CWE

Introduction

CWE (Common Weakness Enumeration) aims to provide a common basis for identifying the type of a software weakness (vulnerability). International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that enables more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code. CWE gives a hierarchically structured list of weakness types to help identify software vulnerabilities, which come in a wide variety, such as SQL injection, cross-site scripting and buffer overflow.

CWE Compatible Certification

Security Reviewer Suite is CWE Compatible Certified. We have achieved the final stage of MITRE's formal CWE Compatibility Program and are now "Officially CWE-Compatible". We are now eligible to use the CWE-Compatible Product/Service logo, and our completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaires are posted here and on the Organizations Participating page as part of our product listings.

CWE for Software Resilience Analysis

Security Reviewer SRA analyzes applications to discover Security, Dead code and Best Practices vulnerabilities, both in Static Analysis and in Software Resilience Analysis.

Automated Source Code Reliability Measure

The quality measure elements (weaknesses violating software quality rules) that compose the Automated Source Code Reliability Measure are presented in the following table.

This measure contains 35 parent weaknesses and 39 contributing weaknesses (children in the CWE) that represent variants of these weaknesses. The CWE numbers for contributing weaknesses are presented in light blue cells immediately below the parent weakness, whose CWE number is in a dark blue cell.

For a complete list of covered CWE issues, see the CISQ Reliability Weakness document.

CWE for Security, Dead code and Best Practices Rules

Security Reviewer provides a large number of CWE 4.9 rules designed for detecting vulnerabilities inside source code. Each rule defines up to 12 variants and up to 50 APIs to which it is applied, and has its own CWE Identifier and Description, with a link to the related MITRE web site page, on which you can do a Search:

You can Export the rules list in Excel CSV format with CWE details:

CWE Ruleset

You can execute the Static Analysis with CWE ruleset:


CWE Results

After Static Analysis completion, even if you chose a different RuleSet, each detected vulnerability always has its own CWE ID with the related web link:

You can list and export in Excel CSV all CWEs found during the Static Analysis:

In the Static Analysis Reports, each rule's violation shows the related clickable CWE™ ID:

CWE Capabilities

Requirement | Capability | Fulfillment Method
CWE Searchability | Security, Dead code, Best practices Rules, Analysis Results and Reports | By using the search function in Security Reviewer (the vulnerability countermeasure information database), users can conduct a search using CWE identifiers as the keyword.
CWE Output | Analysis Results | CWE identifiers are displayed in the "Results" section of each vulnerability countermeasure information page.
CWE Output | Reports | The CWE identifier is displayed in the "Violations" section of the detailed information window of each vulnerability countermeasure information.
CWE Documentation | Security Reviewer Knowledge Center, User Guide | This document will become the documentation necessary to describe and demonstrate CWE, the CWE association and the methods used to satisfy the compatibility requirements.
Mapping Accuracy | Security, Dead code, Best practices Rules, Analysis Results and Reports | Security Reviewer supports many CWE 4.4 IDs related to Static Analysis.

Supported CWE per Programming Language (Tiobe Index Top 10)

CWE ID | Description | Language | Rule | Severity
111 | Avoid invoking a native method | .NET | NativeNET | 3
113 | Header Checking Disabled | .NET | Header_Checking_Disabled | 3
119 | Array Index Out Of Bounds | .NET | C67VB | 1
200 | Deprecated use of Functions returning a Variant | .NET | DEPRECATED_VB_Variant | 2
200 | Avoid using System.Console 'Write()' or 'WriteLine()' statements | .NET | Securitymisc07 | 3
200 | Use of deprecated ActiveX/OCX components | .NET | DEPRECATED_VB | 3
200 | Deprecated type or function | .NET | deprecatedObjectVB | 3
200 | Deprecated Variable type | .NET | deprecatedVariableVB | 3
200 | Use of deprecated win32 API | .NET | DEPRECATED_API | 3
200 | Deprecated Win32 API returning ANY | .NET | DEPRECATED_API_ANY | 3
209 | Improper call of 'StackTrace' property of System.Exception | .NET | Securitymisc08 | 3
209 | ASP.NET Misconfiguration (Impersonation) | .NET | ACIdentity | 1
209 | ASP.NET Misconfiguration (ViewStateMac Disabled) | .NET | ACStateMac | 1
209 | ASP.NET Misconfiguration (Header Checking Disabled) | .NET | ACHeaderChecking | 1
212 | public instance fields accessed by untrusted class | .NET | Idor06 | 4
212 | public inner classes accessed from untrusted classes | .NET | Idor08 | 4
215 | WCF Misconfiguration (Debug Information) | .NET | WCF_Debug_Information | 3
248 | Improper invoking of an exception filtering method | .NET | Securitymisc09 | 3
254 | WCF Misconfiguration (Unsafe Revocation Mode) | .NET | WCF_Unsafe_Revocation_Mode | 2
254 | WCF Misconfiguration (Weak Token) | .NET | WCF_Weak_Token | 2
257 | Avoid recreating string from SecureString | .NET | Ftorurla01 | 2
257 | Avoid using String for password | .NET | Ics04 | 2
285 | WCF Misconfiguration (Anonymous MSMQ) | .NET | WCF_Anonymous_MSMQ | 1
327 | Hardcoded connection strings | .NET | Itl02 | 3
327 | Static Random Number Generator | .NET | Ics07VB | 2
327 | Static Random Number Generator | .NET | Ics07 | 2
327 | Poor Seeding | .NET | PoorSeeding | 2
327 | Improper change of RSA/DSA KeySize property | .NET | Ics03 | 1
327 | Hardcoded connection strings VB | .NET | Itl02VB | 3
352 | Unsecure local 'Cookie' object (XML) | .NET | cookieXML_NET | 3
388 | Ensure all exceptions are logged in the error blocks | .NET | Securitymisc03 | 2
388 | Avoid using 'throw' exceptions inside destructors | .NET | Securitymisc06 | 3
388 | WCF Misconfiguration (Insufficient Audit Failure Handling) | .NET | WCF_Insufficient_Audit | 3
388 | Poor error handling | .NET | OnErrorVB | 2
400 | Denial of Service (Sleep) | .NET | C14VB | 1
400 | Denial of Service Threat | .NET | Injection23VB | 1
404 | Close DB connections in 'finally' block | .NET | Injection15 | 2
404 | Unreleased Resource | .NET | Unreleased | 1
404 | Unreleased Resource | .NET | Injection14VB | 1
404 | Close DB objects in 'finally' block | .NET | Injection14 | 1
495 | Static fields that are not readonly | .NET | Idor07 | 4
495 | public instance fields accessed by untrusted classes | .NET | Idor02 | 3
497 | Information Leakage (DDE) | .NET | VBDDE | 3
497 | LSET and RSET functions are deprecated fields not string | .NET | VBLRSET | 3
511 | Logic-Time Bomb (.NET) | .NET | TIMEBOMB_NET | 2
532 | Improper use of System.Console.Write() or WriteLine() in Catch blocks | .NET | Securitymisc05 | 2
581 | Improper equality using hash codes | .NET | Ics01 | 1
639 | System Error printed out | .NET | CE6VB | 3
651 | WCF Misconfiguration (Service Enumeration) | .NET | WCF_Service_Enumeration | 3
665 | Readonly Array fields should be cloned | .NET | Idor01 | 3
665 | Improper 'virtual' declaration of a 'Clone()' method | .NET | Securitymisc11 | 3
667 | Improper locking of typed Objects | .NET | Idor10 | 3
671 | Improper modification to security settings | .NET | Securitymisc15 | 4
676 | Avoid using System Milliseconds | .NET | Securitymisc14 | 4
676 | Setting Timer Interval to zero is deprecated | .NET | Securitymisc14VB | 4
73 | Setting Manipulation | .NET | Injection04SM | 1
732 | Improper deny of SkipVerification security permission | .NET | Ics02 | 1
77 | [RunPE-Packed] Malware Suspicious behaviour | .NET | PEPacked | 1
77 | [RunPE] Malware Suspicious behaviour | .NET | PE | 1
778 | WCF Misconfiguration (Insufficient Logging) | .NET | WCF_Insufficient_Logging | 3
78 | Improper call to late-binding methods | .NET | Securitymisc10 | 3
79 | Reflected XSS ASP-ASPX / Security Decisions Via Untrusted Inputs | .NET | Injection26 | 3
798 | Avoid using hardcoded strings for password-related parameters | .NET | Ics05 | 2
822 | Exposing Pointer type fields | .NET | Idor03 | 2
822 | Deprecated ObjPtr VarPtr StrPtr | .NET | idor03VB | 2
829 | Class outside namespace | .NET | Securitymisc02 | 2
863 | Access Control: Database (VB) | .NET | accessControlVB | 1
89 | SQL Connection Injection | .NET | Injection11 | 1
111 | Avoid user-defined Native methods (JSNI) | ALL | NativeJS | 3
117 | Log Forging | ALL | Injection19 | 1
15 | External Control of System or Configuration Setting | ALL | ExternalSCS | 2
190 | Integer Overflow | ALL | IntegerOverflow | 1
200 | Deprecated DOS command | ALL | DeprecatedDOScommand | 1
200 | toString on Array | ALL | ArrayToString | 1
200 | Reflected Exposing of Sensitive data | ALL | Securitymisc17 | 3
209 | Hardcoded credentials (JavaScript) | ALL | Hardcodedjs | 1
213 | Exposing of Sensitive data | ALL | Securitymisc01 | 1
22 | Path Traversal | ALL | Injection05 | 1
242 | Dangerous Function | ALL | deprecatedObjectFunction | 1
311 | Hardcoded credentials | ALL | HardcodedCredentials | 1
326 | Insecure algorithms for cryptography | ALL | Ics06 | 2
327 | Weak Cryptography (JavaScript) | ALL | Cryptographic_JS | 2
327 | Weak Cryptography (SQL) | ALL | Cwe327SQL | 2
327 | Insecure TLS configuration | ALL | TLS_XML | 2
328 | Insecure TLS Cipher (Medium) | ALL | TLS_MEDIUM | 3
328 | Insecure SSL Cipher/Protocol | ALL | SSL | 1
328 | Insecure SSL Cipher (Medium) | ALL | SSL_MEDIUM | 3
328 | Insecure SSL configuration | ALL | SSL_XML | 1
328 | Weak TLS Cipher/Protocol | ALL | TLS | 2
330 | Use window.Crypto.getRandomValues() | ALL | Ics07JS | 2
344 | Hardcoded IP address | ALL | Itl03 | 1
349 | JavaScript DB Injection | ALL | DBInjectionJS | 1
352 | Cross Site Request Forgery (JavaScript) - Missed datafilter | ALL | Csrfjs | 2
352 | HTTP Response Splitting | ALL | Csrf01 | 1
352 | Cross Site Request Forgery (JavaScript) | ALL | Csrfjs_2 | 2
359 | e-mail address in Source Code | ALL | EmailCode | 3
36 | Absolute Path in comment | ALL | Securitymisc19 | 4
36 | Absolute path to a Shared Resource in source code | ALL | AbsoluteResource | 3
36 | Absolute Path in Source Code | ALL | Securitymisc18 | 3
388 | Missing Custom Errors Page(s) | ALL | PageXML | 3
388 | Excessive Session Timeout | ALL | ExcessiveTimeOutXML | 3
388 | Avoid return, break, continue or throw in finally block | ALL | FinallyReturn | 3
395 | Denial of Service Threat - Resource consumption (CPU) | ALL | Sr_NullPointerException | 1
400 | Denial of Service (JavaScript) | ALL | DenialOfService_JS | 1
434 | Unrestricted Upload | ALL | InjectionUnrestricted | 1
447 | Unsupported Feature | ALL | UnsupportedIEW7 | 1
448 | Deprecated Element | ALL | deprecatedBrowserIE | 2
465 | Second order Injection / Security Decisions Via Untrusted Inputs | ALL | Injection18 | 3
476 | Null Pointer Dereference (Nullable object) | ALL | NullableObject | 1
476 | Numeric method returns null | ALL | ReturnNumberNull | 3
476 | Null Pointer Dereference (throw null) | ALL | NullableThrow | 1
476 | Null Pointer Dereference (Nullable formal parameter) | ALL | NullableFormalParameter | 1
476 | Boolean Method returns null | ALL | NullableReturns | 2
477 | Statement is Deprecated (JavaScript) | ALL | deprecatedJS | 3
478 | 'switch'/'Select' statement should have a 'default'/'case else' condition | ALL | CWE200SC | 4
494 | Download of Code Without Integrity Check | ALL | Idor494 | 2
