Data Processing Errors

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

Weaknesses

Collapse of Data into Unsafe Value

The software filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.

Comparison of Incompatible Types

The software performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results whe...

Executable Regular Expression Error

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserti...

External Control of Assumed-Immutable Web Parameter

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

Improper Handling of Additional Special Element

The software receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.

Improper Handling of Case Sensitivity

The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Improper Handling of Highly Compressed Data (Data Amplification)

The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Improper Handling of Inconsistent Special Elements

The software does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.

Improper Handling of Length Parameter Inconsistency

The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the a...

Improper Handling of Missing Special Element

The software receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.

Improper Handling of Parameters

The software does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.

Improper Handling of Structural Elements

The software does not handle or incorrectly handles inputs that are related to complex structures.

Improper Handling of Unexpected Data Type

The software does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

Improper Handling of Values

The software does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursiv...

Improper Restriction of XML External Entity Reference

The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product...

Modification of Assumed-Immutable Data (MAID)

The software does not properly protect an assumed-immutable element from being modified by an attacker.

Overly Restrictive Regular Expression

A regular expression is overly restrictive, which prevents dangerous values from being detected.

Permissive Regular Expression

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Concepts

Software Development

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website is subject to the Terms of Use as specified by The MITRE Corporation.