CWE Coverage for Red Hat Customer Portal - Red Hat Customer Portal

Present CWE coverage for Red Hat Customer Portal

Update 18th February 2015: This article has been updated to new revison 2.8_1 of the coverage, which is now used for Red Hat Customer Portal.

Update 4th September 2014: This article has been updated to reflect that CWE list version 2.8 (updated from version 2.5) and a new revision of the coverage is now used for Red Hat Customer Portal.

Update 12th August 2013: This article has been updated to reflect that CWE list version 2.5 (updated from version 2.4) and a new revision of the coverage is now used for Red Hat Customer Portal.

Update 22nd March 2013: This article has been updated to make corrections to two of the entries in the CWE list.

Update 28th February 2013: This article has been updated to reflect that CWE list version 2.4 (updated from version 2.3) is now used for Red Hat Customer Portal.

Update 27th November 2012: This article has been updated to reflect that CWE list version 2.3 (updated from version 2.2) is now used for Red Hat Customer Portal.

For the elements in the CWE coverage for Red Hat Customer Portal, we carefully selected abstractions with enough relevant information for developers to detect and mitigate all its related weaknesses.

CWE identifiers are assigned to Red Hat vulnerabilities using the present CWE coverage at the time of the vulnerability assessment. Thus, references to vulnerabilities are divided into time slices based upon the date the vulnerability was assessed and the present CWE coverage at that time.

The following is the present CWE coverage for Red Hat Customer Portal. It uses the CWE list version 2.8, is available in CSV format, and also in HTML format emphasized in both Development and Research views using the YUI TreeView Control for easier navigation and reference.

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CWE-117: Improper Output Neutralization for Logs

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-121: Stack-based Buffer Overflow

CWE-122: Heap-based Buffer Overflow

CWE-125: Out-of-bounds Read

CWE-129: Improper Validation of Array Index

CWE-130: Improper Handling of Length Parameter Inconsistency

CWE-131: Incorrect Calculation of Buffer Size

CWE-134: Uncontrolled Format String

CWE-135: Incorrect Calculation of Multi-Byte String Length

CWE-138: Improper Neutralization of Special Elements

CWE-14: Compiler Removal of Code to Clear Buffers

CWE-170: Improper Null Termination

CWE-172: Encoding Error

CWE-179: Incorrect Behavior Order: Early Validation

CWE-184: Incomplete Blacklist

CWE-185: Incorrect Regular Expression

CWE-190: Integer Overflow or Wraparound

CWE-193: Off-by-one Error

CWE-194: Unexpected Sign Extension

CWE-20: Improper Input Validation

CWE-200: Information Exposure

CWE-201: Information Exposure Through Sent Data

CWE-203: Information Exposure Through Discrepancy

CWE-209: Information Exposure Through an Error Message

CWE-214: Information Exposure Through Process Environment

CWE-212: Improper Cross-boundary Removal of Sensitive Data

CWE-222: Truncation of Security-relevant Information

CWE-223: Omission of Security-relevant Information

CWE-227: Improper Fulfillment of API Contract ('API Abuse')

CWE-228: Improper Handling of Syntactically Invalid Structure

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection')

CWE-248: Uncaught Exception

CWE-250: Execution with Unnecessary Privileges

CWE-252: Unchecked Return Value

CWE-253: Incorrect Check of Function Return Value

CWE-266: Incorrect Privilege Assignment

CWE-267: Privilege Defined With Unsafe Actions

CWE-268: Privilege Chaining

CWE-270: Privilege Context Switching Error

CWE-271: Privilege Dropping / Lowering Errors

CWE-273: Improper Check for Dropped Privileges

CWE-282: Improper Ownership Management

CWE-283: Unverified Ownership

CWE-284: Improper Access Control

CWE-285: Improper Authorization

CWE-287: Improper Authentication

CWE-290: Authentication Bypass by Spoofing

CWE-294: Authentication Bypass by Capture-replay

CWE-295: Improper Certificate Validation

CWE-296: Improper Following of Chain of Trust for Certificate Validation

CWE-297: Improper Validation of Host-specific Certificate Data

CWE-298: Improper Validation of Certificate Expiration

CWE-299: Improper Check for Certificate Revocation

CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

CWE-304: Missing Critical Step in Authentication

CWE-305: Authentication Bypass by Primary Weakness

CWE-306: Missing Authentication for Critical Function

CWE-312: Cleartext Storage of Sensitive Information

CWE-319: Cleartext Transmission of Sensitive Information

CWE-321: Use of Hard-coded Cryptographic Key

CWE-322: Key Exchange without Entity Authentication

CWE-323: Reusing a Nonce, Key Pair in Encryption

CWE-325: Missing Required Cryptographic Step

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

CWE-330: Use of Insufficiently Random Values

CWE-331: Insufficient Entropy

CWE-334: Small Space of Random Values

CWE-335: PRNG Seed Error

CWE-338: Use of Cryptographically Weak PRNG

CWE-341: Predictable from Observable State

CWE-345: Insufficient Verification of Data Authenticity

CWE-347: Improper Verification of Cryptographic Signature

CWE-348: Use of Less Trusted Source

CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data

CWE-352: Cross-Site Request Forgery (CSRF)

