Weaknesses in this category are related to the A10 category (Insecure Configuration Management) in the OWASP Top Ten 2004.
| ID | Name | Description |
|---|---|---|
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary | Debugging messages help attackers learn about the system and plan a form of attack. |
| CWE-12 | ASP.NET Misconfiguration: Missing Custom Error Page | An ASP.NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses. |
| CWE-13 | ASP.NET Misconfiguration: Password in Configuration File | Storing a plaintext password in a configuration file gives anyone who can read the file access to the password-protected resource, making that resource an easy target for attackers. |
| CWE-209 | Generation of Error Message Containing Sensitive Information | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. |
| CWE-219 | Storage of File with Sensitive Data Under Web Root | The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties. |
| CWE-295 | Improper Certificate Validation | The product does not validate, or incorrectly validates, a certificate. |
| CWE-459 | Incomplete Cleanup | The product does not properly "clean up" and remove temporary or supporting resources after they have been used. |
| CWE-489 | Active Debug Code | The product is released with debugging code still enabled or active. |
| CWE-5 | J2EE Misconfiguration: Data Transmission Without Encryption | Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted. |
| CWE-520 | .NET Misconfiguration: Use of Impersonation | Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable | The product uses an environment variable to store unencrypted sensitive information. |
| CWE-527 | Exposure of Version-Control Repository to an Unauthorized Control Sphere | The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. |
| CWE-528 | Exposure of Core Dump File to an Unauthorized Control Sphere | The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. |
| CWE-529 | Exposure of Access Control List Files to an Unauthorized Control Sphere | The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere. |
| CWE-530 | Exposure of Backup File to an Unauthorized Control Sphere | A backup file is stored in a directory or archive that is made accessible to unauthorized actors. |
| CWE-531 | Inclusion of Sensitive Information in Test Code | Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions. |
| CWE-532 | Insertion of Sensitive Information into Log File | The product writes sensitive information to a log file. |
| CWE-540 | Inclusion of Sensitive Information in Source Code | Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. |
| CWE-541 | Inclusion of Sensitive Information in an Include File | If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system. |
| CWE-548 | Exposure of Information Through Directory Listing | The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory. |
| CWE-552 | Files or Directories Accessible to External Parties | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | The ASP.NET application does not use an input validation framework. |
| CWE-555 | J2EE Misconfiguration: Plaintext Password in Configuration File | The J2EE application stores a plaintext password in a configuration file. |
| CWE-556 | ASP.NET Misconfiguration: Use of Identity Impersonation | Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges. |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length | The J2EE application is configured to use an insufficient session ID length. |
| CWE-7 | J2EE Misconfiguration: Missing Custom Error Page | The default error page of a web application should not display sensitive information about the product. |
| CWE-8 | J2EE Misconfiguration: Entity Bean Declared Remote | When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities. |
| CWE-9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product. |
| CWE-711 | Weaknesses in OWASP Top Ten (2004) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| CWE-275 | Permission Issues | Weaknesses in this category are related to improper assignment or handling of permissions. |
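Several of the entries above describe things an auditor can check mechanically: the `web.config` settings behind CWE-11, CWE-12 and CWE-13, and the files that should never sit under a web document root (CWE-527, CWE-528, CWE-529, CWE-530). The script below is an added example, not code from CWE/MITRE or any project; it builds a constructed sample web root containing a deliberately weak `web.config` next to a hardened one and walks it, reporting each finding with its CWE ID. The file-name patterns and the sample configurations are illustrative assumptions.

```python
"""Audit a web document root for several weaknesses in this category.

Added example (not from CWE/MITRE). Covers CWE-11, CWE-12, CWE-13 (web.config
settings) and CWE-527, CWE-528, CWE-529, CWE-530 (files that should never be
web-accessible). File-name patterns below are illustrative assumptions.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

REPO_DIRS = {".git", ".svn", ".hg", "CVS"}                      # CWE-527
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~")        # CWE-530
CORE_RE = re.compile(r"^core(\.\d+)?$")                         # CWE-528
ACL_FILES = {".htaccess", ".htpasswd"}                          # CWE-529
PASSWORD_RE = re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;]+")   # CWE-13

# Constructed sample configs for the demonstration (assumptions, not real deployments).
BAD_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;Database=app;User Id=app;Password=hunter2" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

GOOD_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;Database=app;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
  </system.web>
</configuration>
"""


def audit_web_config(path):
    """Check one web.config for debug builds, disabled custom errors and plaintext passwords."""
    findings = []
    root = ET.parse(path).getroot()
    comp = next(root.iter("compilation"), None)
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append(("CWE-11", path, 'compilation debug="true" ships a debug binary'))
    errs = next(root.iter("customErrors"), None)
    # ASP.NET defaults to RemoteOnly when the element is absent, so only an
    # explicit Off (framework error pages shown to remote clients) is flagged.
    if errs is not None and errs.get("mode", "").lower() == "off":
        findings.append(("CWE-12", path, 'customErrors mode="Off" exposes framework errors'))
    for add in root.iter("add"):
        if PASSWORD_RE.search(add.get("connectionString", "")):
            findings.append(("CWE-13", path,
                             f"plaintext password in connectionString {add.get('name')!r}"))
    return findings


def audit_web_root(web_root):
    """Walk the document root and return sorted (cwe_id, path, detail) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        for d in list(dirnames):
            if d in REPO_DIRS:
                findings.append(("CWE-527", os.path.join(dirpath, d),
                                 "version-control metadata is web-accessible"))
                dirnames.remove(d)  # no need to descend into the repository itself
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower() == "web.config":
                findings.extend(audit_web_config(full))
            elif name.endswith(BACKUP_SUFFIXES):
                findings.append(("CWE-530", full, "backup copy may reveal source or secrets"))
            elif CORE_RE.match(name):
                findings.append(("CWE-528", full, "core dump may contain in-memory secrets"))
            elif name in ACL_FILES:
                findings.append(("CWE-529", full, "access control file under web root"))
    return sorted(findings)


def build_sample_root():
    """Create a constructed web root that exhibits the weaknesses (demo fixture, not real data)."""
    root = tempfile.mkdtemp(prefix="webroot-")

    def put(rel, content=""):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)

    put("web.config", BAD_WEB_CONFIG)          # CWE-11, CWE-12, CWE-13
    put("admin/web.config", GOOD_WEB_CONFIG)   # hardened: should produce no findings
    put(".git/HEAD", "ref: refs/heads/main\n")  # CWE-527
    put("index.aspx.bak", "<%@ Page %>")       # CWE-530
    put("core.1234", "")                       # CWE-528
    put(".htpasswd", "admin:$apr1$saltsalt$constructedhash\n")  # CWE-529
    return root


if __name__ == "__main__":
    for cwe_id, path, detail in audit_web_root(build_sample_root()):
        print(f"{cwe_id:8} {detail}: {path}")
```

The hardened `admin/web.config` shows the corrected settings for the three configuration entries: `debug="false"`, `customErrors` left at `RemoteOnly` (or `On`) with a `defaultRedirect`, and a connection string that uses integrated authentication instead of an embedded password. Where a password cannot be avoided, the `connectionStrings` section can be encrypted in place with `aspnet_regiis -pe` so the plaintext never sits on disk. Checks for directory listing (CWE-548) and for missing HTTPS (CWE-5) need a live request rather than a filesystem walk and are left out here.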