Veracode references the Common Weakness Enumeration (CWE) standard to map the flaws found in its static and dynamic scans.
Since its founding, Veracode has reported flaws using the industry standard Common Weakness Enumeration as a taxonomy. The CWE provides a mapping of all known types of software weakness or vulnerability, and provides supplemental information to help developers understand the cause of common weaknesses and how to fix them.
Veracode always uses the latest version of the CWE, and updates to new versions within 90 days of release. This page lists the flaws that Veracode may report in automated static and dynamic scans. When a flaw may be mapped to several CWEs, Veracode generally reports the most general CWE that describes that particular case. For example, Veracode prefers CWE-80 for cross-site scripting over its child CWEs. Veracode updates this list frequently.
Veracode Manual Penetration Testing scans may report any valid CWE. You can see the full list of CWEs at the Mitre CWE website.
The listed flaws are grouped according to a list of categories that Veracode uses for convenience. The categories generally correspond to common types of attacks.
Supported static and dynamic scans
This table lists all the CWEs that Veracode searches for during static and dynamic scans.
In the Flaw severity column, Veracode defines flaw severities on the following severity scale:
- 0: Informational
- 1: Very Low
- 2: Low
- 3: Medium
- 4: High
- 5: Very High.
For more information, see Veracode flaw severities.
CWEs that violate security standards provides the full list of CWEs that can prevent an application from passing security standard rules in policies.
API abuse
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 234 | Failure to Handle Missing Parameter | 3 | X | | |
| 243 | Creation of Chroot Jail Without Changing Working Directory | 4 | X | | |
| 245 | J2EE Bad Practices: Direct Management of Connections | 2 | X | | |
| 560 | Use of Umask() with Chmod-Style Argument | 3 | X | | |
| 628 | Function Call with Incorrectly Specified Arguments | 2 | X | | |
| 675 | Duplicate Operations on Resource | 2 | X | | |
Authentication issues
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 284 | Improper Access Control | 3 | X | X | X |
| 287 | Improper Authentication | 4 | X | X | X |
| 352 | Cross-Site Request Forgery (CSRF) | 3 | X | X | X |
| 693 | Protection Mechanism Failure | 3 | X | X | |
Authorization issues
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 99 | Improper Control of Resource Identifiers | 3 | X | | |
| 272 | Least Privilege Violation | 3 | X | | |
| 273 | Improper Check for Dropped Privileges | 3 | X | | |
| 274 | Improper Handling of Insufficient Privileges | 0 | X | | |
| 282 | Improper Ownership Management | 3 | X | | |
| 285 | Improper Authorization | 3 | X | X | X |
| 346 | Origin Validation Error | 3 | X | | |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | 3 | X | | |
| 639 | Authorization Bypass Through User-Controlled Key | 4 | X | | |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | 3 | X | | |
| 708 | Incorrect Ownership Assignment | 4 | X | | |
| 732 | Incorrect Permission Assignment for Critical Resource | 3 | X | | |
| 942 | Permissive Cross-domain Policy with Untrusted Domains | 3 | X | X | X |
Buffer management errors
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 118 | Improper Access of Indexable Resource (Range Error) | 3 | X | | |
| 125 | Out-of-Bounds Read | 3 | X | | |
| 129 | Improper Validation of Array Index | 3 | X | | |
| 135 | Incorrect Calculation of Multi-Byte String Length | 5 | X | | |
| 170 | Improper Null Termination | 3 | X | | |
| 193 | Off-by-One Error | 3 | X | | |
| 787 | Out-of-Bounds Write | 3 | X | | |
| 823 | Use of Out-of-Range Pointer Offset | 3 | X | | |
| 824 | Access of Uninitialized Pointer | 3 | X | | |
Buffer overflow
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 121 | Stack-Based Buffer Overflow | 5 | X | | |
Code injection
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | 4 | | X | X |
| 91 | XML Injection (Blind XPath Injection) | 3 | X | X | |
| 94 | Improper Control of Generation of Code | 3 | X | | |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | 5 | X | X | |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP File Inclusion) | 4 | X | X | X |
| 185 | Incorrect Regular Expression | 2 | X | | |
| 830 | Inclusion of Web Functionality from an Untrusted Source | 2 | | X | |
Code quality
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 111 | Direct Use of Unsafe JNI | 4 | X | | |
| 159 | Failure to Sanitize Special Element | 0 | X | | |
| 401 | Improper Release of Memory Before Removing Last Reference (Memory Leak) | 2 | X | | |
