CWE Coverage for Red Hat Customer Portal

Updated -

Present CWE coverage for Red Hat Customer Portal

Update 27th August 2019: This article has been updated with new version of the coverage used for Red Hat Customer portal, based on CWE version 3.3.

Update 18th February 2015: This article has been updated to new revison 2.8_1 of the coverage, which is now used for Red Hat Customer Portal.

Update 4th September 2014: This article has been updated to reflect that CWE list version 2.8 (updated from version 2.5) and a new revision of the coverage is now used for Red Hat Customer Portal.

Update 12th August 2013: This article has been updated to reflect that CWE list version 2.5 (updated from version 2.4) and a new revision of the coverage is now used for Red Hat Customer Portal.

Update 22nd March 2013: This article has been updated to make corrections to two of the entries in the CWE list.

Update 28th February 2013: This article has been updated to reflect that CWE list version 2.4 (updated from version 2.3) is now used for Red Hat Customer Portal.

Update 27th November 2012: This article has been updated to reflect that CWE list version 2.3 (updated from version 2.2) is now used for Red Hat Customer Portal.

For the elements in the CWE coverage for Red Hat Customer Portal, we carefully selected abstractions with enough relevant information for developers to detect and mitigate all its related weaknesses.

CWE identifiers are assigned to Red Hat vulnerabilities using the present CWE coverage at the time of the vulnerability assessment. Thus, references to vulnerabilities are divided into time slices based upon the date the vulnerability was assessed and the present CWE coverage at that time.

The following is the present CWE coverage for Red Hat Customer Portal and is based on CWE version 3.3.

