Category: SFP Secondary Cluster: Weak Cryptography
Incomplete
Summary
This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-261 | Weak Encoding for Password | Obscuring a password with a trivial encoding does not protect the password. |
| CWE-322 | Key Exchange without Entity Authentication | The product performs a key exchange with an actor without verifying the identity of that actor. |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | Nonces should be used for the present occasion and only once. |
| CWE-324 | Use of a Key Past its Expiration Date | The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. |
| CWE-326 | Inadequate Encryption Strength | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| CWE-329 | Generation of Predictable IV with CBC Mode | The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key. |
| CWE-347 | Improper Verification of Cryptographic Signature | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.