Category: Comprehensive Categorization: Resource Lifecycle Management
Incomplete
Summary
Weaknesses in this category are related to resource lifecycle management.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1042 | Static Member Data Element outside of a Singleton Class Element | The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action. |
| CWE-1046 | Creation of Immutable Text Using String Concatenation | The product creates an immutable text string using string concatenation operations. |
| CWE-1049 | Excessive Data Query Operations in a Large Data Table | The product performs a data query with a large number of joins and sub-queries on a large data table. |
| CWE-1050 | Excessive Platform Resource Consumption within a Loop | The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors. |
| CWE-1051 | Initialization with Hard-Coded Network Resource Configuration Data | The product initializes data using hard-coded values that act as network resource identifiers. |
| CWE-1052 | Excessive Use of Hard-Coded Literals in Initialization | The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element. |
| CWE-1063 | Creation of Class Instance within a Static Code Block | A static code block creates an instance of a class. |
| CWE-1067 | Excessive Execution of Sequential Searches of Data Resource | The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed. |
| CWE-1072 | Data Resource Access without Use of Connection Pooling | The product accesses a data resource through a database without using a connection pooling capability. |
| CWE-1073 | Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses | The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities. |
| CWE-1084 | Invokable Control Element with Excessive File or Data Access Operations | A function or method contains too many operations that utilize a data manager or file resource. |
| CWE-1089 | Large Data Table with Excessive Number of Indices | The product uses a large data table that contains an excessively large number of indices. |
| CWE-1091 | Use of Object without Invoking Destructor Method | The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method. |
| CWE-1094 | Excessive Index Range Scan for a Data Resource | The product contains an index range scan for a large data table, but the scan can cover a large number of rows. |
| CWE-1176 | Inefficient CPU Computation | The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further. |
| CWE-118 | Incorrect Access of Indexable Resource ('Range Error') | The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files. |
| CWE-1188 | Initialization of a Resource with an Insecure Default | The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure. |
| CWE-1221 | Incorrect Register Defaults or Module Parameters | Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values. |
| CWE-1229 | Creation of Emergent Resource | The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy. |
| CWE-1235 | Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations | The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations. |
| CWE-1239 | Improper Zeroization of Hardware Register | The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes. |
| CWE-1246 | Improper Write Handling in Limited-write Non-Volatile Memories | The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories. |
| CWE-1250 | Improper Preservation of Consistency Between Independent Representations of Shared State | The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other. |
| CWE-1258 | Exposure of Sensitive System Information Due to Uncleared Debug Information | The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered. |
| CWE-1266 | Improper Scrubbing of Sensitive Data from Decommissioned Device | The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect. |
| CWE-1271 | Uninitialized Value on Reset for Registers Holding Security Settings | Security-critical logic is not set to a known value on reset. |
| CWE-1272 | Sensitive Information Uncleared Before Debug/Power State Transition | The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions. |
| CWE-1279 | Cryptographic Operations are run Before Supporting Units are Ready | Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result. |
| CWE-1301 | Insufficient or Incomplete Data Removal within Hardware Component | The product's data removal process does not completely delete all data and potentially sensitive information within hardware components. |
| CWE-1325 | Improperly Controlled Sequential Memory Allocation | The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects. |
| CWE-1330 | Remanent Data Readable after Memory Erase | Confidential information stored in memory circuits is readable or recoverable after being cleared or erased. |
| CWE-1333 | Inefficient Regular Expression Complexity | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
| CWE-1342 | Information Exposure through Microarchitectural State after Transient Execution | The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution. |
| CWE-1386 | Insecure Operation on Windows Junction / Mount Point | The product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere. |
| CWE-1389 | Incorrect Parsing of Numbers with Different Radices | The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix). |
| CWE-1419 | Incorrect Initialization of Resource | The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed. |
| CWE-1420 | Exposure of Sensitive Information during Transient Execution | A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel. |
| CWE-1421 | Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution | A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel. |
| CWE-1422 | Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution | A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel. |
| CWE-1423 | Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution | Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert channel. |
| CWE-178 | Improper Handling of Case Sensitivity | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |
| CWE-192 | Integer Coercion Error | Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types. |
| CWE-194 | Unexpected Sign Extension | The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses. |
| CWE-195 | Signed to Unsigned Conversion Error | The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive. |
| CWE-196 | Unsigned to Signed Conversion Error | The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive. |
| CWE-197 | Numeric Truncation Error | Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. |
| CWE-221 | Information Loss or Omission | The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis. |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. |