| 404 | Improper Resource Shutdown or Release | 0 | X | | |
| 415 | Double Free | 3 | X | | |
| 416 | Use After Free | 2 | X | | |
| 477 | Use of Obsolete Functions | 0 | X | X | |
| 479 | Signal Handler Use of a Non-Reentrant Function | 3 | X | | |
| 489 | Leftover Debug Code | 3 | X | | |
| 597 | Use of Wrong Operator in String Comparison | 2 | X | | |
Command or argument injection
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | 5 | X | | X |
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | 5 | X | X | X |
| 88 | Argument Injection or Modification | 3 | X | | |
Credentials management
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 256 | Plaintext Storage of a Password | 3 | X | | |
| 259 | Use of Hard-coded Password | 3 | X | X | |
| 522 | Insufficiently Protected Credentials | 3 | X | X | X |
| 798 | Use of Hard-code Credentials | 3 | X | | |
CRLF injection
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 93 | Improper Neutralization of CRLF Sequences (CRLF Injection) | 3 | X | | |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) | 3 | X | X | |
| 117 | Improper Output Neutralization for Logs | 3 | X | | |
Cross-site scripting (XSS)
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | 3 | X | X | X |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 | X | X | X |
| 83 | Improper Neutralization of Script in Attributes in a Web Page | 3 | X | X | X |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | 3 | X | | |
Cryptographic issues
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 261 | Weak Cryptography for Passwords | 3 | X | | |
| 295 | Improper Certificate Validation | 3 | X | | X |
| 296 | Improper Following of Chain of Trust for Certificate Validation | 3 | | X | X |
| 297 | Improper Validation of Host-specific Certificate Data | 3 | X | X | X |
| 298 | Improper Validation of Certificate Expiration | 3 | | X | X |
| 299 | Improper Check for Certificate Revocation | 3 | | X | X |
| 311 | Missing Encryption of Sensitive Data | 3 | X | | |
| 312 | Cleartext Storage of Sensitive Information | 3 | X | | |
| 313 | Plaintext Storage in a File or on Disk | 3 | X | | |
| 316 | Plaintext Storage in Memory | 3 | X | | |
| 319 | Cleartext Transmission of Sensitive Information | 3 | X | | |
| 321 | Use of Hard-coded Cryptographic Key | 3 | X | X | |
| 326 | Inadequate Encryption Strength | 3 | X | X | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | 3 | X | X | X |
| 328 | Reversible One-Way Hash | 3 | X | | |
| 329 | Not Using a Random IV with CBC Mode | 2 | X | | X |
| 330 | Use of Insufficiently Random Values | 3 | X | | |
| 331 | Insufficient Entropy | 3 | X | | |
| 338 | Use of Cryptographically Weak Pseudo-Random Number Generator | 3 | X | | |
| 347 | Improper Verification of Cryptographic Signature | 2 | X | | |
| 354 | Improper Validation of Integrity Check Value | 3 | X | | |
| 547 | Use of Hard-coded, Security-relevant Constants | 3 | X | | |
| 614 | Sensitive Cookie in HTTPS Session Without Secure Attribute | 2 | X | X | X |
| 760 | Use of a One-Way Hash with a Predictable Salt | 3 | X | | |
| 780 | Use of RSA without Optimal Asymmetric Encryption Padding | 3 | X | | |
| 916 | Use of Password Hash With Insufficient Computational Effort | 3 | X | | |
Dangerous functions
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 242 | Use of Inherently Dangerous Function | 5 | X | | |
| 676 | Use of Potentially Dangerous Function | 3 | X | | |
Deployment configuration
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 402 | Transmission of Private Resources into a New Sphere (Resource Leak) | 3 | | X | |
| 498 | Cloneable Class Containing Sensitive Information | 2 | X | | |
| 668 | Exposure of Resource to Wrong Sphere | 3 | X | X | X |
| 926 | Improper Export of Android Application Components | 3 | X | | |
Directory traversal
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | 3 | X | X | X |
| 35 | Path Traversal | 2 | X | | X |
| 73 | External Control of File Name or Path | 3 | X | | X |
Encapsulation
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 494 | Download of Code Without Integrity Check | 5 | X | | |
| 501 | Trust Boundary Violation | 3 | X | | |
| 502 | Deserialization of Untrusted Data | 3 | X | | X |
| 749 | Exposed Dangerous Method or Function | 4 | X | | |
Error handling
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 248 | Uncaught Exception | 2 | X | | |
| 252 | Unchecked Return Value | 2 | X | | |
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 134 | Use of Externally-Controlled Format String | 5 | X | | |
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 200 | Information Exposure | 2 | X | X | X |
| 201 | Insertion of Sensitive Information Into Sent Data | 2 | X | | |
