CWEs that violate security standards
This section lists the Common Weakness Enumerations (CWEs) found in your application during Veracode Static Analysis or Veracode DAST that violate security standards, including Veracode's security rating for the CWEs. In your security policies, you can apply the Security Standards rule and select one or more security standards for the applications to which a policy is assigned. To pass policy, applications must not contain the CWEs defined in the selected standards.
Veracode Manual Penetration Testing scans might report any valid CWE, including those not listed here.
Veracode identifies the CWEs in the following ways:
- Reporting CWEs explicitly listed in the official CWE mappings for the security standard.
- Reporting CWEs that are children or parents of a CWE listed in the official CWE mappings. Veracode generally includes these CWEs if it reports a security category under a more specific or more general CWE than what appears in the standard mapping. For example, Veracode usually reports cross-site scripting found in Static Analyses as CWE 80, but a standard mapping lists it as CWE 79.
The OWASP 2021 standard
The following table lists all the CWEs that might cause an application to not pass a policy that includes an Auto-Update OWASP policy rule.
| CWE ID | CWE name | Static support | Dynamic support | Veracode severity |
|---|---|---|---|---|
| 15 | External Control of System or Configuration Setting | X | | 4 - High |
| 16 | Configuration | X | | 0 - Informational |
| 20 | Improper Input Validation | X | | 0 - Informational |
| 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | X | X | 3 - Medium |
| 35 | Path Traversal: '.../...//' | X | | 2 - Low |
| 73 | External Control of File Name or Path | X | | 3 - Medium |
| 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | X | | 4 - High |
| 77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | X | | 5 - Very High |
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | X | X | 5 - Very High |
| 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | X | X | 3 - Medium |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | X | X | 3 - Medium |
| 83 | Improper Neutralization of Script in Attributes in a Web Page | X | X | 3 - Medium |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | X | | 3 - Medium |
| 88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | X | | 3 - Medium |
| 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | X | X | 4 - High |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection) | X | | 3 - Medium |
| 91 | XML Injection (aka Blind XPath Injection) | X | X | 3 - Medium |
| 93 | Improper Neutralization of CRLF Sequences (CRLF Injection) | X | | 3 - Medium |
| 94 | Improper Control of Generation of Code (Code Injection) | X | | 3 - Medium |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection) | X | X | 5 - Very High |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) | X | X | 4 - High |
| 99 | Improper Control of Resource Identifiers (Resource Injection) | X | | 3 - Medium |
| 112 | Missing XML Validation | X | | 3 - Medium |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) | X | X | 3 - Medium |
| 114 | Process Control | X | | 5 - Very High |
| 117 | Improper Output Neutralization for Logs | X | | 3 - Medium |
| 129 | Improper Validation of Array Index | X | | 3 - Medium |
| 134 | Use of Externally-Controlled Format String | X | | 5 - Very High |
| 159 | Improper Handling of Invalid Use of Special Elements | X | | 0 - Informational |
| 183 | Permissive List of Allowed Inputs | X | | 3 - Medium |
| 200 | Exposure of Sensitive Information to an Unauthorized Actor | X | X | 2 - Low |
| 201 | Insertion of Sensitive Information Into Sent Data | X | | 2 - Low |
| 209 | Generation of Error Message Containing Sensitive Information | X | X | 2 - Low |
| 215 | Insertion of Sensitive Information Into Debugging Code | X | X | 2 - Low |
| 223 | Omission of Security-relevant Information | X | | 2 - Low |
| 256 | Plaintext Storage of a Password | X | | 3 - Medium |
| 259 | Use of Hard-coded Password | X | X | 3 - Medium |
| 261 | Weak Encoding for Password | X | | 3 - Medium |
| 272 | Least Privilege Violation | X | | 3 - Medium |
| 282 | Improper Ownership Management | X | | 3 - Medium |
| 285 | Improper Authorization | X | X | 3 - Medium |
| 287 | Improper Authentication | X | X | 4 - High |
| 295 | Improper Certificate Validation | X | | 3 - Medium |
| 296 | Improper Following of a Certificate's Chain of Trust | X | | 3 - Medium |
| 297 | Improper Validation of Certificate with Host Mismatch | X | X | 3 - Medium |
| 298 | Improper Validation of Certificate Expiration | X | | 3 - Medium |
| 299 | Improper Check for Certificate Revocation | X | | 3 - Medium |
| 311 | Missing Encryption of Sensitive Data | X | | 3 - Medium |
| 312 | Cleartext Storage of Sensitive Information | X | | 3 - Medium |
| 313 | Cleartext Storage in a File or on Disk | X | | 3 - Medium |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | | 3 - Medium |
| 319 | Cleartext Transmission of Sensitive Information | X | | 3 - Medium |
| 321 | Use of Hard-coded Cryptographic Key | X | X | 3 - Medium |
| 326 | Inadequate Encryption Strength | X | X | 3 - Medium |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | X | 3 - Medium |
| 328 | Use of Weak Hash | X | | 3 - Medium |
| 329 | Generation of Predictable IV with CBC Mode | X | | 2 - Low |
| 330 | Use of Insufficiently Random Values | X | | 3 - Medium |
| 331 | Insufficient Entropy | X | | 3 - Medium |
| 338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | X | | 3 - Medium |
| 345 | Insufficient Verification of Data Authenticity | X | | 4 - High |
| 346 | Origin Validation Error | X | | 3 - Medium |
| 347 | Improper Verification of Cryptographic Signature | X | | 2 - Low |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | X | | 3 - Medium |
| 352 | Cross-Site Request Forgery (CSRF) | X | X | 3 - Medium |
| 354 | Improper Validation of Integrity Check Value | X | | 3 - Medium |
| 359 | Exposure of Private Personal Information to an Unauthorized Actor | X | | 2 - Low |
| 377 | Insecure Temporary File | X | | 3 - Medium |
| 384 | Session Fixation | X | X | 3 - Medium |
| 402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | X | | 3 - Medium |
| 421 | Race Condition During Access to Alternate Channel | X | | 3 - Medium |
| 426 | Untrusted Search Path | X | | 3 - Medium |
| 427 | Uncontrolled Search Path Element | X | | 3 - Medium |
| 434 | Unrestricted Upload of File with Dangerous Type | X | | 4 - High |
| 441 | Unintended Proxy or Intermediary ('Confused Deputy') | X | | 3 - Medium |
| 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | X | | 3 - Medium |
| 472 | External Control of Assumed-Immutable Web Parameter | X | | 3 - Medium |
| 494 | Download of Code Without Integrity Check | X | | 5 - Very High |
| 497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | X | | 2 - Low |
| 501 | Trust Boundary Violation | X | | 3 - Medium |
| 502 | Deserialization of Untrusted Data | X | | 3 - Medium |
| 522 | Insufficiently Protected Credentials | X | X | 3 - Medium |
| 526 | Exposure of Sensitive Information Through Environmental Variables | X | | 2 - Low |
| 530 | Exposure of Backup File to an Unauthorized Control Sphere | X | | 2 - Low |
| 532 | Insertion of Sensitive Information into Log File | X | | 2 - Low |
