{"metadata": {"count": 969, "page": 1, "per_page": 100}, "data": [{"@ID": "95", "@Name": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. \"eval\").", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "94", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['If possible, refactor your code so that it does not need to use eval() at all.']"}, {"@Mitigation_ID": "MIT-5", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\"]"}, {"@Mitigation_ID": null, "Description": "[\"Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.\", 'Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.']"}, {"@Mitigation_ID": null, "Description": "['For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "940", "@Name": "Improper Verification of Source of a Communication Channel", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "923", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "346", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using an Adversary-in-the-Middle (AITM) attack.', 'When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "94", "@Name": "Improper Control of Generation of Code ('Code Injection')", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "74", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "74", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "913", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Refactor your program so that you do not have to dynamically generate code.']"}, {"@Mitigation_ID": null, "Description": "['Run your code in a \"jail\" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.', 'Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.', 'This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.', 'Be careful to avoid CWE-243 and other weaknesses related to jails.']"}, {"@Mitigation_ID": "MIT-5", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\", 'To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().']"}, {"@Mitigation_ID": null, "Description": "[\"Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.\"]"}, {"@Mitigation_ID": "MIT-32", "Description": "['Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl\\'s \"-T\" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).']"}, {"@Mitigation_ID": "MIT-32", "Description": "['Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl\\'s \"-T\" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).']"}, {"@Mitigation_ID": null, "Description": "['For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "925", "@Name": "Improper Verification of Intent by Broadcast Receiver", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "940", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Before acting on the Intent, check the Intent Action to make sure it matches the expected System action.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "918", "@Name": "Server-Side Request Forgery (SSRF)", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "441", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "610", "@View_ID": "1003", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": null}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "91", "@Name": "XML Injection (aka Blind XPath Injection)", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "74", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "74", "@View_ID": "1003", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-5", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\"]"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "88", "@Name": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product constructs a string for a command to be executed by a separate component\nin another control sphere, but it does not properly delimit the\nintended arguments, options, or switches within that command string.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "77", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "74", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "77", "@View_ID": "1305", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "77", "@View_ID": "1340", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Where possible, avoid building a single string that contains the command and its arguments.  Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command.  For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or exec() can be called with an array of arguments.  In C, code can often be refactored from using system() - which accepts a single string - to using exec(), which requires separate function arguments for each parameter.']"}, {"@Mitigation_ID": null, "Description": "['Understand all the potential areas where untrusted inputs can enter your product: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.']"}, {"@Mitigation_ID": "MIT-5", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\"]"}, {"@Mitigation_ID": null, "Description": "[\"Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained.\"]"}, {"@Mitigation_ID": null, "Description": "[\"Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.\", 'Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.']"}, {"@Mitigation_ID": null, "Description": "['When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.']"}, {"@Mitigation_ID": null, "Description": "['When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.']"}, {"@Mitigation_ID": null, "Description": "[\"Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.\"]"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "862", "@Name": "Missing Authorization", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product does not perform an authorization check when an actor attempts to access a resource or perform an action.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "285", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "284", "@View_ID": "1340", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.', 'Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.']"}, {"@Mitigation_ID": null, "Description": "[\"Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].\"]"}, {"@Mitigation_ID": "MIT-4.4", "Description": "['Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.', 'For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].']"}, {"@Mitigation_ID": null, "Description": "['For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.', 'One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.']"}, {"@Mitigation_ID": null, "Description": "['Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a \"default deny\" policy when defining these ACLs.']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "835", "@Name": "Loop with Unreachable Exit Condition ('Infinite Loop')", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "834", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "834", "@View_ID": "1003", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": null}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "79", "@Name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Stable", "Description": "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "74", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "74", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "494", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "PeerOf", "@CWE_ID": "352", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-4", "Description": "['Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].', \"Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.\"]"}, {"@Mitigation_ID": null, "Description": "['Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.', 'For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.', 'Parts of the same output document may require different encodings, which will vary depending on whether the output is in the:', 'etc. Note that HTML Entity Encoding is only appropriate for the HTML body.', 'Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.', 'HTML body', 'Element attributes (such as src=\"XYZ\")', 'URIs', 'JavaScript sections', 'Cascading Style Sheets and style property']"}, {"@Mitigation_ID": "MIT-6", "Description": "['Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.']"}, {"@Mitigation_ID": "MIT-15", "Description": "['For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.']"}, {"@Mitigation_ID": "MIT-27", "Description": "['If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.']"}, {"@Mitigation_ID": "MIT-30.1", "Description": "['Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.', 'The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.']"}, {"@Mitigation_ID": "MIT-43", "Description": "[\"With Struts, write all data from form beans with the bean's filter attribute set to true.\"]"}, {"@Mitigation_ID": "MIT-31", "Description": "[\"To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.\"]"}, {"@Mitigation_ID": "MIT-5", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\", 'When dynamically constructing web pages, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.', 'Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon (\"<3\") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the \"<\" character, which would need to be escaped or otherwise handled. In this case, stripping the \"<\" might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities.', 'Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.', 'Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.']"}, {"@Mitigation_ID": "MIT-21", "Description": "['When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.']"}, {"@Mitigation_ID": "MIT-29", "Description": "['Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].']"}, {"@Mitigation_ID": "MIT-16", "Description": "['When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "789", "@Name": "Memory Allocation with Excessive Size Value", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "770", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "476", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.']"}, {"@Mitigation_ID": null, "Description": "['Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "787", "@Name": "Out-of-bounds Write", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product writes data past the end, or before the beginning, of the intended buffer.