| CWE-243 | Creation of chroot Jail Without Changing Working Directory | The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail. |
| CWE-372 | Incomplete Internal State Distinction | The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner. |
| CWE-386 | Symbolic Name not Mapping to Correct Object | A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time. |
| CWE-400 | Uncontrolled Resource Consumption | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-404 | Improper Resource Shutdown or Release | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-405 | Asymmetric Resource Consumption (Amplification) | The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." |
| CWE-406 | Insufficient Control of Network Message Volume (Network Amplification) | The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor. |
| CWE-407 | Inefficient Algorithmic Complexity | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
| CWE-410 | Insufficient Resource Pool | The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources. |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-453 | Insecure Default Variable Initialization | The product, by default, initializes an internal variable with an insecure or less secure value than is possible. |
| CWE-454 | External Initialization of Trusted Variables or Data Stores | The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors. |
| CWE-456 | Missing Initialization of a Variable | The product does not initialize critical variables, which causes the execution environment to use unexpected values. |
| CWE-457 | Use of Uninitialized Variable | The code uses a variable that has not been initialized, leading to unpredictable or unintended results. |
| CWE-459 | Incomplete Cleanup | The product does not properly "clean up" and remove temporary or supporting resources after they have been used. |
| CWE-460 | Improper Cleanup on Thrown Exception | The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) | The product does not properly protect an assumed-immutable element from being modified by an attacker. |
| CWE-487 | Reliance on Package-level Scope | Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. |
| CWE-495 | Private Data Structure Returned From A Public Method | The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways. |
| CWE-496 | Public Data Assigned to Private Array-Typed Field | Assigning public data to a private array is equivalent to giving public access to the array. |
| CWE-501 | Trust Boundary Violation | The product mixes trusted and untrusted data in the same data structure or structured message. |
| CWE-568 | finalize() Method Without super.finalize() | The product contains a finalize() method that does not call super.finalize(). |
| CWE-580 | clone() Method Without super.clone() | The product contains a clone() method that does not call super.clone() to obtain the new object. |
| CWE-588 | Attempt to Access Child of a Non-structure Pointer | Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption. |
| CWE-607 | Public Static Final Field References Mutable Object | A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package. |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
| CWE-618 | Exposed Unsafe ActiveX Method | An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. the zone or domain). |
| CWE-662 | Improper Synchronization | The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes. |
| CWE-664 | Improper Control of a Resource Through its Lifetime | The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. |
| CWE-665 | Improper Initialization | The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. |
| CWE-666 | Operation on Resource in Wrong Phase of Lifetime | The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors. |
| CWE-669 | Incorrect Resource Transfer Between Spheres | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
| CWE-673 | External Influence of Sphere Definition | The product does not prevent the definition of control spheres from external actors. |
| CWE-681 | Incorrect Conversion between Numeric Types | When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. |
| CWE-704 | Incorrect Type Conversion or Cast | The product does not correctly convert an object, resource, or structure from one type to a different type. |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference | The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
| CWE-749 | Exposed Dangerous Method or Function | The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. |
| CWE-770 | Allocation of Resources Without Limits or Throttling | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-771 | Missing Reference to Active Allocated Resource | The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed. |
| CWE-772 | Missing Release of Resource after Effective Lifetime | The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. |
| CWE-773 | Missing Reference to Active File Descriptor or Handle | The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed. |
| CWE-774 | Allocation of File Descriptors or Handles Without Limits or Throttling | The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor. |
| CWE-775 | Missing Release of File Descriptor or Handle after Effective Lifetime | The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed. |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. |
| CWE-779 | Logging of Excessive Data | The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack. |
| CWE-782 | Exposed IOCTL with Insufficient Access Control | The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL. |
| CWE-827 | Improper Control of Document Type Definition | The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
| CWE-830 | Inclusion of Web Functionality from an Untrusted Source | The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source. |
| CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
| CWE-908 | Use of Uninitialized Resource | The product uses or accesses a resource that has not been initialized. |
| CWE-909 | Missing Initialization of Resource | The product does not initialize a critical resource. |
| CWE-911 | Improper Update of Reference Count | The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count. |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. |
| CWE-920 | Improper Restriction of Power Consumption | The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes. |
| CWE-922 | Insecure Storage of Sensitive Information | The product stores sensitive information without properly limiting read or write access by unauthorized actors. |
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.