501 | Cross-Session Contamination (JavaScript) | ALL | CrossSessionContamination_JS | 1
501 | Trust Boundary Violation | ALL | Injection24 | 1
501 | Trust Boundary Violation | ALL | Injection24_2 | 1
511 | Logic-Time Bomb (DOS Command) | ALL | DangerousDOSCommand_BOMB | 2
522 | Password in Configuration file | ALL | Pcf | 1
531 | Unit Test Libraries should be used in a separate source file | ALL | CWE395TEST_2 | 3
531 | TestCase should be in a separate source file | ALL | CWE395TEST_1 | 2
564 | SQL Injection (HibernateJS) | ALL | Injection564 | 1
601 | HTTP Redirect | ALL | Csrf03 | 1
610 | File or Directory Name Manipulation (JavaScript) | ALL | FileManipulation_JS | 1
612 | JavaScript IndexedDB Injection | ALL | IndexedDBInjectionJS | 1
614 | Insecure Cookie (JavaScript) | ALL | idorjs_unsecure_cookie | 1
614 | Cookie Session too long (JavaScript) | ALL | idorjs_cookie | 2
614 | Insecure Cookie | ALL | IdorCOOKIE | 3
614 | Insecure Cookie Path (JavaScript) | ALL | idorjs_unsecure_cookie_path | 2
639 | Avoid Debug/Trace mode in production | ALL | BrokenauthXML | 5
642 | Improper Granting of all privileges on an object | ALL | idorjs | 1
664 | Unsecure XML setting | ALL | IdorXML | 3
668 | Improper Logger (JavaScript) | ALL | Securitymisc12js | 3
669 | Avoid using Components NW.js | ALL | NWJS | 1
669 | Avoid using Components with Known Vulnerabilities in POM-JAR or Project File (Low) | ALL | Uckv08 | 3
669 | Avoid using Components with Known Vulnerabilities (Medium) | ALL | Uckv02 | 2
669 | Avoid using Components with Known Vulnerabilities in POM-JAR or Project File (Medium) | ALL | Uckv07 | 2
669 | Avoid using Components with Known Vulnerabilities (Low) | ALL | Uckv03 | 3
669 | Avoid using Components with Known Vulnerabilities (High) | ALL | Uckv01 | 1
669 | No Project Files were found | ALL | Uckv04 | 1
669 | No POM.XML Files were found | ALL | Uckv05 | 1
669 | Avoid using Components with Known Vulnerabilities in POM-JAR or Project File (High) | ALL | Uckv06 | 1
676 | Dangerous DOS command | ALL | DangerousDOScommand | 1
676 | Missing wrapping of 'dangerous' functions | ALL | Securitymisc13 | 3
676 | Dangerous Linux command | ALL | DangerousLinuxcommand | 1
77 | Code Injection - Tag | ALL | Injection01Tag | 1
77 | Command Injection | ALL | Injection01 | 1
78 | OS Command Injection (JavaScript) | ALL | OSINJECTION_JS | 1
79 | Reflected XSS (JavaScript) / Security Decisions Via Untrusted Inputs | ALL | XSS_JS | 3
79 | Cross-Site Scripting (Web2py) | ALL | PYTHON_S60 | 1
79 | Cross Site Scripting / Security Decisions Via Untrusted Inputs | ALL | Xss01 | 1
798 | User-Password-Profile-ID in Comment | ALL | Uohcc01 | 4
798 | Hardcoded IP address in comment | ALL | Itl04 | 4
798 | Suspicious Hardcoded URL/URI | ALL | Dangerous_Hardcoded_URL | 3
863 | Access Control: Database (JavaScript) | ALL | accessControl_JS | 1
88 | Avoid SELECT * statements | ALL | Injection17 | 3
88 | NET injection | ALL | Injection20 | 1
89 | SQL Query Injection | ALL | Injection10 | 1
90 | LDAP Injection | ALL | Injection07 | 1
90 | Possible LDAP Injection | ALL | InjectionCert | 3
91 | Weak XML Schema (tag Any) | ALL | XSDAny | 3
91 | Weak XML Schema (type Unbounded) | ALL | XSDmaxOccurs | 3
91 | XPath Injection | ALL | Injection13 | 1
91 | Weak XML Schema (Lax-Skip tags) | ALL | LaxSkip | 1
94 | CORS - Overly permissive target origin | ALL | CodeInjection_JS3 | 1
94 | JQuery Code Injection (JavaScript) | ALL | jqueryjs | 1
94 | Second Order Code Injection (JavaScript) | ALL | MooToolsjs | 1
94 | Overly permissive target origin | ALL | CodeInjection_JS2 | 1
94 | HTML Injection (JavaScript) | ALL | HTMLInjectionJS | 1
94 | Code Injection (JavaScript) | ALL | CodeInjection_JS | 1
94 | Second Order File Injection (JavaScript) | ALL | MooToolsFilejs | 1
94 | Second Order Unsecure JSON decoding (JavaScript) | ALL | MooToolsJsonjs | 1
95 | Eval Injection (JavaScript) | ALL | EvalInjection | 1
96 | SQL Injection (JavaScript) | ALL | SQL_Injection_JS | 1
97 | Server Side Include (SSI) Injection | ALL | SSI | 1
99 | Resource Injection (JavaScript) | ALL | ResourceInjection_JS | 1
119 | Array Index Out Of Bounds | CCPP | C67 | 1
119 | Buffer Overflow (Containers) | CCPP | C03 | 1
120 | Second order Buffer Overflow (sizeof of sizeof) | CCPP | C46 | 3
120 | Buffer Overflow (Buffer) | CCPP | C08 | 1
120 | Buffer Overflow (Array pointer) | CCPP | C04 | 1
120 | Memory Leak (ctype isalnum/isalpha/isascii/is..) | CCPP | C35 | 2
120 | Buffer Overflow (Array Index) | CCPP | C02 | 2
121 | scanf without field width limits | CCPP | C86 | 3
122 | Buffer Overflow (strncpy/memset/memcpy) | CCPP | C10 | 1
125 | Buffer Access Out Of Bounds | CCPP | C68 | 1
125 | Buffer Overflow (Array) | CCPP | C07 | 1
125 | Second order Buffer Overflow (Array) | CCPP | C49 | 3
126 | Second order Buffer Overflow (strncpy) | CCPP | C50 | 2
126 | Buffer Overlap (s[n]printf()) | CCPP | C11 | 2
129 | Buffer Overflow (Index is out of range) | CCPP | C06 | 1
131 | Avoid using Uninitialized Variable (Wrong buffer write) | CCPP | C62 | 1
134 | sprintf: insufficient format string parameters | CCPP | C87 | 3
134 | Stack Overflow (scanf) | CCPP | C81 | 3
135 | Incorrect Calculation of Multi-Byte String Length | CCPP | C135 | 3
170 | Buffer Not Zero Terminated (After a call to a function) | CCPP | C70 | 1
190 | Buffer Overflow (strncat) | CCPP | C09 | 1
195 | Stack Overflow (printf sint) | CCPP | C79 | 3
196 | Stack Overflow (printf uint) | CCPP | C80 | 3
20 | Memory Leak (Same iterator) | CCPP | C24 | 2
200 | Information Leakage (#pragma ibm critical) | CCPP | CE11 | 3
214 | Information Leakage (#pragma ibm parallel_loop) | CCPP | CE12 | 3
233 | Invalid Length Modifier (printf) | CCPP | C73 | 3
243 | Creation of chroot Jail Without Changing Working Directory | CCPP | CE243 | 1
256 | Plaintext Storage of a Password | CCPP | CE256 | 2
257 | Avoid using String for password | CCPP | CE7 | 2
311 | Memory Leak (Unsafe root Class) | CCPP | C29 | 2
327 | Cryptographic key too short | CCPP | CE8 | 3
344 | Hardcoded IP address | CCPP | CE9 | 1
369 | Division by zero | CCPP | C15 | 1
369 | Potential division by zero | CCPP | C42 | 2
388 | Invalid c_str() after a call | CCPP | C20 | 2
388 | Invalid c_str() after throwing exception | CCPP | C21 | 2
396 | Improper Logger (Rethrow) | CCPP | C41 | 1
398 | Memory Leak (Missing virtual destructor) | CCPP | C34 | 2
399 | Memory Leak (Class provides constructors) | CCPP | C27 | 2
400 | Denial of Service (usleep) | CCPP | C14 | 1
401 | Memory Leak (Copy 'auto_ptr' pointer) | CCPP | C33 | 2
401 | Memory Leak (when executing) | CCPP | C39 | 1
404 | Resource Leak (when executing) | CCPP | C40 | 1
456 | Avoid using Uninitialized Variable (Leak) | CCPP | C60 | 1
457 | Avoid using Uninitialized Variable (Member Variable) | CCPP | C59 | 1
457 | Memory Leak (Data not initialized) | CCPP | C28 | 2
466 | Stack Overflow (Wrong returning reference) | CCPP | C57 | 2
467 | Buffer Overflow (pointer) | CCPP | C01 | 1
467 | Second order Buffer Overflow (sizeof for Array) | CCPP | C48 | 3
468 | Stack Overflow (printf *) | CCPP | C77 | 3
476 | Second order null Pointer Dereference (null Pointer) | CCPP | C51 | 2
476 | Second order null Pointer Dereference (shifting negative) | CCPP | C53 | 2
476 | Memory Leak (New) | CCPP | C37 | 1
477 | Obsolete Functions | CCPP | C32 | 3
480 | Assign Bool To Pointer (converting bool value to address) | CCPP | C69 | 3
487 | Invalid Scope Object ('auto-ptr' pointer) | CCPP | C23 | 1
495 | Stack Overflow (local Array variable) | CCPP | C56 | 2
497 | Information Leakage (#pragma ibm schedule) | CCPP | CE13 | 3
511 | Logic-Time Bomb (C/C++) | CCPP | TIMEBOMB_C | 2
523 | Avoid using non-SSL communications | CCPP | CE4 | 2
531 | Unit Test Libraries should be used in a separate source file | CCPP | CWE395TEST_2_CPP | 3
532 | Improper Logger (Destructor) | CCPP | C30 | 1