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "119", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "119", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "119", "@View_ID": "1305", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "119", "@View_ID": "1340", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-3", "Description": "['Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.', 'For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.', \"Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.\"]"}, {"@Mitigation_ID": "MIT-4.1", "Description": "['Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.', 'Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.']"}, {"@Mitigation_ID": "MIT-10", "Description": "['Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.', 'D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.']"}, {"@Mitigation_ID": "MIT-9", "Description": "[\"Consider adhering to the following rules when allocating and managing an application's memory:\", 'Double check that the buffer is as large as specified.', 'When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.', 'Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.', 'If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.']"}, {"@Mitigation_ID": "MIT-11", "Description": "[\"Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.\", 'Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as \"rebasing\" (for Windows) and \"prelinking\" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.', 'For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].']"}, {"@Mitigation_ID": "MIT-12", "Description": "['Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.', 'For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].']"}, {"@Mitigation_ID": "MIT-13", "Description": "['Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "78", "@Name": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Stable", "Description": "The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "77", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "74", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "77", "@View_ID": "1305", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "77", "@View_ID": "1340", "@Ordinal": "Primary"}, {"@Nature": "CanAlsoBe", "@CWE_ID": "88", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['If at all possible, use library calls rather than external processes to recreate the desired functionality.']"}, {"@Mitigation_ID": "MIT-22", "Description": "['Run the code in a \"jail\" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.', 'OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.', 'This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.', 'Be careful to avoid CWE-243 and other weaknesses related to jails.']"}, {"@Mitigation_ID": null, "Description": "[\"For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field.\"]"}, {"@Mitigation_ID": "MIT-15", "Description": "['For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.']"}, {"@Mitigation_ID": "MIT-4.3", "Description": "['Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.', 'For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.']"}, {"@Mitigation_ID": "MIT-28", "Description": "['While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).']"}, {"@Mitigation_ID": null, "Description": "['If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.']"}, {"@Mitigation_ID": "MIT-27", "Description": "['If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.', 'Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.']"}, {"@Mitigation_ID": "MIT-5", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\", 'When constructing OS command strings, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping.', 'Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like \";\" and \">\" characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components.', 'Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.']"}, {"@Mitigation_ID": "MIT-21", "Description": "['When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.']"}, {"@Mitigation_ID": "MIT-32", "Description": "['Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl\\'s \"-T\" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).']"}, {"@Mitigation_ID": "MIT-32", "Description": "['Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl\\'s \"-T\" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).']"}, {"@Mitigation_ID": "MIT-39", "Description": "['Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.', 'If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.', 'Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.', 'In the context of OS Command Injection, error information passed back to the user might reveal whether an OS command is being executed and possibly which command is being used.']"}, {"@Mitigation_ID": null, "Description": "['Use runtime policy enforcement to create an allowlist of allowable commands, then prevent use of any command that does not appear in the allowlist. Technologies such as AppArmor are available to do this.']"}, {"@Mitigation_ID": "MIT-29", "Description": "['Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].']"}, {"@Mitigation_ID": "MIT-17", "Description": "['Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.']"}, {"@Mitigation_ID": "MIT-16", "Description": "['When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "77", "@Name": "Improper Neutralization of Special Elements used in a Command ('Command Injection')", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "74", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "74", "@View_ID": "1003", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['If at all possible, use library calls rather than external processes to recreate the desired functionality.']"}, {"@Mitigation_ID": null, "Description": "['If possible, ensure that all external commands called from the program are statically created.']"}, {"@Mitigation_ID": "MIT-5", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\"]"}, {"@Mitigation_ID": null, "Description": "['Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.']"}, {"@Mitigation_ID": null, "Description": "['Assign permissions that prevent the user from accessing/opening privileged files.']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "763", "@Name": "Release of Invalid Pointer or Reference", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "404", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "404", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "404", "@View_ID": "1340", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free().']"}, {"@Mitigation_ID": null, "Description": "['When programming in C++, consider using smart pointers provided by the boost library to help correctly and consistently manage memory.']"}, {"@Mitigation_ID": "MIT-4.6", "Description": "['Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.', 'For example, glibc in Linux provides protection against free of invalid pointers.']"}, {"@Mitigation_ID": null, "Description": "['Use a language that provides abstractions for memory allocation and deallocation.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "762", "@Name": "Mismatched Memory Management Routines", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "763", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "404", "@View_ID": "1340", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free().']"}, {"@Mitigation_ID": "MIT-41", "Description": "['Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.', 'For example, glibc in Linux provides protection against free of invalid pointers.', 'When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].', 'To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.']"}, {"@Mitigation_ID": "MIT-4.6", "Description": "['Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.', 'For example, glibc in Linux provides protection against free of invalid pointers.']"}, {"@Mitigation_ID": null, "Description": "['Use a language that provides abstractions for memory allocation and deallocation.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "761", "@Name": "Free of Pointer not at Start of Buffer", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "763", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "404", "@View_ID": "1340", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['When utilizing pointer arithmetic to traverse a buffer, use a separate variable to track progress through memory and preserve the originally allocated address for later freeing.']"}, {"@Mitigation_ID": null, "Description": "['When programming in C++, consider using smart pointers provided by the boost library to help correctly and consistently manage memory.']"}, {"@Mitigation_ID": "MIT-4.6", "Description": "['Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.', 'For example, glibc in Linux provides protection against free of invalid pointers.']"}, {"@Mitigation_ID": null, "Description": "['Use a language that provides abstractions for memory allocation and deallocation.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "756", "@Name": "Missing Custom Error Page", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product does not return custom error pages to the user, possibly exposing sensitive information.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "755", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "209", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": null}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "75", "@Name": "Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not adequately filter user-controlled input for special elements with control implications.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "74", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Programming languages and supporting technologies might be chosen which are not subject to these issues.']"}, {"@Mitigation_ID": null, "Description": "['Utilize an appropriate mix of allowlist and denylist parsing to filter special element syntax from all input.']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "74", "@Name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "707", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Programming languages and supporting technologies might be chosen which are not subject to these issues.']"