnabbing," this attack manipulates the user's original tab to redirect to a malicious site without their knowledge, typically for phishing. The core of the attack is deceiving the user.
1024 Comparison of Incompatible Types #2/#3 Exploiting Server / Exploiting Client This is a fundamental implementation flaw in code logic. It can occur in either server-side or client-side code, leading to unexpected behavior or bypasses that can be exploited. Context is needed to determine the specific cluster.
1025 Comparison Using Wrong Factors #2/#3 Exploiting Server / Exploiting Client This is a fundamental coding bug, such as comparing object references instead of their content. This implementation flaw can exist in either server-side or client-side code.
1037 Processor Optimization Removal or Modification of Security-critical Code #8 Physical Attack This weakness stems from the physical behavior of the hardware (the processor), not a flaw in the software's logic. Exploiting microarchitectural behaviors is a form of physical-layer attack.
1045 Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor #2/#3 Exploiting Server / Exploiting Client This is a low-level implementation flaw in object-oriented C++ code that can lead to memory leaks or undefined behavior. It is a coding error that can exist on either the server or client.
1046 Creation of Immutable Text Using String Concatenation #6 Flooding Attack This describes an inefficient coding pattern that, when triggered by an attacker with crafted input, can consume excessive CPU and memory resources, leading to a denial of service.
1049 Excessive Data Query Operations in a Large Data Table #6 Flooding Attack An attacker can craft queries that exploit this inefficiency to consume excessive database server resources, leading to a denial of service. This is a resource exhaustion attack.
1050 Excessive Platform Resource Consumption within a Loop #6 Flooding Attack An attacker provides input that causes a loop to consume excessive platform resources (e.g., messaging, sessions, locks), leading to a resource exhaustion denial of service.
1104 Use of Unmaintained Third Party Components #10 Supply Chain Attack This is the core definition of a supply chain risk. The product relies on a third-party component that is no longer maintained, which means any discovered vulnerabilities will remain unpatched.
1173 Improper Use of Validation Framework #1 Abuse of Functions This weakness describes the incorrect or incomplete use of a legitimate, provided feature (a validation framework). This is an abuse of the framework's intended security function by omission or misconfiguration.
1174 ASP.NET Misconfiguration: Improper Model Validation #1 Abuse of Functions This is a specific instance of CWE-1173. The model validation framework is a legitimate feature that is being used improperly, thus abusing its intended function.
1188 Initialization of a Resource with an Insecure Default #1 Abuse of Functions The product ships with a default configuration that is insecure. An attacker abuses this legitimate (but insecure) default state to compromise the system. The functionality is working as designed.
1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC) #8 Physical Attack This is a hardware design flaw on a System-on-a-Chip. The vulnerability exists at the hardware layer, making it a physical-layer weakness.
1190 DMA Device Enabled Too Early in Boot Phase #8 Physical Attack This vulnerability exploits the timing of hardware initialization during the boot process, allowing a DMA-capable device to compromise system security. This is a hardware/physical layer attack.
1191 On-Chip Debug and Test Interface With Improper Access Control #8 Physical Attack This describes improper access control on a physical debug interface like JTAG, which requires physical access to exploit.
1193 Power-On of Untrusted Execution Core Before Enabling Fabric Access Control #8 Physical Attack This is a hardware boot sequence flaw where an untrusted hardware component is activated before security controls are in place, making it a physical-layer vulnerability.
1204 Generation of Weak Initialization Vector (IV) #4/#5 Identity Theft / Man in the Middle (MitM) A weak IV can break cryptographic protections. If used for transport security (e.g., TLS), it enables a MitM attack (#5). If used for encrypting session tokens or credentials, it enables their compromise (#4).
1236 Improper Neutralization of Formula Elements in a CSV File #2 Exploiting Server The vulnerability lies in the server-side code that fails to sanitize data before embedding it into a CSV file. While the execution happens on the client (spreadsheet program), the root-cause flaw is the server's improper output generation.
1240 Use of a Cryptographic Primitive with a Risky Implementation #4/#5 Identity Theft / Man in the Middle (MitM) Using a flawed crypto implementation is a weakness in a protection mechanism. If it protects credentials at rest, its failure enables Identity Theft (#4). If it protects data in transit, its failure enables a Man-in-the-Middle attack (#5).