| 209 | Information Exposure Through an Error Message | 2 | X | X | |
| 215 | Information Exposure Through Debug Information | 2 | X | X | |
| 359 | Exposure of Private Information (Privacy Violation) | 2 | X | | |
| 497 | Exposure of System Data to an Unauthorized Control Sphere | 2 | X | | |
| 526 | Information Exposure Through Environmental Variables | 2 | | X | |
| 530 | Exposure of Backup File to an Unauthorized Control Sphere | 2 | | X | X |
| 532 | Insertion of Sensitive Information into Log File | 2 | X | | |
| 538 | File and Directory Information Exposure | 0 | | X | X |
| 548 | Information Exposure Through Directory Listing | 2 | | X | X |
| 611 | Information Exposure Through XML External Entity Reference | 3 | X | X | X |
| 615 | Information Exposure Through Comments | 0 | X | X | |
| 665 | Improper Initialization | 2 | X | | |
| 918 | Server-side Request Forgery | 3 | X | X | |
Insecure Dependencies
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 829 | Inclusion of Functionality from Untrusted Control Sphere | 3 | X | X | X |
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 20 | Improper Input Validation | 0 | X | | |
| 90 | Improper Neutralization of Special Elements Used in an LDAP Query (LDAP Injection) | 3 | X | | |
| 103 | Struts: Incomplete validate() Method Definition | 3 | X | | |
| 104 | Struts: Form Bean Does Not Extend Validation Class | 3 | X | | |
| 112 | Missing XML Validation | 3 | X | | X |
| 115 | Misinterpretation of Input | 4 | | X | |
| 183 | Permissive List of Allowed Inputs | 3 | X | | |
| 345 | Insufficient Verification of Data Authenticity | 4 | X | X | |
| 434 | Unrestricted Upload of File with Dangerous Type | 4 | | X | |
| 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | 3 | X | | |
| 472 | External Control of Assumed-Immutable Web Parameter | 3 | X | | |
| 601 | URL Redirection to Untrusted Site (Open Redirect) | 3 | X | X | |
| 618 | Exposed Unsafe ActiveX Method | 5 | X | | |
| 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | 3 | X | | |
| 1174 | ASP.NET Misconfiguration: Improper Model Validation | 2 | X | | |
| 1236 | Improper Neutralization of Formula Elements in a CSV File | 3 | X | | |
Insufficient logging and monitoring
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 223 | Omission of Security-relevant Information | 2 | X | | |
Numeric errors
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 190 | Integer Overflow or Wraparound | 5 | X | | |
| 191 | Integer Underflow (Wrap or Wraparound) | 3 | X | | |
| 192 | Integer Coercion Error | 3 | X | | |
| 195 | Signed to Unsigned Conversion Error | 3 | X | | |
| 196 | Unsigned to Signed Conversion Error | 3 | X | | |
| 197 | Numeric Truncation Error | 3 | X | | |
Potential backdoor
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 398 | Indicator of Poor Code Quality | 0 | X | | |
| 506 | Embedded Malicious Code | 4 | X | | |
| 511 | Logic/Time Bomb | 5 | X | | |
| 514 | Covert Channel | 2 | X | | |
| 656 | Reliance on Security Through Obscurity | 0 | X | | |
Race conditions
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 366 | Race Condition within a Thread | 3 | X | | |
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | 3 | X | | |
| 421 | Race Condition During Access to Alternate Channel | 3 | X | | |
Server configuration
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 16 | Configuration | 0 | | X | X |
| 441 | Unintended Proxy or Intermediary (Confused Deputy) | 3 | X | | |
| 642 | External Control of Critical State Data | 2 | | X | |
| 757 | Selection of Less-Secure Algorithm During Negotiation (Algorithm Downgrade) | 3 | X | X | X |
Sessions fixation
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 384 | Session Fixation | 3 | X | X | |
SQL injection
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | 4 | X | X | X |
| 564 | SQL Injection: Hibernate | 4 | X | | |
| 943 | Improper Neutralization of Special Elements in Data Query Logic | 4 | X | | |
Time and state
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 377 | Insecure Temporary File | 3 | X | | |
| 382 | J2EE Bad Practices: Use of System.exit() | 2 | X | | |
| 557 | Concurrency Issues | 2 | X | | |
| 691 | Insufficient Control Flow Management | 0 | X | | |
Untrusted initialization
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 15 | External Control of System or Configuration Setting | 4 | X | | |
| 454 | External Initialization of Trusted Variables or Data Stores | 0 | X | | |
Untrusted search path
| CWE ID | CWE name | Flaw severity | Static | Dynamic | DAST Essentials |
|---|
| 114 | Process Control | 5 | X | | |
| 426 | Untrusted Search Path | 3 | X | | |
| 427 | Uncontrolled Search Path Element | 3 | X | | |