Category: SFP Secondary Cluster: Insecure Resource Access
Incomplete
Summary
This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
Membership
| ID | Name | Description |
|---|---|---|
| CWE-285 | Improper Authorization | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-424 | Improper Protection of Alternate Path | The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources. |
| CWE-639 | Authorization Bypass Through User-Controlled Key | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-650 | Trusting HTTP Permission Methods on the Server Side | The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.