2010 Top 25 - Weaknesses On the Cusp

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Weaknesses

Exposed Dangerous Method or Function

The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous met...

External Initialization of Trusted Variables or Data Stores

The software initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.

Guessable CAPTCHA

The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

Improper Control of Interaction Frequency

The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

Improper Link Resolution Before File Access ('Link Following')

The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an un...

Improper Removal of Sensitive Information Before Storage or Transfer

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the ...

Improper Restriction of Excessive Authentication Attempts

The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brut...

Incorrect Conversion between Numeric Types

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting va...

Missing Initialization of a Variable

The software does not initialize critical variables, which causes the execution environment to use unexpected values.

Missing Release of Resource after Effective Lifetime

The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

NULL Pointer Dereference

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Operation on a Resource after Expiration or Release

The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Untrusted Search Path

The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.

Use After Free

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Use of Externally-Controlled Format String

The software uses a function that accepts a format string as an argument, but the format string originates from an external source.

Use of Insufficiently Random Values

The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Concepts

Deprecated or Obsolete

Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is availa...

See Also

  1. 2010 CWE/SANS Top 25 Most Dangerous Software Errors

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.