CWEs that violate the OWASP 2017 standard

This table lists every CWE that can cause an application to fail a policy that includes an OWASP 2017 policy rule (the rule corresponds to the OWASP Top 10 2017 categories). An X in the Static support or Dynamic support column means that Veracode Static Analysis or Veracode Dynamic Analysis, respectively, reports findings for that CWE; the Veracode severity column gives the severity assigned to those findings. CWEs with no X in either column are still part of the rule but have no severity listed.

| CWE ID | CWE name | Static support | Dynamic support | Veracode severity |
|---|---|---|---|---|
| 5 | J2EE Misconfiguration: Data Transmission Without Encryption | | | |
| 9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | | | |
| 13 | ASP.NET Misconfiguration: Password in Configuration File | | | |
| 16 | Configuration | | X | 0 - Informational |
| 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | X | X | 3 - Medium |
| 23 | Relative Path Traversal | | | |
| 24 | Path Traversal: `'../filedir'` | | | |
| 25 | Path Traversal: `'/../filedir'` | | | |
| 26 | Path Traversal: `'/dir/../filename'` | | | |
| 27 | Path Traversal: `'dir/../../filename'` | | | |
| 28 | Path Traversal: `'..\filedir'` | | | |
| 29 | Path Traversal: `'\..\filename'` | | | |
| 30 | Path Traversal: `'\dir\..\filename'` | | | |
| 31 | Path Traversal: `'dir\..\..\filename'` | | | |
| 32 | Path Traversal: `'...'` (Triple Dot) | | | |
| 33 | Path Traversal: `'....'` (Multiple Dot) | | | |
| 34 | Path Traversal: `'....//'` | | | |
| 35 | Path Traversal: `'.../...//'` | | | |
| 36 | Absolute Path Traversal | | | |
| 37 | Path Traversal: `'/absolute/pathname/here'` | | | |
| 38 | Path Traversal: `'\absolute\pathname\here'` | | | |
| 39 | Path Traversal: `'C:dirname'` | | | |
| 40 | Path Traversal: `'\\UNC\share\name\'` (Windows UNC Share) | | | |
| 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | | X | 4 - High |
| 75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | | | |
| 76 | Improper Neutralization of Equivalent Special Elements | | | |
| 77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | X | | 5 - Very High |
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | X | X | 5 - Very High |
| 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | X | X | 3 - Medium |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | X | X | 3 - Medium |
| 81 | Improper Neutralization of Script in an Error Message Web Page | | | |
| 82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | | | |
| 83 | Improper Neutralization of Script in Attributes in a Web Page | | X | 3 - Medium |
| 84 | Improper Neutralization of Encoded URI Schemes in a Web Page | | | |
| 85 | Doubled Character XSS Manipulations | | | |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | X | | 3 - Medium |
| 87 | Improper Neutralization of Alternate XSS Syntax | | | |
| 88 | Argument Injection or Modification | X | | 3 - Medium |
| 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | X | X | 4 - High |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection) | X | | 3 - Medium |
| 91 | XML Injection (aka Blind XPath Injection) | X | | 3 - Medium |
| 93 | Improper Neutralization of CRLF Sequences (CRLF Injection) | X | | 3 - Medium |
| 94 | Improper Control of Generation of Code (Code Injection) | X | | 3 - Medium |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection) | X | | 5 - Very High |
| 96 | Improper Neutralization of Directives in Statically Saved Code (Static Code Injection) | | | |
| 97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | | | |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) | X | X | 4 - High |
| 99 | Improper Control of Resource Identifiers (Resource Injection) | X | | 3 - Medium |
| 102 | Struts: Duplicate Validation Forms | | | |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) | X | X | 3 - Medium |
| 117 | Improper Output Neutralization for Logs | X | | 3 - Medium |
| 202 | Exposure of Sensitive Data Through Data Queries | | | |
| 209 | Information Exposure Through an Error Message | X | X | 2 - Low |
| 210 | Information Exposure Through Self-generated Error Message | | | |
| 211 | Information Exposure Through Externally-Generated Error Message | | | |
| 219 | Sensitive Data Under Web Root | | | |
| 220 | Sensitive Data Under FTP Root | | | |
| 223 | Omission of Security-relevant Information | X | | 2 - Low |
| 256 | Unprotected Storage of Credentials | X | | 3 - Medium |
| 257 | Storing Passwords in a Recoverable Format | | | |
| 258 | Empty Password in Configuration File | | | |
| 259 | Use of Hard-coded Password | X | X | 3 - Medium |
| 260 | Password in Configuration File | | | |
| 261 | Weak Cryptography for Passwords | X | | 3 - Medium |
| 262 | Not Using Password Aging | | | |
| 263 | Password Aging with Long Expiration | | | |
| 266 | Incorrect Privilege Assignment | | | |
| 267 | Privilege Defined With Unsafe Actions | | | |
| 268 | Privilege Chaining | | | |
| 269 | Improper Privilege Management | | | |
| 270 | Privilege Context Switching Error | | | |
| 271 | Privilege Dropping / Lowering Errors | | | |
| 272 | Least Privilege Violation | X | | 3 - Medium |
| 276 | Incorrect Default Permissions | | | |
| 277 | Insecure Inherited Permissions | | | |
| 278 | Insecure Preserved Inherited Permissions | | | |
| 279 | Incorrect Execution-Assigned Permissions | | | |
| 281 | Improper Preservation of Permissions | | | |
| 282 | Improper Ownership Management | X | | 3 - Medium |
| 283 | Unverified Ownership | | | |
| 284 | Improper Access Control | X | | 3 - Medium |
| 285 | Improper Authorization | X | X | 3 - Medium |
| 286 | Incorrect User Management | | | |
| 287 | Improper Authentication | X | X | 4 - High |
| 288 | Authentication Bypass Using an Alternate Path or Channel | | | |
| 289 | Authentication Bypass by Alternate Name | | | |
| 290 | Authentication Bypass by Spoofing | | | |
| 291 | Reliance on IP Address for Authentication | | | |
| 293 | Using Referer Field for Authentication | | | |
| 294 | Authentication Bypass by Capture-replay | | | |
| 295 | Improper Certificate Validation | X | | 3 - Medium |
| 296 | Improper Following of a Certificate's Chain of Trust | | X | 3 - Medium |
| 297 | Improper Validation of Certificate with Host Mismatch | X | X | 3 - Medium |
| 298 | Improper Validation of Certificate Expiration | | X | 3 - Medium |
| 299 | Improper Check for Certificate Revocation | | X | 3 - Medium |
| 300 | Channel Accessible by Non-Endpoint (Man-in-the-Middle) | | | |
| 301 | Reflection Attack in an Authentication Protocol | | | |
| 302 | Authentication Bypass by Assumed-Immutable Data | | | |
| 303 | Incorrect Implementation of Authentication Algorithm | | | |
| 305 | Authentication Bypass by Primary Weakness | | | |
| 306 | Missing Authentication for Critical Function | | | |
| 307 | Improper Restriction of Excessive Authentication Attempts | | | |
| 308 | Use of Single-factor Authentication | | | |
| 309 | Use of Password System for Primary Authentication | | | |
| 311 | Missing Encryption of Sensitive Data | X | | 3 - Medium |
| 312 | Cleartext Storage of Sensitive Information | X | | 3 - Medium |
| 313 | Cleartext Storage in a File or on Disk | X | | 3 - Medium |
| 314 | Cleartext Storage in the Registry | | | |
| 315 | Cleartext Storage of Sensitive Information in a Cookie | | | |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | | 3 - Medium |
| 317 | Cleartext Storage of Sensitive Information in GUI | | | |
| 318 | Cleartext Storage of Sensitive Information in Executable | | | |
| 319 | Cleartext Transmission of Sensitive Information | X | | 3 - Medium |
| 320 | Key Management Errors | | | |
| 321 | Use of Hard-coded Cryptographic Key | X | X | 3 - Medium |
| 322 | Key Exchange without Entity Authentication | | | |
| 325 | Missing Required Cryptographic Step | | | |
| 326 | Inadequate Encryption Strength | X | X | 3 - Medium |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | X | 3 - Medium |
| 328 | Reversible One-Way Hash | X | | 3 - Medium |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | X | | 3 - Medium |
| 359 | Exposure of Private Information (Privacy Violation) | X | | 2 - Low |
| 370 | Missing Check for Certificate Revocation after Initial Check | | | |
| 384 | Session Fixation | X | X | 3 - Medium |
| 419 | Unprotected Primary Channel | | | |
| 420 | Unprotected Alternate Channel | | | |
| 421 | Race Condition During Access to Alternate Channel | X | | 3 - Medium |
| 422 | Unprotected Windows Messaging Channel (Shatter) | | | |
| 425 | Direct Request (Forced Browsing) | | | |