}, {"@Mitigation_ID": null, "Description": "['Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "693", "@Name": "Protection Mechanism Failure", "@Abstraction": "Pillar", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.", "Related_Weaknesses": {"Related_Weakness": null}, "Potential_Mitigations": {"Mitigation": null}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "682", "@Name": "Incorrect Calculation", "@Abstraction": "Pillar", "@Structure": "Simple", "@Status": "Draft", "Description": "The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "CanPrecede", "@CWE_ID": "170", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Understand your programming language\\'s underlying representation and how it interacts with numeric calculation. Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, \"not-a-number\" calculations, and how your language handles numbers that are too large or too small for its underlying representation.']"}, {"@Mitigation_ID": "MIT-8", "Description": "['Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.']"}, {"@Mitigation_ID": null, "Description": "['Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity.']"}, {"@Mitigation_ID": null, "Description": "['Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.', 'Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).']"}, {"@Mitigation_ID": null, "Description": "['Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.', 'Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).']"}, {"@Mitigation_ID": "MIT-26", "Description": "['Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "676", "@Name": "Use of Potentially Dangerous Function", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1177", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-58", "Description": "['Identify a list of prohibited API functions and prohibit developers from using these functions, providing safer alternatives. In some cases, automatic code analysis tools or the compiler can be instructed to spot use of prohibited functions, such as the \"banned.h\" include file from Microsoft\\'s SDL. [REF-554] [REF-1009] [REF-7]']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "674", "@Name": "Uncontrolled Recursion", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not properly control the amount of recursion that takes place,  consuming excessive resources, such as allocated memory or the program stack.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "834", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Ensure that an end condition will be reached under all logic conditions.  The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.']"}, {"@Mitigation_ID": null, "Description": "['Increase the stack size.']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "668", "@Name": "Exposure of Resource to Wrong Sphere", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "664", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": null}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "665", "@Name": "Improper Initialization", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "664", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-3", "Description": "['Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.', \"For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.\"]"}, {"@Mitigation_ID": null, "Description": "['Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.']"}, {"@Mitigation_ID": null, "Description": "['Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.']"}, {"@Mitigation_ID": null, "Description": "['Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.']"}, {"@Mitigation_ID": null, "Description": "['Avoid race conditions (CWE-362) during initialization routines.']"}, {"@Mitigation_ID": null, "Description": "['Run or compile your product with settings that generate warnings about uninitialized variables or data.']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "662", "@Name": "Improper Synchronization", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "664", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "691", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanPrecede", "@CWE_ID": "362", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Use industry standard APIs to synchronize your code.']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "642", "@Name": "External Control of Critical State Data", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "668", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Understand all the potential locations that are accessible to attackers. For example, some programmers assume that cookies and hidden form fields cannot be modified by an attacker, or they may not consider that environment variables can be modified before a privileged program is invoked.']"}, {"@Mitigation_ID": "MIT-14", "Description": "['Store state information and sensitive data on the server side only.', 'Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions.', 'If information must be stored on the client, do not do so without encryption and integrity checking, or otherwise having a mechanism on the server side to catch tampering. Use a message authentication code (MAC) algorithm, such as Hash Message Authentication Code (HMAC) [REF-529]. Apply this against the state or sensitive data that has to be exposed, which can guarantee the integrity of the data - i.e., that the data has not been modified. Ensure that a strong hash function is used (CWE-328).']"}, {"@Mitigation_ID": null, "Description": "['Store state information on the server side only. Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions.']"}, {"@Mitigation_ID": "MIT-4", "Description": "['Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].', 'With a stateless protocol such as HTTP, use some frameworks can maintain the state for you.', 'Examples include ASP.NET View State and the OWASP ESAPI Session Management feature.', 'Be careful of language features that provide state support, since these might be provided as a convenience to the programmer and may not be considering security.']"}, {"@Mitigation_ID": "MIT-15", "Description": "['For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.']"}, {"@Mitigation_ID": "MIT-16", "Description": "['When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "640", "@Name": "Weak Password Recovery Mechanism for Forgotten Password", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1390", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "287", "@View_ID": "1003", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.']"}, {"@Mitigation_ID": null, "Description": "['Do not use standard weak security questions and use several security questions.']"}, {"@Mitigation_ID": null, "Description": "['Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.']"}, {"@Mitigation_ID": null, "Description": "['Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.']"}, {"@Mitigation_ID": null, "Description": "['Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.']"}, {"@Mitigation_ID": null, "Description": "['Assign a new temporary password rather than revealing the original password.']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "639", "@Name": "Authorization Bypass Through User-Controlled Key", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "863", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "863", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "284", "@View_ID": "1340", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.']"}, {"@Mitigation_ID": null, "Description": "[\"Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.\"]"}, {"@Mitigation_ID": null, "Description": "['Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "621", "@Name": "Variable Extraction Error", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "914", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "471", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Use allowlists of variable names that can be extracted.']"}, {"@Mitigation_ID": null, "Description": "['Consider refactoring your code to avoid extraction routines altogether.']"}, {"@Mitigation_ID": null, "Description": "['In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "620", "@Name": "Unverified Password Change", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1390", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['When prompting for a password change, force the user to provide the original password in addition to the new password.']"}, {"@Mitigation_ID": null, "Description": "['Do not use \"forgotten password\" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "613", "@Name": "Insufficient Session Expiration", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "According to WASC, \"Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.\"", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "672", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "672", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "287", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Set sessions/credentials expiration date.']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "606", "@Name": "Unchecked Input for Loop Condition", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1284", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "834", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Do not use user-controlled data for loop conditions.']"}, {"@Mitigation_ID": null, "Description": "['Perform input validation.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "599", "@Name": "Missing Validation of OpenSSL Certificate", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "295", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Ensure that proper authentication is included in the system design.']"}, {"@Mitigation_ID": null, "Description": "['Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "598", "@Name": "Use of HTTP Request With Sensitive Query String", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "201", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['When sending sensitive information, only\\n               include it in the request body or request headers\\n               instead of the query string. This may require avoiding\\n               use of GET requests.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "591", "@Name": "Sensitive Data Storage in Improperly Locked Memory", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "413", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Identify data that needs to be protected from swapping and choose platform-appropriate protection mechanisms.']"