Comprehensive Categorization: Exposed Resource

The product defines a public method that reads or modifies a private variable.

The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.

Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed o...

The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.

The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.

A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on the web se...

The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving ...

The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.

A backup file is stored in a directory or archive that is made accessible to unauthorized actors.

The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.

The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.

A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descript...

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized...

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

The product allows user input to control or influence paths or file names that are used in filesystem operations.

One or more system settings or configuration elements can be externally controlled by a user.

The product makes files or directories accessible to unauthorized actors, even though they should not be.

The product violates secure coding principles for mobile code by declaring a finalize() method public.

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to re...

The product sends non-cloned mutable data as an argument to a method or function.

Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) o...

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in a...

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for th...

The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated...

Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.

The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another ...

The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties.

The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.

An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access re...

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.

The web application uses persistent cookies, but the cookies contain sensitive information.

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using ta...