1241 Use of Predictable Algorithm in Random Number Generator #4/#5 Identity Theft / Man in the Middle (MitM) A weak PRNG compromises whatever it is used for. If it generates session IDs or password reset tokens, it enables Identity Theft (#4). If it generates keys for transport encryption, it enables a Man-in-the-Middle attack (#5).
1259 Improper Restriction of Security Token Assignment #4/#8 Identity Theft / Physical Attack This describes spoofing an agent's identity at the hardware level (#4). Because the vulnerability is in the hardware implementation (SoC), it has a physical component (#8), but the core threat is impersonation.
1275 Sensitive Cookie with Improper SameSite Attribute #1 Abuse of Functions The `SameSite` attribute is a control against Cross-Site Request Forgery (CSRF). A CSRF attack abuses the legitimate, authenticated session of a user. An improper SameSite configuration enables this abuse of function.
1284 Improper Validation of Specified Quantity in Input #2/#3 Exploiting Server / Exploiting Client This is a general input validation failure related to quantities (size, length). It is a fundamental implementation flaw that can lead to buffer overflows or resource exhaustion on either the server or client.
1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') #2/#3 Exploiting Server / Exploiting Client This is an injection attack against the object model of a language. It can occur in server-side (e.g., Node.js) or client-side (browser) JavaScript, making it a flaw in the implementation of either.
1336 Improper Neutralization of Special Elements Used in a Template Engine #2/#3 Exploiting Server / Exploiting Client Template injection is a code injection vulnerability that can occur on the server (SSTI) or the client (CSTI). The flaw is in how the application code constructs and renders the template with user input.
1385 Missing Origin Validation in WebSockets #1 Abuse of Functions This enables Cross-Site WebSocket Hijacking (CSWSH), which is a variant of CSRF. The attack abuses a legitimate, established WebSocket connection. The server-side function is being misused by a request from an unauthorized origin.
1386 Insecure Operation on Windows Junction / Mount Point #1/#2 Abuse of Functions / Exploiting Server This is a form of link following. It can be an abuse of legitimate junction functionality to trick a privileged program (#1), or it can exploit a race condition (TOCTOU) in file access logic (#2).
1389 Incorrect Parsing of Numbers with Different Radices #1 Abuse of Functions The application's logic is flawed because it misunderstands the behavior of an underlying parsing function (e.g., `inet_addr` treating a leading '0' as octal). An attacker abuses this discrepancy between intended logic and actual function behavior.
1392 Use of Default Credentials #4 Identity Theft Using default, publicly known credentials is a critical failure in the credential management process, enabling trivial identity compromise.
1393 Use of Default Password #4 Identity Theft A specific and common instance of using default credentials, representing a flaw in the identity and access management process.
1394 Use of Default Cryptographic Key #4 Identity Theft Using a default key for authentication or encryption of secrets is a critical credential management flaw, as the key is effectively a shared, public credential.
1427 Improper Neutralization of Input Used for LLM Prompting #1 Abuse of Functions "Prompt Injection" abuses the legitimate function of a Large Language Model (LLM), which is to follow instructions. The attacker provides crafted input that subverts the intended system-level instructions, making the LLM perform an unauthorized action.

Distribution Analysis

The following data represents the relative frequency of each threat cluster as observed in our comprehensive study. The numbers indicate the prevalence index of each threat cluster in security incidents and implementations:

TLCTC ID Threat Cluster Prevalence Index Visualization
TLCTC-01.00 Abuse of Functions 104 ########################################################################################################
TLCTC-02.00 Exploiting Server 304 ############################################################################################################################################################################################################################################################################################################
TLCTC-03.00 Exploiting Client 228 ####################################################################################################################################################################################################################################
TLCTC-04.00 Identity Theft 67 ###################################################################
TLCTC-05.00 Man in the Middle 32 ################################
TLCTC-06.00 Flooding Attack 29 #############################
TLCTC-07.00 Malware 11 ###########
TLCTC-08.00 Physical Attack 8 ########
TLCTC-09.00 Social Engineering 8 ########
TLCTC-10.00 Supply Chain Attack 2 ##