}, {"@Mitigation_ID": null, "Description": "['Check return values to ensure locking operations are successful.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "590", "@Name": "Free of Memory not on the Heap", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "762", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "123", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Only free pointers that you have called malloc on previously. This is the recommended solution. Keep track of which pointers point at the beginning of valid chunks and free them only once.']"}, {"@Mitigation_ID": null, "Description": "['Before freeing a pointer, the programmer should make sure that the pointer was previously allocated on the heap and that the memory belongs to the programmer. Freeing an unallocated pointer will cause undefined behavior in the program.']"}, {"@Mitigation_ID": "MIT-4.6", "Description": "['Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.', 'For example, glibc in Linux provides protection against free of invalid pointers.']"}, {"@Mitigation_ID": null, "Description": "['Use a language that provides abstractions for memory allocation and deallocation.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "586", "@Name": "Explicit Call to Finalize()", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product makes an explicit call to the finalize() method from outside the finalizer.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1076", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Do not make explicit calls to finalize().']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "571", "@Name": "Expression is Always True", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product contains an expression that will always evaluate to true.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "710", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "561", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Consider refactoring the code, or determine if the code is not including a condition that could cause the expression to become false.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "570", "@Name": "Expression is Always False", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product contains an expression that will always evaluate to false.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "710", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "561", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Consider refactoring the code, or determine if the code is not including a condition that could cause the expression to become false.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "568", "@Name": "finalize() Method Without super.finalize()", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The product contains a finalize() method that does not call super.finalize().", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "573", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "ChildOf", "@CWE_ID": "459", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Call the super.finalize() method.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "562", "@Name": "Return of Stack Variable Address", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "758", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "672", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanPrecede", "@CWE_ID": "825", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Fix the code so that it does not return a stack address.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "561", "@Name": "Dead Code", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product contains dead code, which can never be executed.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1164", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Remove dead code before deploying the application.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "549", "@Name": "Missing Password Field Masking", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "522", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "548", "@Name": "Exposure of Information Through Directory Listing", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "497", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "530", "@Name": "Exposure of Backup File to an Unauthorized Control Sphere", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "A backup file is stored in a directory or archive that is made accessible to unauthorized actors.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "552", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "528", "@Name": "Exposure of Core Dump File to an Unauthorized Control Sphere", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "552", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Protect the core dump files from unauthorized access.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "525", "@Name": "Use of Web Browser Cache Containing Sensitive Information", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "524", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Protect information stored in cache.']"}, {"@Mitigation_ID": null, "Description": "['Use a restrictive caching policy for forms and web pages that potentially contain sensitive information, such as \"no-cache\" in the Cache-Control header.']"}, {"@Mitigation_ID": null, "Description": "['Do not store unnecessarily sensitive information in the cache.']"}, {"@Mitigation_ID": null, "Description": "['Consider using encryption in the cache.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "524", "@Name": "Use of Cache Containing Sensitive Information", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "668", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Protect information stored in cache.']"}, {"@Mitigation_ID": null, "Description": "['Do not store unnecessarily sensitive information in the cache.']"}, {"@Mitigation_ID": null, "Description": "['Consider using encryption in the cache.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "506", "@Name": "Embedded Malicious Code", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product contains code that appears to be malicious in nature.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "912", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "502", "@Name": "Deserialization of Untrusted Data", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "913", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "913", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "PeerOf", "@CWE_ID": "915", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.']"}, {"@Mitigation_ID": null, "Description": "['When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.']"}, {"@Mitigation_ID": null, "Description": "['Explicitly define a final object() to prevent deserialization.']"}, {"@Mitigation_ID": null, "Description": "['Make fields transient to protect them from deserialization.', 'An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.']"}, {"@Mitigation_ID": null, "Description": "['Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.']"}, {"@Mitigation_ID": null, "Description": "[\"Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.\"]"}, {"@Mitigation_ID": "MIT-29", "Description": "['Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "489", "@Name": "Active Debug Code", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product is released with debugging code still enabled or active.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "710", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "215", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Remove debug code before deploying the application.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "482", "@Name": "Comparing instead of Assigning", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The code uses an operator for comparison when the intention was to perform an assignment.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "480", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Many IDEs and static analysis products will detect this problem.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "481", "@Name": "Assigning instead of Comparing", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The code uses an operator for assignment when the intention was to perform a comparison.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "480", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "697", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Place constants on the left. If one attempts to assign a constant with a variable, the compiler will produce an error.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "451", "@Name": "User Interface (UI) Misrepresentation of Critical Information", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "684", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "221", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "PeerOf", "@CWE_ID": "346", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Perform data validation (e.g. syntax, length, etc.) before interpreting the data.']"}, {"@Mitigation_ID": null, "Description": "['Create a strategy for presenting information, and plan for how to display unusual characters.']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "44", "@Name": "Path Equivalence: 'file.name' (Internal Dot)", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "41", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": null}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "437", "@Name": "Incomplete Model of Endpoint Features", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "436", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": null}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "434", "@Name": "Unrestricted Upload of File with Dangerous Type", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "669", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "669", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "PeerOf", "@CWE_ID": "351", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "PeerOf", "@CWE_ID": "436", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "PeerOf", "@CWE_ID": "430", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]']"}, {"@Mitigation_ID": "MIT-21", "Description": "['When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.']"