Category: Data Neutralization Issues
Draft
Summary
Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-117 | Improper Output Neutralization for Logs | The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. |
| CWE-1236 | Improper Neutralization of Formula Elements in a CSV File | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. |
| CWE-140 | Improper Neutralization of Delimiters | The product does not neutralize or incorrectly neutralizes delimiters. |
| CWE-170 | Improper Null Termination | The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. |
| CWE-463 | Deletion of Data Structure Sentinel | The accidental deletion of a data-structure sentinel can cause serious programming logic problems. |
| CWE-464 | Addition of Data Structure Sentinel | The accidental addition of a data-structure sentinel can cause serious programming logic problems. |
| CWE-641 | Improper Restriction of Names for Files and Other Resources | The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name. |
| CWE-694 | Use of Multiple Resources with Duplicate Identifier | The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required. |
| CWE-76 | Improper Neutralization of Equivalent Special Elements | The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements. |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-791 | Incomplete Filtering of Special Elements | The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component. |
| CWE-838 | Inappropriate Encoding for Output Context | The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component. |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. |
| CWE-91 | XML Injection (aka Blind XPath Injection) | The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.