Weaknesses in this category are related to encryption.
| ID | Name | Description |
|---|---|---|
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation. |
| CWE-1428 | Reliance on HTTP instead of HTTPS | The product provides or relies on use of HTTP communications when HTTPS is available. |
| CWE-311 | Missing Encryption of Sensitive Data | The product does not encrypt sensitive or critical information before storage or transmission. |
| CWE-312 | Cleartext Storage of Sensitive Information | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
| CWE-313 | Cleartext Storage in a File or on Disk | The product stores sensitive information in cleartext in a file, or on disk. |
| CWE-314 | Cleartext Storage in the Registry | The product stores sensitive information in cleartext in the registry. |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | The product stores sensitive information in cleartext in a cookie. |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | The product stores sensitive information in cleartext in memory. |
| CWE-317 | Cleartext Storage of Sensitive Information in GUI | The product stores sensitive information in cleartext within the GUI. |
| CWE-318 | Cleartext Storage of Sensitive Information in Executable | The product stores sensitive information in cleartext in an executable. |
| CWE-319 | Cleartext Transmission of Sensitive Information | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
| CWE-324 | Use of a Key Past its Expiration Date | The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. |
| CWE-325 | Missing Cryptographic Step | The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm. |
| CWE-326 | Inadequate Encryption Strength | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The product uses a broken or risky cryptographic algorithm or protocol. |
| CWE-328 | Use of Weak Hash | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function, allowing an adversary to reasonably determine the original input (preimage attack), find another input that produces the same hash (second-preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). |
| CWE-347 | Improper Verification of Cryptographic Signature | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
| CWE-5 | J2EE Misconfiguration: Data Transmission Without Encryption | Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted. |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | The Secure attribute for sensitive cookies in HTTPS sessions is not set. |
| CWE-759 | Use of a One-Way Hash without a Salt | The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input. |
| CWE-760 | Use of a One-Way Hash with a Predictable Salt | The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input. |
| CWE-780 | Use of RSA Algorithm without OAEP | The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. |
This category is a member of view CWE-1400, Comprehensive Categorization for Software Assurance Trends.