}, {"@Mitigation_ID": null, "Description": "['Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423]']"}, {"@Mitigation_ID": "MIT-5", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\", 'For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions.']"}, {"@Mitigation_ID": null, "Description": "['Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.']"}, {"@Mitigation_ID": null, "Description": "['Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that \"filename.php.gif\" is fed to the PHP interpreter.[REF-422] [REF-423]']"}, {"@Mitigation_ID": null, "Description": "['When running on a web server that supports case-insensitive filenames, perform case-insensitive evaluations of the extensions that are provided.']"}, {"@Mitigation_ID": "MIT-15", "Description": "['For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.']"}, {"@Mitigation_ID": null, "Description": "['Do not rely exclusively on sanity checks of file contents to ensure that the file is of the expected type and size. It may be possible for an attacker to hide code in some file segments that will still be executed by the server. For example, GIF images may contain a free-form comments field.']"}, {"@Mitigation_ID": null, "Description": "['Do not rely exclusively on the MIME content type or filename attribute when determining how to render a file. Validating the MIME content type and ensuring that it matches the extension is only a partial solution.']"}, {"@Mitigation_ID": "MIT-17", "Description": "['Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.']"}, {"@Mitigation_ID": "MIT-22", "Description": "['Run the code in a \"jail\" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.', 'OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.', 'This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.', 'Be careful to avoid CWE-243 and other weaknesses related to jails.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "427", "@Name": "Uncontrolled Search Path Element", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "668", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "668", "@View_ID": "1003", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.']"}, {"@Mitigation_ID": null, "Description": "['When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.']"}, {"@Mitigation_ID": null, "Description": "['Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.']"}, {"@Mitigation_ID": null, "Description": "['Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.']"}, {"@Mitigation_ID": null, "Description": "['Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "425", "@Name": "Direct Request ('Forced Browsing')", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "862", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "862", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "288", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "ChildOf", "@CWE_ID": "424", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanPrecede", "@CWE_ID": "471", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanPrecede", "@CWE_ID": "98", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.']"}, {"@Mitigation_ID": null, "Description": "['Consider using MVC based frameworks such as Struts.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "416", "@Name": "Use After Free", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Stable", "Description": "The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory \"belongs\" to the code that operates on the new pointer.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "825", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "672", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "672", "@View_ID": "1305", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "672", "@View_ID": "1340", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "120", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanPrecede", "@CWE_ID": "123", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Choose a language that provides automatic memory management.']"}, {"@Mitigation_ID": null, "Description": "['When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "401", "@Name": "Missing Release of Memory after Effective Lifetime", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "772", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "404", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "404", "@View_ID": "1305", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-41", "Description": "['Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.', 'For example, glibc in Linux provides protection against free of invalid pointers.', 'When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].', 'To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.']"}, {"@Mitigation_ID": null, "Description": "['Use an abstraction library to abstract away risky APIs. Not a complete solution.']"}, {"@Mitigation_ID": null, "Description": "['Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "400", "@Name": "Uncontrolled Resource Consumption", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not properly control the allocation and maintenance of a limited resource.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "664", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.']"}, {"@Mitigation_ID": null, "Description": "['Mitigation of resource exhaustion attacks requires that the target system either:', 'The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.', 'The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.', 'recognizes the attack and denies that user further access for a given amount of time, or', 'uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.']"}, {"@Mitigation_ID": null, "Description": "['Ensure that protocols have specific limits of scale placed on them.']"}, {"@Mitigation_ID": null, "Description": "['Ensure that all failures in resource allocation place the system into a safe posture.']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "392", "@Name": "Missing Report of Error Condition", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "755", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "684", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "ChildOf", "@CWE_ID": "703", "@View_ID": "1305", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "703", "@View_ID": "1340", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": null}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "379", "@Name": "Creation of Temporary File in Directory with Insecure Permissions", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "377", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.']"}, {"@Mitigation_ID": null, "Description": "['Try to store sensitive tempfiles in a directory which is not world readable -- i.e., per-user directories.']"}, {"@Mitigation_ID": null, "Description": "['Avoid using vulnerable temp file functions.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "362", "@Name": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "662", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "416", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanPrecede", "@CWE_ID": "476", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.']"}, {"@Mitigation_ID": null, "Description": "['Use thread-safe capabilities such as the data access abstraction in Spring.']"}, {"@Mitigation_ID": null, "Description": "['Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.', 'Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).']"}, {"@Mitigation_ID": null, "Description": "['When using multithreading and operating on shared variables, only use thread-safe functions.']"}, {"@Mitigation_ID": null, "Description": "['Use atomic operations on shared variables. Be wary of innocent-looking constructs such as \"x++\". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.']"}, {"@Mitigation_ID": null, "Description": "['Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.']"}, {"@Mitigation_ID": null, "Description": "['Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.']"}, {"@Mitigation_ID": null, "Description": "['Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.']"}, {"@Mitigation_ID": null, "Description": "['Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.']"}, {"@Mitigation_ID": "MIT-17", "Description": "['Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "36", "@Name": "Absolute Path Traversal", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as \"/abs/path\" that can resolve to a location that is outside of that directory.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "22", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "22", "@View_ID": "1305", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "22", "@View_ID": "1340", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-5.1", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\", 'When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single \".\" character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as \"/\" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.', 'Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering \"/\" is insufficient protection if the filesystem also supports the use of \"\\\\\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if \"../\" sequences are removed from the \".../...//\" string in a sequential fashion, two instances of \"../\" would be removed from the original string, but the remaining characters would still form the \"../\" string.']"}, {"@Mitigation_ID": "MIT-20", "Description": "[\"Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.\"]"}, {"@Mitigation_ID": "MIT-29", "Description": "['Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "354", "@Name": "Improper Validation of Integrity Check Value", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not validate or incorrectly validates the integrity check values or \"checksums\" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "345", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "345", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "754", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "PeerOf", "@CWE_ID": "353", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Ensure that the checksums present in messages are properly checked in accordance with the protocol specification before they are parsed and used.