Weaknesses in this category are related to resource control.

| ID | Name | Description |
|---|---|---|
| CWE-1104 | Use of Unmaintained Third Party Components | The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer. |
| CWE-1249 | Application-Level Admin Tool with Inconsistent View of Underlying Operating System | The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state. |
| CWE-1251 | Mirrored Regions with Different Values | The product's architecture mirrors regions without ensuring that their contents always stay in sync. |
| CWE-1277 | Firmware Not Updateable | The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present. |
| CWE-1310 | Missing Ability to Patch ROM Code | Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state. |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
| CWE-1329 | Reliance on Component That is Not Updateable | The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs. |
| CWE-385 | Covert Timing Channel | Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information. |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. |
| CWE-473 | PHP External Variable Modification | A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise. |
| CWE-502 | Deserialization of Untrusted Data | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
| CWE-514 | Covert Channel | A covert channel is a path that can be used to transfer information in a way not intended by the system's designers. |
| CWE-515 | Covert Storage Channel | A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information. |
| CWE-672 | Operation on a Resource after Expiration or Release | The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. |
| CWE-826 | Premature Release of Resource During Expected Lifetime | The product releases a resource that is still intended to be used by itself or another actor. |
| CWE-910 | Use of Expired File Descriptor | The product uses or accesses a file descriptor after it has been closed. |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends | |