Categories

The software has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.

The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.

The software does not adequately filter user-controlled input for special elements with control implications.

The software does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context.

The software does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.

The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.