Category: 7PK - Security Features
Incomplete
Summary
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-256 | Plaintext Storage of a Password | The product stores a password in plaintext within resources such as memory or files. |
| CWE-258 | Empty Password in Configuration File | Using an empty string as a password is insecure. |
| CWE-259 | Use of Hard-coded Password | The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| CWE-260 | Password in Configuration File | The product stores a password in a configuration file that might be accessible to actors who do not know the password. |
| CWE-261 | Weak Encoding for Password | Obscuring a password with a trivial encoding does not protect the password. |
| CWE-272 | Least Privilege Violation | The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed. |
| CWE-284 | Improper Access Control | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-285 | Improper Authorization | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-330 | Use of Insufficiently Random Values | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
| CWE-798 | Use of Hard-coded Credentials | The product contains hard-coded credentials, such as a password or cryptographic key. |
| CWE-700 | Seven Pernicious Kingdoms | This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
Consider mapping to weaknesses that are members of this Category.