| 433 | Unparsed Raw Web Content Delivery | | | |
| 462 | Duplicate Key in Associative List (Alist) | | | |
| 477 | Use of Obsolete Functions | X | X | 0 - Informational |
| 502 | Deserialization of Untrusted Data | X | | 3 - Medium |
| 520 | .NET Misconfiguration: Use of Impersonation | | | |
| 521 | Weak Password Requirements | | | |
| 522 | Insufficiently Protected Credentials | X | X | 3 - Medium |
| 523 | Unprotected Transport of Credentials | | | |
| 535 | Information Exposure Through Shell Error Message | | | |
| 536 | Information Exposure Through Servlet Runtime Error Message | | | |
| 537 | Information Exposure Through Java Runtime Error Message | | | |
| 548 | Information Exposure Through Directory Listing | | X | 2 - Low |
| 549 | Missing Password Field Masking | | | |
| 550 | Information Exposure Through Server Error Message | | | |
| 551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | | | |
| 555 | J2EE Misconfiguration: Plaintext Password in Configuration File | | | |
| 556 | ASP.NET Misconfiguration: Use of Identity Impersonation | | | |
| 564 | SQL Injection: Hibernate | X | | 4 - High |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | X | | 3 - Medium |
| 599 | Missing Validation of OpenSSL Certificate | | | |
| 611 | Improper Restriction of XML External Entity Reference (XXE) | X | X | 3 - Medium |
| 613 | Insufficient Session Expiration | | | |
| 614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | X | X | 2 - Low |
| 620 | Unverified Password Change | | | |
| 621 | Variable Extraction Error | | | |
| 623 | Unsafe ActiveX Control Marked Safe For Scripting | | | |
| 624 | Executable Regular Expression Error | | | |
| 627 | Dynamic Variable Evaluation | | | |
| 639 | Authorization Bypass Through User-Controlled Key | X | | 4 - High |
| 640 | Weak Password Recovery Mechanism for Forgotten Password | | | |
| 641 | Improper Restriction of Names for Files and Other Resources | | | |
| 643 | Improper Neutralization of Data within XPath Expressions (XPath Injection) | | | |
| 645 | Overly Restrictive Account Lockout Mechanism | | | |
| 647 | Use of Non-Canonical URL Paths for Authorization Decisions | | | |
| 648 | Incorrect Use of Privileged APIs | | | |
| 652 | Improper Neutralization of Data within XQuery Expressions (XQuery Injection) | | | |
| 689 | Permission Race Condition During Resource Copy | | | |
| 692 | Incomplete Denylist to Cross-Site Scripting | | | |
| 694 | Use of Multiple Resources with Duplicate Identifier | | | |
| 708 | Incorrect Ownership Assignment | X | | 4 - High |
| 732 | Incorrect Permission Assignment for Critical Resource | X | | 3 - Medium |
| 759 | Use of a One-Way Hash without a Salt | | | |
| 760 | Use of a One-Way Hash with a Predictable Salt | X | | 3 - Medium |
| 776 | Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) | | | |
| 778 | Insufficient Logging | | | |
| 780 | Use of RSA Algorithm without OAEP | X | | 3 - Medium |
| 798 | Use of Hard-coded Credentials | X | | 3 - Medium |
| 804 | Guessable CAPTCHA | | | |
| 836 | Use of Password Hash Instead of Password for Authentication | | | |
| 842 | Placement of User into Incorrect Group | | | |
| 862 | Missing Authorization | | | |
| 863 | Incorrect Authorization | | | |
| 914 | Improper Control of Dynamically-Identified Variables | | | |
| 916 | Use of Password Hash With Insufficient Computational Effort | X | | 3 - Medium |
| 917 | Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection) | | | |
| 923 | Improper Restriction of Communication Channel to Intended Endpoints | | | |
| 925 | Improper Verification of Intent by Broadcast Receiver | | | |
| 926 | Improper Export of Android Application Components | | | |
| 927 | Use of Implicit Intent for Sensitive Communication | | | |
| 939 | Improper Authorization in Handler for Custom URL Scheme | | | |
| 940 | Improper Verification of Source of a Communication Channel | | | |
| 941 | Incorrectly Specified Destination in a Communication Channel | | | |
| 942 | Permissive Cross-domain Policy with Untrusted Domains | X | X | 3 - Medium |
| 943 | Improper Neutralization of Special Elements in Data Query Logic | X | | 4 - High |
| 1004 | Sensitive Cookie Without HttpOnly Flag | | | |
| 1022 | Use of Web Link to Untrusted Target with window.opener Access | | | |