This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
| ID | Name | Description |
|---|---|---|
| CWE-348 | Use of Less Trusted Source | The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
| CWE-602 | Client-Side Enforcement of Server-Side Security | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
| CWE-637 | Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') | The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used. |
| CWE-649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified. |
| CWE-654 | Reliance on a Single Factor in a Security Decision | A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality. |
| CWE-656 | Reliance on Security Through Obscurity | The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. |
| CWE-657 | Violation of Secure Design Principles | The product violates well-established principles for secure design. |
| CWE-671 | Lack of Administrator Control over Security | The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator. |
| CWE-693 | Protection Mechanism Failure | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| CWE-749 | Exposed Dangerous Method or Function | The product provides an Application Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |