Present CWE coverage for Red Hat Customer Portal
Update 27th August 2019: This article has been updated with new version of the coverage used for Red Hat Customer portal, based on CWE version 3.3.
Update 18th February 2015: This article has been updated to the new revision 2.8_1 of the coverage, which is now used for Red Hat Customer Portal.
Update 4th September 2014: This article has been updated to reflect that CWE list version 2.8 (updated from version 2.5) and a new revision of the coverage are now used for Red Hat Customer Portal.
Update 12th August 2013: This article has been updated to reflect that CWE list version 2.5 (updated from version 2.4) and a new revision of the coverage are now used for Red Hat Customer Portal.
Update 22nd March 2013: This article has been updated to make corrections to two of the entries in the CWE list.
Update 28th February 2013: This article has been updated to reflect that CWE list version 2.4 (updated from version 2.3) is now used for Red Hat Customer Portal.
Update 27th November 2012: This article has been updated to reflect that CWE list version 2.3 (updated from version 2.2) is now used for Red Hat Customer Portal.
For the elements in the CWE coverage for Red Hat Customer Portal, we carefully selected abstractions that carry enough relevant information for developers to detect and mitigate all of the weaknesses related to each entry.
CWE identifiers are assigned to Red Hat vulnerabilities using the CWE coverage in effect at the time of the vulnerability assessment. References to vulnerabilities are therefore divided into time slices, based on the date the vulnerability was assessed and the CWE coverage in effect at that time.
The following is the present CWE coverage for Red Hat Customer Portal and is based on CWE version 3.3.
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CWE-117: Improper Output Neutralization for Logs
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-121: Stack-based Buffer Overflow
CWE-122: Heap-based Buffer Overflow
CWE-125: Out-of-bounds Read
CWE-129: Improper Validation of Array Index
CWE-130: Improper Handling of Length Parameter Inconsistency
CWE-131: Incorrect Calculation of Buffer Size
CWE-134: Use of Externally-Controlled Format String
CWE-135: Incorrect Calculation of Multi-Byte String Length
CWE-138: Improper Neutralization of Special Elements
CWE-170: Improper Null Termination
CWE-172: Encoding Error
CWE-179: Incorrect Behavior Order: Early Validation
CWE-183: Permissive Whitelist
CWE-184: Incomplete Blacklist
CWE-185: Incorrect Regular Expression
CWE-190: Integer Overflow or Wraparound
CWE-193: Off-by-one Error
CWE-194: Unexpected Sign Extension
CWE-20: Improper Input Validation
CWE-200: Information Exposure
CWE-201: Information Exposure Through Sent Data
CWE-203: Information Exposure Through Discrepancy
CWE-209: Information Exposure Through an Error Message
CWE-214: Information Exposure Through Process Environment
CWE-212: Improper Cross-boundary Removal of Sensitive Data
CWE-222: Truncation of Security-relevant Information
CWE-223: Omission of Security-relevant Information
CWE-228: Improper Handling of Syntactically Invalid Structure
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection')
CWE-248: Uncaught Exception
CWE-250: Execution with Unnecessary Privileges
CWE-252: Unchecked Return Value
CWE-253: Incorrect Check of Function Return Value
CWE-266: Incorrect Privilege Assignment
CWE-267: Privilege Defined With Unsafe Actions
CWE-268: Privilege Chaining
CWE-270: Privilege Context Switching Error
CWE-271: Privilege Dropping / Lowering Errors
CWE-282: Improper Ownership Management
CWE-283: Unverified Ownership
CWE-284: Improper Access Control
CWE-285: Improper Authorization
CWE-287: Improper Authentication
CWE-290: Authentication Bypass by Spoofing
CWE-294: Authentication Bypass by Capture-replay
CWE-295: Improper Certificate Validation
CWE-296: Improper Following of a Certificate's Chain of Trust
CWE-297: Improper Validation of Certificate with Host Mismatch
CWE-299: Improper Check for Certificate Revocation
CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
CWE-304: Missing Critical Step in Authentication
CWE-305: Authentication Bypass by Primary Weakness
CWE-306: Missing Authentication for Critical Function
CWE-312: Cleartext Storage of Sensitive Information
CWE-319: Cleartext Transmission of Sensitive Information
CWE-321: Use of Hard-coded Cryptographic Key
CWE-322: Key Exchange without Entity Authentication
