CWE VIEW: Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses at varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability, whereas a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
Show Details:
1200 - Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors
Class - Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
(Class: a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.)
The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
Alternate terms: Buffer Overflow, buffer overrun, memory safety
Base - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
(Base: a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.)
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Alternate terms: XSS, HTML Injection, CSS
Class - Improper Input Validation (CWE-20)
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Class - Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Alternate terms: Information Disclosure, Information Leak
Base - Out-of-bounds Read (CWE-125)
The product reads data past the end, or before the beginning, of the intended buffer.
Base - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Variant - Use After Free (CWE-416)
(Variant: a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base Weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.)
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
Alternate terms: Dangling pointer, UAF
Base - Integer Overflow or Wraparound (CWE-190)
The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
Composite - Cross-Site Request Forgery (CSRF) (CWE-352)
(Composite: a Compound Element that consists of two or more distinct weaknesses, in which all weaknesses must be present at the same time in order for a potential vulnerability to arise. Removing any of the weaknesses eliminates or sharply reduces the risk. One weakness, X, can be "broken down" into component weaknesses Y and Z. In some cases, a weakness might not be essential to a composite, but it changes the nature of the composite when it becomes a vulnerability.)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Alternate terms: Session Riding, Cross Site Reference Forgery, XSRF
Base - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Alternate terms: Directory traversal, Path traversal
Base - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Alternate terms: Shell injection, Shell metacharacters
Base - Out-of-bounds Write (CWE-787)
The product writes data past the end, or before the beginning, of the intended buffer.
Alternate terms: Memory Corruption
Class - Improper Authentication (CWE-287)
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Alternate terms: authentification, AuthN, AuthC
Base - NULL Pointer Dereference (CWE-476)
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
Alternate terms: NPD, null deref, nil pointer dereference
Class - Incorrect Permission Assignment for Critical Resource (CWE-732)
The product specifies permissions for a critical resource in a way that allows that resource to be read or modified by unintended actors.
Base - Unrestricted Upload of File with Dangerous Type (CWE-434)
The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
Alternate terms: Unrestricted File Upload
Base - Improper Restriction of XML External Entity Reference (CWE-611)
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Alternate terms: XXE
Base - Improper Control of Generation of Code ('Code Injection') (CWE-94)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Base - Use of Hard-coded Credentials (CWE-798)
The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Class - Uncontrolled Resource Consumption (CWE-400)
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Alternate terms: Resource Exhaustion
Base - Missing Release of Resource after Effective Lifetime (CWE-772)
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
Base - Untrusted Search Path (CWE-426)
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Alternate terms: Untrusted Path
Base - Deserialization of Untrusted Data (CWE-502)
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Alternate terms: Marshaling, Unmarshaling; Pickling, Unpickling; PHP Object Injection
Class - Improper Privilege Management (CWE-269)
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Base - Improper Certificate Validation (CWE-295)
The product does not validate, or incorrectly validates, a certificate.
Use of the Common Weakness Enumeration (CWE) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI), which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2023, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.