Categories

Weaknesses in this category are related to the management of credentials.

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.