534 | Ensure all exceptions are either logged with a standard logger or rethrown | CCPP | C31 | 2
562 | Stack Overflow (auto-variable) | CCPP | C55 | 2
562 | Stack Overflow (temporary) | CCPP | C58 | 2
569 | Memory Leak (Class contains a std::string) | CCPP | C26 | 2
569 | Second order Buffer Overflow (strlen/sizeof) | CCPP | C44 | 3
569 | Second order Buffer Overflow (sizeof) | CCPP | C45 | 3
590 | Memory Leak (Memory allocated not freed) | CCPP | C25 | 2
617 | Call Settings manipulation (Assert) | CCPP | C12 | 3
628 | Stack Overflow (printf char*) | CCPP | C78 | 3
628 | Call Settings manipulation (pipe()) | CCPP | C13 | 2
639 | System Error stored in a variable | CCPP | CE6_S | 4
639 | System Error printed out | CCPP | CE6 | 3
665 | Avoid using Uninitialized Variable (inside constructor) | CCPP | C65 | 1
665 | Second order null Pointer Dereference (passing NULL) | CCPP | C52 | 2
665 | Avoid using Uninitialized Variable (Missing use of constructor) | CCPP | C66 | 1
665 | Avoid using Uninitialized Variable (Wrong reassignment) | CCPP | C61 | 3
665 | Invalid Scope Object | CCPP | C22 | 1
665 | Avoid using Uninitialized Variable | CCPP | C63 | 1
665 | Avoid using Uninitialized Variable (struct) | CCPP | C64 | 1
676 | Stack Overflow (Pure virtual call) | CCPP | C54 | 1
680 | Buffer Overflow (operator) | CCPP | C05 | 1
681 | Invalid printf argument type (floating point) | CCPP | C74 | 3
681 | Stack Overflow (printf int) | CCPP | C75 | 3
686 | Stack Overflow (printf int*) | CCPP | C76 | 3
695 | Improper usage of I/O Stream | CCPP | C16 | 2
695 | Avoid using I/O Stream (Read) | CCPP | C17 | 2
695 | Avoid using I/O Stream | CCPP | C18 | 2
695 | Avoid using I/O Stream (Write) | CCPP | C19 | 2
762 | Memory Leak (New mismatch) | CCPP | C38 | 3
763 | Portability failure (CastIntegerToAddressAtReturn) | CCPP | C85 | 1
763 | Portability failure (AssignmentIntegerToAddress) | CCPP | C83 | 1
78 | OS command Injection (Unvalidated command string) | CCPP | CE5 | 1
783 | Second order Buffer Overflow (sizeof with a numeric constant) | CCPP | C47 | 3
79 | Cross Site Scripting / Security Decisions Via Untrusted Inputs | CCPP | CE2 | 1
79 | Reflected Cross Site Scripting / Security Decisions Via Untrusted Inputs | CCPP | C43 | 2
825 | Memory Leak (deallocated pointer) | CCPP | C36 | 1
86 | OS command Injection (Buffer overrun) | CCPP | C82 | 2
86 | Portability failure (AssignmentAddressToInteger) | CCPP | C82 | 1
86 | Portability failure (CastAddressToIntegerAtReturn) | CCPP | C84 | 1
88 | NET injection | CCPP | CE3 | 1
89 | SQL Query Injection | CCPP | CE1 | 1
113 | HTTP Response Splitting | COBOL | Cwe113 | 1
117 | COBOL LOG Forging | COBOL | Cwe117 | 1
15 | CALL Settings Manipulation | COBOL | Cwe15 | 2
200 | Information Leakage - ACCEPT ... FROM CONSOLE | COBOL | Cwe200P3 | 3
200 | Information Leakage - DUMPCODE | COBOL | Cwe200 | 3
200 | Information Leakage - DISPLAY | COBOL | Cwe200P1 | 3
200 | Information Leakage - EVALUATE | COBOL | Cwe200P2 | 4
307 | Access Control: MQ | COBOL | Cwe307 | 1
327 | Weak Cryptography | COBOL | Cwe327 | 2
359 | Privacy Violation: Hardened Credentials | COBOL | Cwe359 | 2
388 | Include SQLCA MISSED | COBOL | Cwe388P2 | 2
388 | Ignored Error Condition | COBOL | Cwe388 | 3
388 | Multiple HANDLE ABEND | COBOL | Cwe388P1 | 4
457 | Avoid using Uninitialized Variable | COBOL | Cwe457 | 3
546 | Suspicious Comment | COBOL | Cwe546 | 4
610 | URL Redirection to Untrusted Site | COBOL | Cwe610 | 1
692 | Reflected Cross Site Scripting / Security Decisions Via Untrusted Inputs | COBOL | Cwe692 | 2
692 | Stored Cross Site Scripting / Security Decisions Via Untrusted Inputs | COBOL | Cwe692P1 | 1
692 | UTF-7 Cross-Site Scripting (COBOL) | COBOL | Cwe692P2 | 3
73 | FILE Path Manipulation | COBOL | Cwe73 | 2
78 | OS Command Injection | COBOL | Cwe78 | 1
79 | Cross-site Scripting | COBOL | Cwe79 | 1
798 | Password in Comment | COBOL | Cwe798P2 | 4
798 | Password Stored in plain text | COBOL | Cwe798 | 2
798 | Hardcoded Password | COBOL | Cwe798P1 | 2
863 | Access Control: DLI | COBOL | Cwe863 | 1
89 | Access Control: Database | COBOL | Cwe89 | 1
99 | QUEUE Resource Injection | COBOL | Cwe732 | 1
11 | Flex Misconfiguration (Debug Information) | JAVA | XML_Debug_Information | 2
114 | Library injection | JAVA | Injection08 | 1
16 | Build misconfiguration (Dynamic Dependency) | JAVA | Dynamic_Dependency | 3
16 | Build Misconfiguration (External Maven Dependency Repository) | JAVA | External_Maven_Dependency_Repository | 4
16 | Build Misconfiguration (External Ant Dependency Repository) | JAVA | External_Ant_Dependency_Repository | 4
20 | ADF Bad Practice (Unsecure Attribute) | JAVA | ADF_Unsecure_Attribute | 2
20 | ADF Bad Practice (url-invoke) | JAVA | ADF_url_invoke | 2
20 | addAccount vulnerability (CVE-2014-8609) | JAVA | addAccount | 1
20 | ADF Bad Practice (Missing Converter) | JAVA | ADF_Missing_Converter | 2
200 | Deprecated Functions | JAVA | DEPRECATED_1 | 3
200 | Improper use of System.err.println() in Catch blocks | JAVA | Securitymisc04 | 2
200 | Avoid use of com.sun or sun packages | JAVA | DEPRECATED_2 | 3
200 | System information leak - Direct JSP Access | JAVA | LeakXML | 1
200 | Information Exposure - HTML comment in JSP | JAVA | CommentHTML | 5
209 | Debug statements can be leaked | JAVA | Brokenauth04 | 5
209 | Debug level of 3 or greater could cause sensitive data including passwords to be logged. Debug #[Object] | JAVA | DebugXML | 3
209 | HTTP Verb Tampering | JAVA | TamperingXML | 1
213 | Unnecessary temporaries when using toString() | JAVA | UnecessarytoString | 1
246 | JAVA Bad Practices: Direct Use of Sockets | JAVA | use_of_Sockets | 1
254 | WebSphere Misconfiguration (Missing Outbound Timestamp) | JAVA | WSP_Missing_Outbound_Timestamp | 3
254 | WebSphere Misconfiguration (Missing Inbound Timestamp) | JAVA | WSP_Missing_Inbound_Timestamp | 3
254 | Weblogic Misconfiguration (Missing Timestamp) | JAVA | Weblogic_Missing_Timestamp | 3
254 | WWS-Security Misconfiguration (Weak Token) | JAVA | WWS_Weak_Token | 2
257 | Avoid recreating string from GuardedString | JAVA | Ftorurla01Java | 2
257 | Avoid using String for password | JAVA | jcs04 | 2
311 | WebSphere Misconfiguration (Weak Token) | JAVA | WSP_Weak_Token | 3
327 | Missing transport-guarantee Constraint | JAVA | GuaranteeXML | 1
327 | Cipher.getInstance with ECB | JAVA | GetInstance_lint | 3
327 | Cryptographic key too short | JAVA | Ics08 | 3
330 | Weak pseudo-random numbers | JAVA | Ics07Java | 2
330 | Weak RNG | JAVA | TrulyRandom_lint | 3
330 | Using a fixed seed with SecureRandom | JAVA | SecureRandom_lint | 3
345 | WebSphere Misconfiguration (Missing Outbound WS-Security) | JAVA | WSP_Missing_Outbound_WS_Security | 3
345 | WebSphere Misconfiguration (Servlets) | JAVA | WSP_Servlets | 3
345 | WebSphere Misconfiguration (Missing Inbound WS-Security) | JAVA | WSP_Missing_Inbound | 3
345 | WebSphere Misconfiguration (Missing Inbound Encryption) | JAVA | WSP_Missing_Inbound_Encryption | 3
345 | WebSphere Misconfiguration (Missing Outbound Signature) | JAVA | WSP_Missing_Outbound_Signature | 3
345 | WebSphere Misconfiguration (Missing Outbound Encryption) | JAVA | WSP_Missing_Outbound_Encryption | 3
345 | WebSphere Misconfiguration (Missing Inbound Signature) | JAVA | WSP_Missing_Inbound_Signature | 3
345 | WebSphere Misconfiguration (Missing Timestamp Expiration) | JAVA | WSP_Missing_Timestamp_Expiration | 3
352 | Unsecure local 'Cookie' object | JAVA | Brokenauth03 | 3
352 | Avoid using 'get' for credential transfers | JAVA | Csrf02 | 2
372 | Incorrect Static Field Access | JAVA | StateDistinction | 3
382 | JAVA Bad Practice - System.exit() | JAVA | USE_SYSTEM_EXIT | 1
388 | Throw in main() method | JAVA | ThrowInMain | 3
388 | Ensure all exceptions are either logged with a standard logger or rethrown | JAVA | Securitymisc12 | 3
388 | Unsecure tracking.mode | JAVA | TrackingXML | 3