CWE-323: Reusing a Nonce, Key Pair in Encryption
CWE-325: Missing Required Cryptographic Step
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-330: Use of Insufficiently Random Values
CWE-331: Insufficient Entropy
CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-341: Predictable from Observable State
CWE-345: Insufficient Verification of Data Authenticity
CWE-347: Improper Verification of Cryptographic Signature
CWE-348: Use of Less Trusted Source
CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-354: Improper Validation of Integrity Check Value
CWE-356: Product UI does not Warn User of Unsafe Actions
CWE-358: Improperly Implemented Security Check for Standard
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-364: Signal Handler Race Condition
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-369: Divide By Zero
CWE-377: Insecure Temporary File
CWE-384: Session Fixation
CWE-385: Covert Timing Channel
CWE-390: Detection of Error Condition Without Action
CWE-391: Unchecked Error Condition
CWE-392: Missing Report of Error Condition
CWE-393: Return of Wrong Status Code
CWE-400: Uncontrolled Resource Consumption
CWE-401: Missing Release of Memory after Effective Lifetime
CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
CWE-407: Inefficient Algorithmic Complexity
CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
CWE-41: Improper Resolution of Path Equivalence
CWE-416: Use After Free
CWE-426: Untrusted Search Path
CWE-428: Unquoted Search Path or Element
CWE-440: Expected Behavior Violation
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CWE-451: User Interface (UI) Misrepresentation of Critical Information
CWE-454: External Initialization of Trusted Variables or Data Stores
CWE-456: Missing Initialization of a Variable
CWE-460: Improper Cleanup on Thrown Exception
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CWE-471: Modification of Assumed-Immutable Data (MAID)
CWE-476: NULL Pointer Dereference
CWE-480: Use of Incorrect Operator
CWE-494: Download of Code Without Integrity Check
CWE-502: Deserialization of Untrusted Data
CWE-522: Insufficiently Protected Credentials
CWE-532: Inclusion of Sensitive Information in Log Files
CWE-547: Use of Hard-coded, Security-relevant Constants
CWE-552: Files or Directories Accessible to External Parties
CWE-561: Dead Code
CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context
CWE-587: Assignment of a Fixed Address to a Pointer
CWE-59: Improper Link Resolution Before File Access ('Link Following')
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CWE-602: Client-Side Enforcement of Server-Side Security
CWE-611: Improper Restriction of XML External Entity Reference
CWE-613: Insufficient Session Expiration
CWE-617: Reachable Assertion
CWE-626: Null Byte Interaction Error (Poison Null Byte)
CWE-628: Function Call with Incorrectly Specified Arguments
CWE-642: External Control of Critical State Data
CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')
CWE-648: Incorrect Use of Privileged APIs
CWE-662: Improper Synchronization
CWE-665: Improper Initialization
CWE-667: Improper Locking
CWE-672: Operation on a Resource after Expiration or Release
CWE-674: Uncontrolled Recursion
CWE-676: Use of Potentially Dangerous Function
CWE-681: Incorrect Conversion between Numeric Types
CWE-682: Incorrect Calculation
CWE-697: Incorrect Comparison
CWE-704: Incorrect Type Conversion or Cast
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-73: External Control of File Name or Path
CWE-749: Exposed Dangerous Method or Function
CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-772: Missing Release of Resource after Effective Lifetime
CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-787: Out-of-bounds Write
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-798: Use of Hard-coded Credentials
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-805: Buffer Access with Incorrect Length Value
CWE-807: Reliance on Untrusted Inputs in a Security Decision
CWE-822: Untrusted Pointer Dereference
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-833: Deadlock
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-839: Numeric Range Comparison Without Minimum Check
CWE-841: Improper Enforcement of Behavioral Workflow
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization
CWE-88: Argument Injection or Modification
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CWE-918: Server-Side Request Forgery (SSRF)
CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')