CWE-354: Improper Validation of Integrity Check Value

CWE-356: Product UI does not Warn User of Unsafe Actions

CWE-358: Improperly Implemented Security Check for Standard

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-364: Signal Handler Race Condition

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-369: Divide By Zero

CWE-377: Insecure Temporary File

CWE-384: Session Fixation

CWE-385: Covert Timing Channel

CWE-390: Detection of Error Condition Without Action

CWE-391: Unchecked Error Condition

CWE-392: Missing Report of Error Condition

CWE-393: Return of Wrong Status Code

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-406: Insufficient Control of Network Message Volume (Network Amplification)

CWE-407: Algorithmic Complexity

CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)

CWE-41: Improper Resolution of Path Equivalence

CWE-416: Use After Free

CWE-426: Untrusted Search Path

CWE-428: Unquoted Search Path or Element

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CWE-451: UI Misrepresentation of Critical Information

CWE-454: External Initialization of Trusted Variables or Data Stores

CWE-456: Missing Initialization

CWE-460: Improper Cleanup on Thrown Exception

CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CWE-471: Modification of Assumed-Immutable Data (MAID)

CWE-476: NULL Pointer Dereference

CWE-480: Use of Incorrect Operator

CWE-486: Comparison of Classes by Name

CWE-494: Download of Code Without Integrity Check

CWE-495: Private Array-Typed Field Returned From A Public Method

CWE-496: Public Data Assigned to Private Array-Typed Field

CWE-502: Deserialization of Untrusted Data

CWE-522: Insufficiently Protected Credentials

CWE-532: Information Exposure Through Log Files

CWE-545: Use of Dynamic Class Loading

CWE-547: Use of Hard-coded, Security-relevant Constants

CWE-552: Files or Directories Accessible to External Parties

CWE-561: Dead Code

CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context

CWE-587: Assignment of a Fixed Address to a Pointer

CWE-592: Authentication Bypass Issues

CWE-595: Comparison of Object References Instead of Object Contents

CWE-59: Improper Link Resolution Before File Access ('Link Following')

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CWE-602: Client-Side Enforcement of Server-Side Security

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

CWE-613: Insufficient Session Expiration

CWE-617: Reachable Assertion

CWE-626: Null Byte Interaction Error (Poison Null Byte)

CWE-627: Dynamic Variable Evaluation

CWE-628: Function Call with Incorrectly Specified Arguments

CWE-642: External Control of Critical State Data

CWE-648: Incorrect Use of Privileged APIs

CWE-662: Improper Synchronization

CWE-665: Improper Initialization

CWE-667: Improper Locking

CWE-672: Operation on a Resource after Expiration or Release

CWE-674: Uncontrolled Recursion

CWE-676: Use of Potentially Dangerous Function

CWE-681: Incorrect Conversion between Numeric Types

CWE-682: Incorrect Calculation

CWE-697: Insufficient Comparison

CWE-704: Incorrect Type Conversion or Cast

CWE-732: Incorrect Permission Assignment for Critical Resource

CWE-73: External Control of File Name or Path

CWE-749: Exposed Dangerous Method or Function

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-772: Missing Release of Resource after Effective Lifetime

CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-783: Operator Precedence Logic Error

CWE-787: Out-of-bounds Write

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-798: Use of Hard-coded Credentials

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-805: Buffer Access with Incorrect Length Value

CWE-807: Reliance on Untrusted Inputs in a Security Decision

CWE-822: Untrusted Pointer Dereference

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-838: Inappropriate Encoding for Output Context

CWE-839: Numeric Range Comparison Without Minimum Check

CWE-841: Improper Enforcement of Behavioral Workflow

CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CWE-862: Missing Authorization

CWE-863: Incorrect Authorization

CWE-88: Argument Injection or Modification

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

CWE-99: Improper Control of Resource Identifiers ('Resource Injection')

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.

Here are the common uses of Markdown.

Code blocks

~~~
Code surrounded in tildes is easier to read
~~~

Links/URLs

[Red Hat Customer Portal](https://access.redhat.com)