Categories

The software does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.

The software does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.

The software allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.

Software that does not appropriately monitor or control resource consumption can lead to adverse system performance.

The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the container term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.

Weaknesses in this category are related to improper management of system state.Weaknesses in this category are related to improper management of system state.

A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.

The software does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the software to transmit more traffic than should be allowed for that actor.

The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.