CWE Definitions
Common Weakness Enumeration (CWE™) is a list of common software and hardware weakness types that have security ramifications.
A “weakness” is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.
| CWE Number | Name | |
|---|---|---|
| CWE-530 | Exposure of Backup File to an Unauthorized Control Sphere | Vulnerabilities |
| CWE-531 | Inclusion of Sensitive Information in Test Code | Vulnerabilities |
| CWE-532 | Insertion of Sensitive Information into Log File | Vulnerabilities |
| CWE-535 | Exposure of Information Through Shell Error Message | Vulnerabilities |
| CWE-536 | Servlet Runtime Error Message Containing Sensitive Information | Vulnerabilities |
| CWE-537 | Java Runtime Error Message Containing Sensitive Information | Vulnerabilities |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | Vulnerabilities |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information | Vulnerabilities |
| CWE-540 | Inclusion of Sensitive Information in Source Code | Vulnerabilities |
| CWE-541 | Inclusion of Sensitive Information in an Include File | Vulnerabilities |
| CWE-543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context | Vulnerabilities |
| CWE-544 | Missing Standardized Error Handling Mechanism | Vulnerabilities |
| CWE-546 | Suspicious Comment | Vulnerabilities |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | Vulnerabilities |
| CWE-548 | Exposure of Information Through Directory Listing | Vulnerabilities |
| CWE-549 | Missing Password Field Masking | Vulnerabilities |
| CWE-550 | Server-generated Error Message Containing Sensitive Information | Vulnerabilities |
| CWE-551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | Vulnerabilities |
| CWE-552 | Files or Directories Accessible to External Parties | Vulnerabilities |
| CWE-553 | Command Shell in Externally Accessible Directory | Vulnerabilities |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | Vulnerabilities |
| CWE-555 | J2EE Misconfiguration: Plaintext Password in Configuration File | Vulnerabilities |
| CWE-556 | ASP.NET Misconfiguration: Use of Identity Impersonation | Vulnerabilities |
| CWE-558 | Use of getlogin() in Multithreaded Application | Vulnerabilities |
| CWE-560 | Use of umask() with chmod-style Argument | Vulnerabilities |
| CWE-561 | Dead Code | Vulnerabilities |
| CWE-562 | Return of Stack Variable Address | Vulnerabilities |
| CWE-563 | Assignment to Variable without Use | Vulnerabilities |
| CWE-564 | SQL Injection: Hibernate | Vulnerabilities |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | Vulnerabilities |
| CWE-566 | Authorization Bypass Through User-Controlled SQL Primary Key | Vulnerabilities |
| CWE-567 | Unsynchronized Access to Shared Data in a Multithreaded Context | Vulnerabilities |
| CWE-568 | finalize() Method Without super.finalize() | Vulnerabilities |
| CWE-570 | Expression is Always False | Vulnerabilities |
| CWE-571 | Expression is Always True | Vulnerabilities |
| CWE-572 | Call to Thread run() instead of start() | Vulnerabilities |
| CWE-573 | Improper Following of Specification by Caller | Vulnerabilities |
| CWE-574 | EJB Bad Practices: Use of Synchronization Primitives | Vulnerabilities |
| CWE-575 | EJB Bad Practices: Use of AWT Swing | Vulnerabilities |
| CWE-576 | EJB Bad Practices: Use of Java I/O | Vulnerabilities |
| CWE-577 | EJB Bad Practices: Use of Sockets | Vulnerabilities |
| CWE-578 | EJB Bad Practices: Use of Class Loader | Vulnerabilities |
| CWE-579 | J2EE Bad Practices: Non-serializable Object Stored in Session | Vulnerabilities |
| CWE-580 | clone() Method Without super.clone() | Vulnerabilities |
| CWE-581 | Object Model Violation: Just One of Equals and Hashcode Defined | Vulnerabilities |
| CWE-582 | Array Declared Public, Final, and Static | Vulnerabilities |
| CWE-583 | finalize() Method Declared Public | Vulnerabilities |
| CWE-584 | Return Inside Finally Block | Vulnerabilities |
| CWE-585 | Empty Synchronized Block | Vulnerabilities |
| CWE-586 | Explicit Call to Finalize() | Vulnerabilities |
Please note that CWE definitions are provided as a quick reference only.
Visit http://cwe.mitre.org/ for a complete list of CWE entries
and for more details.