Category: Resource Management Errors
Draft
Summary
Weaknesses in this category are related to improper management of system resources.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1188 | Initialization of a Resource with an Insecure Default | The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure. |
| CWE-1341 | Multiple Releases of Same Resource or Handle | The product attempts to close or release a resource or handle more than once, without any successful open between the close operations. |
| CWE-403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors. |
| CWE-410 | Insufficient Resource Pool | The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources. |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. |
| CWE-502 | Deserialization of Untrusted Data | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
| CWE-619 | Dangling Database Cursor ('Cursor Injection') | If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor "dangling." |
| CWE-641 | Improper Restriction of Names for Files and Other Resources | The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name. |
| CWE-694 | Use of Multiple Resources with Duplicate Identifier | The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required. |
| CWE-73 | External Control of File Name or Path | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-763 | Release of Invalid Pointer or Reference | The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly. |
| CWE-770 | Allocation of Resources Without Limits or Throttling | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-771 | Missing Reference to Active Allocated Resource | The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed. |
| CWE-772 | Missing Release of Resource after Effective Lifetime | The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. |
| CWE-826 | Premature Release of Resource During Expected Lifetime | The product releases a resource that is still intended to be used by itself or another actor. |
| CWE-908 | Use of Uninitialized Resource | The product uses or accesses a resource that has not been initialized. |
| CWE-909 | Missing Initialization of Resource | The product does not initialize a critical resource. |
| CWE-910 | Use of Expired File Descriptor | The product uses or accesses a file descriptor after it has been closed. |
| CWE-911 | Improper Update of Reference Count | The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count. |
| CWE-914 | Improper Control of Dynamically-Identified Variables | The product does not properly restrict reading from or writing to dynamically-identified variables. |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
| CWE-920 | Improper Restriction of Power Consumption | The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1287]. This CWE ID may have become widely-used because of NIST's usage in NVD from 2008 to 2016 (see CWE-635 view, updated to the CWE-1003 view in 2016).
Comment:
Some weakness-oriented alternatives might be found as descendants under Uncontrolled Resource Consumption (CWE-400).