Weaknesses in this category are related to improper neutralization.
| ID | Name | Description |
|---|---|---|
| CWE-116 | Improper Encoding or Escaping of Output | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
| CWE-117 | Improper Output Neutralization for Logs | The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. |
| CWE-130 | Improper Handling of Length Parameter Inconsistency | The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. |
| CWE-138 | Improper Neutralization of Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. |
| CWE-140 | Improper Neutralization of Delimiters | The product does not neutralize or incorrectly neutralizes delimiters. |
| CWE-141 | Improper Neutralization of Parameter/Argument Delimiters | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component. |
| CWE-142 | Improper Neutralization of Value Delimiters | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component. |
| CWE-143 | Improper Neutralization of Record Delimiters | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component. |
| CWE-144 | Improper Neutralization of Line Delimiters | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component. |
| CWE-145 | Improper Neutralization of Section Delimiters | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component. |
| CWE-146 | Improper Neutralization of Expression/Command Delimiters | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component. |
| CWE-147 | Improper Neutralization of Input Terminators | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component. |
| CWE-148 | Improper Neutralization of Input Leaders | The product does not properly handle when a leading character or sequence ("leader") is missing or malformed, or if multiple leaders are used when only one should be allowed. |
| CWE-149 | Improper Neutralization of Quoting Syntax | Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions. |
| CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. |
| CWE-151 | Improper Neutralization of Comment Delimiters | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component. |
| CWE-152 | Improper Neutralization of Macro Symbols | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component. |
| CWE-153 | Improper Neutralization of Substitution Characters | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component. |
| CWE-154 | Improper Neutralization of Variable Name Delimiters | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component. |
| CWE-155 | Improper Neutralization of Wildcards or Matching Symbols | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component. |
| CWE-156 | Improper Neutralization of Whitespace | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component. |
| CWE-157 | Failure to Sanitize Paired Delimiters | The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces. |
| CWE-158 | Improper Neutralization of Null Byte or NUL Character | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. |
| CWE-159 | Improper Handling of Invalid Use of Special Elements | The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity. |
| CWE-160 | Improper Neutralization of Leading Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component. |
| CWE-161 | Improper Neutralization of Multiple Leading Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component. |
| CWE-162 | Improper Neutralization of Trailing Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component. |
| CWE-163 | Improper Neutralization of Multiple Trailing Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component. |
| CWE-164 | Improper Neutralization of Internal Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component. |
| CWE-165 | Improper Neutralization of Multiple Internal Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component. |
| CWE-166 | Improper Handling of Missing Special Element | The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing. |
| CWE-167 | Improper Handling of Additional Special Element | The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided. |
| CWE-168 | Improper Handling of Inconsistent Special Elements | The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words. |
| CWE-170 | Improper Null Termination | The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. |
| CWE-172 | Encoding Error | The product does not properly encode or decode the data, resulting in unexpected values. |
| CWE-173 | Improper Handling of Alternate Encoding | The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent. |
| CWE-174 | Double Decoding of the Same Data | The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations. |
| CWE-175 | Improper Handling of Mixed Encoding | The product does not properly handle when the same input uses several different (mixed) encodings. |
| CWE-176 | Improper Handling of Unicode Encoding | The product does not properly handle when an input contains Unicode encoding. |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) | The product does not properly handle when all or part of an input has been URL encoded. |
| CWE-228 | Improper Handling of Syntactically Invalid Structure | The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification. |
| CWE-229 | Improper Handling of Values | The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined. |
| CWE-230 | Improper Handling of Missing Values | The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null. |
| CWE-231 | Improper Handling of Extra Values | The product does not handle or incorrectly handles when more values are provided than expected. |
| CWE-232 | Improper Handling of Undefined Values | The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name. |
| CWE-233 | Improper Handling of Parameters | The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined. |
| CWE-234 | Failure to Handle Missing Parameter | If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well. |
| CWE-235 | Improper Handling of Extra Parameters | The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount. |
| CWE-236 | Improper Handling of Undefined Parameters | The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product. |
| CWE-237 | Improper Handling of Structural Elements | The product does not handle or incorrectly handles inputs that are related to complex structures. |
| CWE-238 | Improper Handling of Incomplete Structural Elements | The product does not handle or incorrectly handles when a particular structural element is not completely specified. |
| CWE-239 | Failure to Handle Incomplete Element | The product does not properly handle when a particular element is not completely specified. |
| CWE-240 | Improper Handling of Inconsistent Structural Elements | The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not. |
| CWE-241 | Improper Handling of Unexpected Data Type | The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). |
| CWE-463 | Deletion of Data Structure Sentinel | The accidental deletion of a data-structure sentinel can cause serious programming logic problems. |
| CWE-464 | Addition of Data Structure Sentinel | The accidental addition of a data-structure sentinel can cause serious programming logic problems. |
| CWE-626 | Null Byte Interaction Error (Poison Null Byte) | The product does not properly handle null bytes or NUL characters when passing data between different representations or components. |
| CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax | The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. |
| CWE-707 | Improper Neutralization | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
| CWE-790 | Improper Filtering of Special Elements | The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component. |
| CWE-791 | Incomplete Filtering of Special Elements | The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component. |
| CWE-792 | Incomplete Filtering of One or More Instances of Special Elements | The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component. |
| CWE-793 | Only Filtering One Instance of a Special Element | The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component. |
| CWE-794 | Incomplete Filtering of Multiple Instances of Special Elements | The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component. |
| CWE-795 | Only Filtering Special Elements at a Specified Location | The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component. |
| CWE-796 | Only Filtering Special Elements Relative to a Marker | The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. "at the beginning/end of a string; the second argument"), thereby missing remaining special elements that may exist before sending it to a downstream component. |
| CWE-797 | Only Filtering Special Elements at an Absolute Position | The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. "byte number 10"), thereby missing remaining special elements that may exist before sending it to a downstream component. |
| CWE-838 | Inappropriate Encoding for Output Context | The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends | |