CWE Common Weakness Reference Table


CWE Common Weakness Reference Table Entries
CWE-1 : Location
CWE-113 : Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CWE-116 : Improper Encoding or Escaping of Output
CWE-118 : Improper Access of Indexable Resource ('Range Error')
CWE-119 : Buffer Errors
CWE-123 : Write-what-where Condition
CWE-125 : Out-of-bounds Read
CWE-129 : Improper Validation of Array Index
CWE-134 : Format String Vulnerability
CWE-137 : Representation Errors
CWE-16 : Configuration
CWE-17 : Code
CWE-171 : Cleansing, Canonicalization, and Comparison Errors
CWE-172 : Encoding Error
CWE-18 : Source Code
CWE-184 : Incomplete Blacklist
CWE-185 : Incorrect Regular Expression
CWE-189 : Numeric Errors
CWE-19 : Data Handling
CWE-190 : Integer Overflow or Wraparound
CWE-191 : Integer Underflow (Wrap or Wraparound)
CWE-199 : Information Management Errors
CWE-2 : Environment
CWE-20 : Input Validation
CWE-200 : Information Leak / Disclosure
CWE-21 : Path Equivalence
CWE-216 : Containment Errors (Container Errors)
CWE-22 : Path Traversal
CWE-220 : Sensitive Data Under FTP Root
CWE-254 : Security Features
CWE-255 : Credentials Management
CWE-264 : Permissions, Privileges, and Access Control
CWE-275 : Permission Issues
CWE-284 : Improper Access Control
CWE-285 : Improper Authorization
CWE-287 : Authentication Issues
CWE-295 : Improper Certificate Validation
CWE-297 : Improper Validation of Certificate with Host Mismatch
CWE-306 : Missing Authentication for Critical Function
CWE-310 : Cryptographic Issues
CWE-320 : Key Management Errors
CWE-326 : Inadequate Encryption Strength
CWE-327 : Use of a Broken or Risky Cryptographic Algorithm
CWE-330 : Use of Insufficiently Random Values
CWE-331 : Insufficient Entropy
CWE-332 : Insufficient Entropy in PRNG
CWE-338 : Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-345 : Insufficient Verification of Data Authenticity
CWE-346 : Origin Validation Error
CWE-347 : Improper Verification of Cryptographic Signature
CWE-352 : Cross-Site Request Forgery (CSRF)
CWE-358 : Improperly Implemented Security Check for Standard
CWE-361 : Time and State
CWE-362 : Race Conditions
CWE-369 : Divide By Zero
CWE-371 : State Issues
CWE-384 : Session Fixation
CWE-388 : Error Handling
CWE-398 : Indicator of Poor Code Quality
CWE-399 : Resource Management Errors
CWE-400 : Uncontrolled Resource Consumption ('Resource Exhaustion')
CWE-404 : Improper Resource Shutdown or Release
CWE-405 : Asymmetric Resource Consumption (Amplification)
CWE-407 : Algorithmic Complexity
CWE-415 : Double Free
CWE-416 : Use After Free
CWE-417 : Channel and Path Errors
CWE-426 : Untrusted Search Path
CWE-427 : Uncontrolled Search Path Element
CWE-428 : Unquoted Search Path or Element
CWE-434 : Unrestricted Upload of File with Dangerous Type
CWE-435 : Interaction Error
CWE-436 : Interpretation Conflict
CWE-441 : Unintended Proxy or Intermediary ('Confused Deputy')
CWE-444 : Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CWE-471 : Modification of Assumed-Immutable Data (MAID)
CWE-472 : External Control of Assumed-Immutable Web Parameter
CWE-476 : NULL Pointer Dereference
CWE-485 : Insufficient Encapsulation
CWE-502 : Deserialization of Untrusted Data
CWE-532 : Information Exposure Through Log Files
CWE-534 : Information Exposure Through Debug Log Files
CWE-538 : File and Directory Information Exposure
CWE-552 : Files or Directories Accessible to External Parties
CWE-59 : Link Following
CWE-601 : URL Redirection to Untrusted Site ('Open Redirect')
CWE-610 : Externally Controlled Reference to a Resource in Another Sphere
CWE-611 : Improper Restriction of XML External Entity Reference ('XXE')
CWE-613 : Insufficient Session Expiration
CWE-640 : Weak Password Recovery Mechanism for Forgotten Password
CWE-642 : External Control of Critical State Data
CWE-664 : Improper Control of a Resource Through its Lifetime
CWE-665 : Improper Initialization
CWE-668 : Exposure of Resource to Wrong Sphere
CWE-669 : Incorrect Resource Transfer Between Spheres
CWE-682 : Incorrect Calculation
CWE-693 : Protection Mechanism Failure
CWE-694 : Use of Multiple Resources with Duplicate Identifier
CWE-704 : Incorrect Type Conversion or Cast
CWE-707 : Improper Enforcement of Message or Data Structure
CWE-74 : Injection
CWE-749 : Exposed Dangerous Method or Function
CWE-754 : Improper Check for Unusual or Exceptional Conditions
CWE-769 : File Descriptor Exhaustion
CWE-77 : Command Injection
CWE-774 : Allocation of File Descriptors or Handles Without Limits or Throttling
CWE-775 : Missing Release of File Descriptor or Handle after Effective Lifetime
CWE-78 : OS Command Injections
CWE-787 : Out-of-bounds Write
CWE-79 : Cross Site Scripting
CWE-79 : Cross-Site Scripting (XSS)
CWE-798 : Use of Hard-coded Credentials
CWE-824 : Access of Uninitialized Pointer
CWE-88 : Argument Injection or Modification
CWE-89 : SQL Injection
CWE-90 : Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CWE-91 : XML Injection (aka Blind XPath Injection)
CWE-913 : Improper Control of Dynamically-Managed Code Resources
CWE-918 : Server-Side Request Forgery (SSRF)
CWE-93 : Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-94 : Code Injection
CWE-943 : Improper Neutralization of Special Elements in Data Query Logic
CWE-99 : Improper Control of Resource Identifiers ('Resource Injection')