From 8b5d1c8e921799f6df15801c083b8a8bfabce2ec Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Tue, 1 Nov 2022 14:00:23 +0900 Subject: [PATCH] feat(cwe, cti): update dictionary (#1553) * feat(cwe): update CWE dictionary * feat(cti): update CTI dictionary * fix(cwe): fix typo --- cti/cti.go | 139 +++- cwe/en.go | 484 +++++++------ cwe/ja.go | 2008 ++++++++++++++++++++++++++++++++++++++-------------- 3 files changed, 1869 insertions(+), 762 deletions(-) diff --git a/cti/cti.go b/cti/cti.go index edcef85f52..7ec00c8e36 100644 --- a/cti/cti.go +++ b/cti/cti.go @@ -660,7 +660,7 @@ var TechniqueDict = map[string]Technique{ Name: "CAPEC-35: Leverage Executable Code in Non-Executable Files", }, "CAPEC-36": { - Name: "CAPEC-36: Using Unpublished Interfaces", + Name: "CAPEC-36: Using Unpublished Interfaces or Functionality", }, "CAPEC-37": { Name: "CAPEC-37: Retrieve Embedded Sensitive Data", @@ -831,7 +831,7 @@ var TechniqueDict = map[string]Technique{ Name: "CAPEC-442: Infected Software", }, "CAPEC-443": { - Name: "CAPEC-443: Malicious Logic Inserted Into Product Software by Authorized Developer", + Name: "CAPEC-443: Malicious Logic Inserted Into Product by Authorized Developer", }, "CAPEC-444": { Name: "CAPEC-444: Development Alteration", @@ -840,7 +840,7 @@ var TechniqueDict = map[string]Technique{ Name: "CAPEC-445: Malicious Logic Insertion into Product Software via Configuration Management Manipulation", }, "CAPEC-446": { - Name: "CAPEC-446: Malicious Logic Insertion into Product Software via Inclusion of 3rd Party Component Dependency", + Name: "CAPEC-446: Malicious Logic Insertion into Product via Inclusion of Third-Party Component", }, "CAPEC-447": { Name: "CAPEC-447: Design Alteration", @@ -1382,9 +1382,6 @@ var TechniqueDict = map[string]Technique{ "CAPEC-628": { Name: "CAPEC-628: Carry-Off GPS Attack", }, - "CAPEC-629": { - Name: "CAPEC-629: Unauthorized Use of Device Resources", - }, "CAPEC-63": { Name: "CAPEC-63: Cross-Site Scripting (XSS)", }, 
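Review bot: The `@@ -1382,9 +1382,6 @@` hunk deletes the `"CAPEC-629"` entry from `TechniqueDict` outright, so any record that was tagged with that ID under the previous dictionary will now miss on lookup; every other change in this file is a rename or an addition that keeps the key resolvable. I can't tell from the diff whether CAPEC retired the entry upstream or why it was dropped. Unless callers are known to treat a missing key as "unknown technique", consider keeping a tombstone such as `"CAPEC-629": {Name: "CAPEC-629: DEPRECATED: Unauthorized Use of Device Resources"},` so existing data keeps rendering, or at least recording the removal in the commit description. The `TechniqueDict` declaration and its closing brace lie outside this hunk.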
@@ -1464,7 +1461,7 @@ var TechniqueDict = map[string]Technique{
 Name: "CAPEC-652: Use of Known Kerberos Credentials",
 },
 "CAPEC-653": {
- Name: "CAPEC-653: Use of Known Windows Credentials",
+ Name: "CAPEC-653: Use of Known Operating System Credentials",
 },
 "CAPEC-654": {
 Name: "CAPEC-654: Credential Prompt Impersonation",
@@ -1553,9 +1550,39 @@ var TechniqueDict = map[string]Technique{
 "CAPEC-681": {
 Name: "CAPEC-681: Exploitation of Improperly Controlled Hardware Security Identifiers",
 },
+ "CAPEC-682": {
+ Name: "CAPEC-682: Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities",
+ },
 "CAPEC-69": {
 Name: "CAPEC-69: Target Programs with Elevated Privileges",
 },
+ "CAPEC-690": {
+ Name: "CAPEC-690: Metadata Spoofing",
+ },
+ "CAPEC-691": {
+ Name: "CAPEC-691: Spoof Open-Source Software Metadata",
+ },
+ "CAPEC-692": {
+ Name: "CAPEC-692: Spoof Version Control System Commit Metadata",
+ },
+ "CAPEC-693": {
+ Name: "CAPEC-693: StarJacking",
+ },
+ "CAPEC-694": {
+ Name: "CAPEC-694: System Location Discovery",
+ },
+ "CAPEC-695": {
+ Name: "CAPEC-695: Repo Jacking",
+ },
+ "CAPEC-696": {
+ Name: "CAPEC-696: Load Value Injection",
+ },
+ "CAPEC-697": {
+ Name: "CAPEC-697: DHCP Spoofing",
+ },
+ "CAPEC-698": {
+ Name: "CAPEC-698: Install Malicious Extension",
+ },
 "CAPEC-7": {
 Name: "CAPEC-7: Blind SQL Injection",
 },
@@ -1596,7 +1623,7 @@ var TechniqueDict = map[string]Technique{
 Name: "CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic",
 },
 "CAPEC-81": {
- Name: "CAPEC-81: Web Logs Tampering",
+ Name: "CAPEC-81: Web Server Logs Tampering",
 },
 "CAPEC-83": {
 Name: "CAPEC-83: XPath Injection",
@@ -1814,6 +1841,18 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0005: Defense Evasion => T1027.006: HTML Smuggling",
 Platforms: []string{"Linux", "Windows", "macOS"},
 },
+ "T1027.007": {
+ Name: "TA0005: Defense Evasion => T1027.007: Dynamic API Resolution",
+ Platforms: []string{"Windows"},
+ },
+ "T1027.008": {
+ Name: "TA0005: Defense Evasion => T1027.008: Stripped Payloads",
+ Platforms: []string{"Linux", "Windows", "macOS"},
+ },
+ "T1027.009": {
+ Name: "TA0005: Defense Evasion => T1027.009: Embedded Payloads",
+ Platforms: []string{"Linux", "Windows", "macOS"},
+ },
 "T1029": {
 Name: "TA0010: Exfiltration => T1029: Scheduled Transfer",
 Platforms: []string{"Linux", "Windows", "macOS"},
@@ -2087,8 +2126,8 @@ var TechniqueDict = map[string]Technique{
 Platforms: []string{"Azure AD", "Google Workspace", "IaaS", "Office 365", "SaaS"},
 },
 "T1070": {
- Name: "TA0005: Defense Evasion => T1070: Indicator Removal on Host",
- Platforms: []string{"Containers", "Linux", "Network", "Windows", "macOS"},
+ Name: "TA0005: Defense Evasion => T1070: Indicator Removal",
+ Platforms: []string{"Containers", "Google Workspace", "Linux", "Network", "Office 365", "Windows", "macOS"},
 },
 "T1070.001": {
 Name: "TA0005: Defense Evasion => T1070.001: Clear Windows Event Logs",
@@ -2114,6 +2153,18 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0005: Defense Evasion => T1070.006: Timestomp",
 Platforms: []string{"Linux", "Windows", "macOS"},
 },
+ "T1070.007": {
+ Name: "TA0005: Defense Evasion => T1070.007: Clear Network Connection History and Configurations",
+ Platforms: []string{"Linux", "Network", "Windows", "macOS"},
+ },
+ "T1070.008": {
+ Name: "TA0005: Defense Evasion => T1070.008: Clear Mailbox Data",
+ Platforms: []string{"Google Workspace", "Linux", "Office 365", "Windows", "macOS"},
+ },
+ "T1070.009": {
+ Name: "TA0005: Defense Evasion => T1070.009: Clear Persistence",
+ Platforms: []string{"Linux", "Windows", "macOS"},
+ },
 "T1071": {
 Name: "TA0011: Command and Control => T1071: Application Layer Protocol",
 Platforms: []string{"Linux", "Windows", "macOS"},
@@ -2152,7 +2203,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1078": {
 Name: "TA0001: Initial Access, TA0003: Persistence, TA0004: Privilege Escalation, TA0005: Defense Evasion => T1078: Valid Accounts",
- Platforms: []string{"Azure AD", "Containers", "Google Workspace", "IaaS", "Linux", "Office 365", "SaaS", "Windows", "macOS"},
+ Platforms: []string{"Azure AD", "Containers", "Google Workspace", "IaaS", "Linux", "Network", "Office 365", "SaaS", "Windows", "macOS"},
 },
 "T1078.001": {
 Name: "TA0001: Initial Access, TA0003: Persistence, TA0004: Privilege Escalation, TA0005: Defense Evasion => T1078.001: Default Accounts",
@@ -2504,7 +2555,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1199": {
 Name: "TA0001: Initial Access => T1199: Trusted Relationship",
- Platforms: []string{"IaaS", "Linux", "SaaS", "Windows", "macOS"},
+ Platforms: []string{"IaaS", "Linux", "Office 365", "SaaS", "Windows", "macOS"},
 },
 "T1200": {
 Name: "TA0001: Initial Access => T1200: Hardware Additions",
@@ -2546,6 +2597,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0011: Command and Control => T1205.001: Port Knocking",
 Platforms: []string{"Linux", "Network", "Windows", "macOS"},
 },
+ "T1205.002": {
+ Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0011: Command and Control => T1205.002: Socket Filters",
+ Platforms: []string{"Linux", "Windows", "macOS"},
+ },
 "T1207": {
 Name: "TA0005: Defense Evasion => T1207: Rogue Domain Controller",
 Platforms: []string{"Windows"},
@@ -2780,7 +2835,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1505": {
 Name: "TA0003: Persistence => T1505: Server Software Component",
- Platforms: []string{"Linux", "Windows", "macOS"},
+ Platforms: []string{"Linux", "Network", "Windows", "macOS"},
 },
 "T1505.001": {
 Name: "TA0003: Persistence => T1505.001: SQL Stored Procedures",
@@ -2792,7 +2847,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1505.003": {
 Name: "TA0003: Persistence => T1505.003: Web Shell",
- Platforms: []string{"Linux", "Windows", "macOS"},
+ Platforms: []string{"Linux", "Network", "Windows", "macOS"},
 },
 "T1505.004": {
 Name: "TA0003: Persistence => T1505.004: IIS Components",
@@ -2827,8 +2882,8 @@ var TechniqueDict = map[string]Technique{
 Platforms: []string{"Linux", "Network", "Windows", "macOS"},
 },
 "T1530": {
- Name: "TA0009: Collection => T1530: Data from Cloud Storage Object",
- Platforms: []string{"IaaS"},
+ Name: "TA0009: Collection => T1530: Data from Cloud Storage",
+ Platforms: []string{"IaaS", "SaaS"},
 },
 "T1531": {
 Name: "TA0040: Impact => T1531: Account Access Removal",
@@ -2900,7 +2955,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1546": {
 Name: "TA0003: Persistence, TA0004: Privilege Escalation => T1546: Event Triggered Execution",
- Platforms: []string{"Linux", "Windows", "macOS"},
+ Platforms: []string{"IaaS", "Linux", "Office 365", "SaaS", "Windows", "macOS"},
 },
 "T1546.001": {
 Name: "TA0003: Persistence, TA0004: Privilege Escalation => T1546.001: Change Default File Association",
@@ -2962,6 +3017,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0003: Persistence, TA0004: Privilege Escalation => T1546.015: Component Object Model Hijacking",
 Platforms: []string{"Windows"},
 },
+ "T1546.016": {
+ Name: "TA0003: Persistence, TA0004: Privilege Escalation => T1546.016: Installer Packages",
+ Platforms: []string{"Linux", "Windows", "macOS"},
+ },
 "T1547": {
 Name: "TA0003: Persistence, TA0004: Privilege Escalation => T1547: Boot or Logon Autostart Execution",
 Platforms: []string{"Linux", "Windows", "macOS"},
@@ -3048,7 +3107,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1550.001": {
 Name: "TA0005: Defense Evasion, TA0008: Lateral Movement => T1550.001: Application Access Token",
- Platforms: []string{"Containers", "Google Workspace", "Office 365", "SaaS"},
+ Platforms: []string{"Azure AD", "Containers", "Google Workspace", "IaaS", "Office 365", "SaaS"},
 },
 "T1550.002": {
 Name: "TA0005: Defense Evasion, TA0008: Lateral Movement => T1550.002: Pass the Hash",
@@ -3152,7 +3211,7 @@ var TechniqueDict = map[string]Technique{
 },
 "T1556": {
 Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0006: Credential Access => T1556: Modify Authentication Process",
- Platforms: []string{"Linux", "Network", "Windows", "macOS"},
+ Platforms: []string{"Azure AD", "Google Workspace", "IaaS", "Linux", "Network", "Office 365", "SaaS", "Windows", "macOS"},
 },
 "T1556.001": {
 Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0006: Credential Access => T1556.001: Domain Controller Authentication",
@@ -3174,9 +3233,17 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0006: Credential Access => T1556.005: Reversible Encryption",
 Platforms: []string{"Windows"},
 },
+ "T1556.006": {
+ Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0006: Credential Access => T1556.006: Multi-Factor Authentication",
+ Platforms: []string{"Azure AD", "Google Workspace", "IaaS", "Linux", "Office 365", "SaaS", "Windows", "macOS"},
+ },
+ "T1556.007": {
+ Name: "TA0003: Persistence, TA0005: Defense Evasion, TA0006: Credential Access => T1556.007: Hybrid Identity",
+ Platforms: []string{"Azure AD", "Google Workspace", "IaaS", "Office 365", "SaaS", "Windows"},
+ },
 "T1557": {
 Name: "TA0006: Credential Access, TA0009: Collection => T1557: Adversary-in-the-Middle",
- Platforms: []string{"Linux", "Windows", "macOS"},
+ Platforms: []string{"Linux", "Network", "Windows", "macOS"},
 },
 "T1557.001": {
 Name: "TA0006: Credential Access, TA0009: Collection => T1557.001: LLMNR/NBT-NS Poisoning and SMB Relay",
@@ -3550,6 +3617,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0042: Resource Development => T1583.006: Web Services",
 Platforms: []string{"PRE"},
 },
+ "T1583.007": {
+ Name: "TA0042: Resource Development => T1583.007: Serverless",
+ Platforms: []string{"PRE"},
+ },
 "T1584": {
 Name: "TA0042: Resource Development => T1584: Compromise Infrastructure",
 Platforms: []string{"PRE"},
@@ -3578,6 +3649,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0042: Resource Development => T1584.006: Web Services",
 Platforms: []string{"PRE"},
 },
+ "T1584.007": {
+ Name: "TA0042: Resource Development => T1584.007: Serverless",
+ Platforms: []string{"PRE"},
+ },
 "T1585": {
 Name: "TA0042: Resource Development => T1585: Establish Accounts",
 Platforms: []string{"PRE"},
@@ -3590,6 +3665,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0042: Resource Development => T1585.002: Email Accounts",
 Platforms: []string{"PRE"},
 },
+ "T1585.003": {
+ Name: "TA0042: Resource Development => T1585.003: Cloud Accounts",
+ Platforms: []string{"PRE"},
+ },
 "T1586": {
 Name: "TA0042: Resource Development => T1586: Compromise Accounts",
 Platforms: []string{"PRE"},
@@ -3602,6 +3681,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0042: Resource Development => T1586.002: Email Accounts",
 Platforms: []string{"PRE"},
 },
+ "T1586.003": {
+ Name: "TA0042: Resource Development => T1586.003: Cloud Accounts",
+ Platforms: []string{"PRE"},
+ },
 "T1587": {
 Name: "TA0042: Resource Development => T1587: Develop Capabilities",
 Platforms: []string{"PRE"},
@@ -3746,6 +3829,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0043: Reconnaissance => T1593.002: Search Engines",
 Platforms: []string{"PRE"},
 },
+ "T1593.003": {
+ Name: "TA0043: Reconnaissance => T1593.003: Code Repositories",
+ Platforms: []string{"PRE"},
+ },
 "T1594": {
 Name: "TA0043: Reconnaissance => T1594: Search Victim-Owned Websites",
 Platforms: []string{"PRE"},
@@ -3898,6 +3985,10 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0042: Resource Development => T1608.005: Link Target",
 Platforms: []string{"PRE"},
 },
+ "T1608.006": {
+ Name: "TA0042: Resource Development => T1608.006: SEO Poisoning",
+ Platforms: []string{"PRE"},
+ },
 "T1609": {
 Name: "TA0002: Execution => T1609: Container Administration Command",
 Platforms: []string{"Containers"},
@@ -3950,4 +4041,12 @@ var TechniqueDict = map[string]Technique{
 Name: "TA0005: Defense Evasion => T1647: Plist File Modification",
 Platforms: []string{"macOS"},
 },
+ "T1648": {
+ Name: "TA0002: Execution => T1648: Serverless Execution",
+ Platforms: []string{"IaaS", "Office 365", "SaaS"},
+ },
+ "T1649": {
+ Name: "TA0006: Credential Access => T1649: Steal or Forge Authentication Certificates",
+ Platforms: []string{"Azure AD", "Linux", "Windows", "macOS"},
+ },
 }
diff --git a/cwe/en.go b/cwe/en.go
index fe3ff97cf0..5c48ef5c2e 100644
--- a/cwe/en.go
+++ b/cwe/en.go
@@ -42,8 +42,8 @@ var CweDictEn = map[string]Cwe{ "1022": { CweID: "1022", Name: "Use of Web Link to Untrusted Target with window.opener Access", - Description: "The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.", - ExtendedDescription: `When a user clicks a link to an external site ("target"), the target="_blank" attribute causes the target site's contents to be opened in a new window or tab, which runs in the same process as the original page. The window.opener object records information about the original page that offered the link. If an attacker can run script on the target page, then they could read or modify certain properties of the window.opener object, including the location property - even if the original and target site are not the same origin. An attacker can modify the location property to automatically redirect the user to a malicious site, e.g. as part of a phishing attack. Since this redirect happens in the original window/tab - which is not necessarily visible, since the browser is focusing the display on the new target page - the user might not notice any suspicious redirection.`, + Description: "The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.", + ExtendedDescription: "When a user clicks a link to an external site (\"target\"), the target=\"_blank\" attribute causes the target site's contents to be opened in a new window or tab, which runs in the same process as the original page. The window.opener object records information about the original page that offered the link. 
If an attacker can run script on the target page, then they could read or modify certain properties of the window.opener object, including the location property - even if the original and target site are not the same origin. An attacker can modify the location property to automatically redirect the user to a malicious site, e.g. as part of a phishing attack. Since this redirect happens in the original window/tab - which is not necessarily visible, since the browser is focusing the display on the new target page - the user might not notice any suspicious redirection.", Lang: "en", }, "1023": { 
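Review bot: The `-`/`+` pair for CWE-1022's `Description` reads identically on both sides of this hunk, so the only difference can be whitespace or a non-printing character; the same pattern makes up the whole of the hunks from `@@ -105,28 +105,28 @@` through `@@ -525,7 +525,7 @@`, where every changed `Description` line is textually unchanged. That churn hides the one substantive change here — raw backtick strings being rewritten as interpreted strings with `\"` escapes — and will presumably recur on every regeneration unless whatever produces `cwe/en.go` emits a single canonical form, e.g. always `strconv.Quote(strings.TrimSpace(desc))`. The `@@ -57,14 +57,14 @@` hunk also collapses the newline inside CWE-1025's old `ExtendedDescription` into one space, which changes the rendered text; if that is deliberate it deserves a line in the commit description. `CweDictEn`'s declaration and closing brace lie outside these hunks.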
@@ -57,14 +57,14 @@ var CweDictEn = map[string]Cwe{ CweID: "1024", Name: "Comparison of Incompatible Types", Description: "The software performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.", - ExtendedDescription: `In languages that are strictly typed but support casting/conversion, such as C or C++, the programmer might assume that casting one entity to the same type as another entity will ensure that the comparison will be performed correctly, but this cannot be guaranteed. In languages that are not strictly typed, such as PHP or JavaScript, there may be implicit casting/conversion to a type that the programmer is unaware of, causing unexpected results; for example, the string "123" might be converted to a number type. See examples.`, + ExtendedDescription: "In languages that are strictly typed but support casting/conversion, such as C or C++, the programmer might assume that casting one entity to the same type as another entity will ensure that the comparison will be performed correctly, but this cannot be guaranteed. In languages that are not strictly typed, such as PHP or JavaScript, there may be implicit casting/conversion to a type that the programmer is unaware of, causing unexpected results; for example, the string \"123\" might be converted to a number type. See examples.", Lang: "en", }, "1025": { CweID: "1025", Name: "Comparison Using Wrong Factors", Description: "The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.", - ExtendedDescription: `This can lead to incorrect results and resultant weaknesses. 
For example, the code might inadvertently compare references to objects, instead of the relevant contents of those objects, causing two "equal" objects to be considered unequal.`, + ExtendedDescription: "This can lead to incorrect results and resultant weaknesses. For example, the code might inadvertently compare references to objects, instead of the relevant contents of those objects, causing two \"equal\" objects to be considered unequal.", Lang: "en", }, "103": { 
@@ -105,28 +105,28 @@ var CweDictEn = map[string]Cwe{ "1041": { CweID: "1041", Name: "Use of Redundant Code", - Description: "The software has multiple functions, methods, procedures, macros, etc. that contain the same code.", + Description: "The software has multiple functions, methods, procedures, macros, etc. that contain the same code.", ExtendedDescription: "", Lang: "en", }, "1042": { CweID: "1042", Name: "Static Member Data Element outside of a Singleton Class Element", - Description: "The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.", + Description: "The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.", ExtendedDescription: "", Lang: "en", }, "1043": { CweID: "1043", Name: "Data Element Aggregating an Excessively Large Number of Non-Primitive Elements", - Description: "The software uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.", + Description: "The software uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.", ExtendedDescription: "", Lang: "en", }, "1044": { CweID: "1044", Name: "Architecture with Number of Horizontal Layers Outside of Expected Range", - Description: "The software's architecture contains too many - or too few - horizontal layers.", + Description: "The software's architecture contains too many - or too few - horizontal layers.", ExtendedDescription: "", Lang: "en", }, 
@@ -154,14 +154,14 @@ var CweDictEn = map[string]Cwe{ "1048": { CweID: "1048", Name: "Invokable Control Element with Large Number of Outward Calls", - Description: "The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. a Fan-Out value that is excessively large.", + Description: "The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. a Fan-Out value that is excessively large.", ExtendedDescription: "", Lang: "en", }, "1049": { CweID: "1049", Name: "Excessive Data Query Operations in a Large Data Table", - Description: "The software performs a data query with a large number of joins and sub-queries on a large data table.", + Description: "The software performs a data query with a large number of joins and sub-queries on a large data table.", ExtendedDescription: "", Lang: "en", }, @@ -175,7 +175,7 @@ var CweDictEn = map[string]Cwe{ "1050": { CweID: "1050", Name: "Excessive Platform Resource Consumption within a Loop", - Description: "The software has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.", + Description: "The software has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.", ExtendedDescription: "", Lang: "en", }, 
@@ -189,7 +189,7 @@ var CweDictEn = map[string]Cwe{ "1052": { CweID: "1052", Name: "Excessive Use of Hard-Coded Literals in Initialization", - Description: "The software initializes a data element using a hard-coded literal that is not a simple integer or static constant element.", + Description: "The software initializes a data element using a hard-coded literal that is not a simple integer or static constant element.", ExtendedDescription: "", Lang: "en", }, @@ -203,21 +203,21 @@ var CweDictEn = map[string]Cwe{ "1054": { CweID: "1054", Name: "Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer", - Description: "The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.", + Description: "The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.", ExtendedDescription: "", Lang: "en", }, "1055": { CweID: "1055", Name: "Multiple Inheritance from Concrete Classes", - Description: "The software contains a class with inheritance from more than one concrete class.", + Description: "The software contains a class with inheritance from more than one concrete class.", ExtendedDescription: "", Lang: "en", }, "1056": { CweID: "1056", Name: "Invokable Control Element with Variadic Parameters", - Description: "A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.", + Description: "A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.", ExtendedDescription: "", Lang: "en", }, 
@@ -231,14 +231,14 @@ var CweDictEn = map[string]Cwe{ "1058": { CweID: "1058", Name: "Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element", - Description: "The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.", + Description: "The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.", ExtendedDescription: "", Lang: "en", }, "1059": { CweID: "1059", - Name: "Incomplete Documentation", - Description: "The documentation, whether on paper or in electronic form, does not contain descriptions of all the relevant elements of the product, such as its usage, structure, interfaces, design, implementation, configuration, operation, etc.", + Name: "Insufficient Technical Documentation", + Description: "The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.", ExtendedDescription: "", Lang: "en", }, @@ -280,7 +280,7 @@ var CweDictEn = map[string]Cwe{ "1064": { CweID: "1064", Name: "Invokable Control Element with Signature Containing an Excessive Number of Parameters", - Description: "The software contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.", + Description: "The software contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.", ExtendedDescription: "", Lang: "en", }, 
@@ -294,21 +294,21 @@ var CweDictEn = map[string]Cwe{ "1066": { CweID: "1066", Name: "Missing Serialization Control Element", - Description: "The software contains a serializable data element that does not have an associated serialization method.", + Description: "The software contains a serializable data element that does not have an associated serialization method.", ExtendedDescription: "", Lang: "en", }, "1067": { CweID: "1067", Name: "Excessive Execution of Sequential Searches of Data Resource", - Description: "The software contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.", + Description: "The software contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.", ExtendedDescription: "", Lang: "en", }, "1068": { CweID: "1068", Name: "Inconsistency Between Implementation and Documented Design", - Description: "The implementation of the product is not consistent with the design as described within the relevant documentation.", + Description: "The implementation of the product is not consistent with the design as described within the relevant documentation.", ExtendedDescription: "", Lang: "en", }, @@ -329,7 +329,7 @@ var CweDictEn = map[string]Cwe{ "1070": { CweID: "1070", Name: "Serializable Data Element Containing non-Serializable Item Elements", - Description: "The software contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.", + Description: "The software contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.", ExtendedDescription: "", Lang: "en", }, 
@@ -343,7 +343,7 @@ var CweDictEn = map[string]Cwe{ "1072": { CweID: "1072", Name: "Data Resource Access without Use of Connection Pooling", - Description: "The software accesses a data resource through a database without using a connection pooling capability.", + Description: "The software accesses a data resource through a database without using a connection pooling capability.", ExtendedDescription: "", Lang: "en", }, 
@@ -357,35 +357,35 @@ var CweDictEn = map[string]Cwe{ "1074": { CweID: "1074", Name: "Class with Excessively Deep Inheritance", - Description: "A class has an inheritance level that is too high, i.e., it has a large number of parent classes.", + Description: "A class has an inheritance level that is too high, i.e., it has a large number of parent classes.", ExtendedDescription: "", Lang: "en", }, "1075": { CweID: "1075", Name: "Unconditional Control Flow Transfer outside of Switch Block", - Description: `The software performs unconditional control transfer (such as a "goto") in code outside of a branching structure such as a switch block.`, + Description: "The software performs unconditional control transfer (such as a \"goto\") in code outside of a branching structure such as a switch block.", ExtendedDescription: "", Lang: "en", }, "1076": { CweID: "1076", Name: "Insufficient Adherence to Expected Conventions", - Description: "The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.", + Description: "The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.", ExtendedDescription: "", Lang: "en", }, "1077": { CweID: "1077", Name: "Floating Point Comparison with Incorrect Operator", - Description: "The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.", + Description: "The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.", ExtendedDescription: "", Lang: "en", }, "1078": { CweID: "1078", Name: "Inappropriate Source Code Style or Formatting", - Description: "The source code does not follow desired style or formatting for indentation, white space, comments, etc.", + 
Description: "The source code does not follow desired style or formatting for indentation, white space, comments, etc.", ExtendedDescription: "", Lang: "en", }, @@ -406,7 +406,7 @@ var CweDictEn = map[string]Cwe{ "1080": { CweID: "1080", Name: "Source Code File with Excessive Number of Lines of Code", - Description: "A source code file has too many lines of code.", + Description: "A source code file has too many lines of code.", ExtendedDescription: "", Lang: "en", }, @@ -427,21 +427,21 @@ var CweDictEn = map[string]Cwe{ "1084": { CweID: "1084", Name: "Invokable Control Element with Excessive File or Data Access Operations", - Description: "A function or method contains too many operations that utilize a data manager or file resource.", + Description: "A function or method contains too many operations that utilize a data manager or file resource.", ExtendedDescription: "", Lang: "en", }, "1085": { CweID: "1085", Name: "Invokable Control Element with Excessive Volume of Commented-out Code", - Description: "A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body.", + Description: "A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body.", ExtendedDescription: "", Lang: "en", }, "1086": { CweID: "1086", Name: "Class with Excessive Number of Child Classes", - Description: "A class contains an unnecessarily large number of children.", + Description: "A class contains an unnecessarily large number of children.", ExtendedDescription: "", Lang: "en", }, @@ -462,7 +462,7 @@ var CweDictEn = map[string]Cwe{ "1089": { CweID: "1089", Name: "Large Data Table with Excessive Number of Indices", - Description: "The software uses a large data table that contains an excessively large number of indices.", + Description: "The software uses a large data table that contains an excessively large number of indices.", ExtendedDescription: "", Lang: "en", }, 
@@ -476,21 +476,21 @@ var CweDictEn = map[string]Cwe{ "1090": { CweID: "1090", Name: "Method Containing Access of a Member Element from Another Class", - Description: "A method for a class performs an operation that directly accesses a member element from another class.", + Description: "A method for a class performs an operation that directly accesses a member element from another class.", ExtendedDescription: "", Lang: "en", }, "1091": { CweID: "1091", Name: "Use of Object without Invoking Destructor Method", - Description: "The software contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.", + Description: "The software contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.", ExtendedDescription: "", Lang: "en", }, "1092": { CweID: "1092", Name: "Use of Same Invokable Control Element in Multiple Architectural Layers", - Description: "The software uses the same control element across multiple architectural layers.", + Description: "The software uses the same control element across multiple architectural layers.", ExtendedDescription: "", Lang: "en", }, 
@@ -504,14 +504,14 @@ var CweDictEn = map[string]Cwe{ "1094": { CweID: "1094", Name: "Excessive Index Range Scan for a Data Resource", - Description: "The software contains an index range scan for a large data table, but the scan can cover a large number of rows.", + Description: "The software contains an index range scan for a large data table, but the scan can cover a large number of rows.", ExtendedDescription: "", Lang: "en", }, "1095": { CweID: "1095", Name: "Loop Condition Value Update within the Loop", - Description: "The software uses a loop with a control flow condition based on a value that is updated within the body of the loop.", + Description: "The software uses a loop with a control flow condition based on a value that is updated within the body of the loop.", ExtendedDescription: "", Lang: "en", }, @@ -525,7 +525,7 @@ var CweDictEn = map[string]Cwe{ "1097": { CweID: "1097", Name: "Persistent Storable Data Element without Associated Comparison Control Element", - Description: "The software uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.", + Description: "The software uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.", ExtendedDescription: "", Lang: "en", }, 
@@ -539,7 +539,7 @@ var CweDictEn = map[string]Cwe{ "1099": { CweID: "1099", Name: "Inconsistent Naming Conventions for Identifiers", - Description: "The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements.", + Description: "The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements.", ExtendedDescription: "", Lang: "en", }, 
@@ -560,70 +560,70 @@ var CweDictEn = map[string]Cwe{ "1100": { CweID: "1100", Name: "Insufficient Isolation of System-Dependent Functions", - Description: "The product or code does not isolate system-dependent functionality into separate standalone modules.", + Description: "The product or code does not isolate system-dependent functionality into separate standalone modules.", ExtendedDescription: "", Lang: "en", }, "1101": { CweID: "1101", Name: "Reliance on Runtime Component in Generated Code", - Description: "The product uses automatically-generated code that cannot be executed without a specific runtime support component.", + Description: "The product uses automatically-generated code that cannot be executed without a specific runtime support component.", ExtendedDescription: "", Lang: "en", }, "1102": { CweID: "1102", Name: "Reliance on Machine-Dependent Data Representation", - Description: "The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components.", + Description: "The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components.", ExtendedDescription: "", Lang: "en", }, "1103": { CweID: "1103", Name: "Use of Platform-Dependent Third Party Components", - Description: "The product relies on third-party software components that do not provide equivalent functionality across all desirable platforms.", + Description: "The product relies on third-party software components that do not provide equivalent functionality across all desirable platforms.", ExtendedDescription: "", Lang: "en", }, "1104": { CweID: "1104", Name: "Use of Unmaintained Third Party Components", - Description: "The product relies on third-party components that are not actively supported or maintained by the original developer or a 
trusted proxy for the original developer.", + Description: "The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.", ExtendedDescription: "", Lang: "en", }, "1105": { CweID: "1105", Name: "Insufficient Encapsulation of Machine-Dependent Functionality", - Description: "The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code.", + Description: "The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code.", ExtendedDescription: "", Lang: "en", }, "1106": { CweID: "1106", Name: "Insufficient Use of Symbolic Constants", - Description: "The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants.", + Description: "The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants.", ExtendedDescription: "", Lang: "en", }, "1107": { CweID: "1107", Name: "Insufficient Isolation of Symbolic Constant Definitions", - Description: "The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location.", + Description: "The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location.", ExtendedDescription: "", Lang: "en", }, "1108": { CweID: "1108", Name: "Excessive Reliance on Global Variables", - Description: "The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context.", + Description: "The code is structured in a way that relies too much on 
using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context.", ExtendedDescription: "", Lang: "en", }, "1109": { CweID: "1109", Name: "Use of Same Variable for Multiple Purposes", - Description: "The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.", + Description: "The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.", ExtendedDescription: "", Lang: "en", }, 
@@ -637,70 +637,70 @@ var CweDictEn = map[string]Cwe{ "1110": { CweID: "1110", Name: "Incomplete Design Documentation", - Description: "The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design.", + Description: "The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design.", ExtendedDescription: "", Lang: "en", }, "1111": { CweID: "1111", Name: "Incomplete I/O Documentation", - Description: "The product's documentation does not adequately define inputs, outputs, or system/software interfaces.", + Description: "The product's documentation does not adequately define inputs, outputs, or system/software interfaces.", ExtendedDescription: "", Lang: "en", }, "1112": { CweID: "1112", Name: "Incomplete Documentation of Program Execution", - Description: "The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed.", + Description: "The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed.", ExtendedDescription: "", Lang: "en", }, "1113": { CweID: "1113", Name: "Inappropriate Comment Style", - Description: "The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.", + Description: "The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.", ExtendedDescription: "", Lang: "en", }, "1114": { CweID: "1114", Name: "Inappropriate Whitespace Style", - Description: "The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.", + Description: "The source code 
contains whitespace that is inconsistent across the code or does not follow expected standards for the product.", ExtendedDescription: "", Lang: "en", }, "1115": { CweID: "1115", Name: "Source Code Element without Standard Prologue", - Description: "The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.", + Description: "The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.", ExtendedDescription: "", Lang: "en", }, "1116": { CweID: "1116", Name: "Inaccurate Comments", - Description: "The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.", + Description: "The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.", ExtendedDescription: "", Lang: "en", }, "1117": { CweID: "1117", Name: "Callable with Insufficient Behavioral Summary", - Description: "The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes.", + Description: "The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes.", ExtendedDescription: "", Lang: "en", }, "1118": { CweID: "1118", Name: "Insufficient Documentation of Error Handling Techniques", - Description: "The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms.", + Description: "The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or 
similar mechanisms.", ExtendedDescription: "", Lang: "en", }, "1119": { CweID: "1119", Name: "Excessive Use of Unconditional Branching", - Description: `The code uses too many unconditional branches (such as "goto").`, + Description: "The code uses too many unconditional branches (such as \"goto\").", ExtendedDescription: "", Lang: "en", }, @@ -714,7 +714,7 @@ var CweDictEn = map[string]Cwe{ "1120": { CweID: "1120", Name: "Excessive Code Complexity", - Description: "The code is too complex, as calculated using a well-defined, quantitative measure.", + Description: "The code is too complex, as calculated using a well-defined, quantitative measure.", ExtendedDescription: "", Lang: "en", }, 
@@ -728,49 +728,49 @@ var CweDictEn = map[string]Cwe{ "1122": { CweID: "1122", Name: "Excessive Halstead Complexity", - Description: "The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.", + Description: "The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.", ExtendedDescription: "", Lang: "en", }, "1123": { CweID: "1123", Name: "Excessive Use of Self-Modifying Code", - Description: "The product uses too much self-modifying code.", + Description: "The product uses too much self-modifying code.", ExtendedDescription: "", Lang: "en", }, "1124": { CweID: "1124", Name: "Excessively Deep Nesting", - Description: "The code contains a callable or other code grouping in which the nesting / branching is too deep.", + Description: "The code contains a callable or other code grouping in which the nesting / branching is too deep.", ExtendedDescription: "", Lang: "en", }, "1125": { CweID: "1125", Name: "Excessive Attack Surface", - Description: "The product has an attack surface whose quantitative measurement exceeds a desirable maximum.", + Description: "The product has an attack surface whose quantitative measurement exceeds a desirable maximum.", ExtendedDescription: "", Lang: "en", }, "1126": { CweID: "1126", Name: "Declaration of Variable with Unnecessarily Wide Scope", - Description: "The source code declares a variable in one scope, but the variable is only used within a narrower scope.", + Description: "The source code declares a variable in one scope, but the variable is only used within a narrower scope.", ExtendedDescription: "", Lang: "en", }, "1127": { CweID: "1127", Name: "Compilation with Insufficient Warnings or Errors", - Description: "The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues.", + Description: "The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle 
bugs or quality issues.", ExtendedDescription: "", Lang: "en", }, "113": { CweID: "113", - Name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", - Description: "The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.", + Name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", + Description: "The software receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.", ExtendedDescription: "", Lang: "en", }, @@ -798,7 +798,7 @@ var CweDictEn = map[string]Cwe{ "1164": { CweID: "1164", Name: "Irrelevant Code", - Description: "The program contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.", + Description: "The program contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.", ExtendedDescription: "", Lang: "en", }, 
@@ -826,14 +826,14 @@ var CweDictEn = map[string]Cwe{ "1176": { CweID: "1176", Name: "Inefficient CPU Computation", - Description: "The program performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.", + Description: "The program performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.", ExtendedDescription: "", Lang: "en", }, "1177": { CweID: "1177", Name: "Use of Prohibited Code", - Description: "The software uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.", + Description: "The software uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.", ExtendedDescription: "", Lang: "en", }, 
@@ -911,20 +911,20 @@ var CweDictEn = map[string]Cwe{ CweID: "120", Name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", Description: "The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.", - ExtendedDescription: `A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the program copies the buffer without restricting how much is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.`, + ExtendedDescription: "A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the \"classic\" case in which the program copies the buffer without restricting how much is copied. 
Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.", Lang: "en", }, "1204": { CweID: "1204", Name: "Generation of Weak Initialization Vector (IV)", - Description: "The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.", - ExtendedDescription: "By design, some cryptographic primitives (such as block ciphers) require that IVs must have certain properties for the uniqueness and/or unpredictability of an IV. Primitives may vary in how important these properties are. If these properties are not maintained, e.g. by a bug in the code, then the cryptography may be weakened or broken by attacking the IVs themselves.", + Description: "The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.", + ExtendedDescription: "By design, some cryptographic primitives (such as block ciphers) require that IVs must have certain properties for the uniqueness and/or unpredictability of an IV. Primitives may vary in how important these properties are. If these properties are not maintained, e.g. by a bug in the code, then the cryptography may be weakened or broken by attacking the IVs themselves.", Lang: "en", }, "1209": { CweID: "1209", Name: "Failure to Disable Reserved Bits", - Description: "The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. 
Adversaries with access to these bits will write to them in hopes of compromising hardware state.", + Description: "The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state.", ExtendedDescription: "", Lang: "en", }, @@ -973,7 +973,7 @@ var CweDictEn = map[string]Cwe{ "1224": { CweID: "1224", Name: "Improper Restriction of Write-Once Bit Fields", - Description: `The hardware design control register "sticky bits" or write-once bit fields are improperly implemented, such that they can be reprogrammed by software.`, + Description: "The hardware design control register \"sticky bits\" or write-once bit fields are improperly implemented, such that they can be reprogrammed by software.", ExtendedDescription: "", Lang: "en", }, 
@@ -1037,7 +1037,7 @@ var CweDictEn = map[string]Cwe{ CweID: "1236", Name: "Improper Neutralization of Formula Elements in a CSV File", Description: "The software saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.", - ExtendedDescription: "User-provided data is often saved to traditional databases. This data can be exported to a CSV file, which allows users to read the data using spreadsheet software such as Excel, Numbers, or Calc. This software interprets entries beginning with '=' as formulas, which are then executed by the spreadsheet software. The software's formula language often allows methods to access hyperlinks or the local command line, and frequently allows enough characters to invoke an entire script. Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software.", + ExtendedDescription: "User-provided data is often saved to traditional databases. This data can be exported to a CSV file, which allows users to read the data using spreadsheet software such as Excel, Numbers, or Calc. This software interprets entries beginning with '=' as formulas, which are then executed by the spreadsheet software. The software's formula language often allows methods to access hyperlinks or the local command line, and frequently allows enough characters to invoke an entire script. Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software.", Lang: "en", }, "1239": { 
@@ -1085,7 +1085,7 @@ var CweDictEn = map[string]Cwe{ "1244": { CweID: "1244", Name: "Internal Asset Exposed to Unsafe Debug Access Level or State", - Description: "The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.", + Description: "The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.", ExtendedDescription: "", Lang: "en", }, 
@@ -1128,7 +1128,7 @@ var CweDictEn = map[string]Cwe{ CweID: "125", Name: "Out-of-bounds Read", Description: "The software reads data past the end, or before the beginning, of the intended buffer.", - ExtendedDescription: "Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.", + ExtendedDescription: "Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.", Lang: "en", }, "1250": { 
@@ -1176,7 +1176,7 @@ var CweDictEn = map[string]Cwe{ "1256": { CweID: "1256", Name: "Improper Restriction of Software Interfaces to Hardware Features", - Description: "The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.", + Description: "The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.", ExtendedDescription: "", Lang: "en", }, @@ -1253,7 +1253,7 @@ var CweDictEn = map[string]Cwe{ "1266": { CweID: "1266", Name: "Improper Scrubbing of Sensitive Data from Decommissioned Device", - Description: "The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.", + Description: "The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.", ExtendedDescription: "", Lang: "en", }, 
@@ -1337,8 +1337,8 @@ var CweDictEn = map[string]Cwe{ "1277": { CweID: "1277", Name: "Firmware Not Updateable", - Description: "The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.", - ExtendedDescription: "Without the ability to patch or update firmware, consumers will be left vulnerable to exploitation of any known vulnerabilities, or any vulnerabilities that are discovered in the future. This can expose consumers to permanent risk throughout the entire lifetime of the device, which could be years or decades. Some external protective measures and mitigations might be employed to aid in preventing or reducing the risk of malicious attack, but the root weakness cannot be corrected.", + Description: "The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.", + ExtendedDescription: "Without the ability to patch or update firmware, consumers will be left vulnerable to exploitation of any known vulnerabilities, or any vulnerabilities that are discovered in the future. This can expose consumers to permanent risk throughout the entire lifetime of the device, which could be years or decades. Some external protective measures and mitigations might be employed to aid in preventing or reducing the risk of malicious attack, but the root weakness cannot be corrected.", Lang: "en", }, "1278": { 
@@ -1358,7 +1358,7 @@ var CweDictEn = map[string]Cwe{ "128": { CweID: "128", Name: "Wrap-around Error", - Description: `Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.`, + Description: "Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore \"wraps around\" to a very small, negative, or undefined value.", ExtendedDescription: "", Lang: "en", }, @@ -1379,7 +1379,7 @@ var CweDictEn = map[string]Cwe{ "1282": { CweID: "1282", Name: "Assumed-Immutable Data is Stored in Writable Memory", - Description: `Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field.`, + Description: "Immutable data, such as a first-stage bootloader, device identifiers, and \"write-once\" configuration settings are stored in writable memory that can be re-programmed or updated in the field.", ExtendedDescription: "", Lang: "en", }, @@ -1505,7 +1505,7 @@ var CweDictEn = map[string]Cwe{ "1299": { CweID: "1299", Name: "Missing Protection Mechanism for Alternate Hardware Interface", - Description: "The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path.", + Description: "The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path.", ExtendedDescription: "", Lang: "en", }, 
@@ -1554,7 +1554,7 @@ var CweDictEn = map[string]Cwe{ "1304": { CweID: "1304", Name: "Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation", - Description: "The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.", + Description: "The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.", ExtendedDescription: "", Lang: "en", }, @@ -1616,8 +1616,8 @@ var CweDictEn = map[string]Cwe{ }, "1317": { CweID: "1317", - Name: "Missing Security Checks in Fabric Bridge", - Description: "A bridge that is connected to a fabric without security features forwards transactions to the slave without checking the privilege level of the master. Similarly, it does not check the hardware identity of the transaction received from the slave interface of the bridge.", + Name: "Improper Access Control in Fabric Bridge", + Description: "The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks.", ExtendedDescription: "", Lang: "en", }, @@ -1644,7 +1644,7 @@ var CweDictEn = map[string]Cwe{ }, "1320": { CweID: "1320", - Name: "Improper Protection for Out of Bounds Signal Level Alerts", + Name: "Improper Protection for Outbound Error Messages and Alert Signals", Description: "Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts.", ExtendedDescription: "", Lang: "en", 
@@ -1659,21 +1659,21 @@ var CweDictEn = map[string]Cwe{
 "1322": {
 CweID: "1322",
 Name: "Use of Blocking Code in Single-threaded, Non-blocking Context",
- Description: "The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked.",
+ Description: "The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked.",
 ExtendedDescription: "",
 Lang: "en",
 },
 "1323": {
 CweID: "1323",
 Name: "Improper Management of Sensitive Trace Data",
- Description: "Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents.",
+ Description: "Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents.",
 ExtendedDescription: "",
 Lang: "en",
 },
 "1324": {
 CweID: "1324",
 Name: "Sensitive Information Accessible by Physical Probing of JTAG Interface",
- Description: "Sensitive information in clear text on the JTAG interface may be examined by an eavesdropper, e.g. by placing a probe device on the interface such as a logic analyzer, or a corresponding software technique.",
+ Description: "Sensitive information in clear text on the JTAG interface may be examined by an eavesdropper, e.g. by placing a probe device on the interface such as a logic analyzer, or a corresponding software technique.",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -1737,7 +1737,7 @@ var CweDictEn = map[string]Cwe{
 CweID: "1333",
 Name: "Inefficient Regular Expression Complexity",
 Description: "The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.",
- ExtendedDescription: `Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match. Backtracking becomes a weakness if all of these conditions are met:`,
+ ExtendedDescription: "Some regular expression engines have a feature called \"backtracking\". If the token cannot match, the engine \"backtracks\" to a position that may result in a different token that can match. Backtracking becomes a weakness if all of these conditions are met:",
 Lang: "en",
 },
 "1334": {
@@ -1771,7 +1771,7 @@ var CweDictEn = map[string]Cwe{
 "1339": {
 CweID: "1339",
 Name: "Insufficient Precision or Accuracy of a Real Number",
- Description: "The program processes a real number with an implementation in which the number’s representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.",
+ Description: "The program processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -1785,7 +1785,7 @@ var CweDictEn = map[string]Cwe{
 "1341": {
 CweID: "1341",
 Name: "Multiple Releases of Same Resource or Handle",
- Description: "The product attempts to close or release a resource or handle more than once, without an intervening successful open.",
+ Description: "The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -1806,7 +1806,14 @@ var CweDictEn = map[string]Cwe{
 "1351": {
 CweID: "1351",
 Name: "Improper Handling of Hardware Behavior in Exceptionally Cold Environments",
- Description: "A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.",
+ Description: "A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.",
+ ExtendedDescription: "",
+ Lang: "en",
+ },
+ "1357": {
+ CweID: "1357",
+ Name: "Reliance on Uncontrolled Component",
+ Description: "The product's design or architecture is built from multiple separate components, but one or more components are not under complete control of the developer, such as a third-party software library or a physical component that is built by an original equipment manufacturer (OEM).",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -1814,13 +1821,76 @@ var CweDictEn = map[string]Cwe{
 CweID: "138",
 Name: "Improper Neutralization of Special Elements",
 Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.",
- ExtendedDescription: `Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If software does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file".`,
+ ExtendedDescription: "Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If software does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. 
For example, both Unix and Windows interpret the symbol < (\"less than\") as meaning \"read input from a file\".",
+ Lang: "en",
+ },
+ "1384": {
+ CweID: "1384",
+ Name: "Improper Handling of Physical or Environmental Conditions",
+ Description: "The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.",
+ ExtendedDescription: "",
+ Lang: "en",
+ },
+ "1385": {
+ CweID: "1385",
+ Name: "Missing Origin Validation in WebSockets",
+ Description: "The software uses a WebSocket, but it does not properly verify that the source of data or communication is valid.",
+ ExtendedDescription: "",
+ Lang: "en",
+ },
+ "1386": {
+ CweID: "1386",
+ Name: "Insecure Operation on Windows Junction / Mount Point",
+ Description: "The software opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere.",
+ ExtendedDescription: "",
+ Lang: "en",
+ },
+ "1389": {
+ CweID: "1389",
+ Name: "Incorrect Parsing of Numbers with Different Radices",
+ Description: "The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).",
+ ExtendedDescription: "",
+ Lang: "en",
+ },
+ "1390": {
+ CweID: "1390",
+ Name: "Weak Authentication",
+ Description: "The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.",
+ ExtendedDescription: "",
+ Lang: "en",
+ },
+ "1391": {
+ CweID: "1391",
+ Name: "Use of Weak Credentials",
+ Description: "The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.",
+ ExtendedDescription: "",
+ Lang: "en",
+ },
+ "1392": {
+ CweID: "1392",
+ Name: "Use of Default Credentials",
+ 
Description: "The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.",
+ ExtendedDescription: "It is common practice for products to be designed to use default keys, passwords, or other mechanisms for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.",
+ Lang: "en",
+ },
+ "1393": {
+ CweID: "1393",
+ Name: "Use of Default Password",
+ Description: "The product uses default passwords for potentially critical functionality.",
+ ExtendedDescription: "It is common practice for products to be designed to use default passwords for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, then it makes it easier for attackers to quickly bypass authentication across multiple organizations. There are many lists of default passwords and default-password scanning tools that are easily available from the World Wide Web.",
+ Lang: "en",
+ },
+ "1394": {
+ CweID: "1394",
+ Name: "Use of Default Cryptographic Key",
+ Description: "The product uses a default cryptographic key for potentially critical functionality.",
+ ExtendedDescription: "It is common practice for products to be designed to use default keys. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. 
However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.",
 Lang: "en",
 },
 "14": {
 CweID: "14",
 Name: "Compiler Removal of Code to Clear Buffers",
- Description: `Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."`,
+ Description: "Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka \"dead store removal.\"",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -1877,13 +1947,13 @@ var CweDictEn = map[string]Cwe{
 CweID: "147",
 Name: "Improper Neutralization of Input Terminators",
 Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.",
- ExtendedDescription: `For example, a "." in SMTP signifies the end of mail message data, whereas a null character can be used for the end of a string.`,
+ ExtendedDescription: "For example, a \".\" in SMTP signifies the end of mail message data, whereas a null character can be used for the end of a string.",
 Lang: "en",
 },
 "148": {
 CweID: "148",
 Name: "Improper Neutralization of Input Leaders",
- Description: `The application does not properly handle when a leading character or sequence ("leader") is missing or malformed, or if multiple leaders are used when only one should be allowed.`,
+ Description: "The application does not properly handle when a leading character or sequence (\"leader\") is missing or malformed, or if multiple leaders are used when only one should be allowed.",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -1933,7 +2003,7 @@ var CweDictEn = map[string]Cwe{
 CweID: "154",
 Name: "Improper Neutralization of Variable Name Delimiters",
 Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.",
- ExtendedDescription: `As data is parsed, an injected delimiter may cause the process to take unexpected actions that result in an attack. Example: "$" for an environment variable.`,
+ ExtendedDescription: "As data is parsed, an injected delimiter may cause the process to take unexpected actions that result in an attack. Example: \"$\" for an environment variable.",
 Lang: "en",
 },
 "155": {
@@ -2114,7 +2184,7 @@ var CweDictEn = map[string]Cwe{
 "182": {
 CweID: "182",
 Name: "Collapse of Data into Unsafe Value",
- Description: `The software filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.`,
+ Description: "The software filters data in a way that causes it to be reduced or \"collapsed\" into an unsafe value that violates an expected security property.",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -2129,7 +2199,7 @@ var CweDictEn = map[string]Cwe{
 CweID: "184",
 Name: "Incomplete List of Disallowed Inputs",
 Description: "The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.",
- ExtendedDescription: "Developers often try to protect their products against malicious input by performing tests against inputs that are known to be bad, such as special characters that can invoke new commands. However, such lists often only account for the most well-known bad inputs. Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.",
+ ExtendedDescription: "Developers often try to protect their products against malicious input by performing tests against inputs that are known to be bad, such as special characters that can invoke new commands. However, such lists often only account for the most well-known bad inputs. Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.",
 Lang: "en",
 },
 "185": {
@@ -2143,7 +2213,7 @@ var CweDictEn = map[string]Cwe{
 CweID: "186",
 Name: "Overly Restrictive Regular Expression",
 Description: "A regular expression is overly restrictive, which prevents dangerous values from being detected.",
- ExtendedDescription: `This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly restrictive regexp misses some potentially security-relevant values leading to either false positives *or* false negatives, depending on how the regexp is being used within the code. Consider the expression /[0-8]/ where the intention was /[0-9]/. This expression is not "complex" but the value "9" is not matched when maybe the programmer planned to check for it.`,
+ ExtendedDescription: "This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly restrictive regexp misses some potentially security-relevant values leading to either false positives *or* false negatives, depending on how the regexp is being used within the code. Consider the expression /[0-8]/ where the intention was /[0-9]/. This expression is not \"complex\" but the value \"9\" is not matched when maybe the programmer planned to check for it.",
 Lang: "en",
 },
 "187": {
@@ -2226,7 +2296,7 @@ var CweDictEn = map[string]Cwe{
 "20": {
 CweID: "20",
 Name: "Improper Input Validation",
- Description: "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.",
+ Description: "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -2248,7 +2318,7 @@ var CweDictEn = map[string]Cwe{
 CweID: "202",
 Name: "Exposure of Sensitive Information Through Data Queries",
 Description: "When trying to keep information confidential, an attacker can often infer some of the information by using statistics.",
- ExtendedDescription: `In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.`,
+ ExtendedDescription: "In situations where data should not be tied to individual users, but a large number of users should be able to make queries that \"scrub\" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.",
 Lang: "en",
 },
 "203": {
@@ -2269,28 +2339,28 @@ var CweDictEn = map[string]Cwe{
 CweID: "205",
 Name: "Observable Behavioral Discrepancy",
 Description: "The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.",
- ExtendedDescription: "Ideally, a product should provide as little information about its internal operations as possible. Otherwise, attackers could use knowledge of these internal operations to simplify or optimize their attack. In some cases, behavioral discrepancies can be used by attackers to form a side channel.",
+ ExtendedDescription: "Ideally, a product should provide as little information about its internal operations as possible. Otherwise, attackers could use knowledge of these internal operations to simplify or optimize their attack. In some cases, behavioral discrepancies can be used by attackers to form a side channel.",
 Lang: "en",
 },
 "206": {
 CweID: "206",
 Name: "Observable Internal Behavioral Discrepancy",
 Description: "The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.",
- ExtendedDescription: "Ideally, a product should provide as little information as possible to an attacker. Any hints that the attacker may be making progress can then be used to simplify or optimize the attack. For example, in a login procedure that requires a username and password, ultimately there is only one decision: success or failure. However, internally, two separate actions are performed: determining if the username exists, and checking if the password is correct. 
If the product behaves differently based on whether the username exists or not, then the attacker only needs to concentrate on the password.",
+ ExtendedDescription: "Ideally, a product should provide as little information as possible to an attacker. Any hints that the attacker may be making progress can then be used to simplify or optimize the attack. For example, in a login procedure that requires a username and password, ultimately there is only one decision: success or failure. However, internally, two separate actions are performed: determining if the username exists, and checking if the password is correct. If the product behaves differently based on whether the username exists or not, then the attacker only needs to concentrate on the password.",
 Lang: "en",
 },
 "207": {
 CweID: "207",
 Name: "Observable Behavioral Discrepancy With Equivalent Products",
 Description: "The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker.",
- ExtendedDescription: `For many kinds of products, multiple products may be available that perform the same functionality, such as a web server, network interface, or intrusion detection system. Attackers often perform "fingerprinting," which uses discrepancies in order to identify which specific product is in use. Once the specific product has been identified, the attacks can be made more customized and efficient. Often, an organization might intentionally allow the specific product to be identifiable. However, in some environments, the ability to identify a distinct product is unacceptable, and it is expected that every product would behave in exactly the same way. 
In these more restricted environments, a behavioral difference might pose an unacceptable risk if it makes it easier to identify the product's vendor, model, configuration, version, etc.`,
+ ExtendedDescription: "For many kinds of products, multiple products may be available that perform the same functionality, such as a web server, network interface, or intrusion detection system. Attackers often perform \"fingerprinting,\" which uses discrepancies in order to identify which specific product is in use. Once the specific product has been identified, the attacks can be made more customized and efficient. Often, an organization might intentionally allow the specific product to be identifiable. However, in some environments, the ability to identify a distinct product is unacceptable, and it is expected that every product would behave in exactly the same way. In these more restricted environments, a behavioral difference might pose an unacceptable risk if it makes it easier to identify the product's vendor, model, configuration, version, etc.",
 Lang: "en",
 },
 "208": {
 CweID: "208",
 Name: "Observable Timing Discrepancy",
 Description: "Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.",
- ExtendedDescription: "In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. 
Timing discrepancies effectively form a timing side channel.",
+ ExtendedDescription: "In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.",
 Lang: "en",
 },
 "209": {
@@ -2339,13 +2409,13 @@ var CweDictEn = map[string]Cwe{
 CweID: "215",
 Name: "Insertion of Sensitive Information Into Debugging Code",
 Description: "The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.",
- ExtendedDescription: "When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the application is operating in a production environment, then this sensitive information may be exposed to attackers.",
+ ExtendedDescription: "When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the application is operating in a production environment, then this sensitive information may be exposed to attackers.",
 Lang: "en",
 },
 "216": {
 CweID: "216",
 Name: "DEPRECATED: Containment Errors (Container Errors)",
- Description: `This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.`,
+ Description: "This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the \"container\" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -2367,7 +2437,7 @@ var CweDictEn = map[string]Cwe{
 CweID: "219",
 Name: "Storage of File with Sensitive Data Under Web Root",
 Description: "The application stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.",
- ExtendedDescription: "Besides public-facing web pages and code, applications may store sensitive data, code that is not directly invoked, or other files under the web document root of the web server. If the server is not configured or otherwise used to prevent direct access to those files, then attackers may obtain this sensitive data.",
+ ExtendedDescription: "Besides public-facing web pages and code, applications may store sensitive data, code that is not directly invoked, or other files under the web document root of the web server. If the server is not configured or otherwise used to prevent direct access to those files, then attackers may obtain this sensitive data.",
 Lang: "en",
 },
 "22": {
@@ -2422,7 +2492,7 @@ var CweDictEn = map[string]Cwe{
 "226": {
 CweID: "226",
 Name: "Sensitive Information in Resource Not Removed Before Reuse",
- Description: `The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.`,
+ Description: "The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or \"zeroize\" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -2443,7 +2513,7 @@ var CweDictEn = map[string]Cwe{
 "23": {
 CweID: "23",
 Name: "Relative Path Traversal",
- Description: `The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.`,
+ Description: "The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as \"..\" that can resolve to a location that is outside of that directory.",
 ExtendedDescription: "This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.",
 Lang: "en",
 },
@@ -2520,7 +2590,7 @@ var CweDictEn = map[string]Cwe{
 "24": {
 CweID: "24",
 Name: "Path Traversal: '../filedir'",
- Description: `The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.`,
+ Description: "The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"../\" sequences that can resolve to a location that is outside of that directory.",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -2556,7 +2626,7 @@ var CweDictEn = map[string]Cwe{
 CweID: "244",
 Name: "Improper Clearing of Heap Memory Before Release ('Heap Inspection')",
 Description: "Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.",
- ExtendedDescription: `When sensitive data such as a password or an encryption key is not removed from memory, it could be exposed to an attacker using a "heap inspection" attack that reads the sensitive data using memory dumps or other methods. The realloc() function is commonly used to increase the size of a block of allocated memory. This operation often requires copying the contents of the old memory block into a new and larger block. This operation leaves the contents of the original block intact but inaccessible to the program, preventing the program from being able to scrub sensitive data from memory. If an attacker can later examine the contents of a memory dump, the sensitive data could be exposed.`,
+ ExtendedDescription: "When sensitive data such as a password or an encryption key is not removed from memory, it could be exposed to an attacker using a \"heap inspection\" attack that reads the sensitive data using memory dumps or other methods. The realloc() function is commonly used to increase the size of a block of allocated memory. This operation often requires copying the contents of the old memory block into a new and larger block. This operation leaves the contents of the original block intact but inaccessible to the program, preventing the program from being able to scrub sensitive data from memory. If an attacker can later examine the contents of a memory dump, the sensitive data could be exposed.",
 Lang: "en",
 },
 "245": {
@@ -2590,14 +2660,14 @@ var CweDictEn = map[string]Cwe{
 "249": {
 CweID: "249",
 Name: "DEPRECATED: Often Misused: Path Manipulation",
- Description: `This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785. This entry was deprecated for several reasons. The primary reason is over-loading of the "path manipulation" term and the description. The original description for this entry was the same as that for the "Often Misused: File System" item in the original Seven Pernicious Kingdoms paper. However, Seven Pernicious Kingdoms also has a "Path Manipulation" phrase that is for external control of pathnames (CWE-73), which is a factor in symbolic link following and path traversal, neither of which is explicitly mentioned in 7PK. Fortify uses the phrase "Often Misused: Path Manipulation" for a broader range of problems, generally for issues related to buffer management. Given the multiple conflicting uses of this term, there is a chance that CWE users may have incorrectly mapped to this entry. The second reason for deprecation is an implied combination of multiple weaknesses within buffer-handling functions. The focus of this entry was generally on the path-conversion functions and their association with buffer overflows. However, some of Fortify's Vulncat entries have the term "path manipulation" but describe a non-overflow weakness in which the buffer is not guaranteed to contain the entire pathname, i.e., there is information truncation (see CWE-222 for a similar concept). A new entry for this non-overflow weakness may be created in a future version of CWE.`,
+ Description: "This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. 
Most of its content has been transferred to CWE-785.",
 ExtendedDescription: "",
 Lang: "en",
 },
 "25": {
 CweID: "25",
 Name: "Path Traversal: '/../filedir'",
- Description: `The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/../" sequences that can resolve to a location that is outside of that directory.`,
+ Description: "The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"/../\" sequences that can resolve to a location that is outside of that directory.",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -2612,7 +2682,7 @@ var CweDictEn = map[string]Cwe{ CweID: "252", Name: "Unchecked Return Value", Description: "The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.", - ExtendedDescription: `Two common programmer assumptions are "this function call can never fail" and "it doesn't matter if this function call fails". If an attacker can force the function to fail or otherwise return a value that is not expected, then the subsequent program logic could lead to a vulnerability, because the software is not in a state that the programmer assumes. For example, if the program calls a function to drop privileges but does not check the return code to ensure that privileges were successfully dropped, then the program will continue to operate with the higher privileges.`, + ExtendedDescription: "Two common programmer assumptions are \"this function call can never fail\" and \"it doesn't matter if this function call fails\". If an attacker can force the function to fail or otherwise return a value that is not expected, then the subsequent program logic could lead to a vulnerability, because the software is not in a state that the programmer assumes. For example, if the program calls a function to drop privileges but does not check the return code to ensure that privileges were successfully dropped, then the program will continue to operate with the higher privileges.", Lang: "en", }, "253": { 
@@ -2653,7 +2723,7 @@ var CweDictEn = map[string]Cwe{ "26": { CweID: "26", Name: "Path Traversal: '/dir/../filename'", - Description: `The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/dir/../filename" sequences that can resolve to a location that is outside of that directory.`, + Description: "The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"/dir/../filename\" sequences that can resolve to a location that is outside of that directory.", ExtendedDescription: "", Lang: "en", }, 
@@ -2674,15 +2744,15 @@ var CweDictEn = map[string]Cwe{ "262": { CweID: "262", Name: "Not Using Password Aging", - Description: "If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner.", - ExtendedDescription: "Security experts have often recommended that users change their passwords regularly and avoid reusing passwords. Although this can be an effective mitigation, if the expiration window is too short, it can cause users to generate poor or predictable passwords. As such, it is important to discourage creating similar passwords. It is also useful to have a password aging mechanism that notifies users when passwords are considered old and requests that they replace them with new, strong passwords. Companion documentation which stresses how important this practice is can help users understand and better support this approach.", + Description: "The product does not have a mechanism in place for managing password aging.", + ExtendedDescription: "", Lang: "en", }, "263": { CweID: "263", Name: "Password Aging with Long Expiration", - Description: "Allowing password aging to occur unchecked can result in the possibility of diminished password integrity.", - ExtendedDescription: "Just as neglecting to include functionality for the management of password aging is dangerous, so is allowing password aging to continue unchecked. Passwords must be given a maximum life span, after which a user is required to update with a new and different password.", + Description: "The product supports password aging, but the expiration period is too long.", + ExtendedDescription: "", Lang: "en", }, "266": { 
@@ -2716,7 +2786,7 @@ var CweDictEn = map[string]Cwe{ "27": { CweID: "27", Name: "Path Traversal: 'dir/../../filename'", - Description: `The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location that is outside of that directory.`, + Description: "The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal \"../\" sequences that can resolve to a location that is outside of that directory.", ExtendedDescription: "", Lang: "en", }, @@ -2786,7 +2856,7 @@ var CweDictEn = map[string]Cwe{ "28": { CweID: "28", Name: "Path Traversal: '..\\filedir'", - Description: `The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "..\\" sequences that can resolve to a location that is outside of that directory.`, + Description: "The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"..\\\" sequences that can resolve to a location that is outside of that directory.", ExtendedDescription: "", Lang: "en", }, 
@@ -2989,14 +3059,14 @@ var CweDictEn = map[string]Cwe{ "306": { CweID: "306", Name: "Missing Authentication for Critical Function", - Description: "The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.", + Description: "The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.", ExtendedDescription: "", Lang: "en", }, "307": { CweID: "307", Name: "Improper Restriction of Excessive Authentication Attempts", - Description: "The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks.", + Description: "The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.", ExtendedDescription: "", Lang: "en", }, @@ -3031,8 +3101,8 @@ var CweDictEn = map[string]Cwe{ "312": { CweID: "312", Name: "Cleartext Storage of Sensitive Information", - Description: "The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.", - ExtendedDescription: "Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.", + Description: "The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.", + ExtendedDescription: "", Lang: "en", }, "313": { 
@@ -3081,7 +3151,7 @@ var CweDictEn = map[string]Cwe{ CweID: "319", Name: "Cleartext Transmission of Sensitive Information", Description: "The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.", - ExtendedDescription: `Many communication channels can be "sniffed" by attackers during data transmission. For example, network traffic can often be sniffed by any attacker who has access to a network interface. This significantly lowers the difficulty of exploitation by attackers.`, + ExtendedDescription: "Many communication channels can be \"sniffed\" by attackers during data transmission. For example, network traffic can often be sniffed by any attacker who has access to a network interface. This significantly lowers the difficulty of exploitation by attackers.", Lang: "en", }, "32": { 
@@ -3102,7 +3172,7 @@ var CweDictEn = map[string]Cwe{ CweID: "322", Name: "Key Exchange without Entity Authentication", Description: "The software performs a key exchange with an actor without verifying the identity of that actor.", - ExtendedDescription: "Performing a key exchange will preserve the integrity of the information sent between two entities, but this will not guarantee that the entities are who they claim they are. This may enable an attacker to impersonate an actor by modifying traffic between the two entities. Typically, this involves a victim client that contacts a malicious server that is impersonating a trusted server. If the client skips authentication or ignores an authentication failure, the malicious server may request authentication information from the user. The malicious server can then use this authentication information to log in to the trusted server using the victim's credentials, sniff traffic between the victim and trusted server, etc.", + ExtendedDescription: "Performing a key exchange will preserve the integrity of the information sent between two entities, but this will not guarantee that the entities are who they claim they are. This may enable an attacker to impersonate an actor by modifying traffic between the two entities. Typically, this involves a victim client that contacts a malicious server that is impersonating a trusted server. If the client skips authentication or ignores an authentication failure, the malicious server may request authentication information from the user. The malicious server can then use this authentication information to log in to the trusted server using the victim's credentials, sniff traffic between the victim and trusted server, etc.", Lang: "en", }, "323": { 
@@ -3340,13 +3410,13 @@ var CweDictEn = map[string]Cwe{ CweID: "353", Name: "Missing Support for Integrity Check", Description: "The software uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.", - ExtendedDescription: `If integrity check values or "checksums" are omitted from a protocol, there is no way of determining if data has been corrupted in transmission. The lack of checksum functionality in a protocol removes the first application-level check of data that can be used. The end-to-end philosophy of checks states that integrity checks should be performed at the lowest level that they can be completely implemented. Excluding further sanity checks and input validation performed by applications, the protocol's checksum is the most important level of checksum, since it can be performed more completely than at any previous level and takes into account entire messages, as opposed to single packets.`, + ExtendedDescription: "If integrity check values or \"checksums\" are omitted from a protocol, there is no way of determining if data has been corrupted in transmission. The lack of checksum functionality in a protocol removes the first application-level check of data that can be used. The end-to-end philosophy of checks states that integrity checks should be performed at the lowest level that they can be completely implemented. Excluding further sanity checks and input validation performed by applications, the protocol's checksum is the most important level of checksum, since it can be performed more completely than at any previous level and takes into account entire messages, as opposed to single packets.", Lang: "en", }, "354": { CweID: "354", Name: "Improper Validation of Integrity Check Value", - Description: `The software does not validate or incorrectly validates the integrity check values or "checksums" of a message. 
This may prevent it from detecting if the data has been modified or corrupted in transmission.`, + Description: "The software does not validate or incorrectly validates the integrity check values or \"checksums\" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.", ExtendedDescription: "Improper validation of checksums before use results in an unnecessary risk that can easily be mitigated. The protocol specification describes the algorithm used for calculating the checksum. It is then a simple matter of implementing the calculation and verifying that the calculated checksum and the received checksum match. Improper verification of the calculated checksum and the received checksum can lead to far greater consequences.", Lang: "en", }, @@ -3381,7 +3451,7 @@ var CweDictEn = map[string]Cwe{ "36": { CweID: "36", Name: "Absolute Path Traversal", - Description: `The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.`, + Description: "The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as \"/abs/path\" that can resolve to a location that is outside of that directory.", ExtendedDescription: "This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.", Lang: "en", }, 
@@ -3415,9 +3485,9 @@ var CweDictEn = map[string]Cwe{ }, "365": { CweID: "365", - Name: "Race Condition in Switch", - Description: "The code contains a switch statement in which the switched variable can be modified while the switch is still executing, resulting in unexpected behavior.", - ExtendedDescription: "This issue is particularly important in the case of switch statements that involve fall-through style case statements - i.e., those which do not end with break. If the variable being tested by the switch changes in the course of execution, this could change the intended logic of the switch so much that it places the process in a contradictory state and in some cases could even result in memory corruption.", + Name: "DEPRECATED: Race Condition in Switch", + Description: "This entry has been deprecated. There are no documented cases in which a switch's control expression is evaluated more than once.", + ExtendedDescription: "It is likely that this entry was initially created based on a misinterpretation of the original source material. The original source intended to explain how switches could be unpredictable when using threads, if the control expressions used data or variables that could change between execution of different threads. That weakness is already covered by CWE-367. Despite the ambiguity in the documentation for some languages and compilers, in practice, they all evaluate the switch control expression only once. If future languages state that the code explicitly evaluates the control expression more than once, then this would not be a weakness, but the language performing as designed.", Lang: "en", }, "366": { 
@@ -3606,7 +3676,7 @@ var CweDictEn = map[string]Cwe{ CweID: "396", Name: "Declaration of Catch for Generic Exception", Description: "Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.", - ExtendedDescription: `Multiple catch blocks can get ugly and repetitive, but "condensing" catch blocks by catching a high-level class like Exception can obscure exceptions that deserve special treatment or that should not be caught at this point in the program. Catching an overly broad exception essentially defeats the purpose of Java's typed exceptions, and can become particularly dangerous if the program grows and begins to throw new types of exceptions. The new exception types will not receive any attention.`, + ExtendedDescription: "Multiple catch blocks can get ugly and repetitive, but \"condensing\" catch blocks by catching a high-level class like Exception can obscure exceptions that deserve special treatment or that should not be caught at this point in the program. Catching an overly broad exception essentially defeats the purpose of Java's typed exceptions, and can become particularly dangerous if the program grows and begins to throw new types of exceptions. The new exception types will not receive any attention.", Lang: "en", }, "397": { 
@@ -3634,7 +3704,7 @@ var CweDictEn = map[string]Cwe{ CweID: "401", Name: "Missing Release of Memory after Effective Lifetime", Description: "The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.", - ExtendedDescription: "This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.", + ExtendedDescription: "This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.", Lang: "en", }, "402": { @@ -3690,7 +3760,7 @@ var CweDictEn = map[string]Cwe{ CweID: "409", Name: "Improper Handling of Highly Compressed Data (Data Amplification)", Description: "The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.", - ExtendedDescription: `An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.`, + ExtendedDescription: "An example of data amplification is a \"decompression bomb,\" a small ZIP file that can produce a large amount of data when it is decompressed.", Lang: "en", }, "41": { 
@@ -3704,7 +3774,7 @@ var CweDictEn = map[string]Cwe{ CweID: "410", Name: "Insufficient Resource Pool", Description: "The software's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.", - ExtendedDescription: `Frequently the consequence is a "flood" of connection or sessions.`, + ExtendedDescription: "Frequently the consequence is a \"flood\" of connection or sessions.", Lang: "en", }, "412": { @@ -3816,7 +3886,7 @@ var CweDictEn = map[string]Cwe{ CweID: "428", Name: "Unquoted Search Path or Element", Description: "The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.", - ExtendedDescription: `If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:\\Program.exe" to be run by a privileged program making use of WinExec.`, + ExtendedDescription: "If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as \"C:\\Program.exe\" to be run by a privileged program making use of WinExec.", Lang: "en", }, "43": { 
@@ -3829,8 +3899,8 @@ var CweDictEn = map[string]Cwe{ "430": { CweID: "430", Name: "Deployment of Wrong Handler", - Description: `The wrong "handler" is assigned to process an object.`, - ExtendedDescription: `An example of deploying the wrong handler would be calling a servlet to reveal source code of a .JSP file, or automatically "determining" type of the object even if it is contradictory to an explicitly specified type.`, + Description: "The wrong \"handler\" is assigned to process an object.", + ExtendedDescription: "An example of deploying the wrong handler would be calling a servlet to reveal source code of a .JSP file, or automatically \"determining\" type of the object even if it is contradictory to an explicitly specified type.", Lang: "en", }, "431": { @@ -3851,7 +3921,7 @@ var CweDictEn = map[string]Cwe{ CweID: "433", Name: "Unparsed Raw Web Content Delivery", Description: "The software stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.", - ExtendedDescription: `If code is stored in a file with an extension such as ".inc" or ".pl", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components.`, + ExtendedDescription: "If code is stored in a file with an extension such as \".inc\" or \".pl\", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components.", Lang: "en", }, "434": { 
@@ -3865,7 +3935,7 @@ var CweDictEn = map[string]Cwe{ CweID: "435", Name: "Improper Interaction Between Multiple Correctly-Behaving Entities", Description: "An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.", - ExtendedDescription: "When a system or process combines multiple independent components, this often produces new, emergent behaviors at the system level. However, if the interactions between these components are not fully accounted for, some of the emergent behaviors can be incorrect or even insecure.", + ExtendedDescription: "When a system or process combines multiple independent components, this often produces new, emergent behaviors at the system level. However, if the interactions between these components are not fully accounted for, some of the emergent behaviors can be incorrect or even insecure.", Lang: "en", }, "436": { 
@@ -3919,8 +3989,8 @@ var CweDictEn = map[string]Cwe{ }, "444": { CweID: "444", - Name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", - Description: `When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.`, + Name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", + Description: "The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.", ExtendedDescription: "", Lang: "en", }, 
@@ -3928,7 +3998,7 @@ var CweDictEn = map[string]Cwe{ CweID: "446", Name: "UI Discrepancy for Security Feature", Description: "The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state.", - ExtendedDescription: `When the user interface does not properly reflect what the user asks of it, then it can lead the user into a false sense of security. For example, the user might check a box to enable a security option to enable encrypted communications, but the software does not actually enable the encryption. Alternately, the user might provide a "restrict ALL'" access control rule, but the software only implements "restrict SOME".`, + ExtendedDescription: "When the user interface does not properly reflect what the user asks of it, then it can lead the user into a false sense of security. For example, the user might check a box to enable a security option to enable encrypted communications, but the software does not actually enable the encryption. Alternately, the user might provide a \"restrict ALL'\" access control rule, but the software only implements \"restrict SOME\".", Lang: "en", }, "447": { @@ -4018,7 +4088,7 @@ var CweDictEn = map[string]Cwe{ "459": { CweID: "459", Name: "Incomplete Cleanup", - Description: `The software does not properly "clean up" and remove temporary or supporting resources after they have been used.`, + Description: "The software does not properly \"clean up\" and remove temporary or supporting resources after they have been used.", ExtendedDescription: "", Lang: "en", }, 
@@ -4150,9 +4220,9 @@ var CweDictEn = map[string]Cwe{ }, "478": { CweID: "478", - Name: "Missing Default Case in Switch Statement", - Description: "The code does not have a default case in a switch statement, which might lead to complex logical errors and resultant weaknesses.", - ExtendedDescription: "This flaw represents a common problem in software development, in which not all possible values for a variable are considered or handled by a given process. Because of this, further decisions are made based on poor information, and cascading failure results. This cascading failure may result in any number of security issues, and constitutes a significant failure in the system.", + Name: "Missing Default Case in Multiple Condition Expression", + Description: "The code does not have a default case in an expression with multiple conditions, such as a switch statement.", + ExtendedDescription: "If a multiple-condition expression (such as a switch in C) omits the default case but does not consider or handle all possible values that could occur, then this might lead to complex logical errors and resultant weaknesses. Because of this, further decisions are made based on poor information, and cascading failure results. This cascading failure may result in any number of security issues, and constitutes a significant failure in the system.", Lang: "en", }, "479": { 
@@ -4229,7 +4299,7 @@ var CweDictEn = map[string]Cwe{ CweID: "489", Name: "Active Debug Code", Description: "The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.", - ExtendedDescription: `A common development practice is to add "back door" code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.`, + ExtendedDescription: "A common development practice is to add \"back door\" code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.", Lang: "en", }, "49": { 
@@ -4390,7 +4460,7 @@ var CweDictEn = map[string]Cwe{ CweID: "512", Name: "Spyware", Description: "The software collects personally identifiable information about a human user or the user's activities, but the software accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the software.", - ExtendedDescription: `"Spyware" is a commonly used term with many definitions and interpretations. In general, it is meant to software that collects information or installs functionality that human users might not allow if they were fully aware of the actions being taken by the software. For example, a user might expect that tax software would collect a social security number and include it when filing a tax return, but that same user would not expect gaming software to obtain the social security number from that tax software's data.`, + ExtendedDescription: "\"Spyware\" is a commonly used term with many definitions and interpretations. In general, it is meant to software that collects information or installs functionality that human users might not allow if they were fully aware of the actions being taken by the software. For example, a user might expect that tax software would collect a social security number and include it when filing a tax return, but that same user would not expect gaming software to obtain the social security number from that tax software's data.", Lang: "en", }, "514": { 
@@ -4453,7 +4523,7 @@ var CweDictEn = map[string]Cwe{ CweID: "524", Name: "Use of Cache Containing Sensitive Information", Description: "The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.", - ExtendedDescription: "Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or other resources to minimize the time it takes to initialize and access these resources. If the cache is accessible to unauthorized actors, attackers can read the cache and obtain this sensitive information.", + ExtendedDescription: "Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or other resources to minimize the time it takes to initialize and access these resources. If the cache is accessible to unauthorized actors, attackers can read the cache and obtain this sensitive information.", Lang: "en", }, "525": { 
@@ -4474,7 +4544,7 @@ var CweDictEn = map[string]Cwe{ CweID: "527", Name: "Exposure of Version-Control Repository to an Unauthorized Control Sphere", Description: "The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.", - ExtendedDescription: `Version control repositories such as CVS or git store version-specific metadata and other details within subdirectories. If these subdirectories are stored on a web server or added to an archive, then these could be used by an attacker. This information may include usernames, filenames, path root, IP addresses, and detailed "diff" data about how files have been changed - which could reveal source code snippets that were never intended to be made public.`, + ExtendedDescription: "Version control repositories such as CVS or git store version-specific metadata and other details within subdirectories. If these subdirectories are stored on a web server or added to an archive, then these could be used by an attacker. This information may include usernames, filenames, path root, IP addresses, and detailed \"diff\" data about how files have been changed - which could reveal source code snippets that were never intended to be made public.", Lang: "en", }, "528": { 
@@ -4522,14 +4592,14 @@ var CweDictEn = map[string]Cwe{ "533": { CweID: "533", Name: "DEPRECATED: Information Exposure Through Server Log Files", - Description: "This entry has been deprecated because its abstraction was too low-level. See CWE-532.", + Description: "This entry has been deprecated because its abstraction was too low-level. See CWE-532.", ExtendedDescription: "", Lang: "en", }, "534": { CweID: "534", Name: "DEPRECATED: Information Exposure Through Debug Log Files", - Description: "This entry has been deprecated because its abstraction was too low-level. See CWE-532.", + Description: "This entry has been deprecated because its abstraction was too low-level. See CWE-532.", ExtendedDescription: "", Lang: "en", }, 
@@ -4565,7 +4635,7 @@ var CweDictEn = map[string]Cwe{ CweID: "539", Name: "Use of Persistent Cookies Containing Sensitive Information", Description: "The web application uses persistent cookies, but the cookies contain sensitive information.", - ExtendedDescription: "Cookies are small bits of data that are sent by the web application but stored locally in the browser. This lets the application use the cookie to pass information between pages and store variable information. The web application controls what information is stored in a cookie and how it is used. Typical types of information stored in cookies are session identifiers, personalization and customization information, and in rare cases even usernames to enable automated logins. There are two different types of cookies: session cookies and persistent cookies. Session cookies just live in the browser's memory and are not stored anywhere, but persistent cookies are stored on the browser's hard drive. This can cause security and privacy issues depending on the information stored in the cookie and how it is accessed.", + ExtendedDescription: "Cookies are small bits of data that are sent by the web application but stored locally in the browser. This lets the application use the cookie to pass information between pages and store variable information. The web application controls what information is stored in a cookie and how it is used. Typical types of information stored in cookies are session identifiers, personalization and customization information, and in rare cases even usernames to enable automated logins. There are two different types of cookies: session cookies and persistent cookies. Session cookies just live in the browser's memory and are not stored anywhere, but persistent cookies are stored on the browser's hard drive. This can cause security and privacy issues depending on the information stored in the cookie and how it is accessed.", Lang: "en", }, "54": { 
@@ -4592,7 +4662,7 @@ var CweDictEn = map[string]Cwe{ "542": { CweID: "542", Name: "DEPRECATED: Information Exposure Through Cleanup Log Files", - Description: "This entry has been deprecated because its abstraction was too low-level. See CWE-532.", + Description: "This entry has been deprecated because its abstraction was too low-level. See CWE-532.", ExtendedDescription: "", Lang: "en", }, @@ -4670,7 +4740,7 @@ var CweDictEn = map[string]Cwe{ CweID: "552", Name: "Files or Directories Accessible to External Parties", Description: "The product makes files or directories accessible to unauthorized actors, even though they should not be.", - ExtendedDescription: `Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories.`, + ExtendedDescription: "Web servers, FTP servers, and similar servers may store a set of files underneath a \"root\" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories.", Lang: "en", }, "553": { 
@@ -4817,35 +4887,35 @@ var CweDictEn = map[string]Cwe{ CweID: "574", Name: "EJB Bad Practices: Use of Synchronization Primitives", Description: "The program violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.", - ExtendedDescription: `The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "An enterprise bean must not use thread synchronization primitives to synchronize execution of multiple instances." The specification justifies this requirement in the following way: "This rule is required to ensure consistent runtime semantics because while some EJB containers may use a single JVM to execute all enterprise bean's instances, others may distribute the instances across multiple JVMs."`, + ExtendedDescription: "The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. 
In this case, the program violates the following EJB guideline: \"An enterprise bean must not use thread synchronization primitives to synchronize execution of multiple instances.\" The specification justifies this requirement in the following way: \"This rule is required to ensure consistent runtime semantics because while some EJB containers may use a single JVM to execute all enterprise bean's instances, others may distribute the instances across multiple JVMs.\"", Lang: "en", }, "575": { CweID: "575", Name: "EJB Bad Practices: Use of AWT Swing", Description: "The program violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.", - ExtendedDescription: `The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "An enterprise bean must not use the AWT functionality to attempt to output information to a display, or to input information from a keyboard." The specification justifies this requirement in the following way: "Most servers do not allow direct interaction between an application program and a keyboard/display attached to the server system."`, + ExtendedDescription: "The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. 
In this case, the program violates the following EJB guideline: \"An enterprise bean must not use the AWT functionality to attempt to output information to a display, or to input information from a keyboard.\" The specification justifies this requirement in the following way: \"Most servers do not allow direct interaction between an application program and a keyboard/display attached to the server system.\"", Lang: "en", }, "576": { CweID: "576", Name: "EJB Bad Practices: Use of Java I/O", Description: "The program violates the Enterprise JavaBeans (EJB) specification by using the java.io package.", - ExtendedDescription: `The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "An enterprise bean must not use the java.io package to attempt to access files and directories in the file system." The specification justifies this requirement in the following way: "The file system APIs are not well-suited for business components to access data. Business components should use a resource manager API, such as JDBC, to store data."`, + ExtendedDescription: "The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: \"An enterprise bean must not use the java.io package to attempt to access files and directories in the file system.\" The specification justifies this requirement in the following way: \"The file system APIs are not well-suited for business components to access data. 
Business components should use a resource manager API, such as JDBC, to store data.\"", Lang: "en", }, "577": { CweID: "577", Name: "EJB Bad Practices: Use of Sockets", Description: "The program violates the Enterprise JavaBeans (EJB) specification by using sockets.", - ExtendedDescription: `The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast." The specification justifies this requirement in the following way: "The EJB architecture allows an enterprise bean instance to be a network socket client, but it does not allow it to be a network server. Allowing the instance to become a network server would conflict with the basic function of the enterprise bean-- to serve the EJB clients."`, + ExtendedDescription: "The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: \"An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast.\" The specification justifies this requirement in the following way: \"The EJB architecture allows an enterprise bean instance to be a network socket client, but it does not allow it to be a network server. 
Allowing the instance to become a network server would conflict with the basic function of the enterprise bean-- to serve the EJB clients.\"", Lang: "en", }, "578": { CweID: "578", Name: "EJB Bad Practices: Use of Class Loader", Description: "The program violates the Enterprise JavaBeans (EJB) specification by using the class loader.", - ExtendedDescription: `The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "The enterprise bean must not attempt to create a class loader; obtain the current class loader; set the context class loader; set security manager; create a new security manager; stop the JVM; or change the input, output, and error streams." The specification justifies this requirement in the following way: "These functions are reserved for the EJB container. Allowing the enterprise bean to use these functions could compromise security and decrease the container's ability to properly manage the runtime environment."`, + ExtendedDescription: "The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: \"The enterprise bean must not attempt to create a class loader; obtain the current class loader; set the context class loader; set security manager; create a new security manager; stop the JVM; or change the input, output, and error streams.\" The specification justifies this requirement in the following way: \"These functions are reserved for the EJB container. 
Allowing the enterprise bean to use these functions could compromise security and decrease the container's ability to properly manage the runtime environment.\"", Lang: "en", }, "579": { @@ -4858,8 +4928,8 @@ var CweDictEn = map[string]Cwe{ "58": { CweID: "58", Name: "Path Equivalence: Windows 8.3 Filename", - Description: `The software contains a protection mechanism that restricts access to a long filename on a Windows operating system, but the software does not properly restrict access to the equivalent short "8.3" filename.`, - ExtendedDescription: `On later Windows operating systems, a file can have a "long name" and a short name that is compatible with older Windows file systems, with up to 8 characters in the filename and 3 characters for the extension. These "8.3" filenames, therefore, act as an alternate name for files with long names, so they are useful pathname equivalence manipulations.`, + Description: "The software contains a protection mechanism that restricts access to a long filename on a Windows operating system, but the software does not properly restrict access to the equivalent short \"8.3\" filename.", + ExtendedDescription: "On later Windows operating systems, a file can have a \"long name\" and a short name that is compatible with older Windows file systems, with up to 8 characters in the filename and 3 characters for the extension. These \"8.3\" filenames, therefore, act as an alternate name for files with long names, so they are useful pathname equivalence manipulations.", Lang: "en", }, "580": { 
@@ -4984,14 +5054,14 @@ var CweDictEn = map[string]Cwe{ "596": { CweID: "596", Name: "DEPRECATED: Incorrect Semantic Object Comparison", - Description: "This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID solely because of domain-specific considerations. Its closest equivalent is CWE-1023.", + Description: "This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID solely because of domain-specific considerations. Its closest equivalent is CWE-1023.", ExtendedDescription: "", Lang: "en", }, "597": { CweID: "597", Name: "Use of Wrong Operator in String Comparison", - Description: `The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.`, + Description: "The product uses the wrong operator when comparing a string, such as using \"==\" when the .equals() method should be used instead.", ExtendedDescription: "In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality is used for a security decision, the unintended comparison result could be leveraged to affect program security.", Lang: "en", }, 
@@ -4999,7 +5069,7 @@ var CweDictEn = map[string]Cwe{ CweID: "598", Name: "Use of GET Request Method With Sensitive Query Strings", Description: "The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.", - ExtendedDescription: "The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks.", + ExtendedDescription: "The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks.", Lang: "en", }, "599": { 
@@ -5033,8 +5103,8 @@ var CweDictEn = map[string]Cwe{ "602": { CweID: "602", Name: "Client-Side Enforcement of Server-Side Security", - Description: "The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.", - ExtendedDescription: "When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.", + Description: "The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.", + ExtendedDescription: "When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms, resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.", Lang: "en", }, "603": { 
@@ -5104,13 +5174,13 @@ var CweDictEn = map[string]Cwe{ CweID: "612", Name: "Improper Authorization of Index Containing Sensitive Information", Description: "The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.", - ExtendedDescription: "Web sites and other document repositories may apply an indexing routine against a group of private documents to facilitate search. If the index's results are available to parties who do not have access to the documents being indexed, then attackers could obtain portions of the documents by conducting targeted searches and reading the results. The risk is especially dangerous if search results include surrounding text that was not part of the search query. This issue can appear in search engines that are not configured (or implemented) to ignore critical files that should remain hidden; even without permissions to download these files directly, the remote user could read them.", + ExtendedDescription: "Web sites and other document repositories may apply an indexing routine against a group of private documents to facilitate search. If the index's results are available to parties who do not have access to the documents being indexed, then attackers could obtain portions of the documents by conducting targeted searches and reading the results. The risk is especially dangerous if search results include surrounding text that was not part of the search query. 
This issue can appear in search engines that are not configured (or implemented) to ignore critical files that should remain hidden; even without permissions to download these files directly, the remote user could read them.", Lang: "en", }, "613": { CweID: "613", Name: "Insufficient Session Expiration", - Description: `According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."`, + Description: "According to WASC, \"Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.\"", ExtendedDescription: "", Lang: "en", }, @@ -5132,7 +5202,7 @@ var CweDictEn = map[string]Cwe{ CweID: "616", Name: "Incomplete Identification of Uploaded File Variables (PHP)", Description: "The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.", - ExtendedDescription: `These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables. This could be used to read or process arbitrary files by providing values such as "/etc/passwd".`, + ExtendedDescription: "These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables. This could be used to read or process arbitrary files by providing values such as \"/etc/passwd\".", Lang: "en", }, "617": { 
@@ -5152,7 +5222,7 @@ var CweDictEn = map[string]Cwe{ "619": { CweID: "619", Name: "Dangling Database Cursor ('Cursor Injection')", - Description: `If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor "dangling."`, + Description: "If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor \"dangling.\"", ExtendedDescription: "For example, an improper dangling cursor could arise from unhandled exceptions. The impact of the issue depends on the cursor's role, but SQL injection attacks are commonly possible.", Lang: "en", }, @@ -5230,7 +5300,7 @@ var CweDictEn = map[string]Cwe{ CweID: "636", Name: "Not Failing Securely ('Failing Open')", Description: "When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.", - ExtendedDescription: `By entering a less secure state, the product inherits the weaknesses associated with that state, making it easier to compromise. At the least, it causes administrators to have a false sense of security. This weakness typically occurs as a result of wanting to "fail functional" to minimize administration and support costs, instead of "failing safe."`, + ExtendedDescription: "By entering a less secure state, the product inherits the weaknesses associated with that state, making it easier to compromise. At the least, it causes administrators to have a false sense of security. This weakness typically occurs as a result of wanting to \"fail functional\" to minimize administration and support costs, instead of \"failing safe.\"", Lang: "en", }, "637": { 
@@ -5307,7 +5377,7 @@ var CweDictEn = map[string]Cwe{ CweID: "646", Name: "Reliance on File Name or Extension of Externally-Supplied File", Description: "The software allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.", - ExtendedDescription: `An application might use the file name or extension of of a user-supplied file to determine the proper course of action, such as selecting the correct process to which control should be passed, deciding what data should be made available, or what resources should be allocated. If the attacker can cause the code to misclassify the supplied file, then the wrong action could occur. For example, an attacker could supply a file that ends in a ".php.gif" extension that appears to be a GIF image, but would be processed as PHP code. In extreme cases, code execution is possible, but the attacker could also cause exhaustion of resources, denial of service, exposure of debug or system data (including application source code), or being bound to a particular server side process. This weakness may be due to a vulnerability in any of the technologies used by the web and application servers, due to misconfiguration, or resultant from another flaw in the application itself.`, + ExtendedDescription: "An application might use the file name or extension of of a user-supplied file to determine the proper course of action, such as selecting the correct process to which control should be passed, deciding what data should be made available, or what resources should be allocated. If the attacker can cause the code to misclassify the supplied file, then the wrong action could occur. For example, an attacker could supply a file that ends in a \".php.gif\" extension that appears to be a GIF image, but would be processed as PHP code. 
In extreme cases, code execution is possible, but the attacker could also cause exhaustion of resources, denial of service, exposure of debug or system data (including application source code), or being bound to a particular server side process. This weakness may be due to a vulnerability in any of the technologies used by the web and application servers, due to misconfiguration, or resultant from another flaw in the application itself.", Lang: "en", }, "647": { @@ -5384,7 +5454,7 @@ var CweDictEn = map[string]Cwe{ CweID: "656", Name: "Reliance on Security Through Obscurity", Description: "The software uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.", - ExtendedDescription: `This reliance on "security through obscurity" can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that obscurity can be one small part of defense in depth, since it can create more work for an attacker; however, it is a significant risk if used as the primary means of protection.`, + ExtendedDescription: "This reliance on \"security through obscurity\" can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that obscurity can be one small part of defense in depth, since it can create more work for an attacker; however, it is a significant risk if used as the primary means of protection.", Lang: "en", }, "657": { 
@@ -5397,7 +5467,7 @@ var CweDictEn = map[string]Cwe{ "66": { CweID: "66", Name: "Improper Handling of File Names that Identify Virtual Resources", - Description: `The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.`, + Description: "The product does not handle or incorrectly handles a file name that identifies a \"virtual\" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.", ExtendedDescription: "Virtual file names are represented like normal file names, but they are effectively aliases for other resources that do not behave like normal files. Depending on their functionality, they could be alternate entities. They are not necessarily listed in directories.", Lang: "en", }, @@ -5495,7 +5565,7 @@ var CweDictEn = map[string]Cwe{ "674": { CweID: "674", Name: "Uncontrolled Recursion", - Description: "The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.", + Description: "The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.", ExtendedDescription: "", Lang: "en", }, 
@@ -5608,14 +5678,14 @@ var CweDictEn = map[string]Cwe{ CweID: "692", Name: "Incomplete Denylist to Cross-Site Scripting", Description: "The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.", - ExtendedDescription: `While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.`, + ExtendedDescription: "While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The \"XSS Cheat Sheet\" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.", Lang: "en", }, "693": { CweID: "693", Name: "Protection Mechanism Failure", Description: "The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.", - ExtendedDescription: `This weakness covers three distinct situations. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.`, + ExtendedDescription: "This weakness covers three distinct situations. A \"missing\" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. 
An \"insufficient\" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an \"ignored\" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.", Lang: "en", }, "694": { @@ -5811,7 +5881,7 @@ var CweDictEn = map[string]Cwe{ CweID: "76", Name: "Improper Neutralization of Equivalent Special Elements", Description: "The software properly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.", - ExtendedDescription: `The software may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the software may filter out a leading slash (/) to prevent absolute path names, but does not account for a tilde (~) followed by a user name, which on some *nix systems could be expanded to an absolute pathname. Alternately, the software might filter a dangerous "-e" command-line switch when calling an external program, but it might not account for "--exec" or other switches that have the same semantics.`, + ExtendedDescription: "The software may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the software may filter out a leading slash (/) to prevent absolute path names, but does not account for a tilde (~) followed by a user name, which on some *nix systems could be expanded to an absolute pathname. Alternately, the software might filter a dangerous \"-e\" command-line switch when calling an external program, but it might not account for \"--exec\" or other switches that have the same semantics.", Lang: "en", }, "760": { 
@@ -6021,14 +6091,14 @@ var CweDictEn = map[string]Cwe{ CweID: "787", Name: "Out-of-bounds Write", Description: "The software writes data past the end, or before the beginning, of the intended buffer.", - ExtendedDescription: "Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.", + ExtendedDescription: "Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.", Lang: "en", }, "788": { CweID: "788", Name: "Access of Memory Location After End of Buffer", Description: "The software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.", - ExtendedDescription: "This typically occurs when a pointer or its index is decremented to a position before the buffer; when pointer arithmetic results in a position before the buffer; or when a negative index is used, which generates a position before the buffer.", + ExtendedDescription: "This typically occurs when a pointer or its index is incremented to a position after the buffer; or when pointer arithmetic results in a position after the buffer.", Lang: "en", }, "789": { 
@@ -6090,14 +6160,14 @@ var CweDictEn = map[string]Cwe{
 "796": {
 CweID: "796",
 Name: "Only Filtering Special Elements Relative to a Marker",
- Description: `The software receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. "at the beginning/end of a string; the second argument"), thereby missing remaining special elements that may exist before sending it to a downstream component.`,
+ Description: "The software receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. \"at the beginning/end of a string; the second argument\"), thereby missing remaining special elements that may exist before sending it to a downstream component.",
 ExtendedDescription: "",
 Lang: "en",
 },
 "797": {
 CweID: "797",
 Name: "Only Filtering Special Elements at an Absolute Position",
- Description: `The software receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. "byte number 10"), thereby missing remaining special elements that may exist before sending it to a downstream component.`,
+ Description: "The software receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. \"byte number 10\"), thereby missing remaining special elements that may exist before sending it to a downstream component.",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -6125,7 +6195,7 @@ var CweDictEn = map[string]Cwe{
 "80": {
 CweID: "80",
 Name: "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
- Description: `The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.`,
+ Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as \"<\", \">\", and \"&\" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.",
 ExtendedDescription: "This may allow such characters to be treated as control characters, which are executed client-side in the context of the user's session. Although this can be classified as an injection problem, the more pertinent issue is the improper conversion of such special characters to respective context-appropriate entities before displaying them to the user.",
 Lang: "en",
 },
@@ -6244,7 +6314,7 @@ var CweDictEn = map[string]Cwe{
 "83": {
 CweID: "83",
 Name: "Improper Neutralization of Script in Attributes in a Web Page",
- Description: `The software does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.`,
+ Description: "The software does not neutralize or incorrectly neutralizes \"javascript:\" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -6301,7 +6371,7 @@ var CweDictEn = map[string]Cwe{
 CweID: "837",
 Name: "Improper Enforcement of a Single, Unique Action",
 Description: "The software requires that an actor should only be able to perform an action once, or to have only one unique action, but the software does not enforce or improperly enforces this restriction.",
- ExtendedDescription: `In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or making a purchase. When this restriction is not enforced, sometimes this can have security implications. For example, in a voting application, an attacker could attempt to "stuff the ballot box" by voting multiple times. If these votes are counted separately, then the attacker could directly affect who wins the vote. This could have significant business impact depending on the purpose of the software.`,
+ ExtendedDescription: "In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or making a purchase. When this restriction is not enforced, sometimes this can have security implications. For example, in a voting application, an attacker could attempt to \"stuff the ballot box\" by voting multiple times. If these votes are counted separately, then the attacker could directly affect who wins the vote. This could have significant business impact depending on the purpose of the software.",
 Lang: "en",
 },
 "838": {
@@ -6357,7 +6427,7 @@ var CweDictEn = map[string]Cwe{
 CweID: "86",
 Name: "Improper Neutralization of Invalid Characters in Identifiers in Web Pages",
 Description: "The software does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.",
- ExtendedDescription: `Some web browsers may remove these sequences, resulting in output that may have unintended control implications. For example, the software may attempt to remove a "javascript:" URI scheme, but a "java%00script:" URI may bypass this check and still be rendered as active javascript by some browsers, allowing XSS or other attacks.`,
+ ExtendedDescription: "Some web browsers may remove these sequences, resulting in output that may have unintended control implications. For example, the software may attempt to remove a \"javascript:\" URI scheme, but a \"java%00script:\" URI may bypass this check and still be rendered as active javascript by some browsers, allowing XSS or other attacks.",
 Lang: "en",
 },
 "862": {
@@ -6384,7 +6454,7 @@ var CweDictEn = map[string]Cwe{
 "88": {
 CweID: "88",
 Name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",
- Description: "The software constructs a string for a command to executed by a separate componentin another control sphere, but it does not properly delimit theintended arguments, options, or switches within that command string.",
+ Description: "The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.",
 ExtendedDescription: "",
 Lang: "en",
 },
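Review bot: The new CWE-88 Description still reads `a command to executed by a separate component`, so the typo fix in this hunk is incomplete; the missing-space repairs ("component in", "the intended") are right, but the sentence presumably should be `a string for a command to be executed by a separate component in another control sphere`. Since these strings mirror the upstream CWE text, the remaining error is probably upstream as well, and a hand edit here will be overwritten the next time the dictionary is regenerated. If the generator has no override mechanism, a comment on the entry such as `// wording follows upstream CWE text verbatim; fix upstream, not here` would stop the next reviewer from re-fixing it by hand.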
@@ -6427,7 +6497,7 @@ var CweDictEn = map[string]Cwe{
 CweID: "91",
 Name: "XML Injection (aka Blind XPath Injection)",
 Description: "The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.",
- ExtendedDescription: `Within XML, special elements could include reserved words or characters such as "<", ">", """, and "&", which could then be used to add new data or modify XML syntax.`,
+ ExtendedDescription: "Within XML, special elements could include reserved words or characters such as \"<\", \">\", \"\"\", and \"&\", which could then be used to add new data or modify XML syntax.",
 Lang: "en",
 },
 "910": {
@@ -6448,7 +6518,7 @@ var CweDictEn = map[string]Cwe{
 CweID: "912",
 Name: "Hidden Functionality",
 Description: "The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software's users or administrators.",
- ExtendedDescription: `Hidden functionality can take many forms, such as intentionally malicious code, "Easter Eggs" that contain extraneous functionality such as games, developer-friendly shortcuts that reduce maintenance or support costs such as hard-coded accounts, etc. From a security perspective, even when the functionality is not intentionally malicious or damaging, it can increase the software's attack surface and expose additional weaknesses beyond what is already exposed by the intended functionality. Even if it is not easily accessible, the hidden functionality could be useful for attacks that modify the control flow of the application.`,
+ ExtendedDescription: "Hidden functionality can take many forms, such as intentionally malicious code, \"Easter Eggs\" that contain extraneous functionality such as games, developer-friendly shortcuts that reduce maintenance or support costs such as hard-coded accounts, etc. From a security perspective, even when the functionality is not intentionally malicious or damaging, it can increase the software's attack surface and expose additional weaknesses beyond what is already exposed by the intended functionality. Even if it is not easily accessible, the hidden functionality could be useful for attacks that modify the control flow of the application.",
 Lang: "en",
 },
 "913": {
@@ -6482,8 +6552,8 @@ var CweDictEn = map[string]Cwe{
 "917": {
 CweID: "917",
 Name: "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')",
- Description: "The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.",
- ExtendedDescription: "",
+ Description: "The software constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.",
+ ExtendedDescription: "Frameworks such as Java Server Page (JSP) allow a developer to insert executable expressions within otherwise-static content. When the developer is not aware of the executable nature of these expressions and/or does not disable them, then if an attacker can inject expressions, this could lead to code execution or other unexpected behaviors.",
 Lang: "en",
 },
 "918": {
@@ -6496,7 +6566,7 @@ var CweDictEn = map[string]Cwe{
 "92": {
 CweID: "92",
 Name: "DEPRECATED: Improper Sanitization of Custom Special Characters",
- Description: `This entry has been deprecated. It originally came from PLOVER, which sometimes defined "other" and "miscellaneous" categories in order to satisfy exhaustiveness requirements for taxonomies. Within the context of CWE, the use of a more abstract entry is preferred in mapping situations. CWE-75 is a more appropriate mapping.`,
+ Description: "This entry has been deprecated. It originally came from PLOVER, which sometimes defined \"other\" and \"miscellaneous\" categories in order to satisfy exhaustiveness requirements for taxonomies. Within the context of CWE, the use of a more abstract entry is preferred in mapping situations. CWE-75 is a more appropriate mapping.",
 ExtendedDescription: "",
 Lang: "en",
 },
@@ -6608,7 +6678,7 @@ var CweDictEn = map[string]Cwe{
 "95": {
 CweID: "95",
 Name: "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
- Description: `The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").`,
+ Description: "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. \"eval\").",
 ExtendedDescription: "This may allow an attacker to execute arbitrary code, or at least modify what code can be executed.",
 Lang: "en",
 },
@@ -6629,7 +6699,7 @@ var CweDictEn = map[string]Cwe{
 "98": {
 CweID: "98",
 Name: "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')",
- Description: `The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.`,
+ Description: "The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in \"require,\" \"include,\" or similar functions.",
 ExtendedDescription: "In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the software will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.",
 Lang: "en",
 },
diff --git a/cwe/ja.go b/cwe/ja.go
index 4b1d7dc8df..e4e7a3ac02 100644
--- a/cwe/ja.go
+++ b/cwe/ja.go
@@ -2,527 +2,520 @@ package cwe // CweDictJa is the Cwe dictionary var CweDictJa = map[string]Cwe{ - "669": { - CweID: "669", - Name: "領域間での誤ったリソース移動(CWE-669)", + "1": { + CweID: "1", + Name: "ロケーション(CWE-1)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "405": { - CweID: "405", - Name: "非対称のリソース消費に関する脆弱性(CWE-405)", + "1004": { + CweID: "1004", + Name: "HttpOnly 属性のない重要な Cookie(CWE-1004)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "912": { - CweID: "912", - Name: "非公開の機能(CWE-912)", + "1021": { + CweID: "1021", + Name: "レンダリングされたユーザインターフェースレイヤまたはフレームの不適切な制限(CWE-1021)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "320": { - CweID: "320", - Name: "鍵管理のエラー(CWE-320)", + "1076": { + CweID: "1076", + Name: "期待した規則への不十分な順守(CWE-1076)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "539": { - CweID: "539", - Name: "重要情報を含む永続 Cookie の使用(CWE-539)", + "1104": { + CweID: "1104", + Name: "メンテナンスされていないサードパーティ製コンポーネントの使用(CWE-1104)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "642": { - CweID: "642", - Name: "重要な状態データの外部制御(CWE-642)", + "112": { + CweID: "112", + Name: "XML 検証の欠如(CWE-112)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "306": { - CweID: "306", - Name: "重要な機能に対する認証の欠如(CWE-306)", + "113": { + CweID: "113", + Name: "HTTP レスポンスの分割(CWE-113)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "312": { - CweID: "312", - Name: "重要な情報の平文保存(CWE-312)", + "115": { + CweID: "115", + Name: "入力の誤った解釈(CWE-115)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "319": { - CweID: "319", - Name: "重要な情報の平文での送信(CWE-319)", + "116": { + CweID: "116", + Name: "不適切なエンコード、または出力のエスケープ(CWE-116)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "922": { - CweID: "922", - Name: "重要な情報のセキュアでない格納(CWE-922)", + "117": { + CweID: "117", + Name: "不適切なログ出力の無効化(CWE-117)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "732": { - CweID: "732", - Name: 
"重要なリソースに対する不適切なパーミッションの割り当て(CWE-732)", + "118": { + CweID: "118", + Name: "インデックス化が可能なリソースの不適切なアクセス (範囲エラー)(CWE-118)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "311": { - CweID: "311", - Name: "重要なデータの暗号化の欠如(CWE-311)", + "1187": { + CweID: "1187", + Name: "初期化されていないリソースの使用(CWE-1187)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "129": { - CweID: "129", - Name: "配列インデックスの不適切な検証(CWE-129)", + "1188": { + CweID: "1188", + Name: "リソースの安全ではないデフォルト値への初期化(CWE-1188)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "645": { - CweID: "645", - Name: "過度に制限されたアカウントロックアウトメカニズム(CWE-645)", + "119": { + CweID: "119", + Name: "バッファエラー(CWE-119)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "307": { - CweID: "307", - Name: "過度な認証試行の不適切な制限(CWE-307)", + "120": { + CweID: "120", + Name: "古典的バッファオーバーフロー(CWE-120)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "834": { - CweID: "834", - Name: "過度なイテレーション(CWE-834)", + "121": { + CweID: "121", + Name: "スタックベースのバッファオーバーフロー(CWE-121)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "789": { - CweID: "789", - Name: "過剰なサイズ値のメモリ割り当て(CWE-789)", + "122": { + CweID: "122", + Name: "ヒープベースのバッファオーバーフロー(CWE-122)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "924": { - CweID: "924", - Name: "通信チャネルで送信中のメッセージの整合性への不適切な強制(CWE-924)", + "123": { + CweID: "123", + Name: "任意の場所に任意の値を書き込み可能な状態(CWE-123)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "201": { - CweID: "201", - Name: "送信データへの重要な情報の挿入(CWE-201)", + "1236": { + CweID: "1236", + Name: "CSV ファイル内の数式要素の不適切な中和(CWE-1236)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "706": { - CweID: "706", - Name: "誤って解決された名前や参照の使用(CWE-706)", + "124": { + CweID: "124", + Name: "バッファアンダーフロー (CWE-124)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "668": { - CweID: "668", - Name: "誤った領域へのリソースの漏えい(CWE-668)", + "125": { + CweID: "125", + Name: "境界外読み取り(CWE-125)", Description: "", 
ExtendedDescription: "", Lang: "ja", }, - "256": { - CweID: "256", - Name: "認証情報の平文保存(CWE-256)", + "126": { + CweID: "126", + Name: "バッファオーバーリード(CWE-126)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "523": { - CweID: "523", - Name: "認証情報の保護しない転送(CWE-523)", + "1278": { + CweID: "1278", + Name: "集積回路(IC)イメージング技術を用いたハードウェアリバースエンジニアリングへの保護の欠如(CWE-1278)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "522": { - CweID: "522", - Name: "認証情報の不十分な保護(CWE-522)", + "1284": { + CweID: "1284", + Name: "入力で指定された数量の不適切な検証(CWE-1284)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "302": { - CweID: "302", - Name: "認証回避の脆弱性(CWE-302)", + "1286": { + CweID: "1286", + Name: "入力の構文的正当性の不適切な検証(CWE-1286)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "303": { - CweID: "303", - Name: "認証アルゴリズムの不適切な実装(CWE-303)", + "129": { + CweID: "129", + Name: "配列インデックスの不適切な検証(CWE-129)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "862": { - CweID: "862", - Name: "認証の欠如(CWE-862)", + "130": { + CweID: "130", + Name: "レングスパラメーターの不整合による不適切な処理(CWE-130)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "264": { - CweID: "264", - Name: "認可・権限・アクセス制御(CWE-264)", + "131": { + CweID: "131", + Name: "バッファサイズの計算の誤り(CWE-131)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "497": { - CweID: "497", - Name: "認可されていない制御領域への重要情報の漏えい(CWE-497)", + "1321": { + CweID: "1321", + Name: "オブジェクトプロトタイプ属性の不適切に制御された変更 (プロトタイプの汚染)(CWE-1321)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "359": { - CweID: "359", - Name: "認可されていないアクターへの個人情報の漏えい(CWE-359)", + "134": { + CweID: "134", + Name: "書式文字列の問題(CWE-134)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "299": { - CweID: "299", - Name: "証明書失効の不適切なチェック(CWE-299)", + "15": { + CweID: "15", + Name: "システム構成または設定の外部制御(CWE-15)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "255": { - CweID: "255", - Name: "証明書・パスワードの管理(CWE-255)", + "150": { + CweID: "150", + 
Name: "エスケープ、メタ、またはコントロールシーケンスの不適切な無効化(CWE-150)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "DesignError": { - CweID: "DesignError", - Name: "設計上の問題(CWE-DesignError)", + "158": { + CweID: "158", + Name: "NULL バイトまたは NULL キャラクタの不適切な無害化(CWE-158)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "260": { - CweID: "260", - Name: "設定ファイル内のパスワード(CWE-260)", + "16": { + CweID: "16", + Name: "環境設定(CWE-16)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "682": { - CweID: "682", - Name: "計算の誤り(CWE-682)", + "17": { + CweID: "17", + Name: "コード(CWE-17)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "917": { - CweID: "917", - Name: "言語構文の表現に使用される特殊な要素の不適切な無効化(CWE-917)", + "170": { + CweID: "170", + Name: "不適切な NULL による終了(CWE-170)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "436": { - CweID: "436", - Name: "解釈の競合(CWE-436)", + "171": { + CweID: "171", + Name: "クレンジング、正規化、および比較エラー(CWE-171)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "416": { - CweID: "416", - Name: "解放済みメモリの使用(CWE-416)", + "172": { + CweID: "172", + Name: "エンコーディングエラー(CWE-172)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "435": { - CweID: "435", - Name: "複数の正しく動作するエンティティ間における不適切な相互作用(CWE-435)", + "178": { + CweID: "178", + Name: "大文字と小文字の区別の不適切な処理(CWE-178)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "521": { - CweID: "521", - Name: "脆弱なパスワードの要求(CWE-521)", + "18": { + CweID: "18", + Name: "ソースコード(CWE-18)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "36": { - CweID: "36", - Name: "絶対パストラバーサル(CWE-36)", + "184": { + CweID: "184", + Name: "不完全なブラックリスト(CWE-184)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "362": { - CweID: "362", - Name: "競合状態(CWE-362)", + "185": { + CweID: "185", + Name: "不正な正規表現(CWE-185)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "694": { - CweID: "694", - Name: "競合する識別子を使用した複数のリソースの使用(CWE-694)", + "189": { + CweID: "189", + Name: 
"数値処理の問題(CWE-189)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "385": { - CweID: "385", - Name: "秘密のタイミングチャネル(CWE-385)", + "19": { + CweID: "19", + Name: "データ処理(CWE-19)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "23": { - CweID: "23", - Name: "相対パストラバーサル(CWE-23)", + "190": { + CweID: "190", + Name: "整数オーバーフローまたはラップアラウンド(CWE-190)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "16": { - CweID: "16", - Name: "環境設定(CWE-16)", + "191": { + CweID: "191", + Name: "整数アンダーフロー(CWE-191)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "371": { - CweID: "371", - Name: "状態の問題(CWE-371)", + "193": { + CweID: "193", + Name: "境界条件の判定(CWE-193)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "75": { - CweID: "75", - Name: "特殊要素の不適切なサニタイジング(CWE-75)", + "194": { + CweID: "194", + Name: "予期しない符号拡張(CWE-194)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "271": { - CweID: "271", - Name: "特権の削除/エラーの低下(CWE-271)", + "197": { + CweID: "197", + Name: "数値打ち切り誤差(CWE-197)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "835": { - CweID: "835", - Name: "無限ループ(CWE-835)", + "199": { + CweID: "199", + Name: "情報管理の問題(CWE-199)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "763": { - CweID: "763", - Name: "無効なポインタや参照の解放(CWE-763)", + "20": { + CweID: "20", + Name: "不適切な入力確認(CWE-20)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "676": { - CweID: "676", - Name: "潜在的に危険な関数の使用(CWE-676)", + "200": { + CweID: "200", + Name: "情報漏えい(CWE-200)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "920": { - CweID: "920", - Name: "消費電力の不適切な制限(CWE-920)", + "201": { + CweID: "201", + Name: "送信データへの重要な情報の挿入(CWE-201)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "565": { - CweID: "565", - Name: "検証および完全性チェックを行っていない Cookie への依存(CWE-565)", + "202": { + CweID: "202", + Name: "データクエリからの重要な情報の漏えい(CWE-202)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "305": { - 
CweID: "305", - Name: "根本の脆弱性による認証回避(CWE-305)", + "2020-7809 | Estsoft ALSong DOM-Based XSS Vulnerability": { + CweID: "2020-7809 | Estsoft ALSong DOM-Based XSS Vulnerability", + Name: "", Description: "", ExtendedDescription: "", Lang: "ja", }, - "242": { - CweID: "242", - Name: "本質的に危険な機能の使用(CWE-242)", + "203": { + CweID: "203", + Name: "観測可能な不一致(CWE-203)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "252": { - CweID: "252", - Name: "未チェックの戻り値(CWE-252)", + "204": { + CweID: "204", + Name: "リクエストに対するレスポンス内容の違いに起因する情報漏えい(CWE-204)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "1076": { - CweID: "1076", - Name: "期待した規則への不十分な順守(CWE-1076)", + "208": { + CweID: "208", + Name: "タイミングの違いに起因する情報漏えい(CWE-208)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "672": { - CweID: "672", - Name: "有効期限後または解放後のリソースの操作(CWE-672)", - Description: "", - ExtendedDescription: "", - Lang: "ja", - }, - "401": { - CweID: "401", - Name: "有効期限後のメモリの解放の欠如(CWE-401)", + "209": { + CweID: "209", + Name: "エラーメッセージによる情報漏えい(CWE-209)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "775": { - CweID: "775", - Name: "有効期限後のファイル記述子またはハンドルの解放の欠如(CWE-775)", + "21": { + CweID: "21", + Name: "パス名トラバーサルおよび同値エラー(CWE-21)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "772": { - CweID: "772", - Name: "有効なライフタイム後のリソースの解放の欠如(CWE-772)", + "212": { + CweID: "212", + Name: "保存または転送前の重要な情報の不適切な削除(CWE-212)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "134": { - CweID: "134", - Name: "書式文字列の問題(CWE-134)", + "214": { + CweID: "214", + Name: "重要な情報を使用しているプロセスの呼び出し(CWE-214)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "325": { - CweID: "325", - Name: "暗号化処理の不備(CWE-325)", + "216": { + CweID: "216", + Name: "コンテナエラー(CWE-216)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "310": { - CweID: "310", - Name: "暗号の問題(CWE-310)", + "22": { + CweID: "22", + Name: "パス・トラバーサル(CWE-22)", Description: "", ExtendedDescription: 
"", Lang: "ja", }, - "338": { - CweID: "338", - Name: "暗号における脆弱な PRNG の使用(CWE-338)", + "228": { + CweID: "228", + Name: "不正な構文構造の不適切な処理(CWE-228)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "361": { - CweID: "361", - Name: "時間とステータス(CWE-361)", + "23": { + CweID: "23", + Name: "相対パストラバーサル(CWE-23)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "190": { - CweID: "190", - Name: "整数オーバーフローまたはラップアラウンド(CWE-190)", + "240": { + CweID: "240", + Name: "一貫性のない構造要素の不適切な処理(CWE-240)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "191": { - CweID: "191", - Name: "整数アンダーフロー(CWE-191)", + "242": { + CweID: "242", + Name: "本質的に危険な機能の使用(CWE-242)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "197": { - CweID: "197", - Name: "数値打ち切り誤差(CWE-197)", + "248": { + CweID: "248", + Name: "キャッチされない例外(CWE-248)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "681": { - CweID: "681", - Name: "数値型間の変換の誤り(CWE-681)", + "250": { + CweID: "250", + Name: "不要な特権による実行(CWE-250)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "189": { - CweID: "189", - Name: "数値処理の問題(CWE-189)", + "252": { + CweID: "252", + Name: "未チェックの戻り値(CWE-252)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "199": { - CweID: "199", - Name: "情報管理の問題(CWE-199)", + "254": { + CweID: "254", + Name: "セキュリティ機能(CWE-254)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "200": { - CweID: "200", - Name: "情報漏えい(CWE-200)", + "255": { + CweID: "255", + Name: "証明書・パスワードの管理(CWE-255)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "noinfo": { - CweID: "noinfo", - Name: "情報不足(CWE-noinfo)", + "256": { + CweID: "256", + Name: "認証情報の平文保存(CWE-256)", Description: "", ExtendedDescription: "", Lang: "ja", 
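Review bot: The added entry keyed `"2020-7809 | Estsoft ALSong DOM-Based XSS Vulnerability"` (between the CWE-202 and CWE-203 entries) is not a CWE identifier — it looks like a CVE title that leaked out of the source data — and it is emitted with `Name: ""`, so `CweDictJa` now carries a bogus key with an empty name that will surface in any listing or reverse lookup over the map. The generator should validate keys before emitting: accept `^[0-9]+$` plus the pseudo-IDs this file already uses (`noinfo` and `DesignError` appear on the old side of this hunk) and drop or log anything else, which would have caught this at build time. Smaller, same cause: `"124"` is named `"バッファアンダーフロー (CWE-124)"` with a space before the parenthesis while every other entry in the hunk has none, so the name suffix is presumably also worth normalising in the generator rather than by hand. The `CweDictJa` map literal continues past this hunk.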
@@ -534,667 +527,681 @@ var CweDictJa = map[string]Cwe{ ExtendedDescription: "", Lang: "ja", }, - "916": { - CweID: "916", - Name: "強度が不十分なパスワードハッシュの使用(CWE-916)", + "259": { + CweID: "259", + Name: "ハードコードされたパスワードの使用(CWE-259)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "428": { - CweID: "428", - Name: "引用されない検索パスまたは要素(CWE-428)", + "260": { + CweID: "260", + Name: "設定ファイル内のパスワード(CWE-260)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "88": { - CweID: "88", - Name: "引数の挿入または変更(CWE-88)", + "261": { + CweID: "261", + Name: "パスワードの弱い暗号の使用(CWE-261)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "670": { - CweID: "670", - Name: "常に不適切な制御フローの実装(CWE-670)", + "264": { + CweID: "264", + Name: "認可・権限・アクセス制御(CWE-264)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "353": { - CweID: "353", - Name: "完全性チェックの欠如(CWE-353)", + "266": { + CweID: "266", + Name: "不適切な権限設定(CWE-266)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "377": { - CweID: "377", - Name: "安全でない一時ファイル(CWE-377)", + "269": { + CweID: "269", + Name: "不適切な権限管理(CWE-269)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "552": { - CweID: "552", - Name: "外部からアクセス可能なファイルまたはディレクトリ(CWE-552)", + "270": { + CweID: "270", + Name: "特権コンテキストの切り替えエラー(CWE-270)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "412": { - CweID: "412", - Name: "外部からの操作の制限不備(CWE-412)", + "271": { + CweID: "271", + Name: "特権の削除/エラーの低下(CWE-271)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "453": { - CweID: "453", - Name: "変数の安全ではないデフォルト値への初期化(CWE-453)", + "273": { + CweID: "273", + Name: "削除された特権に対する不適切なチェック(CWE-273)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "193": { - CweID: "193", - Name: "境界条件の判定(CWE-193)", + "275": { + CweID: "275", + Name: "パーミッションの問題(CWE-275)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "125": { - CweID: "125", - Name: "境界外読み取り(CWE-125)", + "276": { + CweID: "276", + Name: 
"不適切なデフォルトパーミッション(CWE-276)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "787": { - CweID: "787", - Name: "境界外書き込み(CWE-787)", + "279": { + CweID: "279", + Name: "割り当てられたパーミッションの不適切な実行(CWE-279)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "506": { - CweID: "506", - Name: "埋め込まれた悪意のあるコード(CWE-506)", + "281": { + CweID: "281", + Name: "パーミッションの不適切な保持(CWE-281)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "843": { - CweID: "843", - Name: "型の取り違え(CWE-843)", + "283": { + CweID: "283", + Name: "未検証の所有権(CWE-283)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "820": { - CweID: "820", - Name: "同期の欠如(CWE-820)", + "284": { + CweID: "284", + Name: "不適切なアクセス制御(CWE-284)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "346": { - CweID: "346", - Name: "同一生成元ポリシー違反(CWE-346)", + "285": { + CweID: "285", + Name: "不適切な認可(CWE-285)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "605": { - CweID: "605", - Name: "同一ポートに複数のソケットをバインドする問題(CWE-605)", + "287": { + CweID: "287", + Name: "不適切な認証(CWE-287)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "120": { - CweID: "120", - Name: "古典的バッファオーバーフロー(CWE-120)", + "288": { + CweID: "288", + Name: "代替パスまたはチャネルを使用した認証回避(CWE-288)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "357": { - CweID: "357", - Name: "危険な操作に対する不十分な警告(CWE-357)", + "290": { + CweID: "290", + Name: "スプーフィングによる認証回避(CWE-290)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "749": { - CweID: "749", - Name: "危険なメソッドや機能の公開(CWE-749)", + "294": { + CweID: "294", + Name: "Capture-replay による認証回避(CWE-294)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "434": { - CweID: "434", - Name: "危険なタイプのファイルの無制限アップロード(CWE-434)", + "295": { + CweID: "295", + Name: "不正な証明書検証(CWE-295)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "915": { - CweID: "915", - Name: "動的に決定されたオブジェクト属性の不適切に制御された変更(CWE-915)", + "297": { + CweID: "297", + Name: 
"ホストの不一致による証明書の不適切な検証(CWE-297)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "913": { - CweID: "913", - Name: "動的に操作されるコードリソースの不適切な制御(CWE-913)", + "299": { + CweID: "299", + Name: "証明書失効の不適切なチェック(CWE-299)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "279": { - CweID: "279", - Name: "割り当てられたパーミッションの不適切な実行(CWE-279)", + "300": { + CweID: "300", + Name: "中間者の問題(CWE-300)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "273": { - CweID: "273", - Name: "削除された特権に対する不適切なチェック(CWE-273)", + "302": { + CweID: "302", + Name: "認証回避の脆弱性(CWE-302)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "770": { - CweID: "770", - Name: "制限またはスロットリング無しのリソースの割り当て(CWE-770)", + "303": { + CweID: "303", + Name: "認証アルゴリズムの不適切な実装(CWE-303)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "774": { - CweID: "774", - Name: "制限またはスロットリング無しのファイル記述子またはハンドルの割り当て(CWE-774)", + "304": { + CweID: "304", + Name: "認証の重要なステップの欠如(CWE-304)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "427": { - CweID: "427", - Name: "制御されていない検索パスの要素(CWE-427)", + "305": { + CweID: "305", + Name: "根本の脆弱性による認証回避(CWE-305)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "617": { - CweID: "617", - Name: "到達可能なアサーション(CWE-617)", + "306": { + CweID: "306", + Name: "重要な機能に対する認証の欠如(CWE-306)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "610": { - CweID: "610", - Name: "別領域リソースに対する外部からの制御可能な参照(CWE-610)", + "307": { + CweID: "307", + Name: "過度な認証試行の不適切な制限(CWE-307)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "908": { - CweID: "908", - Name: "初期化されていないリソースの使用(CWE-908)", + "310": { + CweID: "310", + Name: "暗号の問題(CWE-310)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "1187": { - CweID: "1187", - Name: "初期化されていないリソースの使用(CWE-1187)", + "311": { + CweID: "311", + Name: "重要なデータの暗号化の欠如(CWE-311)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "824": { - CweID: "824", - Name: 
"初期化されていないポインタのアクセス(CWE-824)", + "312": { + CweID: "312", + Name: "重要な情報の平文保存(CWE-312)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "838": { - CweID: "838", - Name: "出力コンテキストの不適切なエンコード(CWE-838)", + "315": { + CweID: "315", + Name: "Cookie における重要な情報の平文保存(CWE-315)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "115": { - CweID: "115", - Name: "入力の誤った解釈(CWE-115)", + "316": { + CweID: "316", + Name: "メモリにおける平文での重要な情報の保存(CWE-316)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "1286": { - CweID: "1286", - Name: "入力の構文的正当性の不適切な検証(CWE-1286)", + "319": { + CweID: "319", + Name: "重要な情報の平文での送信(CWE-319)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "349": { - CweID: "349", - Name: "信頼できるデータ受け入れ時の信頼できない無関係なデータの受け入れ(CWE-349)", + "320": { + CweID: "320", + Name: "鍵管理のエラー(CWE-320)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "426": { - CweID: "426", - Name: "信頼できない検索パス(CWE-426)", + "321": { + CweID: "321", + Name: "ハードコードされた暗号鍵の使用(CWE-321)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "829": { - CweID: "829", - Name: "信頼できない制御領域からの機能の組み込み(CWE-829)", + "322": { + CweID: "322", + Name: "エンティティ認証のない鍵交換(CWE-322)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "822": { - CweID: "822", - Name: "信頼できないポインタデリファレンス(CWE-822)", + "325": { + CweID: "325", + Name: "暗号化処理の不備(CWE-325)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "502": { - CweID: "502", - Name: "信頼できないデータのデシリアライゼーション(CWE-502)", + "326": { + CweID: "326", + Name: "不適切な暗号強度(CWE-326)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "693": { - CweID: "693", - Name: "保護メカニズムの不具合(CWE-693)", + "327": { + CweID: "327", + Name: "不完全、または危険な暗号アルゴリズムの使用(CWE-327)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "212": { - CweID: "212", - Name: "保存または転送前の重要な情報の不適切な削除(CWE-212)", + "328": { + CweID: "328", + Name: "脆弱なハッシュの使用(CWE-328)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "703": { 
- CweID: "703", - Name: "例外的な状況に対する不適切なチェックまたは処理(CWE-703)", + "329": { + CweID: "329", + Name: "CBC モードにおけるランダムな初期化ベクトルの不使用(CWE-329)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "755": { - CweID: "755", - Name: "例外的な状態における不適切な処理(CWE-755)", + "330": { + CweID: "330", + Name: "不十分なランダム値の使用(CWE-330)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "754": { - CweID: "754", - Name: "例外的な状態における不適切なチェック(CWE-754)", + "331": { + CweID: "331", + Name: "エントロピー不足(CWE-331)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "123": { - CweID: "123", - Name: "任意の場所に任意の値を書き込み可能な状態(CWE-123)", + "332": { + CweID: "332", + Name: "PRNG における不十分なエントロピー(CWE-332)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "288": { - CweID: "288", - Name: "代替パスまたはチャネルを使用した認証回避(CWE-288)", + "334": { + CweID: "334", + Name: "不十分なランダム値(CWE-334)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "87": { - CweID: "87", - Name: "代替 XSS 構文の不適切な無効化(CWE-87)", + "335": { + CweID: "335", + Name: "PRNG におけるシードの不正な使用(CWE-335)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "415": { - CweID: "415", - Name: "二重解放(CWE-415)", + "338": { + CweID: "338", + Name: "暗号における脆弱な PRNG の使用(CWE-338)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "760": { - CweID: "760", - Name: "予測可能な Salt の一方向ハッシュの使用(CWE-760)", + "345": { + CweID: "345", + Name: "データの信頼性についての不十分な検証(CWE-345)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "300": { - CweID: "300", - Name: "中間者の問題(CWE-300)", + "346": { + CweID: "346", + Name: "同一生成元ポリシー違反(CWE-346)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "358": { - CweID: "358", - Name: "不適切に実装されたセキュリティチェック(CWE-358)", + "347": { + CweID: "347", + Name: "デジタル署名の不適切な検証(CWE-347)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "805": { - CweID: "805", - Name: "不適切な長さの値によるバッファへのアクセス(CWE-805)", + "349": { + CweID: "349", + Name: "信頼できるデータ受け入れ時の信頼できない無関係なデータの受け入れ(CWE-349)", Description: "", 
ExtendedDescription: "", Lang: "ja", }, - "287": { - CweID: "287", - Name: "不適切な認証(CWE-287)", + "35": { + CweID: "35", + Name: "パストラバーサル(CWE-35)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "285": { - CweID: "285", - Name: "不適切な認可(CWE-285)", + "350": { + CweID: "350", + Name: "セキュリティ上重要なアクションのための逆引き DNS への依存(CWE-350)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "707": { - CweID: "707", - Name: "不適切な無害化(CWE-707)", + "352": { + CweID: "352", + Name: "クロスサイトリクエストフォージェリ(CWE-352)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "697": { - CweID: "697", - Name: "不適切な比較(CWE-697)", + "353": { + CweID: "353", + Name: "完全性チェックの欠如(CWE-353)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "266": { - CweID: "266", - Name: "不適切な権限設定(CWE-266)", + "354": { + CweID: "354", + Name: "データの整合性検証不備(CWE-354)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "269": { - CweID: "269", - Name: "不適切な権限管理(CWE-269)", + "357": { + CweID: "357", + Name: "危険な操作に対する不十分な警告(CWE-357)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "79": { - CweID: "79", - Name: "クロスサイトスクリプティング(CWE-79)", + "358": { + CweID: "358", + Name: "不適切に実装されたセキュリティチェック(CWE-358)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "80": { - CweID: "80", - Name: "クロスサイトスクリプティング (Basic XSS)(CWE-80)", + "359": { + CweID: "359", + Name: "認可されていない行為者への個人情報の漏えい(CWE-359)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "171": { - CweID: "171", - Name: "クレンジング、正規化、および比較エラー(CWE-171)", + "36": { + CweID: "36", + Name: "絶対パストラバーサル(CWE-36)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "470": { - CweID: "470", - Name: "クラスまたはコードを選択する外部から制御された入力の使用(CWE-470)", + "361": { + CweID: "361", + Name: "時間とステータス(CWE-361)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "603": { - CweID: "603", - Name: "クライアント側認証の使用(CWE-603)", + "362": { + CweID: "362", + Name: "競合状態(CWE-362)", Description: "", ExtendedDescription: "", Lang: 
"ja", }, - "248": { - CweID: "248", - Name: "キャッチされない例外(CWE-248)", + "364": { + CweID: "364", + Name: "シグナルハンドラの競合状態(CWE-364)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "601": { - CweID: "601", - Name: "オープンリダイレクト(CWE-601)", + "367": { + CweID: "367", + Name: "Time-of-check Time-of-use (TOCTOU) 競合状態(CWE-367)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "331": { - CweID: "331", - Name: "エントロピー不足(CWE-331)", + "369": { + CweID: "369", + Name: "ゼロ除算(CWE-369)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "322": { - CweID: "322", - Name: "エンティティ認証のない鍵交換(CWE-322)", + "371": { + CweID: "371", + Name: "状態の問題(CWE-371)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "172": { - CweID: "172", - Name: "エンコーディングエラー(CWE-172)", + "377": { + CweID: "377", + Name: "安全でない一時ファイル(CWE-377)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "388": { - CweID: "388", - Name: "エラー処理(CWE-388)", + "378": { + CweID: "378", + Name: "不適切なアクセスパーミションでの一時ファイル作成(CWE-378)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "209": { - CweID: "209", - Name: "エラーメッセージによる情報漏えい(CWE-209)", + "379": { + CweID: "379", + Name: "不適切なアクセスパーミションのディレクトリに一時ファイル作成(CWE-379)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "150": { - CweID: "150", - Name: "エスケープ、メタ、またはコントロールシーケンスの不適切な無効化(CWE-150)", + "384": { + CweID: "384", + Name: "セッションの固定化(CWE-384)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "118": { - CweID: "118", - Name: "インデックス化が可能なリソースの不適切なアクセス (範囲エラー)(CWE-118)", + "385": { + CweID: "385", + Name: "秘密のタイミングチャネル(CWE-385)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "74": { - CweID: "74", - Name: "インジェクション(CWE-74)", + "388": { + CweID: "388", + Name: "エラー処理(CWE-388)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "407": { - CweID: "407", - Name: "アルゴリズムの複雑性(CWE-407)", + "398": { + CweID: "398", + Name: "コードの品質(CWE-398)", Description: "", ExtendedDescription: "", Lang: "ja", 
}, - "757": { - CweID: "757", - Name: "アルゴリズムのダウングレード(CWE-757)", + "399": { + CweID: "399", + Name: "リソース管理の問題(CWE-399)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "489": { - CweID: "489", - Name: "アクティブ状態のデバッグコード(CWE-489)", + "400": { + CweID: "400", + Name: "リソースの枯渇(CWE-400)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "921": { - CweID: "921", - Name: "アクセス制御のないメカニズムでの重要データの保存(CWE-921)", + "401": { + CweID: "401", + Name: "有効期限後のメモリの解放の欠如(CWE-401)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "Other": { - CweID: "Other", - Name: "その他(CWE-Other)", + "404": { + CweID: "404", + Name: "リソースの不適切なシャットダウンおよびリリース(CWE-404)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "643": { - CweID: "643", - Name: "Xpath インジェクション(CWE-643)", + "405": { + CweID: "405", + Name: "非対称のリソース消費に関する脆弱性(CWE-405)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "112": { - CweID: "112", - Name: "XML 検証の欠如(CWE-112)", + "406": { + CweID: "406", + Name: "ネットワークメッセージ量の不十分な制御 (ネットワーク増幅)(CWE-406)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "611": { - CweID: "611", - Name: "XML 外部エンティティ参照の不適切な制限(CWE-611)", + "407": { + CweID: "407", + Name: "アルゴリズムの複雑性(CWE-407)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "61": { - CweID: "61", - Name: "UNIX Symbolic Link のフォロー(CWE-61)", + "410": { + CweID: "410", + Name: "不十分なリソースプール(CWE-410)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "367": { - CweID: "367", - Name: "Time-of-check Time-of-use (TOCTOU) 競合状態(CWE-367)", + "412": { + CweID: "412", + Name: "外部からの操作の制限不備(CWE-412)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "759": { - CweID: "759", - Name: "Salt を使用しない一方向ハッシュの使用(CWE-759)", + "413": { + CweID: "413", + Name: "不適切なリソースロック(CWE-413)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "89": { - CweID: "89", - Name: "SQLインジェクション(CWE-89)", + "415": { + CweID: "415", + Name: "二重解放(CWE-415)", Description: "", 
ExtendedDescription: "", Lang: "ja", }, - "332": { - CweID: "332", - Name: "PRNG における不十分なエントロピー(CWE-332)", + "416": { + CweID: "416", + Name: "解放済みメモリの使用(CWE-416)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "335": { - CweID: "335", - Name: "PRNG におけるシードの不正な使用(CWE-335)", + "417": { + CweID: "417", + Name: "チャネルおよびパスのエラー(CWE-417)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "98": { - CweID: "98", - Name: "PHP リモートファイルインクルージョン(CWE-98)", + "425": { + CweID: "425", + Name: "リクエストの直接送信(CWE-425)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "78": { - CweID: "78", - Name: "OSコマンドインジェクション(CWE-78)", + "426": { + CweID: "426", + Name: "信頼できない検索パス(CWE-426)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "476": { - CweID: "476", - Name: "NULL ポインタデリファレンス(CWE-476)", + "427": { + CweID: "427", + Name: "制御されていない検索パスの要素(CWE-427)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "158": { - CweID: "158", - Name: "NULL バイトまたは NULL キャラクタの不適切な無害化(CWE-158)", + "428": { + CweID: "428", + Name: "引用されない検索パスまたは要素(CWE-428)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "90": { - CweID: "90", - Name: "LDAP インジェクション(CWE-90)", + "434": { + CweID: "434", + Name: "危険なタイプのファイルの無制限アップロード(CWE-434)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "113": { - CweID: "113", - Name: "HTTP レスポンスの分割(CWE-113)", + "435": { + CweID: "435", + Name: "複数の正しく動作するエンティティ間における不適切な相互作用(CWE-435)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "436": { + CweID: "436", + Name: "解釈の競合(CWE-436)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "441": { + CweID: "441", + Name: "フィルタリング回避(CWE-441)", Description: "", ExtendedDescription: "", Lang: "ja", 
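Review bot: The regenerated map takes whatever key the upstream feed supplies, and the same regeneration that produced this hunk emits a non-CWE key in the file's first hunk, `"2020-7809 | Estsoft ALSong DOM-Based XSS Vulnerability"` with `Name: ""`, which looks like an advisory title mis-parsed as a CWE identifier. Every key added in this hunk is a plain CWE number, so the defect sits in the generator rather than in these lines, but the commit ships its output unchecked. I would have the generator skip, or at least log, any key that is not an all-digit CWE number or one of the pseudo-IDs the old dictionary carried (`Other`, removed in this hunk, and `nocwe`/`noinfo` removed in the neighbouring hunks), and treat an empty `Name` as an error, so that a malformed feed record cannot silently become a lookup entry. A one-line shape check on the key at the point the entry is written would be enough; the generator itself is not part of this diff, so I cannot point at the exact line.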
@@ -1206,9 +1213,219 @@ var CweDictJa = map[string]Cwe{
 ExtendedDescription: "",
 Lang: "ja",
 },
- "644": {
- CweID: "644",
- Name: "HTTP ヘッダのスクリプト構文の不適切な無効化(CWE-644)",
+ "451": {
+ CweID: "451",
+ Name: "ユーザインターフェースにおける重要情報の誤った表示(CWE-451)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "453": {
+ CweID: "453",
+ Name: "変数の安全ではないデフォルト値への初期化(CWE-453)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "457": {
+ CweID: "457",
+ Name: "初期化されていない変数の使用(CWE-457)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "459": {
+ CweID: "459",
+ Name: "不完全なクリーンアップ(CWE-459)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "470": {
+ CweID: "470",
+ Name: "クラスまたはコードを選択する外部から制御された入力の使用(CWE-470)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "471": {
+ CweID: "471",
+ Name: "不変と仮定されるデータの変更(CWE-471)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "472": {
+ CweID: "472",
+ Name: "不変と仮定される Web パラメータの外部制御(CWE-472)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "476": {
+ CweID: "476",
+ Name: "NULL ポインタデリファレンス(CWE-476)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "485": {
+ CweID: "485",
+ Name: "不十分なカプセル化(CWE-485)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "489": {
+ CweID: "489",
+ Name: "アクティブ状態のデバッグコード(CWE-489)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "494": {
+ CweID: "494",
+ Name: "ダウンロードしたコードの完全性検証不備(CWE-494)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "497": {
+ CweID: "497",
+ Name: "認可されていない制御領域への重要情報の漏えい(CWE-497)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "502": {
+ CweID: "502",
+ Name: "信頼できないデータのデシリアライゼーション(CWE-502)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "506": {
+ CweID: "506",
+ Name: "埋め込まれた悪意のあるコード(CWE-506)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "507": {
+ CweID: "507",
+ Name: "トロイの木馬(CWE-507)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "521": {
+ CweID: "521",
+ Name: "脆弱なパスワードの要求(CWE-521)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "522": {
+ CweID: "522",
+ Name: "認証情報の不十分な保護(CWE-522)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "523": {
+ CweID: "523",
+ Name: "認証情報の保護しない転送(CWE-523)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "527": {
+ CweID: "527",
+ Name: "認可されていない制御領域へのバージョン管理リポジトリの漏えい(CWE-527)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "532": {
+ CweID: "532",
+ Name: "ログファイルからの情報漏えい(CWE-532)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "534": {
+ CweID: "534",
+ Name: "デバッグログファイルからの情報漏えい(CWE-534)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "538": {
+ CweID: "538",
+ Name: "ファイルおよびディレクトリ情報の漏えい(CWE-538)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "539": {
+ CweID: "539",
+ Name: "重要情報を含む永続 Cookie の使用(CWE-539)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "540": {
+ CweID: "540",
+ Name: "重要な情報を含むソースコード(CWE-540)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "548": {
+ CweID: "548",
+ Name: "ディレクトリリスティングによる情報漏えい(CWE-548)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "552": {
+ CweID: "552",
+ Name: "外部からアクセス可能なファイルまたはディレクトリ(CWE-552)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "565": {
+ CweID: "565",
+ Name: "検証および完全性チェックを行っていない Cookie への依存(CWE-565)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "567": {
+ CweID: "567",
+ Name: "マルチスレッドコンテキスト内の共有データへの非同期アクセス(CWE-567)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "573": {
+ CweID: "573",
+ Name: "呼び出し元による仕様の不適切な準拠(CWE-573)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "59": {
+ CweID: "59",
+ Name: "リンク解釈の問題(CWE-59)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "590": {
+ CweID: "590",
+ Name: "ヒープ領域の不適切な解放(CWE-590)",
 Description: "",
 ExtendedDescription: "",
 Lang: "ja",
@@ -1220,44 +1437,765 @@ var CweDictJa = map[string]Cwe{ ExtendedDescription: "", Lang: "ja", }, - "776": { - CweID: "776", - Name: "DTD の再帰的なエンティティ参照の不適切な制限(CWE-776)", + "601": { + CweID: "601", + Name: "オープンリダイレクト(CWE-601)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "294": { - CweID: "294", - Name: "Capture-replay による認証回避(CWE-294)", + "602": { + CweID: "602", + Name: "サーバ側のセキュリティのクライアント側での実施(CWE-602)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "nocwe": { - CweID: "nocwe", - Name: "CWE以外(CWE-nocwe)", + "603": { + CweID: "603", + Name: "クライアント側認証の使用(CWE-603)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "1236": { - CweID: "1236", - Name: "CSV ファイル内の数式要素の不適切な中和(CWE-1236)", + "605": { + CweID: "605", + Name: "同一ポートに複数のソケットをバインドする問題(CWE-605)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "93": { - CweID: "93", - Name: "CRLF インジェクション(CWE-93)", + "61": { + CweID: "61", + Name: "UNIX Symbolic Link のフォロー(CWE-61)", Description: "", ExtendedDescription: "", Lang: "ja", }, - "329": { - CweID: "329", - Name: "CBC モードにおけるランダムな初期化ベクトルの不使用(CWE-329)", + "610": { + CweID: "610", + Name: "別領域リソースに対する外部からの制御可能な参照(CWE-610)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "611": { + CweID: "611", + Name: "XML 外部エンティティ参照の不適切な制限(CWE-611)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "613": { + CweID: "613", + Name: "不適切なセッション期限(CWE-613)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "617": { + CweID: "617", + Name: "到達可能なアサーション(CWE-617)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "620": { + CweID: "620", + Name: "未検証のパスワード変更(CWE-620)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "639": { + CweID: "639", + Name: "ユーザ制御の鍵による認証回避(CWE-639)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "64": { + CweID: "64", + Name: "Windows ショートカットのフォロー(CWE-64)", + Description: "", + ExtendedDescription: "", + 
Lang: "ja", + }, + "640": { + CweID: "640", + Name: "パスワードを忘れた場合の脆弱なパスワードリカバリの仕組み(CWE-640)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "641": { + CweID: "641", + Name: "ファイルおよびその他のリソース名の不適切な制限(CWE-641)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "642": { + CweID: "642", + Name: "重要な状態データの外部制御(CWE-642)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "643": { + CweID: "643", + Name: "Xpath インジェクション(CWE-643)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "644": { + CweID: "644", + Name: "HTTP ヘッダのスクリプト構文の不適切な無効化(CWE-644)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "645": { + CweID: "645", + Name: "過度に制限されたアカウントロックアウトメカニズム(CWE-645)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "649": { + CweID: "649", + Name: "完全性チェックなしのセキュリティ関連の入力の難読化または暗号化への依存(CWE-649)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "657": { + CweID: "657", + Name: "セキュリティ設計の原則に反した設計(CWE-657)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "662": { + CweID: "662", + Name: "不適切な同期(CWE-662)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "664": { + CweID: "664", + Name: "ライフタイムを通してのリソースの不適切な制御(CWE-664)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "665": { + CweID: "665", + Name: "不適切な初期化(CWE-665)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "667": { + CweID: "667", + Name: "不適切なロック(CWE-667)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "668": { + CweID: "668", + Name: "誤った領域へのリソースの漏えい(CWE-668)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "669": { + CweID: "669", + Name: "領域間での誤ったリソース移動(CWE-669)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "670": { + CweID: "670", + Name: "常に不適切な制御フローの実装(CWE-670)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "672": { + CweID: 
"672", + Name: "有効期限後または解放後のリソースの操作(CWE-672)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "674": { + CweID: "674", + Name: "不適切な再帰制御(CWE-674)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "676": { + CweID: "676", + Name: "潜在的に危険な関数の使用(CWE-676)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "681": { + CweID: "681", + Name: "数値型間の変換の誤り(CWE-681)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "682": { + CweID: "682", + Name: "計算の誤り(CWE-682)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "688": { + CweID: "688", + Name: "引数として誤った変数または参照を使用した関数呼び出し(CWE-688)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "693": { + CweID: "693", + Name: "保護メカニズムの不具合(CWE-693)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "694": { + CweID: "694", + Name: "競合する識別子を使用した複数のリソースの使用(CWE-694)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "697": { + CweID: "697", + Name: "不適切な比較(CWE-697)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "703": { + CweID: "703", + Name: "例外的な状況に対する不適切なチェックまたは処理(CWE-703)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "704": { + CweID: "704", + Name: "不正な型変換またはキャスト(CWE-704)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "706": { + CweID: "706", + Name: "誤って解決された名前や参照の使用(CWE-706)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "707": { + CweID: "707", + Name: "不適切な無害化(CWE-707)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "710": { + CweID: "710", + Name: "コーディング標準の不適切な順守(CWE-710)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "73": { + CweID: "73", + Name: "ファイル名やパス名の外部制御(CWE-73)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "732": { + CweID: "732", + Name: "重要なリソースに対する不適切なパーミッションの割り当て(CWE-732)", + Description: "", + ExtendedDescription: "", 
+ Lang: "ja", + }, + "74": { + CweID: "74", + Name: "インジェクション(CWE-74)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "749": { + CweID: "749", + Name: "危険なメソッドや機能の公開(CWE-749)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "75": { + CweID: "75", + Name: "特殊要素の不適切なサニタイジング(CWE-75)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "754": { + CweID: "754", + Name: "例外的な状態における不適切なチェック(CWE-754)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "755": { + CweID: "755", + Name: "例外的な状態における不適切な処理(CWE-755)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "757": { + CweID: "757", + Name: "アルゴリズムのダウングレード(CWE-757)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "759": { + CweID: "759", + Name: "Salt を使用しない一方向ハッシュの使用(CWE-759)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "760": { + CweID: "760", + Name: "予測可能な Salt の一方向ハッシュの使用(CWE-760)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "763": { + CweID: "763", + Name: "無効なポインタや参照の解放(CWE-763)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "769": { + CweID: "769", + Name: "ファイル記述子の枯渇(CWE-769)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "77": { + CweID: "77", + Name: "コマンドインジェクション(CWE-77)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "770": { + CweID: "770", + Name: "制限またはスロットリング無しのリソースの割り当て(CWE-770)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "772": { + CweID: "772", + Name: "有効なライフタイム後のリソースの解放の欠如(CWE-772)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "774": { + CweID: "774", + Name: "制限またはスロットリング無しのファイル記述子またはハンドルの割り当て(CWE-774)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "775": { + CweID: "775", + Name: "有効期限後のファイル記述子またはハンドルの解放の欠如(CWE-775)", + Description: "", + ExtendedDescription: "", + Lang: "ja", + }, + "776": { + CweID: "776", 
+ Name: "DTD の再帰的なエンティティ参照の不適切な制限(CWE-776)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "78": {
+ CweID: "78",
+ Name: "OSコマンドインジェクション(CWE-78)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "787": {
+ CweID: "787",
+ Name: "境界外書き込み(CWE-787)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "788": {
+ CweID: "788",
+ Name: "バッファの終端後のメモリ領域に対するアクセス(CWE-788)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "789": {
+ CweID: "789",
+ Name: "過剰なサイズ値のメモリ割り当て(CWE-789)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "79": {
+ CweID: "79",
+ Name: "クロスサイトスクリプティング(CWE-79)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "798": {
+ CweID: "798",
+ Name: "ハードコードされた認証情報の使用(CWE-798)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "799": {
+ CweID: "799",
+ Name: "インタラクション頻度の不適切な制御(CWE-799)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "80": {
+ CweID: "80",
+ Name: "クロスサイトスクリプティング (Basic XSS)(CWE-80)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "805": {
+ CweID: "805",
+ Name: "不適切な長さの値によるバッファへのアクセス(CWE-805)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "807": {
+ CweID: "807",
+ Name: "セキュリティ決定の信頼できない入力への依存(CWE-807)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "820": {
+ CweID: "820",
+ Name: "同期の欠如(CWE-820)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "821": {
+ CweID: "821",
+ Name: "不正な同期(CWE-821)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "822": {
+ CweID: "822",
+ Name: "信頼できないポインタデリファレンス(CWE-822)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "823": {
+ CweID: "823",
+ Name: "範囲外のポインタオフセットの使用(CWE-823)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "824": {
+ CweID: "824",
+ Name: "初期化されていないポインタのアクセス(CWE-824)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "829": {
+ CweID: "829",
+ Name: "信頼できない制御領域からの機能の組み込み(CWE-829)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "834": {
+ CweID: "834",
+ Name: "過度なイテレーション(CWE-834)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "835": {
+ CweID: "835",
+ Name: "無限ループ(CWE-835)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "836": {
+ CweID: "836",
+ Name: "パスワードの代わりにパスワードハッシュを使用する認証(CWE-836)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "838": {
+ CweID: "838",
+ Name: "出力コンテキストの不適切なエンコード(CWE-838)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "843": {
+ CweID: "843",
+ Name: "型の取り違え(CWE-843)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "862": {
+ CweID: "862",
+ Name: "認証の欠如(CWE-862)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "863": {
+ CweID: "863",
+ Name: "不正な認証(CWE-863)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "87": {
+ CweID: "87",
+ Name: "代替 XSS 構文の不適切な無効化(CWE-87)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "88": {
+ CweID: "88",
+ Name: "引数の挿入または変更(CWE-88)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "89": {
+ CweID: "89",
+ Name: "SQLインジェクション(CWE-89)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "90": {
+ CweID: "90",
+ Name: "LDAP インジェクション(CWE-90)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "908": {
+ CweID: "908",
+ Name: "初期化されていないリソースの使用(CWE-908)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "909": {
+ CweID: "909",
+ Name: "リソースの初期化の不備(CWE-909)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "91": {
+ CweID: "91",
+ Name: "ブラインド XPath インジェクション(CWE-91)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "912": {
+ CweID: "912",
+ Name: "非公開の機能(CWE-912)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "913": {
+ CweID: "913",
+ Name: "動的に操作されるコードリソースの不適切な制御(CWE-913)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "915": {
+ CweID: "915",
+ Name: "動的に決定されたオブジェクト属性の不適切に制御された変更(CWE-915)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "916": {
+ CweID: "916",
+ Name: "強度が不十分なパスワードハッシュの使用(CWE-916)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "917": {
+ CweID: "917",
+ Name: "言語構文の表現に使用される特殊な要素の不適切な無効化(CWE-917)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "918": {
+ CweID: "918",
+ Name: "サーバサイドのリクエストフォージェリ(CWE-918)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "920": {
+ CweID: "920",
+ Name: "消費電力の不適切な制限(CWE-920)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "921": {
+ CweID: "921",
+ Name: "アクセス制御のないメカニズムでの重要データの保存(CWE-921)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "922": {
+ CweID: "922",
+ Name: "重要な情報のセキュアでない格納(CWE-922)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "924": {
+ CweID: "924",
+ Name: "通信チャネルで送信中のメッセージの整合性への不適切な強制(CWE-924)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "93": {
+ CweID: "93",
+ Name: "CRLF インジェクション(CWE-93)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "94": {
+ CweID: "94",
+ Name: "コード・インジェクション(CWE-94)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "943": {
+ CweID: "943",
+ Name: "データクエリロジックの特殊要素の不適切な中立化(CWE-943)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "96": {
+ CweID: "96",
+ Name: "静的に保存されたコード内のディレクティブの不適切な無効化(CWE-96)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "98": {
+ CweID: "98",
+ Name: "PHP リモートファイルインクルージョン(CWE-98)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "99": {
+ CweID: "99",
+ Name: "リソースの挿入(CWE-99)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "DesignError": {
+ CweID: "DesignError",
+ Name: "設計上の問題(CWE-DesignError)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "Other": {
+ CweID: "Other",
+ Name: "その他(CWE-Other)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "nocwe": {
+ CweID: "nocwe",
+ Name: "CWE以外(CWE-nocwe)",
+ Description: "",
+ ExtendedDescription: "",
+ Lang: "ja",
+ },
+ "noinfo": {
+ CweID: "noinfo",
+ Name: "情報不足(CWE-noinfo)",
 Description: "",
 ExtendedDescription: "",
 Lang: "ja",