Categories

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ../ sequences that can resolve to a location that is outside of that directory.

The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.

The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

The software specifies a regular expression in a way that causes data to be improperly matched or compared.

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

The software does not neutralize or incorrectly neutralizes output that is written to logs.

The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.

The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.