Skip to main content

CWEs that violate the CERT standard

This table lists all the CWEs that may cause an application to not pass a policy that includes a CERT policy rule.

CWE IDCWE nameStatic supportDynamic supportVeracode severity
14Compiler Removal of Code to Clear Buffers   
20Improper Input ValidationX 0 - Informational
22Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)XX3 - Medium
37Path Traversal: '/absolute/pathname/here'   
38Path Traversal: '\absolute\pathname\here'   
39Path Traversal: 'C:dirname'   
41Improper Resolution of Path Equivalence   
59Improper Link Resolution Before File Access (Link Following)   
62UNIX Hard Link   
64Windows Shortcut Following (.LNK)   
65Windows Hard Link   
67Improper Handling of Windows Device Names   
78Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)XX5 - Very High
88Argument Injection or ModificationX 3 - Medium
111Direct Use of Unsafe JNIX 4 - High
116Improper Encoding or Escaping of Output   
117Improper Output Neutralization for LogsX 3 - Medium
119Improper Restriction of Operations within the Bounds of a Memory Buffer   
120Buffer Copy without Checking Size of Input (Classic Buffer Overflow)   
121Stack-based Buffer OverflowX 5 - Very High
122Heap-based Buffer Overflow   
123Write-what-where Condition   
125Out-of-bounds ReadX 3 - Medium
128Wrap-around Error   
129Improper Validation of Array IndexX 3 - Medium
131Incorrect Calculation of Buffer Size   
134Use of Externally-Controlled Format StringX 5 - Very High
135Incorrect Calculation of Multi-Byte String LengthX 5 - Very High
144Improper Neutralization of Line Delimiters   
150Improper Neutralization of Escape, Meta, or Control Sequences   
170Improper Null TerminationX 3 - Medium
171Cleansing, Canonicalization, and Comparison Errors   
176Improper Handling of Unicode Encoding   
180Incorrect Behavior Order: Validate Before Canonicalize   
182Collapse of Data into Unsafe Value   
190Integer Overflow or WraparoundX 5 - Very High
191Integer Underflow (Wrap or Wraparound)X 3 - Medium
192Integer Coercion ErrorX 3 - Medium
193Off-by-one ErrorX 3 - Medium
194Unexpected Sign Extension   
195Signed to Unsigned Conversion ErrorX 3 - Medium
197Numeric Truncation ErrorX 3 - Medium
198Use of Incorrect Byte Ordering   
209Information Exposure Through an Error MessageXX2 - Low
226Sensitive Information Uncleared Before Release   
2277PK - API Abuse   
230Improper Handling of Missing Values   
232Improper Handling of Undefined Values   
241Improper Handling of Unexpected Data Type   
242Use of Inherently Dangerous FunctionX 5 - Very High
244Improper Clearing of Heap Memory Before Release (Heap Inspection)   
248Uncaught ExceptionX 2 - Low
250Execution with Unnecessary Privileges   
252Unchecked Return ValueX 2 - Low
253Incorrect Check of Function Return Value   
259Use of Hard-coded PasswordXX3 - Medium
266Incorrect Privilege Assignment   
272Least Privilege ViolationX 3 - Medium
273Improper Check for Dropped PrivilegesX 3 - Medium
276Incorrect Default Permissions   
279Incorrect Execution-Assigned Permissions   
289Authentication Bypass by Alternate Name   
300Channel Accessible by Non-Endpoint (Man-in-the-Middle)   
302Authentication Bypass by Assumed-Immutable Data   
311Missing Encryption of Sensitive DataX 3 - Medium
319Cleartext Transmission of Sensitive InformationX 3 - Medium
327Use of a Broken or Risky Cryptographic AlgorithmXX3 - Medium
330Use of Insufficiently Random ValuesX 3 - Medium
331Insufficient EntropyX 3 - Medium
332Insufficient Entropy in PRNG   
333Improper Handling of Insufficient Entropy in TRNG   
336Same Seed in Pseudo-Random Number Generator (PRNG)   
337Predictable Seed in Pseudo-Random Number Generator (PRNG)   
338Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)X 3 - Medium
347Improper Verification of Cryptographic SignatureX 2 - Low
349Acceptance of Extraneous Untrusted Data With Trusted Data   
359Exposure of Private Information (Privacy Violation)X 2 - Low
362Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)   
363Race Condition Enabling Link Following   
366Race Condition within a ThreadX 3 - Medium
367Time-of-check Time-of-use (TOCTOU) Race ConditionX 3 - Medium
369Divide By Zero   
374Passing Mutable Objects to an Untrusted Method   
375Returning a Mutable Object to an Untrusted Caller   
377Insecure Temporary FileX 3 - Medium
379Creation of Temporary File in Directory with Incorrect Permissions   
382J2EE Bad Practices: Use of System.exit()X 2 - Low
390Detection of Error Condition Without Action   
392Missing Report of Error Condition   
395Use of NullPointerException Catch to Detect NULL Pointer Dereference   
397Declaration of Throws for Generic Exception   
400Uncontrolled Resource Consumption   
401Improper Release of Memory Before Removing Last ReferenceX 2 - Low
403Exposure of File Descriptor to Unintended Control Sphere (File Descriptor Leak)   
404Improper Resource Shutdown or ReleaseX 0 - Informational
405Asymmetric Resource Consumption (Amplification)   
409Improper Handling of Highly Compressed Data (Data Amplification)   