| 538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | X | | 2 - Low |
| 547 | Use of Hard-coded, Security-relevant Constants | X | | 3 - Medium |
| 548 | Information Exposure Through Directory Listing | X | | 2 - Low |
| 564 | SQL Injection: Hibernate | X | | 4 - High |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | X | | 3 - Medium |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X | 3 - Medium |
| 611 | Improper Restriction of XML External Entity Reference (XXE) | X | X | 3 - Medium |
| 614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | X | X | 2 - Low |
| 615 | Inclusion of Sensitive Information in Source Code Comments | X | X | 0 - Informational |
| 639 | Authorization Bypass Through User-Controlled Key | X | | 4 - High |
| 642 | External Control of Critical State Data | X | | 2 - Low |
| 656 | Reliance on Security Through Obscurity | X | | 0 - Informational |
| 668 | Exposure of Resource to Wrong Sphere | X | X | 3 - Medium |
| 708 | Incorrect Ownership Assignment | X | | 4 - High |
| 732 | Incorrect Permission Assignment for Critical Resource | X | | 3 - Medium |
| 757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | X | X | 3 - Medium |
| 760 | Use of a One-Way Hash with a Predictable Salt | X | | 3 - Medium |
| 780 | Use of RSA Algorithm without OAEP | X | | 3 - Medium |
| 798 | Use of Hard-coded Credentials | X | | 3 - Medium |
| 829 | Inclusion of Functionality from Untrusted Control Sphere | X | X | 3 - Medium |
| 830 | Inclusion of Web Functionality from an Untrusted Source | X | | 2 - Low |
| 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | X | | 3 - Medium |
| 916 | Use of Password Hash With Insufficient Computational Effort | X | | 3 - Medium |
| 918 | Server-Side Request Forgery (SSRF) | X | X | 3 - Medium |
| 926 | Improper Export of Android Application Components | X | | 3 - Medium |
| 942 | Permissive Cross-domain Policy with Untrusted Domains | X | X | 3 - Medium |
| 943 | Improper Neutralization of Special Elements in Data Query Logic | X | | 4 - High |
| 1174 | ASP.NET Misconfiguration: Improper Model Validation | X | | 2 - Low |
| 1236 | Improper Neutralization of Formula Elements in a CSV File | X | | 3 - Medium |
The OWASP 2017 standard
The following table lists all the CWEs that might cause an application to not pass a policy that includes an OWASP 2017 policy rule.
| CWE ID | CWE name | Static support | Dynamic support | Veracode severity |
|---|---|---|---|---|
| 5 | J2EE Misconfiguration: Data Transmission Without Encryption | | | |
| 9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | | | |
| 13 | ASP.NET Misconfiguration: Password in Configuration File | | | |
| 16 | Configuration | X | | 0 - Informational |
| 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | X | X | 3 - Medium |
| 23 | Relative Path Traversal | | | |
| 24 | Path Traversal: '../filedir' | | | |
| 25 | Path Traversal: '/../filedir' | | | |
| 26 | Path Traversal: '/dir/../filename' | | | |
| 27 | Path Traversal: 'dir/../../filename' | | | |
| 28 | Path Traversal: '..\filedir' | | | |
| 29 | Path Traversal: '\..\filename' | | | |
| 30 | Path Traversal: '\dir\..\filename' | | | |
| 31 | Path Traversal: 'dir\..\..\filename' | | | |
| 32 | Path Traversal: '...' (Triple Dot) | | | |
| 33 | Path Traversal: '....' (Multiple Dot) | | | |
| 34 | Path Traversal: '....//' | | | |
| 35 | Path Traversal: '.../...//' | | | |
| 36 | Absolute Path Traversal | | | |
| 37 | Path Traversal: '/absolute/pathname/here' | | | |
| 38 | Path Traversal: '\absolute\pathname\here' | | | |
| 39 | Path Traversal: 'C:dirname' | | | |
| 40 | Path Traversal: '\\UNC\share\name\' (Windows UNC Share) | | | |
| 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | X | | 4 - High |
| 75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | | | |
| 76 | Improper Neutralization of Equivalent Special Elements | | | |
| 77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | X | | 5 - Very High |
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | X | X | 5 - Very High |
| 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | X | X | 3 - Medium |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | X | X | 3 - Medium |
| 81 | Improper Neutralization of Script in an Error Message Web Page | | | |
| 82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | | | |
| 83 | Improper Neutralization of Script in Attributes in a Web Page | X | | 3 - Medium |
| 84 | Improper Neutralization of Encoded URI Schemes in a Web Page | | | |
| 85 | Doubled Character XSS Manipulations | | | |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | X | | 3 - Medium |
| 87 | Improper Neutralization of Alternate XSS Syntax | | | |
| 88 | Argument Injection or Modification | X | | 3 - Medium |
| 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | X | X | 4 - High |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection) | X | | 3 - Medium |
| 91 | XML Injection (aka Blind XPath Injection) | X | | 3 - Medium |
| 93 | Improper Neutralization of CRLF Sequences (CRLF Injection) | X | | 3 - Medium |
| 94 | Improper Control of Generation of Code (Code Injection) | X | | 3 - Medium |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection) | X | | 5 - Very High |
| 96 | Improper Neutralization of Directives in Statically Saved Code (Static Code Injection) | | | |
| 97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | | | |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) | X | X | 4 - High |
| 99 | Improper Control of Resource Identifiers (Resource Injection) | X | | 3 - Medium |
| 102 | Struts: Duplicate Validation Forms | | | |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) | X | X | 3 - Medium |
| 117 | Improper Output Neutralization for Logs | X | | 3 - Medium |
| 202 | Exposure of Sensitive Data Through Data Queries | | | |
| 209 | Information Exposure Through an Error Message | X | X | 2 - Low |
| 210 | Information Exposure Through Self-generated Error Message | | | |
| 211 | Information Exposure Through Externally-Generated Error Message | | | |
| 219 | Sensitive Data Under Web Root | | | |
| 220 | Sensitive Data Under FTP Root | | | |
| 223 | Omission of Security-relevant Information | X | | 2 - Low |
| 256 | Unprotected Storage of Credentials | X | | 3 - Medium |
| 257 | Storing Passwords in a Recoverable Format | | | |
| 258 | Empty Password in Configuration File | | | |
| 259 | Use of Hard-coded Password | X | X | 3 - Medium |
| 260 | Password in Configuration File | | | |
| 261 | Weak Cryptography for Passwords | X | | 3 - Medium |
| 262 | Not Using Password Aging | | | |
| 263 | Password Aging with Long Expiration | | | |
| 266 | Incorrect Privilege Assignment | | | |
| 267 | Privilege Defined With Unsafe Actions | | | |
| 268 | Privilege Chaining | | | |
| 269 | Improper Privilege Management | | | |
| 270 | Privilege Context Switching Error | | | |
| 271 | Privilege Dropping / Lowering Errors | | | |
| 272 | Least Privilege Violation | X | | 3 - Medium |
| 276 | Incorrect Default Permissions | | | |
| 277 | Insecure Inherited Permissions | | | |
| 278 | Insecure Preserved Inherited Permissions | | | |
| 279 | Incorrect Execution-Assigned Permissions | | | |
| 281 | Improper Preservation of Permissions | | | |
| 282 | Improper Ownership Management | X | | 3 - Medium |
| 283 | Unverified Ownership | | | |
| 284 | Improper Access Control | X | | 3 - Medium |
| 285 | Improper Authorization | X | X | 3 - Medium |
