Category: Comprehensive Categorization: Insufficient Control Flow Management
Incomplete
Summary
Weaknesses in this category are related to insufficient control flow management.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1190 | DMA Device Enabled Too Early in Boot Phase | The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product. |
| CWE-1193 | Power-On of Untrusted Execution Core Before Enabling Fabric Access Control | The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled. |
| CWE-1265 | Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls | During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code. |
| CWE-1280 | Access Control Check Implemented After Asset is Accessed | A product's hardware-based access control check occurs after the asset has been accessed. |
| CWE-1281 | Sequence of Processor Instructions Leads to Unexpected Behavior | Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed. |
| CWE-1322 | Use of Blocking Code in Single-threaded, Non-blocking Context | The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked. |
| CWE-179 | Incorrect Behavior Order: Early Validation | The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification. |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step. |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter | The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step. |
| CWE-248 | Uncaught Exception | An exception is thrown from a function, but it is not caught. |
| CWE-382 | J2EE Bad Practices: Use of System.exit() | A J2EE application uses System.exit(), which also shuts down its container. |
| CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference | Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer. |
| CWE-396 | Declaration of Catch for Generic Exception | Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. |
| CWE-397 | Declaration of Throws for Generic Exception | The product throws or raises an overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions. |
| CWE-408 | Incorrect Behavior Order: Early Amplification | The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place. |
| CWE-430 | Deployment of Wrong Handler | The wrong "handler" is assigned to process an object. |
| CWE-431 | Missing Handler | A handler is not available or implemented. |
| CWE-455 | Non-exit on Failed Initialization | The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator. |
| CWE-480 | Use of Incorrect Operator | The product accidentally uses the wrong operator, which changes the logic in security-relevant ways. |
| CWE-481 | Assigning instead of Comparing | The code uses an operator for assignment when the intention was to perform a comparison. |
| CWE-482 | Comparing instead of Assigning | The code uses an operator for comparison when the intention was to perform an assignment. |
| CWE-483 | Incorrect Block Delimitation | The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error. |
| CWE-584 | Return Inside Finally Block | The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded. |
| CWE-600 | Uncaught Exception in Servlet | The Servlet does not catch all exceptions, which may reveal sensitive debugging information. |
| CWE-617 | Reachable Assertion | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
| CWE-670 | Always-Incorrect Control Flow Implementation | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
| CWE-674 | Uncontrolled Recursion | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
| CWE-691 | Insufficient Control Flow Management | The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways. |
| CWE-696 | Incorrect Behavior Order | The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses. |
| CWE-698 | Execution After Redirect (EAR) | The web application sends a redirect to another location, but instead of exiting, it executes additional code. |
| CWE-705 | Incorrect Control Flow Scoping | The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition. |
| CWE-768 | Incorrect Short Circuit Evaluation | The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring. |
| CWE-783 | Operator Precedence Logic Error | The product uses an expression in which operator precedence causes incorrect logic to be used. |
| CWE-799 | Improper Control of Interaction Frequency | The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. |
| CWE-834 | Excessive Iteration | The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. |
| CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
| CWE-837 | Improper Enforcement of a Single, Unique Action | The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction. |
| CWE-841 | Improper Enforcement of Behavioral Workflow | The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.