Category: SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)
Stable
Summary
Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-116 | Improper Encoding or Escaping of Output | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
| CWE-117 | Improper Output Neutralization for Logs | The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. |
| CWE-134 | Use of Externally-Controlled Format String | The product uses a function that accepts a format string as an argument, but the format string originates from an external source. |
| CWE-144 | Improper Neutralization of Line Delimiters | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component. |
| CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step. |
| CWE-182 | Collapse of Data into Unsafe Value | The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property. |
| CWE-289 | Authentication Bypass by Alternate Name | The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor. |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-1133 | Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.