| 286 | Incorrect User Management | | | |
| 287 | Improper Authentication | X | X | 4 - High |
| 288 | Authentication Bypass Using an Alternate Path or Channel | | | |
| 289 | Authentication Bypass by Alternate Name | | | |
| 290 | Authentication Bypass by Spoofing | | | |
| 291 | Reliance on IP Address for Authentication | | | |
| 293 | Using Referer Field for Authentication | | | |
| 294 | Authentication Bypass by Capture-replay | | | |
| 295 | Improper Certificate Validation | X | | 3 - Medium |
| 296 | Improper Following of a Certificate's Chain of Trust | X | | 3 - Medium |
| 297 | Improper Validation of Certificate with Host Mismatch | X | X | 3 - Medium |
| 298 | Improper Validation of Certificate Expiration | X | | 3 - Medium |
| 299 | Improper Check for Certificate Revocation | X | | 3 - Medium |
| 300 | Channel Accessible by Non-Endpoint (Man-in-the-Middle) | | | |
| 301 | Reflection Attack in an Authentication Protocol | | | |
| 302 | Authentication Bypass by Assumed-Immutable Data | | | |
| 303 | Incorrect Implementation of Authentication Algorithm | | | |
| 305 | Authentication Bypass by Primary Weakness | | | |
| 306 | Missing Authentication for Critical Function | | | |
| 307 | Improper Restriction of Excessive Authentication Attempts | | | |
| 308 | Use of Single-factor Authentication | | | |
| 309 | Use of Password System for Primary Authentication | | | |
| 311 | Missing Encryption of Sensitive Data | X | | 3 - Medium |
| 312 | Cleartext Storage of Sensitive Information | X | | 3 - Medium |
| 313 | Cleartext Storage in a File or on Disk | X | | 3 - Medium |
| 314 | Cleartext Storage in the Registry | | | |
| 315 | Cleartext Storage of Sensitive Information in a Cookie | | | |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | | 3 - Medium |
| 317 | Cleartext Storage of Sensitive Information in GUI | | | |
| 318 | Cleartext Storage of Sensitive Information in Executable | | | |
| 319 | Cleartext Transmission of Sensitive Information | X | | 3 - Medium |
| 320 | Key Management Errors | | | |
| 321 | Use of Hard-coded Cryptographic Key | X | X | 3 - Medium |
| 322 | Key Exchange without Entity Authentication | | | |
| 325 | Missing Required Cryptographic Step | | | |
| 326 | Inadequate Encryption Strength | X | X | 3 - Medium |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | X | 3 - Medium |
| 328 | Reversible One-Way Hash | X | | 3 - Medium |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | X | | 3 - Medium |
| 359 | Exposure of Private Information (Privacy Violation) | X | | 2 - Low |
| 370 | Missing Check for Certificate Revocation after Initial Check | | | |
| 384 | Session Fixation | X | X | 3 - Medium |
| 419 | Unprotected Primary Channel | | | |
| 420 | Unprotected Alternate Channel | | | |
| 421 | Race Condition During Access to Alternate Channel | X | | 3 - Medium |
| 422 | Unprotected Windows Messaging Channel (Shatter) | | | |
| 425 | Direct Request (Forced Browsing) | | | |
| 433 | Unparsed Raw Web Content Delivery | | | |
| 462 | Duplicate Key in Associative List (Alist) | | | |
| 477 | Use of Obsolete Functions | X | X | 0 - Informational |
| 502 | Deserialization of Untrusted Data | X | | 3 - Medium |
| 520 | .NET Misconfiguration: Use of Impersonation | | | |
| 521 | Weak Password Requirements | | | |
| 522 | Insufficiently Protected Credentials | X | X | 3 - Medium |
| 523 | Unprotected Transport of Credentials | | | |
| 535 | Information Exposure Through Shell Error Message | | | |
| 536 | Information Exposure Through Servlet Runtime Error Message | | | |
| 537 | Information Exposure Through Java Runtime Error Message | | | |
| 548 | Information Exposure Through Directory Listing | X | | 2 - Low |
| 549 | Missing Password Field Masking | | | |
| 550 | Information Exposure Through Server Error Message | | | |
| 551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | | | |
| 555 | J2EE Misconfiguration: Plaintext Password in Configuration File | | | |
| 556 | ASP.NET Misconfiguration: Use of Identity Impersonation | | | |
| 564 | SQL Injection: Hibernate | X | | 4 - High |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | X | | 3 - Medium |
| 599 | Missing Validation of OpenSSL Certificate | | | |
| 611 | Improper Restriction of XML External Entity Reference (XXE) | X | X | 3 - Medium |
| 613 | Insufficient Session Expiration | | | |
| 614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | X | X | 2 - Low |
| 620 | Unverified Password Change | | | |
| 621 | Variable Extraction Error | | | |
| 623 | Unsafe ActiveX Control Marked Safe For Scripting | | | |
| 624 | Executable Regular Expression Error | | | |
| 627 | Dynamic Variable Evaluation | | | |
| 639 | Authorization Bypass Through User-Controlled Key | X | | 4 - High |
| 640 | Weak Password Recovery Mechanism for Forgotten Password | | | |
| 641 | Improper Restriction of Names for Files and Other Resources | | | |
| 643 | Improper Neutralization of Data within XPath Expressions (XPath Injection) | | | |
| 645 | Overly Restrictive Account Lockout Mechanism | | | |
| 647 | Use of Non-Canonical URL Paths for Authorization Decisions | | | |
| 648 | Incorrect Use of Privileged APIs | | | |
| 652 | Improper Neutralization of Data within XQuery Expressions (XQuery Injection) | | | |
| 689 | Permission Race Condition During Resource Copy | | | |
| 692 | Incomplete Denylist to Cross-Site Scripting | | | |
| 694 | Use of Multiple Resources with Duplicate Identifier | | | |
| 708 | Incorrect Ownership Assignment | X | | 4 - High |
| 732 | Incorrect Permission Assignment for Critical Resource | X | | 3 - Medium |
| 759 | Use of a One-Way Hash without a Salt | | | |
| 760 | Use of a One-Way Hash with a Predictable Salt | X | | 3 - Medium |
| 776 | Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) | | | |
| 778 | Insufficient Logging | | | |
| 780 | Use of RSA Algorithm without OAEP | X | | 3 - Medium |
| 798 | Use of Hard-coded Credentials | X | | 3 - Medium |
| 804 | Guessable CAPTCHA | | | |
| 836 | Use of Password Hash Instead of Password for Authentication | | | |
| 842 | Placement of User into Incorrect Group | | | |
| 862 | Missing Authorization | | | |
| 863 | Incorrect Authorization | | | |
| 914 | Improper Control of Dynamically-Identified Variables | | | |
| 916 | Use of Password Hash With Insufficient Computational Effort | X | | 3 - Medium |
| 917 | Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection) | | | |
| 923 | Improper Restriction of Communication Channel to Intended Endpoints | | | |
| 925 | Improper Verification of Intent by Broadcast Receiver | | | |
| 926 | Improper Export of Android Application Components | | | |
| 927 | Use of Implicit Intent for Sensitive Communication | | | |
| 939 | Improper Authorization in Handler for Custom URL Scheme | | | |
| 940 | Improper Verification of Source of a Communication Channel | | | |
| 941 | Incorrectly Specified Destination in a Communication Channel | | | |
| 942 | Permissive Cross-domain Policy with Untrusted Domains | X | X | 3 - Medium |
| 943 | Improper Neutralization of Special Elements in Data Query Logic | X | | 4 - High |
| 1004 | Sensitive Cookie Without HttpOnly Flag | | | |
| 1022 | Use of Web Link to Untrusted Target with window.opener Access | | | |
The OWASP Mobile standard
The following table lists all the CWEs that might cause an application to not pass a policy that includes an OWASP Mobile policy rule.
