Categories

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

The software does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.

The software does not properly manage a user within its environment.

The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.

The software does not properly distinguish between different types of elements in a way that leads to insecure behavior.

The program releases a resource that is still intended to be used by the program itself or another actor.

The software makes resources available to untrusted parties when those resources are only intended to be accessed by the software.

The product allocates memory based on an untrusted size value, but it does not validate or incorrectly validates the size, allowing arbitrary amounts of memory to be allocated.

The product uses a scheme that generates numbers or identifiers that are more predictable than required.

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.