Categories

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

The software does not validate or incorrectly validates the integrity check values or checksums of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().