| CWE ID | CWE name | Static support | Veracode severity |
|---|---|---|---|
| 15 | External Control of System or Configuration Setting | X | 4 - High |
| 73 | External Control of File Name or Path | X | 3 - Medium |
| 77 | Improper Neutralization of Special Elements in a Command | X | 5 - Very High |
| 78 | Improper Neutralization of Special Elements in an OS Command | X | 5 - Very High |
| 80 | Improper Neutralization of Script Related HTML Tags | X | 3 - Medium |
| 88 | Improper Neutralization of Argument Delimiters | X | 3 - Medium |
| 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | X | 4 - High |
| 114 | Process Control | X | 5 - Very High |
| 183 | Permissive List of Allowed Inputs | X | 3 - Medium |
| 201 | Information Exposure Through Sent Data | X | 2 - Low |
| 209 | Information Exposure Through an Error Message | X | 2 - Low |
| 215 | Information Exposure Through Debug Information | X | 2 - Low |
| 242 | Use of Inherently Dangerous Function | X | 5 - Very High |
| 252 | Unchecked Return Value | X | 2 - Low |
| 256 | Unprotected Storage of Credentials | X | 3 - Medium |
| 259 | Use of Hard-coded Password | X | 3 - Medium |
| 287 | Improper Authentication | X | 4 - High |
| 296 | Improper Following of a Certificate's Chain of Trust | | 3 - Medium |
| 297 | Improper Validation of Certificate with Host Mismatch | X | 3 - Medium |
| 311 | Missing Encryption of Sensitive Data | X | 3 - Medium |
| 312 | Cleartext Storage of Sensitive Information | X | 3 - Medium |
| 313 | Cleartext Storage in a File or on Disk | X | 3 - Medium |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | 3 - Medium |
| 319 | Cleartext Transmission of Sensitive Information | X | 3 - Medium |
| 321 | Use of Hard-coded Cryptographic Key | X | 3 - Medium |
| 326 | Inadequate Encryption Strength | X | 3 - Medium |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | 3 - Medium |
| 329 | Not Using a Random IV with CBC Mode | X | 2 - Low |
| 331 | Insufficient Entropy | X | 3 - Medium |
| 345 | Insufficient Verification of Data Authenticity | X | 4 - High |
| 347 | Improper Verification of Cryptographic Signature | X | 2 - Low |
| 354 | Improper Validation of Integrity Check Value | X | 3 - Medium |
| 377 | Insecure Temporary File | X | 3 - Medium |
| 378 | Creation of Temporary File With Insecure Permissions | | 3 - Medium |
| 404 | Improper Resource Shutdown | X | 0 - Informational |
| 415 | Double Free | X | 3 - Medium |
| 416 | Use After Free | X | 2 - Low |
| 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | X | 3 - Medium |
| 489 | Leftover Debug Code | X | 3 - Medium |
| 497 | Exposure of System Data to an Unauthorized Control Sphere | X | 2 - Low |
| 501 | Trust Boundary Violation | X | 3 - Medium |
| 506 | Embedded Malicious Code | X | 4 - High |
| 511 | Logic/Time Bomb | X | 5 - Very High |
| 514 | Covert Channel | X | 2 - Low |
| 522 | Insufficiently Protected Credentials | X | 3 - Medium |
| 601 | URL Redirection to Untrusted Site | X | 3 - Medium |
| 614 | Sensitive Cookie without Secure Attribute | X | 2 - Low |
| 676 | Use of Potentially Dangerous Function | X | 3 - Medium |
| 693 | Protection Mechanism Failure | X | 3 - Medium |
| 732 | Incorrect Permission Assignment for Critical Resource | X | 3 - Medium |
| 757 | Selection of Less Secure Algorithm During Negotiation | X | 3 - Medium |
| 798 | Use of Hard-coded Credentials | X | 3 - Medium |
The Auto-Update CWE Top 25 standard
The following table lists all the CWEs that might cause an application to not pass a policy that includes the Auto-Update CWE Top 25 policy rule.
| CWE ID | CWE name | Static support | Dynamic support | Veracode severity |
|---|---|---|---|---|
| 20 | Improper Input Validation | X | 0 - Informational | |
| 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | X | X | 3 - Medium |
| 23 | Relative Path Traversal | |||
| 73 | External Control of File Name or Path | X | 3 - Medium | |
| 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | X | 5 - Very High | |
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | X | X | 5 - Very High |
| 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | X | X | 3 - Medium |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | X | X | 3 - Medium |
| 81 | Improper Neutralization of Script in an Error Message Web Page | 3 - Medium | ||
| 83 | Improper Neutralization of Script in Attributes in a Web Page | X | 3 - Medium | |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | X | 3 - Medium | |
| 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | X | X | 4 - High |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection) | X | 3 - Medium | |
| 91 | XML Injection (aka Blind XPath Injection) | X | X | 3 - Medium |
| 94 | Improper Control of Generation of Code (Code Injection) | X | 3 - Medium | |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection) | X | X | 5 - Very High |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) | X | X | 4 - High |
| 103 | Struts: Incomplete validate() Method Definition | X | 3 - Medium | |
| 104 | Struts: Form Bean Does Not Extend Validation Class | X | 3 - Medium | |
| 112 | Missing XML Validation | X | 3 - Medium | |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | |||
| 120 | Buffer Copy without Checking Size of Input (Classic Buffer Overflow) | 5 - Very High | ||
| 121 | Stack-based Buffer Overflow | X | 5 - Very High | |
| 125 | Out-of-bounds Read | X | 3 - Medium | |
| 131 | Incorrect Calculation of Buffer Size | |||
| 135 | Incorrect Calculation of Multi-Byte String Length | X | 5 - Very High | |
| 185 | Incorrect Regular Expression | X | 2 - Low | |
| 190 | Integer Overflow or Wraparound | X | 5 - Very High | |
| 200 | Exposure of Sensitive Information to an Unauthorized Actor | X | X | 2 - Low |
| 201 | Insertion of Sensitive Information Into Sent Data | X | 2 - Low | |
| 209 | Generation of Error Message Containing Sensitive Information | X | X | 2 - Low |
| 215 | Insertion of Sensitive Information Into Debugging Code | X | X | 2 - Low |
| 259 | Use of Hard-coded Password | X | X | 3 - Medium |
| 269 | Improper Privilege Management | 3 - Medium | ||
| 272 | Least Privilege Violation | X | 3 - Medium | |
| 285 | Improper Authorization | X | X | 3 - Medium |
| 287 | Improper Authentication | X | X | 4 - High |
| 306 | Missing Authentication for Critical Function | 3 - Medium | ||
| 321 | Use of Hard-coded Cryptographic Key | X | X | 3 - Medium |
| 346 | Origin Validation Error | X | 3 - Medium | |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | X | 3 - Medium | |
| 352 | Cross-Site Request Forgery (CSRF) | X | X | 3 - Medium |
| 359 | Exposure of Private Personal Information to an Unauthorized Actor | X | 2 - Low | |
| 400 | Uncontrolled Resource Consumption | 2 - Low | ||
| 416 | Use After Free | X | 2 - Low | |
| 434 | Unrestricted Upload of File with Dangerous Type | X | 4 - High | |
| 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | X | 3 - Medium | |
| 476 | NULL Pointer Dereference | 2 - Low | ||
| 497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | X | 2 - Low | |
| 498 | Cloneable Class Containing Sensitive Information | X | 2 - Low | |
| 502 | Deserialization of Untrusted Data | X | 3 - Medium | |
| 526 | Exposure of Sensitive Information Through Environmental Variables | X | 2 - Low | |
| 530 | Exposure of Backup File to an Unauthorized Control Sphere | X | 2 - Low | |
| 538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | X | 2 - Low | |
| 548 | Information Exposure Through Directory Listing | X | 2 - Low | |
| 564 | SQL Injection: Hibernate | X | 4 - High | |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | X | 3 - Medium | |
| 601 | URL Redirection to Untrusted Site (Open Redirect) | X | X | 3 - Medium |
| 615 | Inclusion of Sensitive Information in Source Code Comments | X | X | 0 - Informational |
| 618 | Exposed Unsafe ActiveX Method | X | 5 - Very High | |
| 639 | Authorization Bypass Through User-Controlled Key | X | 4 - High | |
| 665 | Improper Initialization | X | 2 - Low | |
| 693 | Protection Mechanism Failure | X | X | 3 - Medium |
| 708 | Incorrect Ownership Assignment | X | 4 - High | |
| 787 | Out-of-bounds Write | X | 3 - Medium | |
| 798 | Use of Hard-coded Credentials | X | 3 - Medium | |
| 830 | Inclusion of Web Functionality from an Untrusted Source | X | 2 - Low | |
| 862 | Missing Authorization | |||
| 863 | Incorrect Authorization | |||
| 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | X | 3 - Medium | |
| 918 | Server-Side Request Forgery (SSRF) | X | X | 3 - Medium |
| 942 | Permissive Cross-domain Policy with Untrusted Domains | X | X | 3 - Medium |
| 1174 | ASP.NET Misconfiguration: Improper Model Validation | X | 2 - Low | |
The 2020 CWE Top 25 standard
The following table lists all the CWEs that might cause an application to not pass a policy that includes the 2020 CWE Top 25 policy rule.
| CWE ID | CWE name | Static support | Dynamic support | Veracode severity |
|---|---|---|---|---|
| 20 | Improper Input Validation | X | 0 - Informational | |
| 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | X | X | 3 - Medium |
| 23 | Relative Path Traversal | |||
| 73 | External Control of File Name or Path | X | 3 - Medium | |
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | X | X | 5 - Very High |
| 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | X | X | 3 - Medium |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | X | X | 3 - Medium |
| 81 | Improper Neutralization of Script in an Error Message Web Page | |||
| 83 | Improper Neutralization of Script in Attributes in a Web Page | X | 3 - Medium | |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | X | 3 - Medium | |
| 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | X | X | 4 - High |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection) | X | 3 - Medium | |
| 91 | XML Injection (aka Blind XPath Injection) | X | X | 3 - Medium |
| 94 | Improper Control of Generation of Code (Code Injection) | X | 3 - Medium | |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection) | X | X | 5 - Very High |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) | X | X | 4 - High |
| 100 | DEPRECATED: Technology-Specific Input Validation Problems | |||
| 103 | Struts: Incomplete validate() Method Definition | X | 3 - Medium | |
| 104 | Struts: Form Bean Does Not Extend Validation Class | X | 3 - Medium | |
| 112 | Missing XML Validation | X | 3 - Medium | |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | |||
| 120 | Buffer Copy without Checking Size of Input (Classic Buffer Overflow) | |||
| 121 | Stack-based Buffer Overflow | X | 5 - Very High | |
| 125 | Out-of-bounds Read | X | 3 - Medium | |
| 131 | Incorrect Calculation of Buffer Size | |||
| 135 | Incorrect Calculation of Multi-Byte String Length | X | 5 - Very High | |
| 185 | Incorrect Regular Expression | X | 2 - Low | |
| 190 | Integer Overflow or Wraparound | X | 5 - Very High | |
| 200 | Exposure of Sensitive Information to an Unauthorized Actor | X | X | 2 - Low |
| 201 | Insertion of Sensitive Information Into Sent Data | X | 2 - Low | |
| 209 | Generation of Error Message Containing Sensitive Information | X | X | 2 - Low |
| 215 | Insertion of Sensitive Information Into Debugging Code | X | X | 2 - Low |
| 259 | Use of Hard-coded Password | X | X | 3 - Medium |
| 269 | Improper Privilege Management | |||
| 272 | Least Privilege Violation | X | 3 - Medium | |
| 274 | Improper Handling of Insufficient Privileges | X | 0 - Informational | |
| 285 | Improper Authorization | X | X | 3 - Medium |
| 287 | Improper Authentication | X | X | 4 - High |
| 306 | Missing Authentication for Critical Function | |||
| 321 | Use of Hard-coded Cryptographic Key | X | X | 3 - Medium |
| 346 | Origin Validation Error | X | 3 - Medium | |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | X | 3 - Medium | |
| 352 | Cross-Site Request Forgery (CSRF) | X | X | 3 - Medium |
| 359 | Exposure of Private Personal Information to an Unauthorized Actor | X | 2 - Low | |
| 400 | Uncontrolled Resource Consumption | |||
| 416 | Use After Free | X | 2 - Low | |
| 434 | Unrestricted Upload of File with Dangerous Type | X | 4 - High | |
| 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | X | 3 - Medium | |
| 476 | NULL Pointer Dereference | |||
| 497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | X | 2 - Low | |
| 498 | Cloneable Class Containing Sensitive Information | |||
| 502 | Deserialization of Untrusted Data | X | 3 - Medium | |
| 522 | Insufficiently Protected Credentials | X | X | 3 - Medium |
| 526 | Exposure of Sensitive Information Through Environmental Variables | X | 2 - Low | |
| 530 | Exposure of Backup File to an Unauthorized Control Sphere | X | 2 - Low | |
| 538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | X | 0 - Informational | |
| 548 | Exposure of Information Through Directory Listing | X | 2 - Low | |
| 564 | SQL Injection: Hibernate | X | 4 - High | |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | X | 3 - Medium | |
| 601 | URL Redirection to Untrusted Site (Open Redirect) | X | X | 3 - Medium |
| 611 | Improper Restriction of XML External Entity Reference | X | X | 3 - Medium |
| 615 | Inclusion of Sensitive Information in Source Code Comments | X | X | 0 - Informational |
| 618 | Exposed Unsafe ActiveX Method | X | 5 - Very High | |
| 639 | Authorization Bypass Through User-Controlled Key | X | 4 - High | |
| 665 | Improper Initialization | X | 2 - Low | |
| 693 | Protection Mechanism Failure | X | X | 3 - Medium |
| 708 | Incorrect Ownership Assignment | X | 4 - High | |
| 732 | Incorrect Permission Assignment for Critical Resource | X | 3 - Medium | |
| 787 | Out-of-bounds Write | X | 3 - Medium | |
| 798 | Use of Hard-coded Credentials | X | 3 - Medium | |
| 830 | Inclusion of Web Functionality from an Untrusted Source | X | 2 - Low | |
| 862 | Missing Authorization | |||
| 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | X | 3 - Medium | |
| 918 | Server-Side Request Forgery (SSRF) | X | X | 3 - Medium |
| 942 | Permissive Cross-domain Policy with Untrusted Domains | X | X | 3 - Medium |
| 1174 | ASP.NET Misconfiguration: Improper Model Validation | X | 2 - Low | |
The 2019 CWE Top 25 standard
The following table lists all the CWEs that might cause an application to not pass a policy that includes the 2019 CWE Top 25 policy rule.
