Categories

| CWE | NAME | DESCRIPTION | LAST 12M | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|---|
| CWE-1049 | Excessive Data Query Operations in a Large Data Table | The software performs a data query with a large number of joins and sub-queries on a large data table. | | 0 | 0 | 1 | 0 | 1 |
| CWE-1230 | Exposure of Sensitive Information Through Metadata | The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information. | | 0 | 0 | 1 | 0 | 1 |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. | | 0 | 1 | 0 | 0 | 1 |
| CWE-127 | Buffer Under-read | The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer. | | 0 | 1 | 0 | 0 | 1 |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. | | 0 | 1 | 0 | 0 | 1 |
| CWE-410 | Insufficient Resource Pool | The software's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources. | | 0 | 0 | 1 | 0 | 1 |
| CWE-1039 | Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations | The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept. | | 0 | 1 | 0 | 0 | 1 |
| CWE-1240 | Use of a Risky Cryptographic Primitive | The product implements a cryptographic algorithm using a non-standard or unproven cryptographic primitive. | | 0 | 1 | 0 | 0 | 1 |
| CWE-167 | Improper Handling of Additional Special Element | The software receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided. | | 0 | 0 | 1 | 0 | 1 |
| CWE-825 | Expired Pointer Dereference | The program dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. | | 0 | 1 | 0 | 0 | 1 |