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "353", "@Name": "Missing Support for Integrity Check", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "345", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "PeerOf", "@CWE_ID": "354", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Add an appropriately sized checksum to the protocol, ensuring that data received may be simply validated before it is parsed and used.']"}, {"@Mitigation_ID": null, "Description": "['Ensure that the checksums present in the protocol design are properly implemented and added to each message before it is sent.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "330", "@Name": "Use of Insufficiently Random Values", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Stable", "Description": "The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "693", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "804", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.', 'In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.', 'Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a \"random enough\" number.']"}, {"@Mitigation_ID": null, "Description": "['Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.']"}, {"@Mitigation_ID": "MIT-2", "Description": "['Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (\"Approved Random Number Generators\").']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "323", "@Name": "Reusing a Nonce, Key Pair in Encryption", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "Nonces should be used for the present occasion and only once.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "344", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Refuse to reuse nonce values.']"}, {"@Mitigation_ID": null, "Description": "['Use techniques such as requiring incrementing, time based and/or challenge response to assure uniqueness of nonces.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "316", "@Name": "Cleartext Storage of Sensitive Information in Memory", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The product stores sensitive information in cleartext in memory.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "312", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": null}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "311", "@Name": "Missing Encryption of Sensitive Data", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not encrypt sensitive or critical information before storage or transmission.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "693", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Clearly specify which data or resources are valuable enough that they should be protected by encryption. Require that any transmission or storage of this data/resource should use well-vetted encryption algorithms.']"}, {"@Mitigation_ID": null, "Description": "['Ensure that encryption is properly integrated into the system design, including but not necessarily limited to:', 'Identify the separate needs and contexts for encryption:', 'Using threat modeling or other techniques, assume that data can be compromised through a separate vulnerability or weakness, and determine where encryption will be most effective. Ensure that data that should be private is not being inadvertently exposed using weaknesses such as insecure permissions (CWE-732). [REF-7]', {'xhtml:li': ['Encryption that is needed to store or transmit private data of the users of the system', 'Encryption that is needed to protect the system itself from unauthorized disclosure or tampering']}, {'xhtml:li': ['One-way (i.e., only the user or recipient needs to have the key). This can be achieved using public key cryptography, or other techniques in which the encrypting party (i.e., the product) does not need to have access to a private key.', 'Two-way (i.e., the encryption can be automatically performed on behalf of a user, but the key must be available so that the plaintext can be automatically recoverable by that user). This requires storage of the private key in a format that is recoverable only by the user (or perhaps by the operating system) in a way that cannot be recovered by others.']}]"}, {"@Mitigation_ID": "MIT-24", "Description": "['When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis.', 'For example, US government systems require FIPS 140-2 certification.', 'Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak.', 'Periodically ensure that the cryptography has not become obsolete. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [REF-267]']"}, {"@Mitigation_ID": "MIT-46", "Description": "['Compartmentalize the system to have \"safe\" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.', 'Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.']"}, {"@Mitigation_ID": "MIT-25", "Description": "[\"When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.\"]"}, {"@Mitigation_ID": "MIT-33", "Description": "['Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "301", "@Name": "Reflection Attack in an Authentication Protocol", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1390", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "PeerOf", "@CWE_ID": "327", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Use different keys for the initiator and responder or of a different type of challenge for the initiator and responder.']"}, {"@Mitigation_ID": null, "Description": "['Let the initiator prove its identity before proceeding.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "298", "@Name": "Improper Validation of Certificate Expiration", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "A certificate expiration is not validated or is incorrectly validated.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "295", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "672", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.']"}, {"@Mitigation_ID": null, "Description": "['If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "297", "@Name": "Improper Validation of Certificate with Host Mismatch", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "923", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "295", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed.']"}, {"@Mitigation_ID": null, "Description": "['If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "296", "@Name": "Improper Following of a Certificate's Chain of Trust", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "295", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "573", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Ensure that proper certificate checking is included in the system design.']"}, {"@Mitigation_ID": null, "Description": "['Understand, and properly implement all checks necessary to ensure the integrity of certificate trust integrity.']"}, {"@Mitigation_ID": null, "Description": "['If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the full chain of trust.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "295", "@Name": "Improper Certificate Validation", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not validate, or incorrectly validates, a certificate.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "287", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "287", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "PeerOf", "@CWE_ID": "322", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "[\"Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.\"]"}, {"@Mitigation_ID": null, "Description": "['If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "287", "@Name": "Improper Authentication", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "284", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "284", "@View_ID": "1340", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Use an authentication framework or library such as the OWASP ESAPI Authentication feature.']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "285", "@Name": "Improper Authorization", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "284", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "284", "@View_ID": "1340", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries.', 'Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.']"}, {"@Mitigation_ID": null, "Description": "[\"Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor.\"]"}, {"@Mitigation_ID": "MIT-4.4", "Description": "['Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.', 'For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].']"}, {"@Mitigation_ID": null, "Description": "['For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.', 'One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.']"}, {"@Mitigation_ID": null, "Description": "['Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a \"default deny\" policy when defining these ACLs.']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "284", "@Name": "Improper Access Control", "@Abstraction": "Pillar", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.", "Related_Weaknesses": {"Related_Weakness": null}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-1", "Description": "['Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.']"}, {"@Mitigation_ID": "MIT-46", "Description": "['Compartmentalize the system to have \"safe\" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.', 'Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "269", "@Name": "Improper Privilege Management", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "284", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-1", "Description": "['Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.']"}, {"@Mitigation_ID": "MIT-48", "Description": "['Follow the principle of least privilege when assigning access rights to entities in a software system.']"}, {"@Mitigation_ID": "MIT-49", "Description": "['Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "261", "@Name": "Weak Encoding for Password", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "Obscuring a password with a trivial encoding does not protect the password.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "522", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "26", "@Name": "Path Traversal: '/dir/../filename'", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"/dir/../filename\" sequences that can resolve to a location that is outside of that directory.