| CWE ID | CWE name | Static support | Dynamic support | Veracode severity |
|---|---|---|---|---|
| 20 | Improper Input Validation | X | 0 - Informational | |
| 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | X | X | 3 - Medium |
| 23 | Relative Path Traversal | |||
| 73 | External Control of File Name or Path | X | 3 - Medium | |
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | X | X | 5 - Very High |
| 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | X | X | 3 - Medium |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | X | X | 3 - Medium |
| 81 | Improper Neutralization of Script in an Error Message Web Page | |||
| 83 | Improper Neutralization of Script in Attributes in a Web Page | X | 3 - Medium | |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | X | 3 - Medium | |
| 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | X | X | 4 - High |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection) | X | 3 - Medium | |
| 91 | XML Injection (aka Blind XPath Injection) | X | X | 3 - Medium |
| 94 | Improper Control of Generation of Code (Code Injection) | X | 3 - Medium | |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection) | X | X | 5 - Very High |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) | X | X | 4 - High |
| 100 | DEPRECATED: Technology-Specific Input Validation Problems | |||
| 103 | Struts: Incomplete validate() Method Definition | X | 3 - Medium | |
| 104 | Struts: Form Bean Does Not Extend Validation Class | X | 3 - Medium | |
| 112 | Missing XML Validation | X | 3 - Medium | |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | |||
| 120 | Buffer Copy without Checking Size of Input (Classic Buffer Overflow) | |||
| 121 | Stack-based Buffer Overflow | X | 5 - Very High | |
| 125 | Out-of-bounds Read | X | 3 - Medium | |
| 131 | Incorrect Calculation of Buffer Size | |||
| 135 | Incorrect Calculation of Multi-Byte String Length | X | 5 - Very High | |
| 185 | Incorrect Regular Expression | X | 2 - Low | |
| 190 | Integer Overflow or Wraparound | X | 5 - Very High | |
| 200 | Exposure of Sensitive Information to an Unauthorized Actor | X | X | 2 - Low |
| 201 | Insertion of Sensitive Information Into Sent Data | X | 2 - Low | |
| 209 | Generation of Error Message Containing Sensitive Information | X | X | 2 - Low |
| 215 | Insertion of Sensitive Information Into Debugging Code | X | X | 2 - Low |
| 259 | Use of Hard-coded Password | X | X | 3 - Medium |
| 269 | Improper Privilege Management | |||
| 272 | Least Privilege Violation | X | 3 - Medium | |
| 274 | Improper Handling of Insufficient Privileges | X | 0 - Informational | |
| 285 | Improper Authorization | X | X | 3 - Medium |
| 287 | Improper Authentication | X | X | 4 - High |
| 295 | Improper Certificate Validation | X | 3 - Medium | |
| 321 | Use of Hard-coded Cryptographic Key | X | X | 3 - Medium |
| 346 | Origin Validation Error | X | 3 - Medium | |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | X | 3 - Medium | |
| 352 | Cross-Site Request Forgery (CSRF) | X | X | 3 - Medium |
| 359 | Exposure of Private Personal Information to an Unauthorized Actor | X | 2 - Low | |
| 400 | Uncontrolled Resource Consumption | |||
| 404 | Improper Resource Shutdown or Release | X | 0 - Informational | |
| 416 | Use After Free | X | 2 - Low | |
| 426 | Untrusted Search Path | X | 3 - Medium | |
| 427 | Uncontrolled Search Path Element | X | 3 - Medium | |
| 434 | Unrestricted Upload of File with Dangerous Type | X | 4 - High | |
| 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | X | 3 - Medium | |
| 476 | NULL Pointer Dereference | |||
| 497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | X | 2 - Low | |
| 498 | Cloneable Class Containing Sensitive Information | |||
| 502 | Deserialization of Untrusted Data | X | 3 - Medium | |
| 526 | Exposure of Sensitive Information Through Environmental Variables | X | 2 - Low | |
| 530 | Exposure of Backup File to an Unauthorized Control Sphere | X | 2 - Low | |
| 538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | X | 0 - Informational | |
| 548 | Exposure of Information Through Directory Listing | X | 2 - Low | |
| 564 | SQL Injection: Hibernate | X | 4 - High | |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | X | 3 - Medium | |
| 601 | URL Redirection to Untrusted Site (Open Redirect) | X | X | 3 - Medium |
| 611 | Improper Restriction of XML External Entity Reference | X | X | 3 - Medium |
| 615 | Inclusion of Sensitive Information in Source Code Comments | X | X | 0 - Informational |
| 618 | Exposed Unsafe ActiveX Method | X | 5 - Very High | |
| 639 | Authorization Bypass Through User-Controlled Key | X | 4 - High | |
| 665 | Improper Initialization | X | 2 - Low | |
| 693 | Protection Mechanism Failure | X | X | 3 - Medium |
| 708 | Incorrect Ownership Assignment | X | 4 - High | |
| 732 | Incorrect Permission Assignment for Critical Resource | X | 3 - Medium | |
| 772 | Missing Release of Resource after Effective Lifetime | |||
| 787 | Out-of-bounds Write | X | 3 - Medium | |
| 798 | Use of Hard-coded Credentials | X | 3 - Medium | |
| 830 | Inclusion of Web Functionality from an Untrusted Source | X | 2 - Low | |
| 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | X | 3 - Medium | |
| 918 | Server-Side Request Forgery (SSRF) | X | X | 3 - Medium |
| 942 | Permissive Cross-domain Policy with Untrusted Domains | X | X | 3 - Medium |
| 1174 | ASP.NET Misconfiguration: Improper Model Validation | X | 2 - Low | |
The CERT standard
The following table lists all the CWEs that might cause an application to not pass a policy that includes a CERT policy rule.
