SFP Secondary Cluster: Use of an Improper API

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

Weaknesses

Behavioral Change in New Version or Environment

A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.

Call to Non-ubiquitous API

The software uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denia...

Call to Thread run() instead of start()

The program calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.

Dangerous Signal Handler not Disabled During Sensitive Operations

The application uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked w...

Direct Use of Unsafe JNI

When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that ...

EJB Bad Practices: Use of AWT Swing

The program violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.

EJB Bad Practices: Use of Class Loader

The program violates the Enterprise JavaBeans (EJB) specification by using the class loader.

EJB Bad Practices: Use of Java I/O

The program violates the Enterprise JavaBeans (EJB) specification by using the java.io package.

EJB Bad Practices: Use of Sockets

The program violates the Enterprise JavaBeans (EJB) specification by using sockets.

EJB Bad Practices: Use of Synchronization Primitives

The program violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.

Expected Behavior Violation

A feature, API, or function does not perform according to its specification.

Explicit Call to Finalize()

The software makes an explicit call to the finalize() method from outside the finalizer.

Improper Following of Specification by Caller

The software does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

Incorrect Provision of Specified Functionality

The code does not function according to its published specifications, potentially leading to incorrect usage.

J2EE Bad Practices: Direct Management of Connections

The J2EE application directly manages connections, instead of using the container's connection management facilities.

J2EE Bad Practices: Direct Use of Sockets

The J2EE application directly uses sockets instead of using framework method calls.

J2EE Bad Practices: Direct Use of Threads

Thread management in a Web application is forbidden in some circumstances and is always highly error prone.

J2EE Bad Practices: Use of System.exit()

A J2EE application uses System.exit(), which also shuts down its container.

Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe th...

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

The software uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.

Signal Handler Use of a Non-reentrant Function

The program defines a signal handler that calls a non-reentrant function.

Use of Function with Inconsistent Implementations

The code uses a function that has inconsistent implementations across operating systems and versions.

Use of getlogin() in Multithreaded Application

The application uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.

Use of Inherently Dangerous Function

The program calls a function that can never be guaranteed to work safely.

Use of Low-Level Functionality

The software uses low-level functionality that is explicitly prohibited by the framework or specification under which the software is supposed to operate.

Use of Obsolete Function

The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.

Use of Potentially Dangerous Function

The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

Categories

7PK - API Abuse

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API ...

Concepts

Software Fault Pattern (SFP) Clusters

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.