SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)

A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

Weaknesses

Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be...

Asymmetric Resource Consumption (Amplification)

Software that does not appropriately monitor or control resource consumption can lead to adverse system performance.

Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the...

Improper Handling of Windows Device Names

The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This t...

Improper Resource Shutdown or Release

The program does not release or incorrectly releases a resource before it is made available for re-use.

Incomplete Cleanup

The software does not properly "clean up" and remove temporary or supporting resources after they have been used.

Incorrect Behavior Order: Validate Before Canonicalize

The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step.

Incorrect Control Flow Scoping

The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Incorrect Execution-Assigned Permissions

While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Insecure Temporary File

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Use of Incorrect Byte Ordering

The software receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causin...

Use of Non-Canonical URL Paths for Authorization Decisions

The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass ...

Concepts

Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects the current rules and recommen...

See Also

  1. SEI CERT Oracle Coding Standard for Java : Rule 13. Input Output (FIO)

    The Software Engineering Institute

  2. SEI CERT Oracle Coding Standard for Java : Rec 13. Input Output (FIO)

    The Software Engineering Institute
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.