394 | Host Name or Address in a condition | JAVA | SecurityBreach | 2
400 | Denial of Service Threat | JAVA | Injection23 | 1
404 | Memory Leak (ObjectOutputStream) | JAVA | MemoryLeakObjectOutputStream | 4
404 | Missing call to super | JAVA | MissingCallSuper | 2
470 | Reflection injection | JAVA | Injection09 | 1
471 | Immutable Classes: Non-final Fields | JAVA | ImmutableClass | 3
476 | Null Pointer Dereference (synchronized) | JAVA | NullableSinchronized | 1
476 | Null Pointer Dereference (condition) | JAVA | NullableCondition | 1
476 | Empty arrays and collections should be returned instead of null | JAVA | ReturnEmptyArrays | 2
477 | Unsupported Feature | JAVA | UnsupportedFeatureJS | 2
499 | Incorrect Serializable Method Signature | JAVA | IncorrectSerializable | 3
499 | Incorrect Serialization of inner classes | JAVA | InnerClassSerializable | 4
5 | ACEGI Security Bad Practice (Insecure Channel Mixing) | JAVA | ACEGI_Insecure_Channel_Mixing | 2
506 | JAVA Bad Practice - Dangerous access to local resources | JAVA | writePathName | 1
511 | Logic-Time Bomb (JavaScript) | JAVA | TIMEBOMB_JS | 2
511 | Logic-Time Bomb | JAVA | TIMEBOMB_JAVA | 2
522 | Weak LDAP Authentication (Anonymous) | JAVA | SECURITY_AUTHENTICATION | 2
523 | Insecure SSL Connection | JAVA | InsecureSSLconnection | 2
523 | Titanium Broken default HTTPS | JAVA | NonValidatingTrustManager | 2
523 | Avoid using non-SSL communications | JAVA | Itl01 | 2
532 | Improper call to printStackTrace() method of Throwable objects | JAVA | Securitymisc16 | 5
572 | Denial Of Service (Thread) | JAVA | ThreadRUN | 2
573 | Bean Class should be serialized | JAVA | NonSerializableBean | 3
594 | Missing writeObject or serialVersionUID | JAVA | ClassSerializable | 3
639 | Custom Security Manager outside of 'main' | JAVA | Brokenauth01 | 2
662 | Denial Of Service (Synchronization) | JAVA | Notify | 2
668 | Exposing dangerous data | JAVA | Ftorurla02 | 2
693 | Missing 'SecurityManager' checks | JAVA | Idor09 | 4
693 | Missing security manager | JAVA | Idor11 | 3
693 | Custom 'SecurityManager' | JAVA | Idor05 | 3
708 | ACEGI Security Bad Practice (Run-As) | JAVA | ACEGI_Run_As | 2
73 | File Contents Injection | JAVA | Injection04 | 1
73 | Empty Jar or Zip file creation | JAVA | EmptyJarZip | 2
73 | File Inclusion Vulnerability | JAVA | IncludeFile | 2
732 | Bean class should be public | JAVA | BeanClassPublic | 2
732 | Bean class without ejbCreate() method | JAVA | BeanClassejbCreate | 2
732 | Bean class should not have finalize() method | JAVA | BeanClassFinalize | 2
732 | Abstract Bean class | JAVA | AbstractBeanClass | 2
732 | Incorrect declaring of ejbCreate() method | JAVA | UncorrectDeclaring | 2
732 | Incorrect declaring of ejbCreate() method | JAVA | UncorrectDdeclaring | 2
732 | Final Bean class | JAVA | FinalBeanClass | 2
732 | Bean class should not return 'this' | JAVA | BeanClassThis | 2
77 | Malicious package name was found | JAVA | MaliciousPackage | 1
78 | Environment Variable Injection | JAVA | Injection03 | 1
79 | Second order reflected XSS / Security Decisions Via Untrusted Inputs | JAVA | Injection99 | 2
79 | Stored XSS | JAVA | JSPStored | 1
79 | Reflected XSS / Security Decisions Via Untrusted Inputs | JAVA | Injection25 | 2
798 | Autocompleted password fields | JAVA | Brokenauth02 | 2
798 | Password stored in plaintext (JAVA) | JAVA | PasswordStored | 2
798 | Dangerous Hardcoded TCP Port | JAVA | Itl03Port | 1
813 | Exposing of internal representations by returning mutable fields | JAVA | Idor04 | 3
829 | Avoid user-defined Native methods | JAVA | NativeJava | 2
88 | Attribute injection | JAVA | Injection22 | 1
88 | Unsecure Properties setting | JAVA | UnsecurePropertiesSetting | 2
89 | Second order SQL Injection | JAVA | Injection16 | 3
89 | Jakarta Digester Injection | JAVA | Injection02 | 1
89 | Second Order SQL Injection - Primary Key | JAVA | Injection10Key | 3
91 | XML Injection | JAVA | Injection12 | 1
91 | XXE - XML External Entities | JAVA | XMLExternalEntities | 1
91 | XXE - XML External Entity Injection | JAVA | InjectionXXE | 1
91 | JXPath Injection | JAVA | Injection06 | 1
94 | addJavascriptInterface Called | JAVA | AddJavascriptInterface_lint | 3
94 | Code injection | JAVA | Injection21 | 1
94 | Code Injection - Insecure loading of a JAVA Class or a Child Process | JAVA | createPackageContext | 1
117 | User-Passwords logging | PHP | PHP.26 | 1
117 | Unsanitized Data Written to Logs | PHP | PHP.27 | 3
16 | Failure to use 'disable_functions' | PHP | PHP.16 | 4
200 | Information Leakage ($_GET['test']) | PHP | PHP.14 | 3
200 | Improper Use of 'register_globals' | PHP | PHP.38 | 1
200 | Improper Use of 'register_globals' | PHP | PHP.31 | 3
200 | Information Leakage through Deprecated Functions | PHP | PHP.13 | 3
200 | Information Exposure Through an Error Message (phpinfo) | PHP | PHP.12 | 3
257 | Avoid Hardcoded Passwords | PHP | PHP.17 | 1
261 | Unsafe Password Management | PHP | PHP.28 | 1
284 | File Access Vulnerability | PHP | PHP.23 | 2
284 | Package Running Under Potentially Excessive Permissions (AUTHID DEFINER) | PHP | PHP.46 | 4
327 | Insecure pseudo-random number generation (mt_rand) | PHP | PHP.15 | 3
338 | Deterministic Pseudo-Random Values (openssl_random_pseudo_bytes) | PHP | PHP.36 | 3
338 | Deterministic Pseudo-Random Values ('secure' value deliberately set to 'false') | PHP | PHP.35 | 3
434 | Unsafe Processing of $_FILES Array | PHP | PHP.25 | 3
601 | Indiscriminate Merging of Input Variables | PHP | PHP.40 | 2
79 | Potential DOM-Based XSS / Security Decisions Via Untrusted Inputs | PHP | PHP.42 | 2
79 | Stored XSS | PHP | PHP.45 | 3
79 | Potential XSS (user-supplied) / Security Decisions Via Untrusted Inputs | PHP | PHP.41 | 2
812 | Log in to MySQL as 'root' | PHP | PHP.34 | 1
812 | De-Activation of 'safe_mode' | PHP | PHP.32 | 3
88 | Function allowing execution of commands coming (proc_open) | PHP | PHP.06 | 1
88 | Function allowing execution of commands coming (pcntl_exec) | PHP | PHP.07 | 1
88 | Function allowing execution of commands (exec) | PHP | PHP.03 | 1
88 | Function allowing execution of commands (system) | PHP | PHP.02 | 1
88 | Function allowing execution of commands (shell_exec) | PHP | PHP.01 | 1
88 | Function allowing execution of commands (passthru) | PHP | PHP.05 | 1
88 | Function allowing execution of commands (popen) | PHP | PHP.04 | 1
88 | Application Variable Used on System Command Line | PHP | PHP.19 | 1
88 | User Controlled Variable Used on System Command Line | PHP | PHP.18 | 2
89 | Potential SQL Injection (pre-prepared dynamic SQL) | PHP | PHP.43 | 1
89 | Potential SQL Injection (dynamic SQL) | PHP | PHP.44 | 1
94 | User's input contains code syntax (preg_replace) | PHP | PHP.10 | 1
94 | User's input contains code syntax (eval) | PHP | PHP.08 | 1
94 | User's input contains code syntax (assert) | PHP | PHP.09 | 1
94 | User's input contains code syntax (create_function) | PHP | PHP.11 | 1
94 | De-Activation of 'magic_quotes' | PHP | PHP.33 | 2
94 | Function May Evaluate PHP Code Contained in User Controlled Variable | PHP | PHP.29 | 2
98 | Variable Used as FileName | PHP | PHP.24 | 5
98 | File Inclusion Vulnerability | PHP | PHP.20 | 2
98 | Variable Used as FileName | PHP | PHP.21 | 1
98 | File Inclusion Vulnerability (uncompiled) | PHP | PHP.22 | 2
113 | Header Manipulation - Cookies (Python) | PYTHON | PYTHON_S14 | 2
117 | Log Forging (Python) | PYTHON | PYTHON_S16 | 1
15 | Setting Manipulation (Python) | PYTHON | PYTHON_S23 | 2
20 | Memcached Injection | PYTHON | PYTHON_S17 | 2
200 | Suspicious long-term packet sniffing | PYTHON | PYTHON_S57 | 3
200 | Suspicious multi-port Sniffing | PYTHON | PYTHON_S66 | 3
200 | System Information Leak - External (Python) | PYTHON | PYTHON_S05 | 4
22 | Path Traversal (Python) | PYTHON | PYTHON_S39 | 1
23 | Relative Path Traversal (Python) | PYTHON | PYTHON_S76 | 3