| CWE ID | CWE name | Static support | Dynamic support | Veracode severity |
|---|---|---|---|---|
| 14 | Compiler Removal of Code to Clear Buffers | |||
| 20 | Improper Input Validation | X | 0 - Informational | |
| 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | X | X | 3 - Medium |
| 37 | Path Traversal: '/absolute/pathname/here' | |||
| 38 | Path Traversal: '\absolute\pathname\here' | |||
| 39 | Path Traversal: 'C:dirname' | |||
| 41 | Improper Resolution of Path Equivalence | |||
| 59 | Improper Link Resolution Before File Access (Link Following) | |||
| 62 | UNIX Hard Link | |||
| 64 | Windows Shortcut Following (.LNK) | |||
| 65 | Windows Hard Link | |||
| 67 | Improper Handling of Windows Device Names | |||
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | X | X | 5 - Very High |
| 88 | Argument Injection or Modification | X | 3 - Medium | |
| 111 | Direct Use of Unsafe JNI | X | 4 - High | |
| 116 | Improper Encoding or Escaping of Output | |||
| 117 | Improper Output Neutralization for Logs | X | 3 - Medium | |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | |||
| 120 | Buffer Copy without Checking Size of Input (Classic Buffer Overflow) | |||
| 121 | Stack-based Buffer Overflow | X | 5 - Very High | |
| 122 | Heap-based Buffer Overflow | |||
| 123 | Write-what-where Condition | |||
| 125 | Out-of-bounds Read | X | 3 - Medium | |
| 128 | Wrap-around Error | |||
| 129 | Improper Validation of Array Index | X | 3 - Medium | |
| 131 | Incorrect Calculation of Buffer Size | |||
| 134 | Use of Externally-Controlled Format String | X | 5 - Very High | |
| 135 | Incorrect Calculation of Multi-Byte String Length | X | 5 - Very High | |
| 144 | Improper Neutralization of Line Delimiters | |||
| 150 | Improper Neutralization of Escape, Meta, or Control Sequences | |||
| 170 | Improper Null Termination | X | 3 - Medium | |
| 171 | Cleansing, Canonicalization, and Comparison Errors | |||
| 176 | Improper Handling of Unicode Encoding | |||
| 180 | Incorrect Behavior Order: Validate Before Canonicalize | |||
| 182 | Collapse of Data into Unsafe Value | |||
| 190 | Integer Overflow or Wraparound | X | 5 - Very High | |
| 191 | Integer Underflow (Wrap or Wraparound) | X | 3 - Medium | |
| 192 | Integer Coercion Error | X | 3 - Medium | |
| 193 | Off-by-one Error | X | 3 - Medium | |
| 194 | Unexpected Sign Extension | |||
| 195 | Signed to Unsigned Conversion Error | X | 3 - Medium | |
| 197 | Numeric Truncation Error | X | 3 - Medium | |
| 198 | Use of Incorrect Byte Ordering | |||
| 209 | Information Exposure Through an Error Message | X | X | 2 - Low |
| 226 | Sensitive Information Uncleared Before Release | |||
| 227 | 7PK - API Abuse | |||
| 230 | Improper Handling of Missing Values | |||
| 232 | Improper Handling of Undefined Values | |||
| 241 | Improper Handling of Unexpected Data Type | |||
| 242 | Use of Inherently Dangerous Function | X | 5 - Very High | |
| 244 | Improper Clearing of Heap Memory Before Release (Heap Inspection) | |||
| 248 | Uncaught Exception | X | 2 - Low | |
| 250 | Execution with Unnecessary Privileges | |||
| 252 | Unchecked Return Value | X | 2 - Low | |
| 253 | Incorrect Check of Function Return Value | |||
| 259 | Use of Hard-coded Password | X | X | 3 - Medium |
| 266 | Incorrect Privilege Assignment | |||
| 272 | Least Privilege Violation | X | 3 - Medium | |
| 273 | Improper Check for Dropped Privileges | X | 3 - Medium | |
| 276 | Incorrect Default Permissions | |||
| 279 | Incorrect Execution-Assigned Permissions | |||
| 289 | Authentication Bypass by Alternate Name | |||
| 300 | Channel Accessible by Non-Endpoint (Man-in-the-Middle) | |||
| 302 | Authentication Bypass by Assumed-Immutable Data | |||
| 311 | Missing Encryption of Sensitive Data | X | 3 - Medium | |
| 319 | Cleartext Transmission of Sensitive Information | X | 3 - Medium | |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | X | 3 - Medium |
| 330 | Use of Insufficiently Random Values | X | 3 - Medium | |
| 331 | Insufficient Entropy | X | 3 - Medium | |
| 332 | Insufficient Entropy in PRNG | |||
| 333 | Improper Handling of Insufficient Entropy in TRNG | |||
| 336 | Same Seed in Pseudo-Random Number Generator (PRNG) | |||
| 337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | |||
| 338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | X | 3 - Medium | |
| 347 | Improper Verification of Cryptographic Signature | X | 2 - Low | |
| 349 | Acceptance of Extraneous Untrusted Data With Trusted Data | |||
| 359 | Exposure of Private Information (Privacy Violation) | X | 2 - Low | |
| 362 | Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) | |||
| 363 | Race Condition Enabling Link Following | |||
| 366 | Race Condition within a Thread | X | 3 - Medium | |
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | X | 3 - Medium | |
| 369 | Divide By Zero | |||
| 374 | Passing Mutable Objects to an Untrusted Method | |||
| 375 | Returning a Mutable Object to an Untrusted Caller | |||
| 377 | Insecure Temporary File | X | 3 - Medium | |
| 379 | Creation of Temporary File in Directory with Incorrect Permissions | |||
| 382 | J2EE Bad Practices: Use of System.exit() | X | 2 - Low | |
| 390 | Detection of Error Condition Without Action | |||
| 392 | Missing Report of Error Condition | |||
| 395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference | |||
| 397 | Declaration of Throws for Generic Exception | |||
| 400 | Uncontrolled Resource Consumption | |||
| 401 | Improper Release of Memory Before Removing Last Reference | X | 2 - Low | |
| 403 | Exposure of File Descriptor to Unintended Control Sphere (File Descriptor Leak) | |||
| 404 | Improper Resource Shutdown or Release | X | 0 - Informational | |
| 405 | Asymmetric Resource Consumption (Amplification) | |||
| 409 | Improper Handling of Highly Compressed Data (Data Amplification) | |||
| 410 | Insufficient Resource Pool | |||
| 412 | Unrestricted Externally Accessible Lock | |||
| 413 | Improper Resource Locking | |||
| 415 | Double Free | X | 3 - Medium | |
| 416 | Use After Free | X | 2 - Low | |
| 426 | Untrusted Search Path | X | 3 - Medium | |
| 456 | Missing Initialization of a Variable | |||
| 459 | Incomplete Cleanup | |||
| 460 | Improper Cleanup on Thrown Exception | |||
| 462 | Duplicate Key in Associative List (Alist) | |||
| 464 | Addition of Data Structure Sentinel | |||
| 466 | Return of Pointer Value Outside of Expected Range | |||
| 467 | Use of sizeof() on a Pointer Type | |||
| 468 | Incorrect Pointer Scaling | |||