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "23", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-5.1", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\", 'When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single \".\" character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as \"/\" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.', 'Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering \"/\" is insufficient protection if the filesystem also supports the use of \"\\\\\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if \"../\" sequences are removed from the \".../...//\" string in a sequential fashion, two instances of \"../\" would be removed from the original string, but the remaining characters would still form the \"../\" string.']"}, {"@Mitigation_ID": "MIT-20", "Description": "[\"Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.\"]"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "250", "@Name": "Execution with Unnecessary Privileges", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "269", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "657", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-17", "Description": "['Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.']"}, {"@Mitigation_ID": "MIT-18", "Description": "['Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.']"}, {"@Mitigation_ID": "MIT-18", "Description": "['Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.']"}, {"@Mitigation_ID": null, "Description": "['Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements.']"}, {"@Mitigation_ID": "MIT-19", "Description": "['When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed.']"}, {"@Mitigation_ID": null, "Description": "['If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitigation is much more prone to error than dropping the privileges in the first place.']"}, {"@Mitigation_ID": "MIT-37", "Description": "['Ensure that the software runs properly under the United States Government Configuration Baseline (USGCB) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "242", "@Name": "Use of Inherently Dangerous Function", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product calls a function that can never be guaranteed to work safely.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1177", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-58", "Description": "['Identify a list of prohibited API functions and prohibit developers from using these functions, providing safer alternatives. In some cases, automatic code analysis tools or the compiler can be instructed to spot use of prohibited functions, such as the \"banned.h\" include file from Microsoft\\'s SDL. [REF-554] [REF-1009] [REF-7]']"}, {"@Mitigation_ID": null, "Description": "['Use grep or static analysis tools to spot usage of dangerous functions.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "23", "@Name": "Relative Path Traversal", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as \"..\" that can resolve to a location that is outside of that directory.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "22", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "22", "@View_ID": "1305", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "22", "@View_ID": "1340", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-5.1", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\", 'When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single \".\" character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as \"/\" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.', 'Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering \"/\" is insufficient protection if the filesystem also supports the use of \"\\\\\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if \"../\" sequences are removed from the \".../...//\" string in a sequential fashion, two instances of \"../\" would be removed from the original string, but the remaining characters would still form the \"../\" string.']"}, {"@Mitigation_ID": "MIT-20.1", "Description": "[\"Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.\", 'Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes \"..\" sequences and symbolic links (CWE-23, CWE-59). This includes:', 'realpath() in C', 'getCanonicalPath() in Java', 'GetFullPath() in ASP.NET', 'realpath() or abs_path() in Perl', 'realpath() in PHP']"}, {"@Mitigation_ID": "MIT-29", "Description": "['Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "22", "@Name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Stable", "Description": "The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "706", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "706", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "668", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-5.1", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\", 'When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single \".\" character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as \"/\" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.', 'Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering \"/\" is insufficient protection if the filesystem also supports the use of \"\\\\\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if \"../\" sequences are removed from the \".../...//\" string in a sequential fashion, two instances of \"../\" would be removed from the original string, but the remaining characters would still form the \"../\" string.']"}, {"@Mitigation_ID": "MIT-15", "Description": "['For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.']"}, {"@Mitigation_ID": "MIT-20.1", "Description": "[\"Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.\", 'Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes \"..\" sequences and symbolic links (CWE-23, CWE-59). This includes:', 'realpath() in C', 'getCanonicalPath() in Java', 'GetFullPath() in ASP.NET', 'realpath() or abs_path() in Perl', 'realpath() in PHP']"}, {"@Mitigation_ID": "MIT-4", "Description": "['Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].']"}, {"@Mitigation_ID": "MIT-29", "Description": "['Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].']"}, {"@Mitigation_ID": "MIT-17", "Description": "['Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.']"}, {"@Mitigation_ID": "MIT-21.1", "Description": "['When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.', 'For example, ID 1 could map to \"inbox.txt\" and ID 2 could map to \"profile.txt\". Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability.']"}, {"@Mitigation_ID": "MIT-22", "Description": "['Run the code in a \"jail\" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.', 'OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.', 'This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.', 'Be careful to avoid CWE-243 and other weaknesses related to jails.']"}, {"@Mitigation_ID": "MIT-34", "Description": "[\"Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately.\", 'This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface.']"}, {"@Mitigation_ID": "MIT-39", "Description": "['Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.', 'If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.', 'Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.', 'In the context of path traversal, error messages which disclose path information can help attackers craft the appropriate attack strings to move through the file system hierarchy.']"}, {"@Mitigation_ID": "MIT-16", "Description": "['When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "214", "@Name": "Invocation of Process Using Visible Sensitive Information", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "497", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": null}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "212", "@Name": "Improper Removal of Sensitive Information Before Storage or Transfer", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "669", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "669", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "201", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.']"}, {"@Mitigation_ID": "MIT-46", "Description": "['Compartmentalize the system to have \"safe\" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.', 'Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.']"}, {"@Mitigation_ID": "MIT-57", "Description": "['Some tools can automatically analyze\\n\\t\\tdocuments to redact, strip, or \"sanitize\" private\\n\\t\\tinformation, although some human review might be\\n\\t\\tnecessary. Tools may vary in terms of which document\\n\\t\\tformats can be processed.', 'When calling an external program to automatically\\n\\t\\t  generate or convert documents, invoke the program with\\n\\t\\t  any available options that avoid generating sensitive\\n\\t\\t  metadata.  Some formats have well-defined fields that\\n\\t\\t  could contain private data, such as Exchangeable image\\n\\t\\t  file format (Exif), which can contain potentially\\n\\t\\t  sensitive metadata such as geolocation, date, and time\\n\\t\\t  [REF-1515] [REF-1516].']"}, {"@Mitigation_ID": "MIT-33", "Description": "['Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.']"}, {"@Mitigation_ID": null, "Description": "['Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "203", "@Name": "Observable Discrepancy", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "200", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "200", "@View_ID": "1003", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-46", "Description": "['Compartmentalize the system to have \"safe\" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.', 'Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.']"}, {"@Mitigation_ID": "MIT-39", "Description": "['Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.', 'If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.', 'Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "201", "@Name": "Insertion of Sensitive Information Into Sent Data", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "200", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanAlsoBe", "@CWE_ID": "209", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanAlsoBe", "@CWE_ID": "202", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Specify which data in the software should be regarded as sensitive. Consider which types of users should have access to which types of data.']"