diff --git a/src/categorization/categorizer.py b/src/categorization/categorizer.py
index 8b9fb20..ea1a7d1 100644
--- a/src/categorization/categorizer.py
+++ b/src/categorization/categorizer.py
@@ -142,6 +142,121 @@ async def categorize_vulnerability_provider(self, description):
 ```
 {description}
 ```
+ Conform 'NVD CWE List' available for Classification:
+ id Name: - Description: - Examples: - keywords:
+ CWE-843 Name: Access of Resource Using Incompatible Type ('Type Confusion') Description: The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. examples: Casting a base class pointer to a derived class pointer of an unrelated type and accessing members, Using a C-style cast on a void pointer to an incorrect data structure, Interpreting raw byte buffer as a complex object of the wrong class.
+ CWE-824 Name: Access of Uninitialized Pointer Description: The program accesses or uses a pointer that has not been initialized. examples: Dereferencing a pointer immediately after declaration without assignment, Using a pointer returned by a function that might be NULL without checking, Accessing a class member pointer that was not initialized in the constructor.
+ CWE-770 Name: Allocation of Resources Without Limits or Throttling Description: The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. examples: Allowing users to request an unlimited number of session objects, Processing an XML file that can define an excessive number of entities leading to memory exhaustion, A loop that allocates memory based on user input without a size cap.
+ CWE-670 Name: Always-Incorrect Control Flow Implementation Description: The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
examples: An 'if' condition that is always true or always false due to a logical error, A loop that always exits after the first iteration or never terminates as intended, Incorrectly ordered conditional checks leading to unreachable code blocks.
+ CWE-294 Name: Authentication Bypass by Capture-replay Description: A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). examples: Replaying a captured login request containing session cookies, Re-submitting a previously captured financial transaction request, Using nonces or timestamps improperly allowing old messages to be accepted.
+ CWE-290 Name: Authentication Bypass by Spoofing Description: This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks. examples: Accepting user identity based solely on a user-controlled HTTP header (e.g., X-Forwarded-For), Trusting an IP address for authentication without further checks, An API that allows a user to specify another user's ID in a request to act as them.
+ CWE-639 Name: Authorization Bypass Through User-Controlled Key Description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. examples: Accessing '/user_profile?id=123' and changing 'id' to '456' to view another user's profile, An API endpoint like '/api/orders/order_id' where changing order_id gives access to others' orders, Modifying a hidden form field containing a record identifier.
+ CWE-120 Name: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Description: The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. examples: Using strcpy() to copy user-provided string into a fixed-size buffer, Using sprintf() with user input without validating length, Reading network data into a buffer using recv() without checking the amount of data received against buffer capacity.
+ CWE-312 Name: Cleartext Storage of Sensitive Information Description: The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. examples: Storing user passwords in a database column as plain text, Writing API keys to a configuration file without encryption, Logging credit card numbers to a local file.
+ CWE-319 Name: Cleartext Transmission of Sensitive Information Description: The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. examples: Transmitting login credentials over HTTP instead of HTTPS, Sending API keys in URLs over unencrypted channels, Emailing unencrypted sensitive documents.
+ CWE-362 Name: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Description: The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. examples: Two threads incrementing a shared counter without locks (read-modify-write), Checking if a file exists then writing to it without locking, leading to another process deleting it in between, Modifying a shared data structure from multiple threads without mutexes.
+ CWE-352 Name: Cross-Site Request Forgery (CSRF) Description: The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. examples: A web application performs a state-changing action (e.g., password change) based on a GET request without tokens, A malicious site causes a user's browser to submit a form to a vulnerable site where the user is authenticated, Lack of anti-CSRF tokens in forms that perform sensitive actions.
+ CWE-502 Name: Deserialization of Untrusted Data Description: The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. examples: Deserializing a Java object from an HTTP request without validating the object's class or contents, Using Python's pickle.loads() on data received from an untrusted network source, Processing serialized user preferences that can be manipulated to execute arbitrary code.
+ CWE-425 Name: Direct Request ('Forced Browsing') Description: The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. examples: Accessing an admin page like /admin/dashboard.php by directly typing the URL without being an admin, Discovering unlinked backup files like config.bak by guessing filenames, Navigating to internal API endpoints that are not meant for public access.
+ CWE-369 Name: Divide By Zero Description: The product divides a value by zero. examples: Calculating an average where the count of items can be zero, A mathematical formula where a denominator is derived from user input that could be zero, An offset calculation x / y where y is not checked for zero.
+ CWE-415 Name: Double Free Description: The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
examples: Freeing a pointer in a main function and also in a cleanup function for the same pointer, An error handling path frees a resource that is also freed in a standard exit path, Complex data structures where multiple parts might hold and try to free the same pointer.
+ CWE-494 Name: Download of Code Without Integrity Check Description: The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. examples: An auto-update mechanism that downloads and runs an installer without checking its digital signature, A plugin system that loads remote scripts without validating their source or hash, Executing code fetched via HTTP without HTTPS or signature verification.
+ CWE-834 Name: Excessive Iteration Description: The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. examples: A while loop whose condition depends on external input that can prevent termination, A for loop processing elements of a list where the list can be excessively large due to user input, Recursive function calls without a proper base case or depth limit based on untrusted data.
+ CWE-668 Name: Exposure of Resource to Wrong Sphere Description: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. examples: A web server configured to serve files from outside the web root, An internal administrative API endpoint made accessible from the public internet, Sharing an internal database connection string with a client-side application.
+ CWE-200 Name: Exposure of Sensitive Information to an Unauthorized Actor Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
examples: Error messages revealing system paths or database structure, API responses including excessive user data not needed by the client, Directory listings enabled on a web server showing sensitive files.
+ CWE-610 Name: Externally Controlled Reference to a Resource in Another Sphere Description: The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. examples: A file inclusion vulnerability where user input specifies a path to /etc/passwd, An SSRF flaw where a user-provided URL is fetched by the server, A system call that takes a filename controlled by a low-privilege user.
+ CWE-552 Name: Files or Directories Accessible to External Parties Description: The product makes files or directories accessible to unauthorized actors, even though they should not be. examples: Web server misconfiguration allowing listing of directories containing sensitive files, Backup files (.bak, .old) left in web-accessible directories, Overly permissive file system ACLs on critical system files.
+ CWE-209 Name: Generation of Error Message Containing Sensitive Information Description: The software generates an error message that includes sensitive information about its environment, users, or associated data. examples: Displaying full SQL query errors to users, Revealing internal IP addresses or server names in error pages, Exposing stack traces that detail application structure.
+ CWE-287 Name: Improper Authentication Description: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. examples: Allowing access based on a user-supplied 'isAdmin=true' parameter, Using easily guessable default credentials, Authenticating users solely based on their IP address in a shared network.
+ CWE-295 Name: Improper Certificate Validation Description: The software does not validate, or incorrectly validates, a certificate.
examples: Accepting self-signed SSL/TLS certificates without warning, Not checking certificate expiration or revocation status, Disabling hostname verification in an HTTPS client.
+ CWE-273 Name: Improper Check for Dropped Privileges Description: The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. examples: Calling setuid() to drop root privileges but not verifying the return code, Continuing execution with elevated privileges after a failed privilege drop attempt, Performing sensitive operations assuming privileges were dropped when they weren't.
+ CWE-754 Name: Improper Check for Unusual or Exceptional Conditions Description: The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software. examples: Ignoring return values from functions that indicate errors, Not handling potential null values before dereferencing, Failing to catch specific exceptions that could lead to application instability.
+ CWE-913 Name: Improper Control of Dynamically-Managed Code Resources Description: The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. examples: Allowing user input to specify class names for instantiation via reflection without validation, Modifying JavaScript prototypes based on URL parameters, Using eval() on untrusted strings that can alter program logic.
+ CWE-94 Name: Improper Control of Generation of Code ('Code Injection') Description: The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
examples: Using eval() on concatenated strings including user input, Server-side template injection where user input becomes part of the template code, Generating shell commands by embedding unsanitized user data.
+ CWE-116 Name: Improper Encoding or Escaping of Output Description: The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. examples: Outputting user-supplied data directly into an HTML page without HTML entity encoding (leading to XSS), Generating JSON with unescaped user input that breaks the JSON structure, Logging user data without sanitizing control characters that could corrupt log parsing.
+ CWE-924 Name: Improper Enforcement of Message Integrity During Transmission in a Communication Channel Description: The software establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission. examples: Relying on unencrypted HTTP for API communication without message authentication codes (MACs), Downloading software updates over an insecure channel without verifying a digital signature, Not using TLS or using it with weak cipher suites that don't ensure integrity.
+ CWE-178 Name: Improper Handling of Case Sensitivity Description: The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. examples: Allowing 'admin' and 'Admin' as different usernames but file system is case-insensitive, Checking for 'file.txt' but attacker uploads 'File.TXT' on a case-insensitive OS, Inconsistent case handling in security checks for URLs or parameters.
+ CWE-755 Name: Improper Handling of Exceptional Conditions Description: The software does not handle or incorrectly handles an exceptional condition. examples: A try block with an empty catch block that silently ignores errors, Catching a generic Exception and not taking appropriate action, Allowing an unhandled exception to propagate and crash the application.
+ CWE-665 Name: Improper Initialization Description: The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. examples: Using a variable before it's assigned a value, A class constructor not initializing all member variables, Forgetting to initialize a security-critical flag to a safe default.
+ CWE-20 Name: Improper Input Validation Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. examples: Accepting a negative number for an item quantity, Allowing special characters in a username field that are used in SQL queries, Not checking the type or range of an input parameter before using it in calculations.
+ CWE-22 Name: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Description: The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. examples: User input like ../../etc/passwd used in a file open operation, A file download script that takes a filename parameter without sanitizing ../, Using user-provided path components directly in filesystem operations.
+ CWE-59 Name: Improper Link Resolution Before File Access ('Link Following') Description: The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. examples: A privileged program writes to a log file in a user-writable directory where the user can replace the log with a symlink to /etc/shadow, Checking permissions on a symlink itself instead of the target file, Race conditions where a file is replaced by a symlink between check and use (TOCTOU).
+ CWE-667 Name: Improper Locking Description: The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. examples: Forgetting to release a mutex after acquiring it, leading to deadlock, Acquiring locks in inconsistent order across different threads causing deadlocks, Using a non-recursive lock in a recursive function.
+ CWE-88 Name: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Description: The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. examples: Passing unsanitized user input as an argument to system() or exec() calls, User input like -o malicious_file.sh being passed to a command-line utility, Failure to quote arguments containing spaces or special characters when building a command string.
+ CWE-1236 Name: Improper Neutralization of Formula Elements in a CSV File Description: The software saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software. examples: Exporting user-provided data starting with = (e.g.
=SUM(A1:A2)) directly into a CSV, Not prefixing potentially malicious cell values with a single quote, Allowing DDE commands in CSV content.
+ CWE-79 Name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. examples: Echoing user input from a URL parameter directly into HTML, Displaying user comments without escaping HTML tags, Injecting user-provided data into JavaScript string literals without proper escaping.
+ CWE-74 Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Description: The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. examples: Generating XML with unescaped user data leading to XML injection, Creating LDAP queries by concatenating unsanitized user input, Building OS commands with user input without proper escaping (leading to OS Command Injection).
+ CWE-77 Name: Improper Neutralization of Special Elements used in a Command ('Command Injection') Description: The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. examples: A web script that pings a host provided by user input by building a command string like ping + user_host, Using user input directly in subprocess.call('command ' + arg, shell=True) in Python, Concatenating user data into a batch script.
+ CWE-917 Name: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') Description: The software constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. examples: Concatenating user input into a JSF EL expression like #{{bean. + userInput + }}, Allowing user-provided data in Spring Expression Language (SpEL) evaluations without sanitization, Server-side template injection where EL is used and input is not escaped.
+ CWE-78 Name: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Description: The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. examples: A CGI script taking a filename from a GET request and passing it to grep unsanitized, Using user input in backticks or
+ CWE-459 Name: Incomplete Cleanup Description: The software does not properly "clean up" and remove temporary or supporting resources after they have been used. examples: Creating temporary files with sensitive data in /tmp but not deleting them on application exit or error, Leaving debug flags or backdoor accounts active in production code, Not clearing sensitive data from memory after processing.
+ CWE-444 Name: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') Description: The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. examples: A front-end proxy uses Content-Length while the back-end server uses Transfer-Encoding: chunked for request delimitation, Exploiting differences in how two HTTP servers parse ambiguous Content-Length headers, Using CL.TE or TE.CL vulnerabilities to desynchronize requests.
+ CWE-863 Name: Incorrect Authorization Description: The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. examples: Checking user.role == 'admin' but the actual role is stored in user.permissions.isAdmin, Allowing access if any one of multiple cumulative permission checks passes, when all should be required, Incorrectly implementing 'deny by default' logic.
+ CWE-682 Name: Incorrect Calculation Description: The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. examples: A financial application miscalculates interest due to floating-point precision errors, An off-by-one error in calculating buffer sizes leading to overflow, Incorrectly calculating remaining attempts for login causing premature lockout or no lockout.
+ CWE-131 Name: Incorrect Calculation of Buffer Size Description: The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
examples: Forgetting to add +1 for null terminator when allocating for a string, Using sizeof(pointer) instead of sizeof(pointee_type) or string length for malloc, Integer overflow in size calculation width * height before allocation.
+ CWE-697 Name: Incorrect Comparison Description: The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. examples: Comparing signed and unsigned integers where a negative signed value becomes a large unsigned value, Using == to compare floating point numbers for equality, Incorrectly comparing user roles, e.g. if (role != "admin") instead of checking for specific allowed roles.
+ CWE-681 Name: Incorrect Conversion between Numeric Types Description: When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. examples: Casting a long to int losing significant bits, potentially making a large positive number small or negative, Converting a floating-point number to an integer via truncation where precision is critical, Implicit conversion from signed to unsigned leading to unexpected behavior with negative numbers.
+ CWE-276 Name: Incorrect Default Permissions Description: During installation, installed file permissions are set to allow anyone to modify those files. examples: Software installer setting configuration files to be world-writable (777), Default umask being too permissive (e.g., 0000), Application data directories created with global read/write access.
+ CWE-732 Name: Incorrect Permission Assignment for Critical Resource Description: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
examples: A /etc/shadow file being readable by non-root users, Admin panel accessible by regular users due to misconfigured web server rules, Database granting UPDATE privileges on sensitive tables to low-privilege application accounts.
+ CWE-669 Name: Incorrect Resource Transfer Between Spheres Description: The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. examples: A privileged process passing a file descriptor to an unprivileged process without proper sanitization of its capabilities, A web application reflecting user input into a system command executed in a more privileged context, Exposing internal object references to a less trusted environment.
+ CWE-704 Name: Incorrect Type Conversion or Cast Description: The software does not correctly convert an object, resource, or structure from one type to a different type. examples: Casting a void* to an incorrect struct type and accessing its members, Downcasting a base class pointer to a derived class pointer when the object is not actually of the derived type, Implicit type conversion in C/C++ that leads to data loss or misinterpretation.
+ CWE-335 Name: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) Description: The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. examples: Seeding a PRNG with a constant value (e.g., srand(0)), Seeding with time(NULL) which can be predictable if calls are close together, Re-seeding the PRNG too frequently with low-entropy sources.
+ CWE-407 Name: Inefficient Algorithmic Complexity Description: An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
examples: Using a nested loop algorithm (O(n^2)) where a linear solution (O(n)) exists for processing user-supplied data, A string matching algorithm that degrades to quadratic complexity on specific inputs, Hash table with poor collision resolution leading to linear search times.
+ CWE-1333 Name: Inefficient Regular Expression Complexity Description: The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. examples: Regex like (a+)+b which can cause catastrophic backtracking, Using nested quantifiers with overlapping patterns, A regex that performs poorly on strings with many near misses.
+ CWE-1188 Name: Insecure Default Initialization of Resource Description: The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure. examples: Default admin password like 'admin' or 'password', SNMP community string set to 'public' by default, A firewall product having a default 'allow all' rule.
+ CWE-922 Name: Insecure Storage of Sensitive Information Description: The software stores sensitive information without properly limiting read or write access by unauthorized actors. examples: Storing API keys in a world-readable file, Database backups containing PII stored in an S3 bucket with public access, User session data written to a shared temporary directory with insecure permissions.
+ CWE-532 Name: Insertion of Sensitive Information into Log File Description: Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. examples: Logging full HTTP requests including session cookies or authorization headers, Writing raw exception details that include user passwords or PII, Debug logs that output decrypted sensitive data.
+ CWE-331 Name: Insufficient Entropy Description: The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. examples: Generating session IDs using a PRNG seeded with only the current time (low resolution), Creating cryptographic keys from a small set of easily guessable inputs, Using rand() for security-critical random numbers without proper seeding from /dev/urandom.
+ NVD-CWE-noinfo Name: Insufficient Information Description: There is insufficient information about the issue to classify it; details are unkown or unspecified. examples: Vulnerability report states 'a security issue' without technical details, Advisory mentions a flaw but vendor has not disclosed specifics, CVE entry marked with this when details are pending.
+ NVD-CWE-Other Name: Other Description: NVD is only using a subset of CWE for mapping instead of the entire CWE, and the weakness type is not covered by that subset. examples: A very specific or niche vulnerability not fitting existing CWEs used by NVD, A weakness category that NVD has chosen not to map directly, A complex issue spanning multiple unmapped CWEs.
+ CWE-613 Name: Insufficient Session Expiration Description: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." examples: Session cookies that never expire or have extremely long lifetimes (e.g., years), Not invalidating a session on the server-side after logout, Re-authenticating a user without issuing a new session ID if the old one is still active.
+ CWE-345 Name: Insufficient Verification of Data Authenticity Description: The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
examples: Accepting firmware updates without checking digital signatures, Trusting data from a DNS server without DNSSEC, Processing messages from a queue without verifying the sender's identity or message integrity. + CWE-522 Name: Insufficiently Protected Credentials Description: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. examples: Storing passwords using unsalted MD5 hashes, Transmitting passwords in cleartext over HTTP, Hardcoding API keys directly in client-side JavaScript. + CWE-190 Name: Integer Overflow or Wraparound Description: The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. examples: Calculating malloc size with count * item_size where the product overflows to a small number, A loop counter i++ wraps around from max_int to a negative value, A security check if (value + offset < limit) where value + offset overflows. + CWE-191 Name: Integer Underflow (Wrap or Wraparound) Description: The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. examples: Calculating buffer offset ptr - size where size is larger than ptr's numeric value (if ptr is an int), A check if (balance - withdrawal_amount >= 0) where balance - withdrawal_amount underflows to a large positive number, Decrementing an unsigned integer below zero. + CWE-436 Name: Interpretation Conflict Description: Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. 
examples: A web proxy and backend server parsing HTTP headers (e.g., Content-Length) differently leading to request smuggling, Different interpretation of character encodings between two systems, Inconsistent handling of ambiguous file path separators (/ vs ) by different components. + CWE-835 Name: Loop with Unreachable Exit Condition ('Infinite Loop') Description: The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. examples: A while(true) loop without a break statement or other exit mechanism, A for loop where the increment/decrement operation never allows the condition to be met (e.g., for(i=0; i!=10; i+=2) if i starts odd), A loop condition dependent on a variable that is never modified within the loop body. + CWE-306 Name: Missing Authentication for Critical Function Description: The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. examples: An admin panel accessible without login, An API endpoint for deleting user accounts that does not require a session token, A feature to change system configuration available to any network user. + CWE-862 Name: Missing Authorization Description: The software does not perform an authorization check when an actor attempts to access a resource or perform an action. examples: Any authenticated user can access /admin/delete_user?id=xxx regardless of their role, A user can view another user's private messages by guessing the message ID, No check to ensure a user owns a resource before allowing modification. + CWE-311 Name: Missing Encryption of Sensitive Data Description: The software does not encrypt sensitive or critical information before storage or transmission. examples: Storing credit card numbers in a database without encryption, Transmitting user passwords over HTTP, Sending PII via unencrypted email. 
+ CWE-909 Name: Missing Initialization of Resource Description: The software does not initialize a critical resource. examples: A pointer is declared but not assigned before being dereferenced, A security flag (e.g., is_admin) is not set to a default safe value before use, Using a file descriptor that has not been opened. + CWE-401 Name: Missing Release of Memory after Effective Lifetime Description: The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. examples: Calling malloc repeatedly in a loop without corresponding free calls, An object that allocates memory in its constructor but has no destructor or dispose method to release it, Creating data structures (e.g., list nodes) and losing pointers to them before deallocation. + CWE-772 Name: Missing Release of Resource after Effective Lifetime Description: The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. examples: Opening files without closing them (fopen without fclose), Acquiring database connections from a pool and not returning them, Not releasing network sockets after communication ends. + CWE-476 Name: NULL Pointer Dereference Description: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. examples: Accessing ptr->member when ptr is NULL, A function returns NULL on error but the caller uses the return value without checking, Using an object pointer before it's properly constructed and initialized. + CWE-203 Name: Observable Discrepancy Description: The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. 
examples: Login page responds faster for invalid usernames than for valid usernames with incorrect passwords (timing attack), Different error messages for 'user not found' vs 'incorrect password', API returning more detailed error for one failure type over another. + CWE-193 Name: Off-by-one Error Description: A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. examples: Looping for (i=0; i <= size; i++) when accessing array[i] (should be < size), Allocating strlen(str) bytes for a string copy instead of strlen(str)+1 for the null terminator, Using < instead of <= (or vice-versa) in a boundary condition check. + CWE-672 Name: Operation on a Resource after Expiration or Release Description: The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. examples: Using a file descriptor after the file has been closed (close(fd); write(fd, ...)), Accessing an object after its memory has been free()d (Use-After-Free), Continuing to use a session ID after the session has been invalidated on the server. + CWE-346 Name: Origin Validation Error Description: The software does not properly verify that the source of data or communication is valid. examples: A web application accepting cross-domain requests (CORS) from * without proper checks, A WebSocket server not verifying the Origin header of incoming connections, An IPC mechanism trusting any local process without sender verification. + CWE-125 Name: Out-of-bounds Read Description: The software reads data past the end, or before the beginning, of the intended buffer. examples: Reading buffer[length] when length is the size of the buffer (valid indices are 0 to length-1), Using a negative index to access an array, A memcpy or similar function reading more bytes than available in the source buffer. 
+ CWE-787 Name: Out-of-bounds Write Description: The software writes data past the end, or before the beginning, of the intended buffer. examples: Writing to buffer[length] when length is the size of the buffer, strcpy to a buffer that is too small for the source string, Integer overflow in index calculation leading to writing outside allocated memory. + CWE-617 Name: Reachable Assertion Description: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. examples: An assert(user_input != NULL) that crashes if user_input is NULL, An assertion checking an invariant that can be violated by crafted input, Using assertions for input validation in production builds where assertions are compiled out or cause termination. + CWE-763 Name: Release of Invalid Pointer or Reference Description: The application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly. examples: Calling free() on a pointer not obtained from malloc() (e.g., stack variable, global), Calling delete on a pointer allocated with malloc(), or free() on new, Using free() on an already freed pointer if not a double-free (e.g. if it was reallocated by something else). + CWE-565 Name: Reliance on Cookies without Validation and Integrity Checking Description: The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. examples: Storing user role (e.g., isAdmin=true) in a client-side cookie without server-side verification or signing, Using a cookie value directly in an SQL query without sanitization, Trusting a cookie to indicate authentication status without re-validating against a server session. 
+ CWE-918 Name: Server-Side Request Forgery (SSRF) Description: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. examples: A feature to fetch an image from a user-provided URL which can be pointed to internal services like http://127.0.0.1/admin, A PDF generator that loads content from URLs specified in an XML/HTML input, Cloud metadata service abuse by providing URLs like http://169.254.169.254/. + CWE-384 Name: Session Fixation Description: Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. examples: User logs in, but the application continues to use the pre-login session ID, Attacker tricks victim into using a session ID known to the attacker, then waits for victim to log in, Not regenerating session ID upon successful authentication. + CWE-367 Name: Time-of-check Time-of-use (TOCTOU) Race Condition Description: The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state. examples: Checking if a file exists (check_file) then opening it (open_file), but the file is replaced by a symlink in between, Validating user permissions then performing an action, but permissions change before action execution, Checking available balance then debiting an account without an atomic transaction. + CWE-252 Name: Unchecked Return Value Description: The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. 
examples: Ignoring the return value of malloc() which could be NULL, Not checking if fwrite() successfully wrote all bytes, Calling a function that can fail (e.g., network send) without verifying its success status. + CWE-674 Name: Uncontrolled Recursion Description: The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack. examples: A recursive function to parse a data structure (e.g., JSON) without a depth limit, A factorial function that can be called with a very large number from user input, Mutually recursive functions where the base case is not reached or is controlled by external input. + CWE-400 Name: Uncontrolled Resource Consumption Description: The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. examples: Allowing a user to request an arbitrarily large file for processing, A regex that takes exponential time on certain inputs (ReDoS), Allocating memory based on a user-provided size without limits, leading to DoS. + CWE-427 Name: Uncontrolled Search Path Element Description: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. examples: An application that loads DLLs from the current working directory first, where an attacker can place a malicious DLL, Using . in the PATH environment variable on Unix, A script that includes files using a path that includes a user-writable directory. 
keywords: uncontrolled search path, DLL hijacking, path manipulation, library loading, current working directory, environment variable + CWE-428 Name: Unquoted Search Path or Element Description: The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. examples: A Windows service registered with an unquoted path like C:/Program Files/My App/service.exe allowing C:/Program.exe to be executed, A script that calls an executable using an unquoted path with spaces, Configuration files specifying paths without quotes. keywords: unquoted search path, path injection, Windows service, whitespace in path, privilege escalation, command execution + CWE-434 Name: Unrestricted Upload of File with Dangerous Type Description: The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. examples: Allowing users to upload .php or .jsp files to a web server's document root, Uploading an .exe file to a directory from which applications are run, Not validating file extensions or MIME types for uploaded files that could be executable. + CWE-426 Name: Untrusted Search Path Description: The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control. examples: A program using an environment variable like LD_LIBRARY_PATH or PYTHONPATH set by a user to find libraries, An application that loads plugins from a directory specified in a user-modifiable configuration file, Scripts that source other scripts from paths influenced by user input. + CWE-601 Name: URL Redirection to Untrusted Site ('Open Redirect') Description: A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. 
This simplifies phishing attacks. examples: A login page redirects to $_GET['redirect_url'] without validating the URL is on the same domain, A link shortener that doesn't check if the target URL is malicious, Using user-provided URLs in HTTP Location headers without proper validation. + CWE-416 Name: Use After Free Description: Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. examples: An object is deleted, but a pointer to it is still used later, A data structure element is freed, but iterators or other references to it are not updated, Using a pointer that was passed to free() in an error handling path that doesn't immediately exit. + CWE-327 Name: Use of a Broken or Risky Cryptographic Algorithm Description: The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. examples: Using MD5 or SHA1 for password hashing, Employing DES or RC4 for data encryption, Relying on custom-made 'homegrown' cryptographic algorithms. + CWE-338 Name: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Description: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. examples: Using java.util.Random or Python's random module to generate session IDs or encryption keys, Relying on rand() or libc PRNGs for cryptographic purposes, PRNGs with small internal state or predictable output sequences. + CWE-134 Name: Use of Externally-Controlled Format String Description: The software uses a function that accepts a format string as an argument, but the format string originates from an external source. examples: Calling printf(user_input) instead of printf('%s', user_input), Using user-controlled data as the first argument to syslog(), sprintf(), or fprintf(), A logging function that takes a format string directly from a network request. 
+ CWE-470 Name: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') Description: The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. examples: Java Class.forName(userInput).newInstance() where userInput comes from an HTTP parameter, Python getattr(module, user_string)() to call functions, Deserializing objects where the class name is controlled by the attacker. + CWE-798 Name: Use of Hard-coded Credentials Description: The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. examples: Default admin password compiled into the application binary, Database connection string with username/password stored in source code, A fixed AES encryption key embedded in a mobile app. + CWE-706 Name: Use of Incorrectly-Resolved Name or Reference Description: The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. examples: DNS rebinding attacks where a malicious site resolves to an internal IP after an initial check, TOCTOU issues with filename resolution where a symlink is introduced, Relying on hostname resolution that can be manipulated by a local attacker (e.g., /etc/hosts). + CWE-330 Name: Use of Insufficiently Random Values Description: The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. examples: Generating password reset tokens that are easily guessable (e.g., sequential or based on timestamp), Using a PRNG with a small seed space for cryptographic keys, Session IDs that follow a predictable pattern. 
+ CWE-916 Name: Use of Password Hash With Insufficient Computational Effort Description: The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. examples: Using unsalted MD5 or SHA1 for password storage, Using bcrypt or scrypt with a very low work factor/iteration count, Custom hashing schemes that are fast to compute. + CWE-908 Name: Use of Uninitialized Resource Description: The software uses or accesses a resource that has not been initialized. examples: Reading from a variable before any value is assigned to it (common in C/C++), Using an object whose constructor was not called or failed, Dereferencing a pointer member of a struct that was malloced but not initialized. + CWE-640 Name: Weak Password Recovery Mechanism for Forgotten Password Description: The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. examples: Password reset based on easily guessable security questions (e.g., 'What is your favorite color?'), Sending new passwords in cleartext via email, Generating predictable password reset tokens. + CWE-521 Name: Weak Password Requirements Description: The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts. examples: Allowing passwords like '123456' or 'password', Not enforcing minimum length or complexity (mix of character types), No check against common password lists. + CWE-91 Name: XML Injection (aka Blind XPath Injection) Description: The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. 
examples: Concatenating user input directly into an XPath query string, Building XML documents by string concatenation with unescaped user data, A SOAP service that parses XML containing malicious external entity references (XXE if parser supports it). + Rules for returning the vendor: - Return only the official/primary vendor name - For open source projects, return the organization maintaining it @@ -161,14 +276,44 @@ async def categorize_vulnerability_provider(self, description): """ if(type == 'api'): + client = AsyncOpenAI(api_key=api_key, base_url=base_url) + + prompt = f"{prompt}\\)" + + def create_hint(prompt): + return f""" + Hint: The cwe_category is near: {prompt} + """ + attemps = 0 try: + max_attempts = 4 completion = await client.chat.completions.create( - model=model, - messages=[{"role": "user", "content": prompt}] - ) - result = _extract_category(completion.choices[0].message.content) - return [result] + model=model, + messages=[{"role": "user", "content": prompt}] + ) + + result_prevously = _extract_category(completion.choices[0].message.content)['cwe_category'] + + while(max_attempts > attemps): + hint = create_hint(result_prevously) + prompt = f"{hint}{prompt}" + + completion = await client.chat.completions.create( + model=model, + messages=[{"role": "user", "content": prompt}] + ) + + new_result_list = _extract_category(completion.choices[0].message.content) + new_result = new_result_list['cwe_category'] + + + if(result_prevously == new_result or max_attempts == attemps): + return [new_result_list] + + result_prevously = new_result + attemps += 1 + return [new_result_list] except Exception as e: print(f"Error calling API: {e}") return [{"cwe_category": "UNKNOWN", "explanation": str(e), "vendor": "Unknown", "cause": "", "impact": ""}] 
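Review bot: In the retry loop, `prompt = f"{hint}{prompt}"` prepends each new hint to a prompt that already carries the earlier ones, so later rounds send several, possibly contradictory, "cwe_category is near" hints and a longer request each time. Keeping the original text aside with `base_prompt = prompt` before the loop and building `prompt = f"{hint}{base_prompt}"` inside it gives every round exactly one hint. The hinted value is model output derived from the vulnerability description, which is presumably untrusted text, and nothing visible in this hunk checks that it is one of the ids in the CWE list before it is interpolated back into the prompt; `_extract_category` is defined outside the hunk, so confirm it restricts `cwe_category` to that list or add the check before `create_hint`. The `max_attempts == attemps` half of the exit test can never be true inside `while(max_attempts > attemps)` and can be dropped. The enclosing function starts above this hunk and continues after it.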
@@ -184,6 +329,119 @@ async def categorize_vulnerability_provider(self, description): ``` {description} ``` + Conform 'NVD CWE List' available for Classification: + CWE-843 Name: Access of Resource Using Incompatible Type ('Type Confusion') Description: The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. examples: Casting a base class pointer to a derived class pointer of an unrelated type and accessing members, Using a C-style cast on a void pointer to an incorrect data structure, Interpreting raw byte buffer as a complex object of the wrong class. keywords: type confusion, incompatible type, resource access, type mismatch, memory corruption, pointer casting, object misinterpretation + CWE-824 Name: Access of Uninitialized Pointer Description: The program accesses or uses a pointer that has not been initialized. examples: Dereferencing a pointer immediately after declaration without assignment, Using a pointer returned by a function that might be NULL without checking, Accessing a class member pointer that was not initialized in the constructor. keywords: uninitialized pointer, null pointer, memory access, crash, segmentation fault, dangling pointer, undefined behavior + CWE-770 Name: Allocation of Resources Without Limits or Throttling Description: The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. examples: Allowing users to request an unlimited number of session objects, Processing an XML file that can define an excessive number of entities leading to memory exhaustion, A loop that allocates memory based on user input without a size cap. 
keywords: resource allocation, unlimited allocation, denial of service, DoS, resource exhaustion, throttling, rate limiting, memory bloat + CWE-670 Name: Always-Incorrect Control Flow Implementation Description: The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. examples: An 'if' condition that is always true or always false due to a logical error, A loop that always exits after the first iteration or never terminates as intended, Incorrectly ordered conditional checks leading to unreachable code blocks. keywords: control flow, logic error, incorrect path, flawed algorithm, bug, unexpected behavior, dead code, unreachable code + CWE-294 Name: Authentication Bypass by Capture-replay Description: A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). examples: Replaying a captured login request containing session cookies, Re-submitting a previously captured financial transaction request, Using nonces or timestamps improperly allowing old messages to be accepted. keywords: authentication bypass, capture-replay, replay attack, session hijacking, network sniffing, man-in-the-middle, nonces, message freshness + CWE-290 Name: Authentication Bypass by Spoofing Description: This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks. examples: Accepting user identity based solely on a user-controlled HTTP header (e.g., X-Forwarded-For), Trusting an IP address for authentication without further checks, An API that allows a user to specify another user's ID in a request to act as them. 
keywords: authentication bypass, spoofing, identity theft, impersonation, weak authentication, IP spoofing, request forgery + CWE-639 Name: Authorization Bypass Through User-Controlled Key Description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. examples: Accessing '/user_profile?id=123' and changing 'id' to '456' to view another user's profile, An API endpoint like '/api/orders/order_id' where changing order_id gives access to others' orders, Modifying a hidden form field containing a record identifier. keywords: authorization bypass, user-controlled key, insecure direct object reference, IDOR, access control, privilege escalation, parameter tampering + CWE-120 Name: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Description: The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. examples: Using strcpy() to copy user-provided string into a fixed-size buffer, Using sprintf() with user input without validating length, Reading network data into a buffer using recv() without checking the amount of data received against buffer capacity. keywords: buffer overflow, classic buffer overflow, memory corruption, input size, bounds checking, strcpy, gets, sprintf, stack overflow + CWE-312 Name: Cleartext Storage of Sensitive Information Description: The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. examples: Storing user passwords in a database column as plain text, Writing API keys to a configuration file without encryption, Logging credit card numbers to a local file. 
keywords: cleartext storage, sensitive data, unencrypted, plain text, data exposure, password storage, confidentiality, PII + CWE-319 Name: Cleartext Transmission of Sensitive Information Description: The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. examples: Transmitting login credentials over HTTP instead of HTTPS, Sending API keys in URLs over unencrypted channels, Emailing unencrypted sensitive documents. keywords: cleartext transmission, sensitive data, unencrypted, plain text, network sniffing, man-in-the-middle, data exposure, http, insecure transport + CWE-362 Name: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Description: The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. examples: Two threads incrementing a shared counter without locks (read-modify-write), Checking if a file exists then writing to it without locking, leading to another process deleting it in between, Modifying a shared data structure from multiple threads without mutexes. keywords: race condition, concurrency, shared resource, improper synchronization, threading, deadlock, atomicity, mutual exclusion + CWE-352 Name: Cross-Site Request Forgery (CSRF) Description: The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. 
examples: A web application performs a state-changing action (e.g., password change) based on a GET request without tokens, A malicious site causes a user's browser to submit a form to a vulnerable site where the user is authenticated, Lack of anti-CSRF tokens in forms that perform sensitive actions. keywords: CSRF, cross-site request forgery, session riding, one-click attack, request validation, anti-csrf token, state-changing request + CWE-502 Name: Deserialization of Untrusted Data Description: The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. examples: Deserializing a Java object from an HTTP request without validating the object's class or contents, Using Python's pickle.loads() on data received from an untrusted network source, Processing serialized user preferences that can be manipulated to execute arbitrary code. keywords: deserialization, untrusted data, object injection, remote code execution, insecure deserialization, data validation, code execution, gadget chains + CWE-425 Name: Direct Request ('Forced Browsing') Description: The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. examples: Accessing an admin page like /admin/dashboard.php by directly typing the URL without being an admin, Discovering unlinked backup files like config.bak by guessing filenames, Navigating to internal API endpoints that are not meant for public access. keywords: forced browsing, direct request, authorization bypass, access control, URL manipulation, hidden files, insecure endpoint + CWE-369 Name: Divide By Zero Description: The product divides a value by zero. examples: Calculating an average where the count of items can be zero, A mathematical formula where a denominator is derived from user input that could be zero, An offset calculation x / y where y is not checked for zero. 
keywords: divide by zero, arithmetic error, exception, crash, denial of service, runtime error
+ CWE-415 Name: Double Free Description: The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. examples: Freeing a pointer in a main function and also in a cleanup function for the same pointer, An error handling path frees a resource that is also freed in a standard exit path, Complex data structures where multiple parts might hold and try to free the same pointer. keywords: double free, memory corruption, heap corruption, use after free, memory management, pointer management
+ CWE-494 Name: Download of Code Without Integrity Check Description: The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. examples: An auto-update mechanism that downloads and runs an installer without checking its digital signature, A plugin system that loads remote scripts without validating their source or hash, Executing code fetched via HTTP without HTTPS or signature verification. keywords: code download, integrity check, code signing, supply chain attack, untrusted code, malware, remote code execution, signature verification
+ CWE-834 Name: Excessive Iteration Description: The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. examples: A while loop whose condition depends on external input that can prevent termination, A for loop processing elements of a list where the list can be excessively large due to user input, Recursive function calls without a proper base case or depth limit based on untrusted data. 
keywords: excessive iteration, infinite loop, denial of service, DoS, resource exhaustion, loop control, CPU usage, hang
+ CWE-668 Name: Exposure of Resource to Wrong Sphere Description: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. examples: A web server configured to serve files from outside the web root, An internal administrative API endpoint made accessible from the public internet, Sharing an internal database connection string with a client-side application. keywords: resource exposure, wrong sphere, access control, information disclosure, unintended access, permissions, network misconfiguration
+ CWE-200 Name: Exposure of Sensitive Information to an Unauthorized Actor Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. examples: Error messages revealing system paths or database structure, API responses including excessive user data not needed by the client, Directory listings enabled on a web server showing sensitive files. keywords: sensitive information exposure, data leak, information disclosure, unauthorized access, confidentiality breach, verbose errors, PII
+ CWE-610 Name: Externally Controlled Reference to a Resource in Another Sphere Description: The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. examples: A file inclusion vulnerability where user input specifies a path to /etc/passwd, An SSRF flaw where a user-provided URL is fetched by the server, A system call that takes a filename controlled by a low-privilege user. 
keywords: external control, resource reference, path traversal, file inclusion, SSRF, out-of-sphere, LFI, RFI
+ CWE-552 Name: Files or Directories Accessible to External Parties Description: The product makes files or directories accessible to unauthorized actors, even though they should not be. examples: Web server misconfiguration allowing listing of directories containing sensitive files, Backup files (.bak, .old) left in web-accessible directories, Overly permissive file system ACLs on critical system files. keywords: file access, directory access, insecure permissions, information disclosure, unauthorized access, data exposure, web server misconfiguration
+ CWE-209 Name: Generation of Error Message Containing Sensitive Information Description: The software generates an error message that includes sensitive information about its environment, users, or associated data. examples: Displaying full SQL query errors to users, Revealing internal IP addresses or server names in error pages, Exposing stack traces that detail application structure. keywords: error message, sensitive information, information disclosure, debugging information, verbose errors, stack trace, configuration details
+ CWE-287 Name: Improper Authentication Description: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. examples: Allowing access based on a user-supplied 'isAdmin=true' parameter, Using easily guessable default credentials, Authenticating users solely based on their IP address in a shared network. keywords: improper authentication, weak authentication, authentication bypass, no authentication, identity verification, credential management
+ CWE-295 Name: Improper Certificate Validation Description: The software does not validate, or incorrectly validates, a certificate. 
examples: Accepting self-signed SSL/TLS certificates without warning, Not checking certificate expiration or revocation status, Disabling hostname verification in an HTTPS client. keywords: certificate validation, SSL/TLS, man-in-the-middle, insecure communication, trust, HTTPS, PKI, hostname verification
+ CWE-273 Name: Improper Check for Dropped Privileges Description: The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. examples: Calling setuid() to drop root privileges but not verifying the return code, Continuing execution with elevated privileges after a failed privilege drop attempt, Performing sensitive operations assuming privileges were dropped when they weren't. keywords: dropped privileges, privilege escalation, permission check, root access, least privilege, setuid, effective UID
+ CWE-754 Name: Improper Check for Unusual or Exceptional Conditions Description: The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software. examples: Ignoring return values from functions that indicate errors, Not handling potential null values before dereferencing, Failing to catch specific exceptions that could lead to application instability. keywords: exceptional conditions, error handling, unexpected input, robustness, edge cases, return value check, null check
+ CWE-913 Name: Improper Control of Dynamically-Managed Code Resources Description: The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. examples: Allowing user input to specify class names for instantiation via reflection without validation, Modifying JavaScript prototypes based on URL parameters, Using eval() on untrusted strings that can alter program logic. 
keywords: dynamic code, code modification, reflection, runtime manipulation, insecure code management, eval, prototype pollution
+ CWE-94 Name: Improper Control of Generation of Code ('Code Injection') Description: The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. examples: Using eval() on concatenated strings including user input, Server-side template injection where user input becomes part of the template code, Generating shell commands by embedding unsanitized user data. keywords: code injection, eval injection, dynamic code, input sanitization, remote code execution, template injection, command injection
+ CWE-116 Name: Improper Encoding or Escaping of Output Description: The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. examples: Outputting user-supplied data directly into an HTML page without HTML entity encoding (leading to XSS), Generating JSON with unescaped user input that breaks the JSON structure, Logging user data without sanitizing control characters that could corrupt log parsing. keywords: output encoding, output escaping, XSS, injection, data sanitization, context awareness, HTML injection, log injection
+ CWE-924 Name: Improper Enforcement of Message Integrity During Transmission in a Communication Channel Description: The software establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission. 
examples: Relying on unencrypted HTTP for API communication without message authentication codes (MACs), Downloading software updates over an insecure channel without verifying a digital signature, Not using TLS or using it with weak cipher suites that don't ensure integrity. keywords: message integrity, data tampering, man-in-the-middle, checksum, MAC, digital signature, insecure communication, HMAC
+ CWE-178 Name: Improper Handling of Case Sensitivity Description: The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. examples: Allowing 'admin' and 'Admin' as different usernames but file system is case-insensitive, Checking for 'file.txt' but attacker uploads 'File.TXT' on a case-insensitive OS, Inconsistent case handling in security checks for URLs or parameters. keywords: case sensitivity, normalization, canonicalization, resource access, file system, identifier comparison, username enumeration
+ CWE-755 Name: Improper Handling of Exceptional Conditions Description: The software does not handle or incorrectly handles an exceptional condition. examples: A try block with an empty catch block that silently ignores errors, Catching a generic Exception and not taking appropriate action, Allowing an unhandled exception to propagate and crash the application. keywords: exception handling, error handling, crash, denial of service, unexpected state, robustness, unhandled exception
+ CWE-665 Name: Improper Initialization Description: The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. examples: Using a variable before it's assigned a value, A class constructor not initializing all member variables, Forgetting to initialize a security-critical flag to a safe default. 
keywords: improper initialization, uninitialized variable, default values, resource state, unexpected behavior, null pointer, undefined state
+ CWE-20 Name: Improper Input Validation Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. examples: Accepting a negative number for an item quantity, Allowing special characters in a username field that are used in SQL queries, Not checking the type or range of an input parameter before using it in calculations. keywords: input validation, data validation, sanitization, untrusted input, security checks, malformed data, type checking, range checking
+ CWE-22 Name: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Description: The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. examples: User input like ../../etc/passwd used in a file open operation, A file download script that takes a filename parameter without sanitizing ../, Using user-provided path components directly in filesystem operations. keywords: path traversal, directory traversal, dot-dot-slash, file access, input sanitization, LFI, restricted directory bypass
+ CWE-59 Name: Improper Link Resolution Before File Access ('Link Following') Description: The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. 
examples: A privileged program writes to a log file in a user-writable directory where the user can replace the log with a symlink to /etc/shadow, Checking permissions on a symlink itself instead of the target file, Race conditions where a file is replaced by a symlink between check and use (TOCTOU). keywords: link following, symbolic link, symlink, TOCTOU, file access, race condition, privilege escalation, file system attack
+ CWE-667 Name: Improper Locking Description: The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. examples: Forgetting to release a mutex after acquiring it, leading to deadlock, Acquiring locks in inconsistent order across different threads causing deadlocks, Using a non-recursive lock in a recursive function. keywords: improper locking, synchronization, race condition, deadlock, mutex, semaphore, concurrency, resource contention
+ CWE-88 Name: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Description: The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. examples: Passing unsanitized user input as an argument to system() or exec() calls, User input like -o malicious_file.sh being passed to a command-line utility, Failure to quote arguments containing spaces or special characters when building a command string. 
keywords: argument injection, command injection, parameter injection, shell injection, input sanitization, system call, command line arguments
+ CWE-1236 Name: Improper Neutralization of Formula Elements in a CSV File Description: The software saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software. examples: Exporting user-provided data starting with = (e.g. =SUM(A1:A2)) directly into a CSV, Not prefixing potentially malicious cell values with a single quote, Allowing DDE commands in CSV content. keywords: CSV injection, formula injection, spreadsheet, data export, sanitization, command execution, DDE, data exfiltration
+ CWE-79 Name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. examples: Echoing user input from a URL parameter directly into HTML, Displaying user comments without escaping HTML tags, Injecting user-provided data into JavaScript string literals without proper escaping. keywords: XSS, cross-site scripting, input sanitization, output encoding, web security, javascript injection, HTML injection, DOM XSS, reflected XSS, stored XSS
+ CWE-74 Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Description: The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. 
examples: Generating XML with unescaped user data leading to XML injection, Creating LDAP queries by concatenating unsanitized user input, Building OS commands with user input without proper escaping (leading to OS Command Injection). keywords: injection, generic injection, special elements, sanitization, escaping, output encoding, command injection, SQL injection, LDAP injection, XML injection
+ CWE-77 Name: Improper Neutralization of Special Elements used in a Command ('Command Injection') Description: The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. examples: A web script that pings a host provided by user input by building a command string like ping + user_host, Using user input directly in subprocess.call('command ' + arg, shell=True) in Python, Concatenating user data into a batch script. keywords: command injection, os command injection, shell injection, input sanitization, arbitrary command execution, system calls, metacharacters
+ CWE-917 Name: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') Description: The software constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. examples: Concatenating user input into a JSF EL expression like #{{bean. + userInput + }}, Allowing user-provided data in Spring Expression Language (SpEL) evaluations without sanitization, Server-side template injection where EL is used and input is not escaped. 
keywords: expression language injection, EL injection, template injection, server-side injection, input sanitization, OGNL, SpEL, JSF + CWE-78 Name: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Description: The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. examples: A CGI script taking a filename from a GET request and passing it to grep unsanitized, Using user input in backticks or + CWE-459 Name: Incomplete Cleanup Description: The software does not properly "clean up" and remove temporary or supporting resources after they have been used. examples: Creating temporary files with sensitive data in /tmp but not deleting them on application exit or error, Leaving debug flags or backdoor accounts active in production code, Not clearing sensitive data from memory after processing. keywords: incomplete cleanup, temporary files, resource leak, information disclosure, data remanence, leftover debug code + CWE-444 Name: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') Description: The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. examples: A front-end proxy uses Content-Length while the back-end server uses Transfer-Encoding: chunked for request delimitation, Exploiting differences in how two HTTP servers parse ambiguous Content-Length headers, Using CL.TE or TE.CL vulnerabilities to desynchronize requests. 
keywords: HTTP request smuggling, HTTP response smuggling, request desynchronization, proxy, firewall, bypass, CL.TE, TE.CL, HTTP parsing
+ CWE-863 Name: Incorrect Authorization Description: The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. examples: Checking user.role == 'admin' but the actual role is stored in user.permissions.isAdmin, Allowing access if any one of multiple cumulative permission checks passes, when all should be required, Incorrectly implementing 'deny by default' logic. keywords: incorrect authorization, access control, authorization bypass, privilege escalation, permission flaw, logical error in checks
+ CWE-682 Name: Incorrect Calculation Description: The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. examples: A financial application miscalculates interest due to floating-point precision errors, An off-by-one error in calculating buffer sizes leading to overflow, Incorrectly calculating remaining attempts for login causing premature lockout or no lockout. keywords: incorrect calculation, logic error, arithmetic error, precision error, financial miscalculation, security decision, off-by-one, rounding error
+ CWE-131 Name: Incorrect Calculation of Buffer Size Description: The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow. examples: Forgetting to add +1 for null terminator when allocating for a string, Using sizeof(pointer) instead of sizeof(pointee_type) or string length for malloc, Integer overflow in size calculation width * height before allocation. 
keywords: buffer size calculation, buffer overflow, memory allocation, off-by-one, integer overflow, malloc, sizeof error, null terminator
+ CWE-697 Name: Incorrect Comparison Description: The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. examples: Comparing signed and unsigned integers where a negative signed value becomes a large unsigned value, Using == to compare floating point numbers for equality, Incorrectly comparing user roles, e.g. if (role != "admin") instead of checking for specific allowed roles. keywords: incorrect comparison, logic error, type mismatch, string comparison, equality check, authentication bypass, signed/unsigned comparison
+ CWE-681 Name: Incorrect Conversion between Numeric Types Description: When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. examples: Casting a long to int losing significant bits, potentially making a large positive number small or negative, Converting a floating-point number to an integer via truncation where precision is critical, Implicit conversion from signed to unsigned leading to unexpected behavior with negative numbers. keywords: numeric type conversion, integer overflow, truncation, data loss, type casting, precision error, sign extension, implicit conversion
+ CWE-276 Name: Incorrect Default Permissions Description: During installation, installed file permissions are set to allow anyone to modify those files. examples: Software installer setting configuration files to be world-writable (777), Default umask being too permissive (e.g., 0000), Application data directories created with global read/write access. 
keywords: incorrect default permissions, insecure defaults, file permissions, access control, privilege escalation, umask, world-writable
+ CWE-732 Name: Incorrect Permission Assignment for Critical Resource Description: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. examples: A /etc/shadow file being readable by non-root users, Admin panel accessible by regular users due to misconfigured web server rules, Database granting UPDATE privileges on sensitive tables to low-privilege application accounts. keywords: incorrect permissions, critical resource, access control, information disclosure, privilege escalation, ACLs, file system permissions
+ CWE-669 Name: Incorrect Resource Transfer Between Spheres Description: The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. examples: A privileged process passing a file descriptor to an unprivileged process without proper sanitization of its capabilities, A web application reflecting user input into a system command executed in a more privileged context, Exposing internal object references to a less trusted environment. keywords: resource transfer, sphere boundary, control sphere, cross-domain, privilege escalation, capability passing, context switching
+ CWE-704 Name: Incorrect Type Conversion or Cast Description: The software does not correctly convert an object, resource, or structure from one type to a different type. examples: Casting a void* to an incorrect struct type and accessing its members, Downcasting a base class pointer to a derived class pointer when the object is not actually of the derived type, Implicit type conversion in C/C++ that leads to data loss or misinterpretation. 
keywords: type conversion, type casting, data corruption, type confusion, unexpected behavior, downcast, reinterpret_cast
+ CWE-335 Name: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) Description: The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. examples: Seeding a PRNG with a constant value (e.g., srand(0)), Seeding with time(NULL) which can be predictable if calls are close together, Re-seeding the PRNG too frequently with low-entropy sources. keywords: PRNG seed, random number generator, predictability, weak entropy, static seed, insufficient randomness, srand, time()
+ CWE-407 Name: Inefficient Algorithmic Complexity Description: An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. examples: Using a nested loop algorithm (O(n^2)) where a linear solution (O(n)) exists for processing user-supplied data, A string matching algorithm that degrades to quadratic complexity on specific inputs, Hash table with poor collision resolution leading to linear search times. keywords: algorithmic complexity, denial of service, DoS, performance, resource exhaustion, inefficient algorithm, O(n^2), worst-case scenario
+ CWE-1333 Name: Inefficient Regular Expression Complexity Description: The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. examples: Regex like (a+)+b which can cause catastrophic backtracking, Using nested quantifiers with overlapping patterns, A regex that performs poorly on strings with many near misses. 
keywords: regex DoS, ReDoS, regular expression, catastrophic backtracking, denial of service, CPU exhaustion, inefficient regex, performance
+ CWE-1188 Name: Insecure Default Initialization of Resource Description: The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure. examples: Default admin password like 'admin' or 'password', SNMP community string set to 'public' by default, A firewall product having a default 'allow all' rule. keywords: insecure defaults, default credentials, weak configuration, initialization, security misconfiguration, hardcoded password
+ CWE-922 Name: Insecure Storage of Sensitive Information Description: The software stores sensitive information without properly limiting read or write access by unauthorized actors. examples: Storing API keys in a world-readable file, Database backups containing PII stored in an S3 bucket with public access, User session data written to a shared temporary directory with insecure permissions. keywords: insecure storage, sensitive data, data exposure, access control, encryption, cleartext storage, permissions, PII
+ CWE-532 Name: Insertion of Sensitive Information into Log File Description: Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. examples: Logging full HTTP requests including session cookies or authorization headers, Writing raw exception details that include user passwords or PII, Debug logs that output decrypted sensitive data. keywords: sensitive data in logs, log injection, information disclosure, passwords in logs, PII, session tokens in logs, credit card numbers in logs
+ CWE-331 Name: Insufficient Entropy Description: The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. 
examples: Generating session IDs using a PRNG seeded with only the current time (low resolution), Creating cryptographic keys from a small set of easily guessable inputs, Using rand() for security-critical random numbers without proper seeding from /dev/urandom. keywords: insufficient entropy, weak randomness, PRNG, predictability, cryptographic weakness, random number generation, /dev/random, CSPRNG
+ NVD-CWE-noinfo Name: Insufficient Information Description: There is insufficient information about the issue to classify it; details are unkown or unspecified. examples: Vulnerability report states 'a security issue' without technical details, Advisory mentions a flaw but vendor has not disclosed specifics, CVE entry marked with this when details are pending. keywords: insufficient information, unclassified, unknown weakness, unspecified, nvd, pending details, undisclosed
+ NVD-CWE-Other Name: Other Description: NVD is only using a subset of CWE for mapping instead of the entire CWE, and the weakness type is not covered by that subset. examples: A very specific or niche vulnerability not fitting existing CWEs used by NVD, A weakness category that NVD has chosen not to map directly, A complex issue spanning multiple unmapped CWEs. keywords: other, non-standard, uncategorized, miscellaneous weakness, nvd, mapping limitation, unique flaw
+ CWE-613 Name: Insufficient Session Expiration Description: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." examples: Session cookies that never expire or have extremely long lifetimes (e.g., years), Not invalidating a session on the server-side after logout, Re-authenticating a user without issuing a new session ID if the old one is still active. 
keywords: session expiration, session management, session hijacking, timeout, stale session, persistent session, logout functionality
+ CWE-345 Name: Insufficient Verification of Data Authenticity Description: The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. examples: Accepting firmware updates without checking digital signatures, Trusting data from a DNS server without DNSSEC, Processing messages from a queue without verifying the sender's identity or message integrity. keywords: data authenticity, data integrity, spoofing, tampering, signature validation, source validation, message origin, non-repudiation
+ CWE-522 Name: Insufficiently Protected Credentials Description: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. examples: Storing passwords using unsalted MD5 hashes, Transmitting passwords in cleartext over HTTP, Hardcoding API keys directly in client-side JavaScript. keywords: protected credentials, password storage, credential exposure, cleartext passwords, weak hashing, insecure transmission, unsalted hash, hardcoded secrets
+ CWE-190 Name: Integer Overflow or Wraparound Description: The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. examples: Calculating malloc size with count * item_size where the product overflows to a small number, A loop counter i++ wraps around from max_int to a negative value, A security check if (value + offset < limit) where value + offset overflows. 
keywords: integer overflow, wraparound, arithmetic overflow, buffer overflow, memory allocation, security checks, numeric calculation, signedness + CWE-191 Name: Integer Underflow (Wrap or Wraparound) Description: The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. examples: Calculating buffer offset ptr - size where size is larger than ptr's numeric value (if ptr is an int), A check if (balance - withdrawal_amount >= 0) where balance - withdrawal_amount underflows to a large positive number, Decrementing an unsigned integer below zero. keywords: integer underflow, wraparound, arithmetic underflow, security checks, negative values, numeric calculation, buffer offset + CWE-436 Name: Interpretation Conflict Description: Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. examples: A web proxy and backend server parsing HTTP headers (e.g., Content-Length) differently leading to request smuggling, Different interpretation of character encodings between two systems, Inconsistent handling of ambiguous file path separators (/ vs ) by different components. keywords: interpretation conflict, protocol mismatch, state inconsistency, system interaction, interoperability, ambiguity, request smuggling, parsing differences + CWE-835 Name: Loop with Unreachable Exit Condition ('Infinite Loop') Description: The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. examples: A while(true) loop without a break statement or other exit mechanism, A for loop where the increment/decrement operation never allows the condition to be met (e.g., for(i=0; i!=10; i+=2) if i starts odd), A loop condition dependent on a variable that is never modified within the loop body. 
keywords: infinite loop, unreachable exit, denial of service, DoS, resource exhaustion, loop control, hang, non-termination + CWE-306 Name: Missing Authentication for Critical Function Description: The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. examples: An admin panel accessible without login, An API endpoint for deleting user accounts that does not require a session token, A feature to change system configuration available to any network user. keywords: missing authentication, no authentication, critical function, access control, unauthorized access, unauthenticated access, public function + CWE-862 Name: Missing Authorization Description: The software does not perform an authorization check when an actor attempts to access a resource or perform an action. examples: Any authenticated user can access /admin/delete_user?id=xxx regardless of their role, A user can view another user's private messages by guessing the message ID, No check to ensure a user owns a resource before allowing modification. keywords: missing authorization, no authorization, access control, privilege escalation, insecure direct object reference, IDOR, permission check + CWE-311 Name: Missing Encryption of Sensitive Data Description: The software does not encrypt sensitive or critical information before storage or transmission. examples: Storing credit card numbers in a database without encryption, Transmitting user passwords over HTTP, Sending PII via unencrypted email. keywords: missing encryption, unencrypted data, cleartext, sensitive data exposure, confidentiality, PII, data in transit, data at rest + CWE-909 Name: Missing Initialization of Resource Description: The software does not initialize a critical resource. 
examples: A pointer is declared but not assigned before being dereferenced, A security flag (e.g., is_admin) is not set to a default safe value before use, Using a file descriptor that has not been opened. keywords: missing initialization, uninitialized resource, default values, unexpected state, null pointer, undefined behavior, uninitialized variable + CWE-401 Name: Missing Release of Memory after Effective Lifetime Description: The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. examples: Calling malloc repeatedly in a loop without corresponding free calls, An object that allocates memory in its constructor but has no destructor or dispose method to release it, Creating data structures (e.g., list nodes) and losing pointers to them before deallocation. keywords: memory leak, resource leak, memory management, garbage collection, denial of service, malloc/free, new/delete + CWE-772 Name: Missing Release of Resource after Effective Lifetime Description: The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. examples: Opening files without closing them (fopen without fclose), Acquiring database connections from a pool and not returning them, Not releasing network sockets after communication ends. keywords: resource leak, file handle leak, connection leak, memory leak, resource management, close(), release() + CWE-476 Name: NULL Pointer Dereference Description: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. examples: Accessing ptr->member when ptr is NULL, A function returns NULL on error but the caller uses the return value without checking, Using an object pointer before it's properly constructed and initialized. 
keywords: null pointer dereference, crash, segmentation fault, null check, pointer access, NPE, invalid memory access + CWE-203 Name: Observable Discrepancy Description: The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. examples: Login page responds faster for invalid usernames than for valid usernames with incorrect passwords (timing attack), Different error messages for 'user not found' vs 'incorrect password', API returning more detailed error for one failure type over another. keywords: observable discrepancy, timing attack, side channel, information disclosure, error messages, user enumeration, behavioral difference + CWE-193 Name: Off-by-one Error Description: A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. examples: Looping for (i=0; i <= size; i++) when accessing array[i] (should be < size), Allocating strlen(str) bytes for a string copy instead of strlen(str)+1 for the null terminator, Using < instead of <= (or vice-versa) in a boundary condition check. keywords: off-by-one, boundary error, buffer overflow, loop termination, array indexing, fencepost error, +/-1 error + CWE-672 Name: Operation on a Resource after Expiration or Release Description: The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. examples: Using a file descriptor after the file has been closed (close(fd); write(fd, ...)), Accessing an object after its memory has been free()d (Use-After-Free), Continuing to use a session ID after the session has been invalidated on the server. 
keywords: use after free, UAF, operation on released resource, dangling pointer, stale reference, resource lifetime, session invalidation + CWE-346 Name: Origin Validation Error Description: The software does not properly verify that the source of data or communication is valid. examples: A web application accepting cross-domain requests (CORS) from * without proper checks, A WebSocket server not verifying the Origin header of incoming connections, An IPC mechanism trusting any local process without sender verification. keywords: origin validation, CORS misconfiguration, cross-domain, source verification, trust boundary, Origin header, CSRF + CWE-125 Name: Out-of-bounds Read Description: The software reads data past the end, or before the beginning, of the intended buffer. examples: Reading buffer[length] when length is the size of the buffer (valid indices are 0 to length-1), Using a negative index to access an array, A memcpy or similar function reading more bytes than available in the source buffer. keywords: out-of-bounds read, OOB read, buffer over-read, memory disclosure, information leak, bounds checking, Heartbleed + CWE-787 Name: Out-of-bounds Write Description: The software writes data past the end, or before the beginning, of the intended buffer. examples: Writing to buffer[length] when length is the size of the buffer, strcpy to a buffer that is too small for the source string, Integer overflow in index calculation leading to writing outside allocated memory. keywords: out-of-bounds write, OOB write, buffer overflow, memory corruption, code execution, bounds checking, heap overflow, stack overflow + CWE-617 Name: Reachable Assertion Description: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. 
examples: An assert(user_input != NULL) that crashes if user_input is NULL, An assertion checking an invariant that can be violated by crafted input, Using assertions for input validation in production builds where assertions are compiled out or cause termination. keywords: reachable assertion, assert, denial of service, DoS, crash, input validation, defensive programming, unhandled condition + CWE-763 Name: Release of Invalid Pointer or Reference Description: The application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly. examples: Calling free() on a pointer not obtained from malloc() (e.g., stack variable, global), Calling delete on a pointer allocated with malloc(), or free() on new, Using free() on an already freed pointer if not a double-free (e.g. if it was reallocated by something else). keywords: invalid free, release invalid pointer, memory corruption, crash, free(), delete, memory management, heap corruption + CWE-565 Name: Reliance on Cookies without Validation and Integrity Checking Description: The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. examples: Storing user role (e.g., isAdmin=true) in a client-side cookie without server-side verification or signing, Using a cookie value directly in an SQL query without sanitization, Trusting a cookie to indicate authentication status without re-validating against a server session. 
keywords: cookie manipulation, insecure cookie, session management, authentication bypass, authorization bypass, client-side trust, signed cookies, HttpOnly + CWE-918 Name: Server-Side Request Forgery (SSRF) Description: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. examples: A feature to fetch an image from a user-provided URL which can be pointed to internal services like http://127.0.0.1/admin, A PDF generator that loads content from URLs specified in an XML/HTML input, Cloud metadata service abuse by providing URLs like http://169.254.169.254/. keywords: SSRF, server-side request forgery, URL fetching, internal network access, port scanning, cloud metadata abuse, input validation, allowlist/denylist + CWE-384 Name: Session Fixation Description: Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. examples: User logs in, but the application continues to use the pre-login session ID, Attacker tricks victim into using a session ID known to the attacker, then waits for victim to log in, Not regenerating session ID upon successful authentication. keywords: session fixation, session hijacking, session management, authentication, session ID regeneration, pre-login session + CWE-367 Name: Time-of-check Time-of-use (TOCTOU) Race Condition Description: The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state. 
examples: Checking if a file exists (check_file) then opening it (open_file), but the file is replaced by a symlink in between, Validating user permissions then performing an action, but permissions change before action execution, Checking available balance then debiting an account without an atomic transaction. keywords: TOCTOU, time-of-check time-of-use, race condition, concurrency, file system race, atomicity, locking + CWE-252 Name: Unchecked Return Value Description: The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. examples: Ignoring the return value of malloc() which could be NULL, Not checking if fwrite() successfully wrote all bytes, Calling a function that can fail (e.g., network send) without verifying its success status. keywords: unchecked return value, error handling, ignored error, robustness, unexpected state, function result, status code + CWE-674 Name: Uncontrolled Recursion Description: The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack. examples: A recursive function to parse a data structure (e.g., JSON) without a depth limit, A factorial function that can be called with a very large number from user input, Mutually recursive functions where the base case is not reached or is controlled by external input. keywords: uncontrolled recursion, stack overflow, denial of service, DoS, recursion depth, base case, resource exhaustion + CWE-400 Name: Uncontrolled Resource Consumption Description: The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. 
examples: Allowing a user to request an arbitrarily large file for processing, A regex that takes exponential time on certain inputs (ReDoS), Allocating memory based on a user-provided size without limits, leading to DoS. keywords: uncontrolled resource consumption, denial of service, DoS, resource exhaustion, memory allocation, CPU usage, rate limiting, input validation + CWE-427 Name: Uncontrolled Search Path Element Description: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. examples: An application that loads DLLs from the current working directory first, where an attacker can place a malicious DLL, Using . in the PATH environment variable on Unix, A script that includes files using a path that includes a user-writable directory. keywords: uncontrolled search path, DLL hijacking, path manipulation, library loading, current working directory, environment variable + CWE-428 Name: Unquoted Search Path or Element Description: The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. examples: A Windows service registered with an unquoted path like C:/Program Files/My App/service.exe allowing C:/Program.exe to be executed, A script that calls an executable using an unquoted path with spaces, Configuration files specifying paths without quotes. keywords: unquoted search path, path injection, Windows service, whitespace in path, privilege escalation, command execution + CWE-434 Name: Unrestricted Upload of File with Dangerous Type Description: The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. 
examples: Allowing users to upload .php or .jsp files to a web server's document root, Uploading an .exe file to a directory from which applications are run, Not validating file extensions or MIME types for uploaded files that could be executable. keywords: unrestricted file upload, dangerous file type, code execution, web shell, file validation, MIME type, extension check + CWE-426 Name: Untrusted Search Path Description: The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control. examples: A program using an environment variable like LD_LIBRARY_PATH or PYTHONPATH set by a user to find libraries, An application that loads plugins from a directory specified in a user-modifiable configuration file, Scripts that source other scripts from paths influenced by user input. keywords: untrusted search path, DLL hijacking, library loading, environment variable, path manipulation, code execution, RPATH + CWE-601 Name: URL Redirection to Untrusted Site ('Open Redirect') Description: A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. examples: A login page redirects to $_GET['redirect_url'] without validating the URL is on the same domain, A link shortener that doesn't check if the target URL is malicious, Using user-provided URLs in HTTP Location headers without proper validation. keywords: open redirect, URL redirection, phishing, untrusted site, input validation, allowlist, Location header + CWE-416 Name: Use After Free Description: Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. 
examples: An object is deleted, but a pointer to it is still used later, A data structure element is freed, but iterators or other references to it are not updated, Using a pointer that was passed to free() in an error handling path that doesn't immediately exit. keywords: use after free, UAF, dangling pointer, memory corruption, crash, remote code execution, heap exploitation + CWE-327 Name: Use of a Broken or Risky Cryptographic Algorithm Description: The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. examples: Using MD5 or SHA1 for password hashing, Employing DES or RC4 for data encryption, Relying on custom-made 'homegrown' cryptographic algorithms. keywords: broken crypto, risky crypto, weak algorithm, MD5, SHA1, DES, RC4, outdated cryptography, insecure algorithm + CWE-338 Name: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Description: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. examples: Using java.util.Random or Python's random module to generate session IDs or encryption keys, Relying on rand() or libc PRNGs for cryptographic purposes, PRNGs with small internal state or predictable output sequences. keywords: weak PRNG, cryptographically weak PRNG, CSPRNG, rand(), java.util.Random, predictability, insufficient randomness, security context + CWE-134 Name: Use of Externally-Controlled Format String Description: The software uses a function that accepts a format string as an argument, but the format string originates from an external source. examples: Calling printf(user_input) instead of printf('%s', user_input), Using user-controlled data as the first argument to syslog(), sprintf(), or fprintf(), A logging function that takes a format string directly from a network request. 
keywords: format string vulnerability, format string bug, printf, sprintf, memory corruption, information disclosure, code execution, %n + CWE-470 Name: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') Description: The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. examples: Java Class.forName(userInput).newInstance() where userInput comes from an HTTP parameter, Python getattr(module, user_string)() to call functions, Deserializing objects where the class name is controlled by the attacker. keywords: unsafe reflection, code execution, class loading, dynamic invocation, input validation, Class.forName, getattr, deserialization + CWE-798 Name: Use of Hard-coded Credentials Description: The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. examples: Default admin password compiled into the application binary, Database connection string with username/password stored in source code, A fixed AES encryption key embedded in a mobile app. keywords: hard-coded credentials, hardcoded password, embedded key, secret in code, backdoor, insecure default + CWE-706 Name: Use of Incorrectly-Resolved Name or Reference Description: The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. examples: DNS rebinding attacks where a malicious site resolves to an internal IP after an initial check, TOCTOU issues with filename resolution where a symlink is introduced, Relying on hostname resolution that can be manipulated by a local attacker (e.g., /etc/hosts). 
keywords: incorrect name resolution, DNS rebinding, TOCTOU, symlink attack, reference misresolution, control sphere bypass + CWE-330 Name: Use of Insufficiently Random Values Description: The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. examples: Generating password reset tokens that are easily guessable (e.g., sequential or based on timestamp), Using a PRNG with a small seed space for cryptographic keys, Session IDs that follow a predictable pattern. keywords: insufficient randomness, predictability, weak PRNG, entropy, guessable tokens, cryptographic weakness, session ID generation + CWE-916 Name: Use of Password Hash With Insufficient Computational Effort Description: The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. examples: Using unsalted MD5 or SHA1 for password storage, Using bcrypt or scrypt with a very low work factor/iteration count, Custom hashing schemes that are fast to compute. keywords: weak password hashing, insufficient effort, bcrypt, scrypt, PBKDF2, Argon2, password cracking, salt, work factor, iteration count, MD5, SHA1 + CWE-908 Name: Use of Uninitialized Resource Description: The software uses or accesses a resource that has not been initialized. examples: Reading from a variable before any value is assigned to it (common in C/C++), Using an object whose constructor was not called or failed, Dereferencing a pointer member of a struct that was malloced but not initialized. 
keywords: uninitialized resource, uninitialized variable, use before initialization, undefined behavior, garbage value, null pointer, default state + CWE-640 Name: Weak Password Recovery Mechanism for Forgotten Password Description: The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. examples: Password reset based on easily guessable security questions (e.g., 'What is your favorite color?'), Sending new passwords in cleartext via email, Generating predictable password reset tokens. keywords: weak password recovery, forgotten password, security questions, reset token, account takeover, insecure mechanism, predictable token + CWE-521 Name: Weak Password Requirements Description: The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts. examples: Allowing passwords like '123456' or 'password', Not enforcing minimum length or complexity (mix of character types), No check against common password lists. keywords: weak password requirements, password policy, password strength, brute force, dictionary attack, password complexity, minimum length + CWE-91 Name: XML Injection (aka Blind XPath Injection) Description: The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. examples: Concatenating user input directly into an XPath query string, Building XML documents by string concatenation with unescaped user data, A SOAP service that parses XML containing malicious external entity references (XXE if parser supports it). 
keywords: XML injection, XPath injection, XML parsing, data manipulation, XXE, SOAP injection, input sanitization, special characters Rules for returning the vendor: - Return only the official/primary vendor name - For open source projects, return the organization maintaining it @@ -199,7 +457,7 @@ async def categorize_vulnerability_provider(self, description): Cause: Impact: """ - + local_prompt = f"{local_prompt}\\)" try: tokenizer = AutoTokenizer.from_pretrained(model) diff --git a/src/data_sources/nvd_extractor.py b/src/data_sources/nvd_extractor.py index 3914949..bde7b1f 100644 --- a/src/data_sources/nvd_extractor.py +++ b/src/data_sources/nvd_extractor.py @@ -50,6 +50,21 @@ def normalize_data(self, vulnerability): description = desc.get('value', '') break + # Extrair CWE(s) do campo weaknesses + # Extrair CWE(s) do campo weaknesses + cwes = set() + weaknesses = cve.get('weaknesses', []) if isinstance(cve, dict) else [] + if isinstance(weaknesses, list) and weaknesses: + for weakness in weaknesses: + descs = weakness.get('description', []) + if isinstance(descs, list): + for desc in descs: + if isinstance(desc, dict) and desc.get('lang') == 'en': + value = desc.get('value', '') + if value: + cwes.add(value) + cwe = ','.join(sorted(cwes)) if cwes else '' + # CVSS v3.1 (pega o mais relevante, geralmente o Ășltimo ou o de source 'nvd@nist.gov') metrics = cve.get('metrics', {}) if isinstance(cve, dict) else {} cvss_score = '' @@ -68,7 +83,7 @@ def normalize_data(self, vulnerability): if isinstance(cvss_data, dict): cvss_score = cvss_data.get('baseScore', '') severity = cvss_data.get('baseSeverity', '') - + return { 'id': cve.get('id', '') if isinstance(cve, dict) else '', 'description': description,
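Review bot: In the CWE loop added to normalize_data, `weakness.get('description', [])` is called without the `isinstance(..., dict)` guard that every other access in this hunk has, so a non-dict entry in `weaknesses` would raise AttributeError instead of being skipped; add `if not isinstance(weakness, dict): continue` as the first statement of `for weakness in weaknesses:`. The comment `# Extrair CWE(s) do campo weaknesses` appears twice in a row and one copy should be dropped. The computed `cwe` string is not used in any visible line: the `return {` dict in the next hunk changes only whitespace, so unless a line outside these hunks adds `'cwe': cwe`, the value is discarded. The set also merges the assignments from every entry in `weaknesses` and keeps NVD placeholders such as `NVD-CWE-noinfo`, which deserves a one-line comment if this field is later compared with the categorizer's output. normalize_data starts and ends outside the hunk.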