Category: Comprehensive Categorization: Protection Mechanism Failure
Incomplete
Summary
Weaknesses in this category are related to protection mechanism failure.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1039 | Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism | The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept. |
| CWE-1248 | Semiconductor Defects in Hardware Logic with Security-Sensitive Implications | The security-sensitive hardware module contains semiconductor defects. |
| CWE-1253 | Incorrect Selection of Fuse Values | The logic level used to set a system to a secure state relies on a fuse being unblown. An attacker can set the system to an insecure state merely by blowing the fuse. |
| CWE-1269 | Product Released in Non-Release Configuration | The product released to market is released in pre-production or manufacturing configuration. |
| CWE-1278 | Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques | Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy. |
| CWE-1291 | Public Key Re-Use for Signing both Debug and Production Code | The same public key is used for signing both debug and production code. |
| CWE-1318 | Missing Support for Security Features in On-chip Fabrics or Buses | On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control. |
| CWE-1319 | Improper Protection against Electromagnetic Fault Injection (EM-FI) | The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed. |
| CWE-1326 | Missing Immutable Root of Trust in Hardware | A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code. |
| CWE-1338 | Improper Protections Against Hardware Overheating | A hardware device is missing or has inadequate protection features to prevent overheating. |
| CWE-1429 | Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface | The product has a hardware interface that silently discards operations in situations for which feedback would be security-relevant, such as the timely detection of failures or attacks. |
| CWE-182 | Collapse of Data into Unsafe Value | The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property. |
| CWE-184 | Incomplete List of Disallowed Inputs | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
| CWE-222 | Truncation of Security-relevant Information | The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack. |
| CWE-223 | Omission of Security-relevant Information | The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe. |
| CWE-224 | Obscured Security-relevant Information by Alternate Name | The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name. |
| CWE-356 | Product UI does not Warn User of Unsafe Actions | The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system. |
| CWE-357 | Insufficient UI Warning of Dangerous Operations | The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention. |
| CWE-450 | Multiple Interpretations of UI Input | The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation. |
| CWE-602 | Client-Side Enforcement of Server-Side Security | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
| CWE-693 | Protection Mechanism Failure | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. |
| CWE-778 | Insufficient Logging | When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.