| 469 | Use of Pointer Subtraction to Determine Size | |||
| 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | X | 3 - Medium | |
| 476 | NULL Pointer Dereference | |||
| 479 | Signal Handler Use of a Non-reentrant Function | X | 3 - Medium | |
| 480 | Use of Incorrect Operator | |||
| 481 | Assigning instead of Comparing | |||
| 482 | Comparing instead of Assigning | |||
| 486 | Comparison of Classes by Name | |||
| 487 | Reliance on Package-level Scope | |||
| 491 | Public cloneable() Method Without Final (Object Hijack) | |||
| 492 | Use of Inner Class Containing Sensitive Data | |||
| 493 | Critical Public Variable Without Final Modifier | |||
| 494 | Download of Code Without Integrity Check | |||
| 497 | Exposure of System Data to an Unauthorized Control Sphere | X | 2 - Low | |
| 498 | Cloneable Class Containing Sensitive Information | |||
| 499 | Serializable Class Containing Sensitive Data | |||
| 500 | Public Static Field Not Marked Final | |||
| 502 | Deserialization of Untrusted Data | X | 3 - Medium | |
| 528 | Exposure of Core Dump File to an Unauthorized Control Sphere | |||
| 532 | Insertion of Sensitive Information into Log File | X | 2 - Low | |
| 543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context | |||
| 544 | Missing Standardized Error Handling Mechanism | |||
| 547 | Use of Hard-coded, Security-relevant Constants | X | 3 - Medium | |
| 552 | Files or Directories Accessible to External Parties | |||
| 561 | Dead Code | |||
| 562 | Return of Stack Variable Address | |||
| 563 | Assignment to Variable without Use | |||
| 567 | Unsynchronized Access to Shared Data in a Multithreaded Context | |||
| 568 | finalize() Method Without super.finalize() | |||
| 570 | Expression is Always False | |||
| 571 | Expression is Always True | |||
| 572 | Call to Thread run() instead of start() | |||
| 573 | Improper Following of Specification by Caller | |||
| 581 | Object Model Violation: Just One of Equals and Hashcode Defined | |||
| 582 | Array Declared Public, Final, and Static | |||
| 583 | finalize() Method Declared Public | |||
| 584 | Return Inside Finally Block | |||
| 586 | Explicit Call to Finalize() | |||
| 587 | Assignment of a Fixed Address to a Pointer | |||
| 589 | Call to Non-ubiquitous API | |||
| 590 | Free of Memory not on the Heap | |||
| 591 | Sensitive Data Storage in Improperly Locked Memory | |||
| 595 | Comparison of Object References Instead of Object Contents | |||
| 597 | Use of Wrong Operator in String Comparison | X | 2 - Low | |
| 600 | Uncaught Exception in Servlet | |||
| 606 | Unchecked Input for Loop Condition | |||
| 609 | Double-Checked Locking | |||
| 617 | Reachable Assertion | |||
| 625 | Permissive Regular Expression | |||
| 628 | Function Call with Incorrectly Specified Arguments | X | 2 - Low | |
| 647 | Use of Non-Canonical URL Paths for Authorization Decisions | |||
| 662 | Improper Synchronization | |||
| 664 | Improper Control of a Resource Through its Lifetime | |||
| 665 | Improper Initialization | X | 2 - Low | |
| 666 | Operation on Resource in Wrong Phase of Lifetime | |||
| 667 | Improper Locking | |||
| 672 | Operation on a Resource after Expiration or Release | |||
| 675 | Duplicate Operations on Resource | X | 2 - Low | |
| 676 | Use of Potentially Dangerous Function | X | 3 - Medium | |
| 680 | Integer Overflow to Buffer Overflow | |||
| 681 | Incorrect Conversion between Numeric Types | |||
| 682 | Incorrect Calculation | |||
| 684 | Incorrect Provision of Specified Functionality | |||
| 685 | Function Call With Incorrect Number of Arguments | |||
| 686 | Function Call With Incorrect Argument Type | |||
| 687 | Function Call With Incorrectly Specified Argument Value | |||
| 690 | Unchecked Return Value to NULL Pointer Dereference | |||
| 696 | Incorrect Behavior Order | |||
| 697 | Incorrect Comparison | |||
| 703 | Improper Check or Handling of Exceptional Conditions | |||
| 704 | Incorrect Type Conversion or Cast | |||
| 705 | Incorrect Control Flow Scoping | |||
| 732 | Incorrect Permission Assignment for Critical Resource | X | 3 - Medium | |
| 754 | Improper Check for Unusual or Exceptional Conditions | |||
| 758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | |||
| 762 | Mismatched Memory Management Routines | |||
| 766 | Critical Data Element Declared Public | |||
| 770 | Allocation of Resources Without Limits or Throttling | |||
| 771 | Missing Reference to Active Allocated Resource | |||
| 772 | Missing Release of Resource after Effective Lifetime | |||
| 773 | Missing Reference to Active File Descriptor or Handle | |||
| 775 | Missing Release of File Descriptor or Handle after Effective Lifetime | |||
| 783 | Operator Precedence Logic Error | |||
| 786 | Access of Memory Location Before Start of Buffer | |||
| 789 | Uncontrolled Memory Allocation | |||
| 798 | Use of Hard-coded Credentials | X | 3 - Medium | |
| 805 | Buffer Access with Incorrect Length Value | |||
| 807 | Reliance on Untrusted Inputs in a Security Decision | |||
| 820 | Missing Synchronization | |||
| 833 | Deadlock | |||
| 838 | Inappropriate Encoding for Output Context | |||
| 843 | Access of Resource Using Incompatible Type (Type Confusion) | |||
| 908 | Use of Uninitialized Resource | |||
| 910 | Use of Expired File Descriptor | | | |
OWASP 2023 API Security Top 10 support
The following table lists the categories in the OWASP 2023 API Security Top 10 that Veracode supports for Dynamic Analysis and DAST Essentials.
| Category | Description | Dynamic Analysis | DAST Essentials |
|---|---|---|---|
| API1:2023 | Broken Object Level Authorization | Partial support (fuzzing paths) | Partial support (fuzzing paths) |
| API2:2023 | Broken Authentication | Full support | Full support |
| API3:2023 | Broken Object Property Level Authorization | * | * |
| API4:2023 | Unrestricted Resource Consumption | * | * |
| API5:2023 | Broken Function Level Authorization | * | * |
| API6:2023 | Unrestricted Access to Sensitive Business Flows | * | * |
| API7:2023 | Server Side Request Forgery | Full support | Full support |
| API8:2023 | Security Misconfiguration | Full support | Full support |
| API9:2023 | Improper Inventory Management | Partial support | Partial support |
| API10:2023 | Unsafe Consumption of APIs | * | * |
\* Veracode Dynamic Analysis and DAST Essentials might provide inaccurate results for these categories. For accurate results, Veracode recommends that you test these categories with Manual Penetration Testing (MPT).