246

Suspicious Socket/Scapy packets send

PYTHON

PYTHON_S51

1

256

Password in connection string

PYTHON

PYTHON_S34

1

261

Weak Cryptography (Python)

PYTHON

PYTHON_S36

2

314

Command Injection

PYTHON

PYTHON_S47

2

321

Empty or Null Encryption Key

PYTHON

PYTHON_S31

2

321

Empty HMAC Key

PYTHON

PYTHON_S32

2

321

Empty PBE Password

PYTHON

PYTHON_S33

2

327

Weak Cryptography (Python)

PYTHON

PYTHON_S70

2

330

Insecure Randomness - Hardcoded Seed

PYTHON

PYTHON_S30

2

330

Insecure Randomness (Python)

PYTHON

PYTHON_S29

2

340

Predictable Resource Name

PYTHON

PYTHON_S08

1

359

Privacy Violation : Hardened Credentials 

PYTHON

PYTHON_S45

2

387

Information Leakage-Signal (Python)

PYTHON

PYTHON_S50

2

387

Information leakage-Keyboard (Python)

PYTHON

PYTHON_S49

2

388

Improper print of sensitive information during exception handling

PYTHON

PYTHON_S74

3

388

Improper masking of exceptions (Python)

PYTHON

PYTHON_S52

3

388

Unsecure Callback function (Django-hotsauce)

PYTHON

PYTHON_S62

3

388

Poor Exception Handling (Python)

PYTHON

PYTHON_S68

3

400

Denial of Service (Sleep)

PYTHON

PYTHON_S53

1

434

Unrestricted Upload (Django)

PYTHON

PYTHON_S02

1

477

Obsolete Python Framework

PYTHON

PYTHON_S67

3

494

Unsafe Pickle Deserialization

PYTHON

PYTHON_S13

3

494

Reflection Injection (Python)

PYTHON

PYTHON_S41

2

497

System Information Leak - Internal (Python)

PYTHON

PYTHON_S06

1

501

Trust Boundary Violation (Python)

PYTHON

PYTHON_S07

1

522

Unsecure URL/URI in a condition (Python)

PYTHON

PYTHON_S75

3

531

Assert code found (Python)

PYTHON

PYTHON_S43

2

531

Test code found in production (Python)

PYTHON

PYTHON_S42

2

539

Unsecure Cookie (Python)

PYTHON

PYTHON_S27

2

539

Unsecure Cookie - HTTPOnly not Set (Python)

PYTHON

PYTHON_S28

2

552

File Disclusure (Django)

PYTHON

PYTHON_S01

1

601

Open Redirect (Python)

PYTHON

PYTHON_S18

1

610

File or Directory Name Manipulation (Python)

PYTHON

PYTHON_S46

1

631

XSLT Injection (Python)

PYTHON

PYTHON_S26

1

643

XPath Injection (Python)

PYTHON

PYTHON_S24

1

692

Blacklisted Attributes (Django)

PYTHON

PYTHON_S03

3

73

Path Manipulation (Python)

PYTHON

PYTHON_S19

2

77

Command Injection (Python)

PYTHON

PYTHON_S10

1

78

Suspicious user input (OS Prompt)

PYTHON

PYTHON_S56

1

78

Suspicious Win32 usage (SID)

PYTHON

PYTHON_S71

1

78

Suspicious Win32 usage (Win32Security)

PYTHON

PYTHON_S72

1

78

Environment Variable Injection

PYTHON

PYTHON_S73

1

78

OS Command Injection (Python)

PYTHON

PYTHON_S44

1

78

Suspicious Win32 usage (Console Window)

PYTHON

PYTHON_S48

1

79

Cross-Site Scripting (Web2py)

