Categories

The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context.

The product uses the wrong operator when comparing a string, such as using == when the equals() method should be used instead.

The software does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error, which can cause the software to execute in a less secure fashion than intended by the administrator.

A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

The software does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.

The software creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.

The application constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

Immutable data, such as a first-stage bootloader, device identifiers, and write-once configuration settings are stored in writable memory that can be re-programmed/updated in the field.

The software receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.