This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

| ID | Name | Description |
|---|---|---|
| CWE-111 | Direct Use of Unsafe JNI | When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java. |
| CWE-242 | Use of Inherently Dangerous Function | The product calls a function that can never be guaranteed to work safely. |
| CWE-245 | J2EE Bad Practices: Direct Management of Connections | The J2EE application directly manages connections, instead of using the container's connection management facilities. |
| CWE-246 | J2EE Bad Practices: Direct Use of Sockets | The J2EE application directly uses sockets instead of using framework method calls. |
| CWE-382 | J2EE Bad Practices: Use of System.exit() | A J2EE application uses System.exit(), which also shuts down its container. |
| CWE-383 | J2EE Bad Practices: Direct Use of Threads | Thread management in a Web application is forbidden in some circumstances and is always highly error-prone. |
| CWE-432 | Dangerous Signal Handler not Disabled During Sensitive Operations | The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running. |
| CWE-439 | Behavioral Change in New Version or Environment | A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B. |
| CWE-440 | Expected Behavior Violation | A feature, API, or function does not perform according to its specification. |
| CWE-474 | Use of Function with Inconsistent Implementations | The code uses a function that has inconsistent implementations across operating systems and versions. |
| CWE-477 | Use of Obsolete Function | The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained. |
| CWE-479 | Signal Handler Use of a Non-reentrant Function | The product defines a signal handler that calls a non-reentrant function. |
| CWE-558 | Use of getlogin() in Multithreaded Application | The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values. |
| CWE-572 | Call to Thread run() instead of start() | The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee. |
| CWE-573 | Improper Following of Specification by Caller | The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform. |
| CWE-574 | EJB Bad Practices: Use of Synchronization Primitives | The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives. |
| CWE-575 | EJB Bad Practices: Use of AWT Swing | The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing. |
| CWE-576 | EJB Bad Practices: Use of Java I/O | The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package. |
| CWE-577 | EJB Bad Practices: Use of Sockets | The product violates the Enterprise JavaBeans (EJB) specification by using sockets. |
| CWE-578 | EJB Bad Practices: Use of Class Loader | The product violates the Enterprise JavaBeans (EJB) specification by using the class loader. |
| CWE-586 | Explicit Call to Finalize() | The product makes an explicit call to the finalize() method from outside the finalizer. |
| CWE-589 | Call to Non-ubiquitous API | The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences. |
| CWE-617 | Reachable Assertion | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
| CWE-676 | Use of Potentially Dangerous Function | The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely. |
| CWE-684 | Incorrect Provision of Specified Functionality | The code does not function according to its published specifications, potentially leading to incorrect usage. |
| CWE-695 | Use of Low-Level Functionality | The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate. |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
| CWE-227 | 7PK - API Abuse | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occur when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated." |