xutil.dev
CWE Search

Search and browse the Common Weakness Enumeration (CWE) database by ID, name, or keyword. A software security weakness pattern search tool that pairs with the CVE search.

Categories: All, Injection, Authentication, Authorization, Cryptography, File Handling, Memory Safety, Information Disclosure, Input Validation, Web Security, Configuration, Deserialization, Race Conditions, Denial of Service

Showing 50 of 50 entries
| CWE ID | Name | Description | Category | Severity |
|---|---|---|---|---|
| CWE-79 | Cross-site Scripting (XSS) | Improper Neutralization of Input During Web Page Generation | Injection | High |
| CWE-89 | SQL Injection | Improper Neutralization of Special Elements used in an SQL Command | Injection | Critical |
| CWE-78 | OS Command Injection | Improper Neutralization of Special Elements used in an OS Command | Injection | Critical |
| CWE-77 | Command Injection | Improper Neutralization of Special Elements used in a Command | Injection | Critical |
| CWE-94 | Code Injection | Improper Control of Generation of Code | Injection | Critical |
| CWE-90 | LDAP Injection | Improper Neutralization of Special Elements used in an LDAP Query | Injection | High |
| CWE-91 | XML Injection | Improper Neutralization of Special Elements used in XML | Injection | High |
| CWE-917 | Expression Language Injection | Improper Neutralization of Special Elements used in an Expression Language Statement | Injection | Critical |
| CWE-287 | Improper Authentication | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct | Authentication | Critical |
| CWE-306 | Missing Authentication for Critical Function | The product does not perform any authentication for functionality that requires a provable user identity | Authentication | Critical |
| CWE-798 | Hard-coded Credentials | The product contains hard-coded credentials for authentication or cryptographic operations | Authentication | Critical |
| CWE-384 | Session Fixation | Authenticating a user without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions | Authentication | High |
| CWE-613 | Insufficient Session Expiration | The product does not sufficiently expire sessions, allowing attackers to reuse old session credentials | Authentication | Medium |
| CWE-862 | Missing Authorization | The product does not perform an authorization check when an actor attempts to access a resource or perform an action | Authorization | Critical |
| CWE-863 | Incorrect Authorization | The product performs an authorization check when an actor attempts to access a resource but does not correctly perform the check | Authorization | High |
| CWE-269 | Improper Privilege Management | The product does not properly assign, modify, track, or check privileges for an actor | Authorization | High |
| CWE-639 | Insecure Direct Object Reference (IDOR) | The system's authorization functionality does not prevent one user from gaining access to another user's data by modifying the key value | Authorization | High |
| CWE-327 | Use of Broken Crypto Algorithm | The product uses a broken or risky cryptographic algorithm or protocol | Cryptography | High |
| CWE-328 | Use of Weak Hash | The product uses an algorithm that produces a digest that does not meet security expectations | Cryptography | High |
| CWE-330 | Insufficient Randomness | The product uses insufficiently random numbers or values in a security context | Cryptography | High |
| CWE-916 | Weak Password Hashing | The product generates a hash for a password but uses a scheme that does not provide sufficient computational effort | Cryptography | High |
| CWE-311 | Missing Encryption of Sensitive Data | The product does not encrypt sensitive or critical information before storage or transmission | Cryptography | High |
| CWE-22 | Path Traversal | Improper Limitation of a Pathname to a Restricted Directory | File Handling | High |
| CWE-434 | Unrestricted File Upload | The product allows the upload of dangerous file types that can be automatically processed | File Handling | High |
| CWE-73 | External Control of File Name or Path | The product allows user input to control file names or paths used in filesystem operations | File Handling | High |
| CWE-119 | Buffer Overflow | The product performs operations on a memory buffer without proper bounds checking | Memory Safety | Critical |
| CWE-120 | Classic Buffer Overflow | The program copies an input buffer to an output buffer without verifying that the size is within bounds | Memory Safety | Critical |
| CWE-125 | Out-of-bounds Read | The product reads data past the end of the intended buffer | Memory Safety | High |
| CWE-416 | Use After Free | Referencing memory after it has been freed can cause a program to crash or execute arbitrary code | Memory Safety | Critical |
| CWE-476 | NULL Pointer Dereference | A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid but is NULL | Memory Safety | Medium |
| CWE-190 | Integer Overflow | The product performs a calculation that can produce an integer overflow or wraparound | Memory Safety | High |
| CWE-200 | Information Exposure | The product exposes sensitive information to an actor that is not explicitly authorized to have access | Information Disclosure | Medium |
| CWE-209 | Error Message Information Leak | The product generates an error message that includes sensitive information | Information Disclosure | Medium |
| CWE-532 | Information Leak Through Log Files | Information written to log files can be of a sensitive nature and valuable to attackers | Information Disclosure | Medium |
| CWE-20 | Improper Input Validation | The product receives input but does not validate or incorrectly validates that input | Input Validation | High |
| CWE-1321 | Prototype Pollution | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object but does not properly control modifications of object prototype attributes | Input Validation | High |
| CWE-352 | Cross-Site Request Forgery (CSRF) | The product does not verify that a request was intentionally made by the user who submitted it | Web Security | High |
| CWE-601 | Open Redirect | A web application accepts user-controlled input that specifies a link to an external site for redirect | Web Security | Medium |
| CWE-918 | Server-Side Request Forgery (SSRF) | The product makes a request to a user-supplied URL without sufficiently ensuring it is a safe destination | Web Security | High |
| CWE-346 | Origin Validation Error | The product does not properly verify that the source of data or communication is valid | Web Security | High |
| CWE-1275 | Cookie Without Secure Flag | The Secure attribute for sensitive cookies is not set, which could cause the user agent to send those cookies in plaintext over HTTP | Web Security | Medium |
| CWE-16 | Configuration | Weaknesses in this category are typically introduced during the configuration of the software | Configuration | Medium |
| CWE-732 | Incorrect Permission Assignment | The product specifies permissions that allow more access than required | Configuration | High |
| CWE-1188 | Insecure Default Initialization | The product initializes or sets a resource with a default that is intended to be changed but is not secure | Configuration | Medium |
| CWE-502 | Deserialization of Untrusted Data | The product deserializes untrusted data without sufficiently verifying that the resulting data is valid | Deserialization | Critical |
| CWE-362 | Race Condition | The product contains a code sequence that can run concurrently with other code and requires temporary exclusive access to a shared resource | Race Conditions | Medium |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) | The product checks the state of a resource before using it but the resource state can change between the check and use | Race Conditions | Medium |
| CWE-400 | Uncontrolled Resource Consumption | The product does not properly control the allocation and maintenance of a limited resource, allowing resource exhaustion | Denial of Service | Medium |
| CWE-770 | Allocation Without Limits | The product allocates a reusable resource without imposing any limit on the size or number of resources | Denial of Service | Medium |
| CWE-1333 | ReDoS | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles | Denial of Service | High |