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CWE-117: Improper Output Neutralization for Logs
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-121: Stack-based Buffer Overflow
CWE-122: Heap-based Buffer Overflow
CWE-125: Out-of-bounds Read
CWE-129: Improper Validation of Array Index
CWE-130: Improper Handling of Length Parameter Inconsistency 
CWE-131: Incorrect Calculation of Buffer Size
CWE-134: Use of Externally-Controlled Format String
CWE-135: Incorrect Calculation of Multi-Byte String Length
CWE-138: Improper Neutralization of Special Elements
CWE-170: Improper Null Termination
CWE-172: Encoding Error
CWE-179: Incorrect Behavior Order: Early Validation
CWE-183: Permissive Whitelist
CWE-184: Incomplete Blacklist
CWE-185: Incorrect Regular Expression
CWE-190: Integer Overflow or Wraparound
CWE-193: Off-by-one Error
CWE-194: Unexpected Sign Extension
CWE-20: Improper Input Validation
CWE-200: Information Exposure
CWE-201: Information Exposure Through Sent Data
CWE-203: Information Exposure Through Discrepancy
CWE-209: Information Exposure Through an Error Message
CWE-214: Information Exposure Through Process Environment
CWE-212: Improper Cross-boundary Removal of Sensitive Data
CWE-222: Truncation of Security-relevant Information
CWE-223: Omission of Security-relevant Information
CWE-228: Improper Handling of Syntactically Invalid Structure
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection')
CWE-248: Uncaught Exception
CWE-250: Execution with Unnecessary Privileges
CWE-252: Unchecked Return Value
CWE-253: Incorrect Check of Function Return Value
CWE-266: Incorrect Privilege Assignment
CWE-267: Privilege Defined With Unsafe Actions
CWE-268: Privilege Chaining
CWE-270: Privilege Context Switching Error
CWE-271: Privilege Dropping / Lowering Errors
CWE-282: Improper Ownership Management
CWE-283: Unverified Ownership
CWE-284: Improper Access Control
CWE-285: Improper Authorization
CWE-287: Improper Authentication
CWE-290: Authentication Bypass by Spoofing
CWE-294: Authentication Bypass by Capture-replay
CWE-295: Improper Certificate Validation
CWE-296: Improper Following of a Certificate's Chain of Trust
CWE-297: Improper Validation of Certificate with Host Mismatch
CWE-299: Improper Check for Certificate Revocation
CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
CWE-304: Missing Critical Step in Authentication
CWE-305: Authentication Bypass by Primary Weakness
CWE-306: Missing Authentication for Critical Function
CWE-312: Cleartext Storage of Sensitive Information
CWE-319: Cleartext Transmission of Sensitive Information
CWE-321: Use of Hard-coded Cryptographic Key
CWE-322: Key Exchange without Entity Authentication
CWE-323: Reusing a Nonce, Key Pair in Encryption
CWE-325: Missing Required Cryptographic Step
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-330: Use of Insufficiently Random Values
CWE-331: Insufficient Entropy
CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-341: Predictable from Observable State
CWE-345: Insufficient Verification of Data Authenticity
CWE-347: Improper Verification of Cryptographic Signature
CWE-348: Use of Less Trusted Source
CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-354: Improper Validation of Integrity Check Value
CWE-356: Product UI does not Warn User of Unsafe Actions
CWE-358: Improperly Implemented Security Check for Standard
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-364: Signal Handler Race Condition
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-369: Divide By Zero
CWE-377: Insecure Temporary File
CWE-384: Session Fixation
CWE-385: Covert Timing Channel
CWE-390: Detection of Error Condition Without Action
CWE-391: Unchecked Error Condition
CWE-392: Missing Report of Error Condition
CWE-393: Return of Wrong Status Code
CWE-400: Uncontrolled Resource Consumption
CWE-401: Missing Release of Memory after Effective Lifetime
CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
CWE-407: Inefficient Algorithmic Complexity
CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
CWE-41: Improper Resolution of Path Equivalence
CWE-416: Use After Free
CWE-426: Untrusted Search Path
CWE-428: Unquoted Search Path or Element
CWE-440: Expected Behavior Violation
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CWE-451: User Interface (UI) Misrepresentation of Critical Information
CWE-454: External Initialization of Trusted Variables or Data Stores
CWE-456: Missing Initialization of a Variable
CWE-460: Improper Cleanup on Thrown Exception
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CWE-471: Modification of Assumed-Immutable Data (MAID)
CWE-476: NULL Pointer Dereference
CWE-480: Use of Incorrect Operator
CWE-494: Download of Code Without Integrity Check
CWE-502: Deserialization of Untrusted Data
CWE-522: Insufficiently Protected Credentials
CWE-532: Inclusion of Sensitive Information in Log Files
CWE-547: Use of Hard-coded, Security-relevant Constants
CWE-552: Files or Directories Accessible to External Parties
CWE-561: Dead Code
CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context
CWE-587: Assignment of a Fixed Address to a Pointer
CWE-59: Improper Link Resolution Before File Access ('Link Following')
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CWE-602: Client-Side Enforcement of Server-Side Security
CWE-611: Improper Restriction of XML External Entity Reference
CWE-613: Insufficient Session Expiration
CWE-617: Reachable Assertion
CWE-626: Null Byte Interaction Error (Poison Null Byte)
CWE-628: Function Call with Incorrectly Specified Arguments
CWE-642: External Control of Critical State Data
CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')
CWE-648: Incorrect Use of Privileged APIs
CWE-662: Improper Synchronization
CWE-665: Improper Initialization
CWE-667: Improper Locking
CWE-672: Operation on a Resource after Expiration or Release
CWE-674: Uncontrolled Recursion
CWE-676: Use of Potentially Dangerous Function
CWE-681: Incorrect Conversion between Numeric Types
CWE-682: Incorrect Calculation
CWE-697: Incorrect Comparison
CWE-704: Incorrect Type Conversion or Cast
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-73: External Control of File Name or Path
CWE-749: Exposed Dangerous Method or Function
CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-772: Missing Release of Resource after Effective Lifetime
CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-787: Out-of-bounds Write
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-798: Use of Hard-coded Credentials
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-805: Buffer Access with Incorrect Length Value
CWE-807: Reliance on Untrusted Inputs in a Security Decision
CWE-822: Untrusted Pointer Dereference
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-833: Deadlock
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-839: Numeric Range Comparison Without Minimum Check
CWE-841: Improper Enforcement of Behavioral Workflow
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization
CWE-88: Argument Injection or Modification
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CWE-918: Server-Side Request Forgery (SSRF)
CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')