}, {"@Mitigation_ID": null, "Description": "['Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.']"}, {"@Mitigation_ID": null, "Description": "['Setup default error messages so that unexpected errors do not disclose sensitive information.']"}, {"@Mitigation_ID": "MIT-46", "Description": "['Compartmentalize the system to have \"safe\" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.', 'Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "200", "@Name": "Exposure of Sensitive Information to an Unauthorized Actor", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "668", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-46", "Description": "['Compartmentalize the system to have \"safe\" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.', 'Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "20", "@Name": "Improper Input Validation", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Stable", "Description": "The product receives input or data, but it does\n        not validate or incorrectly validates that the input has the\n        properties that are required to process the data safely and\n        correctly.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "707", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "PeerOf", "@CWE_ID": "345", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "22", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanPrecede", "@CWE_ID": "41", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanPrecede", "@CWE_ID": "74", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanPrecede", "@CWE_ID": "119", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanPrecede", "@CWE_ID": "770", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build \"recognizers\" for that language.  This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]']"}, {"@Mitigation_ID": "MIT-7", "Description": "['Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).']"}, {"@Mitigation_ID": "MIT-6", "Description": "['Understand all the potential areas where untrusted inputs can enter the product, including but not limited to: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.']"}, {"@Mitigation_ID": "MIT-5", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\"]"}, {"@Mitigation_ID": null, "Description": "['For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.', 'Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings.']"}, {"@Mitigation_ID": null, "Description": "['When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.']"}, {"@Mitigation_ID": "MIT-35", "Description": "['Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow.']"}, {"@Mitigation_ID": null, "Description": "[\"Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained.\"]"}, {"@Mitigation_ID": null, "Description": "[\"Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.\", 'Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.']"}, {"@Mitigation_ID": null, "Description": "['When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.']"}]}, "Mapping_Notes": {"Usage": "Discouraged"}}, {"@ID": "186", "@Name": "Overly Restrictive Regular Expression", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "A regular expression is overly restrictive, which prevents dangerous values from being detected.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "185", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanAlsoBe", "@CWE_ID": "184", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanAlsoBe", "@CWE_ID": "183", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-45", "Description": "['Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject your regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor your regular expression.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "185", "@Name": "Incorrect Regular Expression", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product specifies a regular expression in a way that causes data to be improperly matched or compared.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "697", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "187", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanPrecede", "@CWE_ID": "182", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-45", "Description": "['Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject the regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor the regular expression.']"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review"}}, {"@ID": "150", "@Name": "Improper Neutralization of Escape, Meta, or Control Sequences", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "138", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Developers should anticipate that escape, meta and control characters/sequences will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.']"}, {"@Mitigation_ID": "MIT-5", "Description": "['Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.', 'When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\"', \"Do not rely exclusively on looking for malicious or malformed inputs.  This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\"]"}, {"@Mitigation_ID": "MIT-28", "Description": "['While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).']"}, {"@Mitigation_ID": "MIT-20", "Description": "[\"Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.\"]"}, {"@Mitigation_ID": null, "Description": "['When using output from an LLM, neutralize\\n              or strip escape codes before redirecting output to the\\n              terminal or other rendering engine that would process\\n              the codes. The neutralization could require that the\\n              character be printable and/or allowable whitespace, such\\n              as a carriage return or newline. Be deliberate about\\n              what to allow.']"}, {"@Mitigation_ID": null, "Description": "[\"When using an LLM: during tokenizer\\n              training, suppress escape codes from the tokenizer's\\n              vocabulary. Depending on context, this could be\\n              accomplished by removing the codes from input to the\\n              tokenizer, or removing the map from the string to its\\n              token ID. It is generally unlikely that this removal\\n              would adversely affect the quality or correctness of\\n              what is generated, e.g. advice requests for terminal\\n              settings to change colors.\"]"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "1434", "@Name": "Insecure Setting of Generative AI/ML Model Inference Parameters", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product has a component that relies on a\n\t  generative AI/ML model configured with inference parameters that\n\t  produce an unacceptably high rate of erroneous or unexpected\n\t  outputs.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "440", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "665", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "CanPrecede", "@CWE_ID": "684", "@View_ID": "1000", "@Ordinal": null}, {"@Nature": "PeerOf", "@CWE_ID": "691", "@View_ID": "1000", "@Ordinal": null}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['Develop and adhere to robust parameter tuning\\n\\t\\t\\tprocesses that include extensive testing and\\n\\t\\t\\tvalidation.']"}, {"@Mitigation_ID": null, "Description": "['Implement feedback mechanisms to continuously\\n\\t\\t\\tassess and adjust model performance.']"}, {"@Mitigation_ID": null, "Description": "['Provide comprehensive documentation and\\n\\t\\t\\tguidelines for parameter settings to ensure consistent and\\n\\t\\t\\taccurate model behavior.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}, {"@ID": "1427", "@Name": "Improper Neutralization of Input Used for LLM Prompting", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product uses externally-provided data to build prompts provided to\nlarge language models (LLMs), but the way these prompts are constructed\ncauses the LLM to fail to distinguish between user-supplied inputs and\ndeveloper provided system directives.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "77", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": null, "Description": "['LLM-enabled applications should be designed to ensure\\nproper sanitization of user-controllable input, ensuring that no\\nintentionally misleading or dangerous characters can be\\nincluded. Additionally, they should be designed in a way that ensures\\nthat user-controllable input is identified as untrusted and\\npotentially dangerous.']"}, {"@Mitigation_ID": null, "Description": "['LLM prompts should be constructed in a way that\\neffectively differentiates between user-supplied input and\\ndeveloper-constructed system prompting to reduce the chance of model\\nconfusion at inference-time.']"}, {"@Mitigation_ID": null, "Description": "['LLM-enabled applications should be designed to ensure\\nproper sanitization of user-controllable input, ensuring that no\\nintentionally misleading or dangerous characters can be\\nincluded. Additionally, they should be designed in a way that ensures\\nthat user-controllable input is identified as untrusted and\\npotentially dangerous.']"}, {"@Mitigation_ID": null, "Description": "[\"Ensure that model training includes training examples\\nthat avoid leaking secrets and disregard malicious inputs. Train the\\nmodel to recognize secrets, and label training data\\nappropriately. Note that due to the non-deterministic nature of\\nprompting LLMs, it is necessary to perform testing of the same test\\ncase several times in order to ensure that troublesome behavior is not\\npossible. Additionally, testing should be performed each time a new\\nmodel is used or a model's weights are updated.\"]"}, {"@Mitigation_ID": null, "Description": "['During deployment/operation, use components that operate externally to the system to\\nmonitor the output and act as a moderator. These components are called\\ndifferent terms, such as supervisors or guardrails.']"}, {"@Mitigation_ID": null, "Description": "['During system configuration, the model could be\\nfine-tuned to better control and neutralize potentially dangerous\\ninputs.']"}]}, "Mapping_Notes": {"Usage": "Allowed"}}]}