PYTHON

PYTHON_S64

1

79

Cross-Site Scripting (Python)

PYTHON

PYTHON_S63

1

79

Stored XSS (Python)

PYTHON

PYTHON_S11

2

79

ReDoS In Replace

PYTHON

PYTHON_S40

1

798

Dangerous Hardcoded TCP Port

PYTHON

PYTHON_S65

1

798

Hardcoded Password (Python)

PYTHON

PYTHON_S35

1

88

Suspicious DNS Dynamic Update

PYTHON

PYTHON_S55

1

88

Direct use of Sockets (Python)

PYTHON

PYTHON_S58

1

88

Suspicious DNS Transfer

PYTHON

PYTHON_S54

1

89

SQL Injection (Web2py)

PYTHON

PYTHON_S59

1

89

Possible SQL Injection (cubicweb)

PYTHON

PYTHON_S61

1

89

SQL Injection (Python)

PYTHON

PYTHON_S21

1

91

XML Injection (Python)

PYTHON

PYTHON_S25

1

918

Server-Side Request Forgery

PYTHON

PYTHON_S22

1

93

Mail Content Injection

PYTHON

PYTHON_S15

1

94

Overly Permissive CORS Policy (Python)

PYTHON

PYTHON_S04

1

94

Code Injection (Python)

PYTHON

PYTHON_S12

1

99

Resource Injection (Python)

PYTHON

PYTHON_S20

1

117

Information disclosure (detailed exceptions)

RUBY

INJECTION_RUBY_62.1

1

117

Information disclosure

RUBY

INJECTION_RUBY_61.1

1

117

Information disclosure (detailed exceptions)

RUBY

INJECTION_RUBY_62.2

2

117

Second order Information disclosure

RUBY

INJECTION_RUBY_61.2

2

200

Default Routes

RUBY

IMP_RUBY_12.1

1

200

Default Routes

RUBY

IMP_RUBY_12.2

2

209

Hardcoded credentials (CVE-2013-0333)

RUBY

BROKEN_RUBY_9.0

3

212

'serialize' vulnerability (CVE-2013-0277)

RUBY

INSECURE_RUBY_50.1

1

212

Unsafe deserialization

RUBY

INSECURE_RUBY_25.2

2

212

'serialize' vulnerability (CVE-2013-0277)

RUBY

INSECURE_RUBY_50.2

2

269

Unsafe instances

RUBY

FAILURE_RUBY_70.2

2

269

Unsecure mass assignment

RUBY

FAILURE_RUBY_17.2

2

269

Unsecure mass assignment

RUBY

FAILURE_RUBY_54.2

2

269

Dangerous attributes in Model

RUBY

IMP_RUBY_60.1

1

269

Nested attributes in Rails 2.3.9 and 3.0.0 (CVE-2010-3933)

RUBY

FAILURE_RUBY_31.1

1

269

Unsecure mass assignment

RUBY

FAILURE_RUBY_17.1

1

269

Unsecure mass assignment

RUBY

FAILURE_RUBY_54.1

1

269

Dangerous attributes in Model

RUBY

IMP_RUBY_60.2

2

269

Improper Session key length

RUBY

FAILURE_RUBY_26.1

1

269

Unsafe instances

RUBY

FAILURE_RUBY_70.1

1

269

Unsecure mass assignment

RUBY

FAILURE_RUBY_17.3

3

269

Dangerous attributes in Model

RUBY

IMP_RUBY_60.3

3

269

Unsafe instances

RUBY

FAILURE_RUBY_70.3

3

352

CSRF or authentication checks wrongly skipping

RUBY

CSRF_RUBY_10.2

2

352

'protect_from_forgery' not enabled in ApplicationController (csrf_protection_missing)

RUBY

CSRF_RUBY_7.1

1

352

Response splitting (CVE-2011-3186)

RUBY

CSRF_RUBY_37.2

2

352

Verifies that protect_from_forgery is enabled in ApplicationController (CVE-2011-0447)

RUBY

CSRF_RUBY_33.1

1

352

CSRF or authentication checks wrongly skipping

RUBY

CSRF_RUBY_8.2

2

352

Verifies that protect_from_forgery is enabled in ApplicationController (csrf_protection_disabled)

RUBY

CSRF_RUBY_6.1

1

400

Header DoS (CVE-2011-2930)

RUBY

INJECTION_RUBY_35.1

1

400

Render :text DoS (CVE_2014_0082)

RUBY

INJECTION_RUBY_75.1

1

400

Second order DoS (CVE-2012-3424)

RUBY

INJECTION_RUBY_42.3

3

400

Denial of Service (CVE-2012-3424)

RUBY

INJECTION_RUBY_42.1

1

400

Second order Header DoS (CVE-2011-2930)

RUBY

INJECTION_RUBY_35.2

2

400

Symbol DoS (ActiveRecord or 'unsafe_symbol_creation')

RUBY

INJECTION_RUBY_59.1

1

400

Header DoS (CVE-2013-6414)

RUBY

INJECTION_RUBY_64.2

2

400

Symbol DoS (ActiveRecord or 'unsafe_symbol_creation')

RUBY

INJECTION_RUBY_59.2

2

400

Symbol DoS (ActiveRecord) (CVE-2013-1854)

RUBY

INJECTION_RUBY_55.2

2

470

Unsafe reflection

RUBY

INJECTION_RUBY_24.1

1

470

Unsafe reflection

RUBY

INJECTION_RUBY_24.2

2

601

Dangerous 'redirect_to'

RUBY

URL_RUBY_18.3

3

601

Dangerous 'redirect_to'

RUBY

URL_RUBY_18.1

1

639

Unsafe hrefs value

RUBY

FAILURE_RUBY_4.2

2

639

Unsafe hrefs value

RUBY

FAILURE_RUBY_4.1

1

665

Rails versions with SafeBuffer bug

RUBY

INSECURE_RUBY_21.2

2

669

Avoid using Components with Known Vulnerabilities

RUBY

LAYER_RUBY_1.2013

1

676

Vulnerable sanitize helper (CVE-2013-1857)

RUBY

SECURITMISC_RUBY_58.2

2

676

Unsafe use of select() helper

RUBY

SECURITMISC_RUBY_22.2

2

676

Versions with vulnerable sanitize and sanitize_css (CVE-2013-1855)

RUBY

SECURITMISC_RUBY_56.2

2

676

Versions with vulnerable sanitize and sanitize_css (CVE-2013-1855)

RUBY

SECURITMISC_RUBY_56.1

1

676

Vulnerable sanitize helper (CVE-2013-1857)

RUBY

SECURITMISC_RUBY_58.1

1

676

Unsafe use of select() helper

RUBY

SECURITMISC_RUBY_22.3

3

676

Unsafe use of Object#send

RUBY

SECURITMISC_RUBY_23.1

1

676

unsafe uses of select_tag() (CVE-2012-3463)

RUBY

SECURITMISC_RUBY_43.1

1

73

Unpredictable file access through user input 

RUBY

INJECTION_RUBY_16.1

1

73

Unsafe file access

RUBY

INJECTION_RUBY_15.1

1

73

Possible Unsafe file access

RUBY

INJECTION_RUBY_15.3

3

73

Possible Unpredictable file access

RUBY

INJECTION_RUBY_16.3

3

73

Second order Unsafe file access

RUBY

INJECTION_RUBY_15.2

2

73

Second order Unpredictable file access

RUBY

INJECTION_RUBY_16.2

2

732

Dangerous attributes in Model

RUBY

IMP_RUBY_19.1

1

732

Dangerous public attributes in Model (CVE-2013-0276)

RUBY

IMP_RUBY_51.1

1

732

Dangerous public attributes in Model

RUBY

IMP_RUBY_20.1

1

732

Dangerous public attributes in Model (CVE-2013-0276)

