Category: 2010 Top 25 - Weaknesses On the Cusp
Obsolete
Summary
Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-134 | Use of Externally-Controlled Format String | The product uses a function that accepts a format string as an argument, but the format string originates from an external source. |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
| CWE-330 | Use of Insufficiently Random Values | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| CWE-416 | Use After Free | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
| CWE-426 | Untrusted Search Path | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. |
| CWE-454 | External Initialization of Trusted Variables or Data Stores | The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors. |
| CWE-456 | Missing Initialization of a Variable | The product does not initialize critical variables, which causes the execution environment to use unexpected values. |
| CWE-476 | NULL Pointer Dereference | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-672 | Operation on a Resource after Expiration or Release | The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. |
| CWE-681 | Incorrect Conversion between Numeric Types | When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. |
| CWE-749 | Exposed Dangerous Method or Function | The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. |
| CWE-772 | Missing Release of Resource after Effective Lifetime | The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. |
| CWE-799 | Improper Control of Interaction Frequency | The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. |
| CWE-804 | Guessable CAPTCHA | The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor. |
| CWE-800 | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors | CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.