410Insufficient Resource Pool   
412Unrestricted Externally Accessible Lock   
413Improper Resource Locking   
415Double FreeX 3 - Medium
416Use After FreeX 2 - Low
426Untrusted Search PathX 3 - Medium
456Missing Initialization of a Variable   
459Incomplete Cleanup   
460Improper Cleanup on Thrown Exception   
462Duplicate Key in Associative List (Alist)   
464Addition of Data Structure Sentinel   
466Return of Pointer Value Outside of Expected Range   
467Use of sizeof() on a Pointer Type   
468Incorrect Pointer Scaling   
469Use of Pointer Subtraction to Determine Size   
470Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)X 3 - Medium
476NULL Pointer Dereference   
479Signal Handler Use of a Non-reentrant FunctionX 3 - Medium
480Use of Incorrect Operator   
481Assigning instead of Comparing   
482Comparing instead of Assigning   
486Comparison of Classes by Name   
487Reliance on Package-level Scope   
491Public cloneable() Method Without Final (Object Hijack)   
492Use of Inner Class Containing Sensitive Data   
493Critical Public Variable Without Final Modifier   
494Download of Code Without Integrity Check   
497Exposure of System Data to an Unauthorized Control SphereX 2 - Low
498Cloneable Class Containing Sensitive Information   
499Serializable Class Containing Sensitive Data   
500Public Static Field Not Marked Final   
502Deserialization of Untrusted DataX 3 - Medium
528Exposure of Core Dump File to an Unauthorized Control Sphere   
532Insertion of Sensitive Information into Log FileX 2 - Low
543Use of Singleton Pattern Without Synchronization in a Multithreaded Context   
544Missing Standardized Error Handling Mechanism   
547Use of Hard-coded, Security-relevant ConstantsX 3 - Medium
552Files or Directories Accessible to External Parties   
561Dead Code   
562Return of Stack Variable Address   
563Assignment to Variable without Use   
567Unsynchronized Access to Shared Data in a Multithreaded Context   
568finalize() Method Without super.finalize()   
570Expression is Always False   
571Expression is Always True   
572Call to Thread run() instead of start()   
573Improper Following of Specification by Caller   
581Object Model Violation: Just One of Equals and Hashcode Defined   
582Array Declared Public, Final, and Static   
583finalize() Method Declared Public   
584Return Inside Finally Block   
586Explicit Call to Finalize()   
587Assignment of a Fixed Address to a Pointer   
589Call to Non-ubiquitous API   
590Free of Memory not on the Heap   
591Sensitive Data Storage in Improperly Locked Memory   
595Comparison of Object References Instead of Object Contents   
597Use of Wrong Operator in String ComparisonX 2 - Low
600Uncaught Exception in Servlet   
606Unchecked Input for Loop Condition   
609Double-Checked Locking   
617Reachable Assertion   
625Permissive Regular Expression   
628Function Call with Incorrectly Specified ArgumentsX 2 - Low
647Use of Non-Canonical URL Paths for Authorization Decisions   
662Improper Synchronization   
664Improper Control of a Resource Through its Lifetime   
665Improper InitializationX 2 - Low
666Operation on Resource in Wrong Phase of Lifetime   
667Improper Locking   
672Operation on a Resource after Expiration or Release   
675Duplicate Operations on ResourceX 2 - Low
676Use of Potentially Dangerous FunctionX 3 - Medium
680Integer Overflow to Buffer Overflow   
681Incorrect Conversion between Numeric Types   
682Incorrect Calculation   
684Incorrect Provision of Specified Functionality   
685Function Call With Incorrect Number of Arguments   
686Function Call With Incorrect Argument Type   
687Function Call With Incorrectly Specified Argument Value   
690Unchecked Return Value to NULL Pointer Dereference   
696Incorrect Behavior Order   
697Incorrect Comparison   
703Improper Check or Handling of Exceptional Conditions   
704Incorrect Type Conversion or Cast   
705Incorrect Control Flow Scoping   
732Incorrect Permission Assignment for Critical ResourceX 3 - Medium
754Improper Check for Unusual or Exceptional Conditions   
758Reliance on Undefined, Unspecified, or Implementation-Defined Behavior   
762Mismatched Memory Management Routines   
766Critical Data Element Declared Public   
770Allocation of Resources Without Limits or Throttling   
771Missing Reference to Active Allocated Resource   
772Missing Release of Resource after Effective Lifetime   
773Missing Reference to Active File Descriptor or Handle   
775Missing Release of File Descriptor or Handle after Effective Lifetime   
783Operator Precedence Logic Error   
786Access of Memory Location Before Start of Buffer   
789Uncontrolled Memory Allocation   
798Use of Hard-coded CredentialsX 3 - Medium
805Buffer Access with Incorrect Length Value   
807Reliance on Untrusted Inputs in a Security Decision   
820Missing Synchronization   
838Inappropriate Encoding for Output Context   
843Access of Resource Using Incompatible Type (Type Confusion)   
908Use of Uninitialized Resource   
910Use of Expired File Descriptor