Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
| ID | Name | Description |
|---|---|---|
| CWE-1024 | Comparison of Incompatible Types | The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared. |
| CWE-130 | Improper Handling of Length Parameter Inconsistency | The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. |
| CWE-166 | Improper Handling of Missing Special Element | The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing. |
| CWE-167 | Improper Handling of Additional Special Element | The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided. |
| CWE-168 | Improper Handling of Inconsistent Special Elements | The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words. |
| CWE-178 | Improper Handling of Case Sensitivity | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |
| CWE-182 | Collapse of Data into Unsafe Value | The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property. |
| CWE-186 | Overly Restrictive Regular Expression | A regular expression is overly restrictive, which prevents dangerous values from being detected. |
| CWE-229 | Improper Handling of Values | The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined. |
| CWE-233 | Improper Handling of Parameters | The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined. |
| CWE-237 | Improper Handling of Structural Elements | The product does not handle or incorrectly handles inputs that are related to complex structures. |
| CWE-241 | Improper Handling of Unexpected Data Type | The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
| CWE-611 | Improper Restriction of XML External Entity Reference | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
| CWE-624 | Executable Regular Expression Error | The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers. |
| CWE-625 | Permissive Regular Expression | The product uses a regular expression that does not sufficiently restrict the set of allowed values. |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. |

This category is itself a member of the following view (a view, not a weakness in the category):

| ID | Name | Description |
|---|---|---|
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |