
CWEs that violate the OWASP 2021 standard

This table lists all the CWEs that can cause an application to fail a policy that includes an Auto-Update OWASP policy rule. For each CWE it shows whether Veracode Static Analysis, Dynamic Analysis, or both can detect it, and the Veracode severity assigned to the flaw.

| CWE ID | CWE name | Static support | Dynamic support | Veracode severity |
|---|---|---|---|---|
| 15 | External Control of System or Configuration Setting | X | | 4 - High |
| 16 | Configuration | | X | 0 - Informational |
| 20 | Improper Input Validation | X | | 0 - Informational |
| 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | X | X | 3 - Medium |
| 35 | Path Traversal: '.../...//' | X | | 2 - Low |
| 73 | External Control of File Name or Path | X | | 3 - Medium |
| 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | | X | 4 - High |
| 77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | X | | 5 - Very High |
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | X | X | 5 - Very High |
| 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | X | X | 3 - Medium |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | X | X | 3 - Medium |
| 83 | Improper Neutralization of Script in Attributes in a Web Page | X | X | 3 - Medium |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | X | | 3 - Medium |
| 88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | X | | 3 - Medium |
| 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | X | X | 4 - High |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection) | X | | 3 - Medium |
| 91 | XML Injection (aka Blind XPath Injection) | X | X | 3 - Medium |
| 93 | Improper Neutralization of CRLF Sequences (CRLF Injection) | X | | 3 - Medium |
| 94 | Improper Control of Generation of Code (Code Injection) | X | | 3 - Medium |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection) | X | X | 5 - Very High |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) | X | X | 4 - High |
| 99 | Improper Control of Resource Identifiers (Resource Injection) | X | | 3 - Medium |
| 112 | Missing XML Validation | X | | 3 - Medium |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) | X | X | 3 - Medium |
| 114 | Process Control | X | | 5 - Very High |
| 117 | Improper Output Neutralization for Logs | X | | 3 - Medium |
| 129 | Improper Validation of Array Index | X | | 3 - Medium |
| 134 | Use of Externally-Controlled Format String | X | | 5 - Very High |
| 159 | Improper Handling of Invalid Use of Special Elements | X | | 0 - Informational |
| 183 | Permissive List of Allowed Inputs | X | | 3 - Medium |
| 200 | Exposure of Sensitive Information to an Unauthorized Actor | X | X | 2 - Low |
| 201 | Insertion of Sensitive Information Into Sent Data | X | | 2 - Low |
| 209 | Generation of Error Message Containing Sensitive Information | X | X | 2 - Low |
| 215 | Insertion of Sensitive Information Into Debugging Code | X | X | 2 - Low |
| 223 | Omission of Security-relevant Information | X | | 2 - Low |
| 256 | Plaintext Storage of a Password | X | | 3 - Medium |
| 259 | Use of Hard-coded Password | X | X | 3 - Medium |
| 261 | Weak Encoding for Password | X | | 3 - Medium |
| 272 | Least Privilege Violation | X | | 3 - Medium |
| 282 | Improper Ownership Management | X | | 3 - Medium |
| 285 | Improper Authorization | X | X | 3 - Medium |
| 287 | Improper Authentication | X | X | 4 - High |
| 295 | Improper Certificate Validation | X | | 3 - Medium |
| 296 | Improper Following of a Certificate's Chain of Trust | | X | 3 - Medium |
| 297 | Improper Validation of Certificate with Host Mismatch | X | X | 3 - Medium |
| 298 | Improper Validation of Certificate Expiration | | X | 3 - Medium |
| 299 | Improper Check for Certificate Revocation | | X | 3 - Medium |
| 311 | Missing Encryption of Sensitive Data | X | | 3 - Medium |
| 312 | Cleartext Storage of Sensitive Information | X | | 3 - Medium |
| 313 | Cleartext Storage in a File or on Disk | X | | 3 - Medium |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | | 3 - Medium |
| 319 | Cleartext Transmission of Sensitive Information | X | | 3 - Medium |
| 321 | Use of Hard-coded Cryptographic Key | X | X | 3 - Medium |
| 326 | Inadequate Encryption Strength | X | X | 3 - Medium |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | X | 3 - Medium |
| 328 | Use of Weak Hash | X | | 3 - Medium |
| 329 | Generation of Predictable IV with CBC Mode | X | | 2 - Low |
| 330 | Use of Insufficiently Random Values | X | | 3 - Medium |
| 331 | Insufficient Entropy | X | | 3 - Medium |
| 338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | X | | 3 - Medium |
| 345 | Insufficient Verification of Data Authenticity | X | | 4 - High |
| 346 | Origin Validation Error | X | | 3 - Medium |
| 347 | Improper Verification of Cryptographic Signature | X | | 2 - Low |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | X | | 3 - Medium |
| 352 | Cross-Site Request Forgery (CSRF) | X | X | 3 - Medium |
| 354 | Improper Validation of Integrity Check Value | X | | 3 - Medium |
| 359 | Exposure of Private Personal Information to an Unauthorized Actor | X | | 2 - Low |
| 377 | Insecure Temporary File | X | | 3 - Medium |
| 384 | Session Fixation | X | X | 3 - Medium |
| 402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | | X | 3 - Medium |
| 421 | Race Condition During Access to Alternate Channel | X | | 3 - Medium |
| 426 | Untrusted Search Path | X | | 3 - Medium |
| 427 | Uncontrolled Search Path Element | X | | 3 - Medium |
| 434 | Unrestricted Upload of File with Dangerous Type | | X | 4 - High |
| 441 | Unintended Proxy or Intermediary ('Confused Deputy') | X | | 3 - Medium |
| 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | X | | 3 - Medium |
| 472 | External Control of Assumed-Immutable Web Parameter | X | | 3 - Medium |
| 494 | Download of Code Without Integrity Check | X | | 5 - Very High |
| 497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | X | | 2 - Low |
| 501 | Trust Boundary Violation | X | | 3 - Medium |
| 502 | Deserialization of Untrusted Data | X | | 3 - Medium |
| 522 | Insufficiently Protected Credentials | X | X | 3 - Medium |
| 526 | Exposure of Sensitive Information Through Environmental Variables | | X | 2 - Low |
| 530 | Exposure of Backup File to an Unauthorized Control Sphere | | X | 2 - Low |
| 532 | Insertion of Sensitive Information into Log File | X | | 2 - Low |
| 538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | | X | 2 - Low |
| 547 | Use of Hard-coded, Security-relevant Constants | X | | 3 - Medium |
| 548 | Information Exposure Through Directory Listing | | X | 2 - Low |
| 564 | SQL Injection: Hibernate | X | | 4 - High |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | X | | 3 - Medium |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X | 3 - Medium |
| 611 | Improper Restriction of XML External Entity Reference (XXE) | X | X | 3 - Medium |
| 614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | X | X | 2 - Low |
| 615 | Inclusion of Sensitive Information in Source Code Comments | X | X | 0 - Informational |
| 639 | Authorization Bypass Through User-Controlled Key | X | | 4 - High |
| 642 | External Control of Critical State Data | | X | 2 - Low |
| 656 | Reliance on Security Through Obscurity | X | | 0 - Informational |
| 668 | Exposure of Resource to Wrong Sphere | X | X | 3 - Medium |
| 708 | Incorrect Ownership Assignment | X | | 4 - High |
| 732 | Incorrect Permission Assignment for Critical Resource | X | | 3 - Medium |
| 757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | X | X | 3 - Medium |
| 760 | Use of a One-Way Hash with a Predictable Salt | X | | 3 - Medium |
| 780 | Use of RSA Algorithm without OAEP | X | | 3 - Medium |
| 798 | Use of Hard-coded Credentials | X | | 3 - Medium |
| 829 | Inclusion of Functionality from Untrusted Control Sphere | X | X | 3 - Medium |
| 830 | Inclusion of Web Functionality from an Untrusted Source | | X | 2 - Low |
| 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | X | | 3 - Medium |
| 916 | Use of Password Hash With Insufficient Computational Effort | X | | 3 - Medium |
| 918 | Server-Side Request Forgery (SSRF) | X | X | 3 - Medium |
| 926 | Improper Export of Android Application Components | X | | 3 - Medium |
| 942 | Permissive Cross-domain Policy with Untrusted Domains | X | X | 3 - Medium |
| 943 | Improper Neutralization of Special Elements in Data Query Logic | X | | 4 - High |
| 1174 | ASP.NET Misconfiguration: Improper Model Validation | X | | 2 - Low |
| 1236 | Improper Neutralization of Formula Elements in a CSV File | X | | 3 - Medium |