RUBY

IMP_RUBY_51.2

2

732

Dangerous public attributes in Model

RUBY

IMP_RUBY_20.2

2

732

Dangerous attributes in Model

RUBY

IMP_RUBY_19.2

2

732

Dangerous public attributes in Model

RUBY

IMP_RUBY_20.3

3

78

YAML parsing vulnerabilities (CVE-2013-0156)

RUBY

INJECTION_RUBY_48.1

1

78

Code injection (CVE-2013-0333)

RUBY

INJECTION_RUBY_14.1

1

79

Simple_format XSS (CVE-2013-6416) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_67.2

2

79

XSS (helper) (CVE-2014-0081) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_73.2

2

79

Cross Site Scripting (Unescaped JSON) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_5.2

2

79

Cross Site Scripting (Unescaped JSON) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_5.1

1

79

Cross Site Scripting (CVE-2011-2929) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_34.1

1

79

Possible XSS (link_to) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_3.2

2

79

Cross Site Scripting (JRuby) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_53.1

1

79

i18n XSS (CVE-2013-4491) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_63.2

2

79

Cross Site Scripting (Unescaped Output) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_2.1

1

79

Missing escape on single quotes (CVE-2012-3464) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_44.2

2

79

XSS vulnerability in translate helper / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_28.2

2

79

Cross Site Scripting (Unescaped JSON) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_5.3

3

79

Second order SQL injection (CVE-2013-0333)

RUBY

INJECTION_RUBY_14.2

2

79

Cross Site Scripting (Unescaped Output) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_2.3

3

79

Strip_tags vulnerabilities (CVE-2012-3465) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_45.1

1

79

Vulnerable 'strip_tags' or other escape method (CVE-2011-2931) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_36.1

1

79

XSS (sanitize and sanitize_css) (CVE-2013-1855) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_30.1

1

79

XSS vulnerability in translate helper / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_28.1

1

79

Cross Site Scripting (JRuby) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_53.2

2

79

Cross Site Scripting (Unescaped Output) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_2.2

2

79

XSS (Mail_to) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_32.1

1

79

XSS (link_to) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_3.1

1

798

Insecure SSL certificate

RUBY

LAYER_RUBY_71.1

1

89

SQL injection (:limit and :offset)

RUBY

INJECTION_RUBY_1.2

2

89

SQL injection

RUBY

INJECTION_RUBY_0.2

2

89

SQL injection (CVE-2014-0080)

RUBY

INJECTION_RUBY_72.1

1

89

SQL injection (:limit and :offset)

RUBY

INJECTION_RUBY_1.1

1

89

SQL injection

RUBY

INJECTION_RUBY_0.1

1

89

Missed evaluation of user input

RUBY

INJECTION_RUBY_13.1

1

89

SQL injection (CVE-2012-2660)

RUBY

INJECTION_RUBY_38.1

1

89

SQL injection (CVE-2012-6496)

RUBY

INJECTION_RUBY_46.1

1

89

SQL injection (CVE-2013-0155)

RUBY

INJECTION_RUBY_47.1

1

89

SQL injection (CVE-2013-6417)

RUBY

INJECTION_RUBY_69.1

1

89

SQL injection (CVE-2012-2695)

RUBY

INJECTION_RUBY_40.1

1

89

SQL injection (CVE-2012-2661)

RUBY

INJECTION_RUBY_39.1

1

91

JSON parsing vulnerabilities (CVE-2013-0269) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_49.1

1

91

Versions with JRuby XML parsing backend (CVE-2013-1856)

RUBY

INJECTION_RUBY_57.1

1

91

JSON parsing vulnerabilities (CVE-2013-0333) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_52.3

3

91

JSON parsing vulnerabilities (CVE-2013-0333) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_52.1

1

91

JSON parsing vulnerabilities (CVE-2013-0333) / Security Decisions Via Untrusted Inputs

RUBY

XSS_RUBY_52.2

2

200

Information Leakage (DBMS_OUTPUT.PUT_LINE)

SQL

PLSQL.15

3

200

Improper using of WHEN OTHERS as only exception handler.

SQL

PLSQL.21

3

200

Error Handling With Output Parameters.

SQL

PLSQL.03

3

200

Information Leakage (WHEN OTHERS THEN)

SQL

PLSQL.01

3

200

Dangerous Deprecated Feature (T-SQL)

SQL

SQL.02

2

200

Deprecated Feature (T-SQL)

SQL

SQL.01

3

200

Avoid using DBMS_UTILITY.EXEC_DDL_STATEMENT

SQL

PLSQL.33

3

200

Information Leakage (FUNCTION with OUT parameters)

SQL

PLSQL.20

2

200

Deprecated Functions Teradata SQL

SQL

SQL.04

3

200

Useless Feature (T-SQL)

SQL

SQL.03

4

257

Hardcoded Passwords

SQL

PLSQL.13

1

265

Improper Granting of all privileges on an object

SQL

PLSQL.38

1

284

Avoid using Invoker's rights (AUTHID CURRENT_USER)

SQL

PLSQL.35

1

284

Improper using of Packages to administer the network Access Control List functions inside a procedure (DBMS_NETWORK)

SQL

PLSQL.26

1

284

Package Running Under Potentially Excessive Permissions (AUTHID CURRENT_USER)

SQL

PLSQL.05

4

284

Package Running Under Potentially Excessive Permissions (AUTHID DEFINER)

SQL

PLSQL.04

4

284

The use of one of these SYS procedures performed by a SYS user will give to any user the rights of database admin and therefore allows to do everything possible including deleting all access rights.

SQL

PLSQL.25

1

311

Missing DBMS_LDAP.free_mod_array

SQL

PLSQL.29

2

326

MD5 MD4 and SHA-1 should no longer be relied upon to verify the authenticity of data in security-critical contexts.

SQL

PLSQL.39

2

327

Static Random Number Generator

SQL

PLSQL.32

2

36

Absolute Path in Source Code (SQL)

SQL

PLSQL.30

3

388

Improper masking exceptions with NULL statements

SQL

PLSQL.18

1

388

Avoid disabling DBMS_LDAP.USE_EXCEPTION.

SQL

PLSQL.27

1

388

Avoid decentralized EXCEPTION_INIT statements

SQL

PLSQL.19

3

388

Improper processing of User-Password-IP Address

SQL

PLSQL.02

2

400

SQL statement DoS (CROSS JOIN in a LOOP-FOR)

SQL

PLSQL.23

1

400

Avoid using DELETE or UPDATE without a WHERE clause

SQL

PLSQL.22

1

400

Denial Of Service Threat (dbms_lock.sleep)

SQL

PLSQL.41

1

400

SQL statement DoS (GROUP BY in a loop)

SQL

PLSQL.24

1

400

Data Formatting Within VIEW

SQL

PLSQL.07

4

477

Use DBMS_STATS instead.

SQL

PLSQL.34

3

497

Information Leakage (OWA_UTIL.print)

SQL

PLSQL.36

3

501

Improper accepting of untrusted sensitive data from a Cookie and using it without validation

SQL

PLSQL.37

1

79

Stored XSS

SQL

PLSQL.06

5

798

Hardcoded IP address

SQL

PLSQL.31

1

89

SQL Injection (deprecated DBMS_SQL.* statement)

SQL

PLSQL.16

1

89

Variable concatenated with dynamic SQL statement.

SQL

PLSQL.08

1

89

SQL injection through use of an input variable within a query.

SQL

PLSQL.9

1

89

Avoid SELECT * statements (SQL)

SQL

PLSQL.17

3

90

Populating a mod_array and using it directly in DBMS_LDAP.add_s DBMS_LDAP.modify_s DBMS_LDAP.delete_s may expose it to a LDAP Injection

SQL

PLSQL.28

1

COPYRIGHT (C) 2015-2024 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.