...
CERT Rule | Related Guidelines | ||
|---|---|---|---|
| EXP33-C | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | ||
| EXP33-C | CWE-123, Write-what-where Condition | ||
| EXP33-C | CWE-125, Out-of-bounds Read | ||
| EXP33-C | CWE-665, Improper Initialization | ||
| EXP34-C | CWE-476, NULL Pointer Dereference | ||
| EXP37-C | CWE-628, Function Call with Incorrectly Specified Arguments | ||
| EXP37-C | CWE-686, Function Call with Incorrect Argument Type | ||
| EXP39-C | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | ||
| EXP39-C | CWE-123, Write-what-where Condition | ||
| EXP39-C | CWE-125, Out-of-bounds Read | ||
| EXP45-C | CWE-480, Use of Incorrect Operator | ||
| EXP46-C | CWE-480, Use of incorrect operator | ||
| INT30-C | CWE-190, Integer Overflow or Wraparound | ||
| INT31-C | CWE-192, Integer Coercion Error | ||
| INT31-C | CWE-197, Numeric Truncation Error | ||
| INT31-C | CWE-681, Incorrect Conversion between Numeric Types | ||
| INT32-C | CWE-129, Improper Validation of Array Index | ||
| INT32-C | CWE-190, Integer Overflow or Wraparound | ||
| INT33-C | CWE-369, Divide By Zero | ||
| INT35-C | CWE-190, Integer Overflow or Wraparound | ||
| INT36-C | CWE-466, Return of Pointer Value Outside of Expected Range | ||
| INT36-C | CWE-587, Assignment of a Fixed Address to a Pointer | ||
| FLP32-C | CWE-682, Incorrect Calculation | ||
| FLP34-C | CWE-681, Incorrect Conversion between Numeric Types | ||
| ARR30-C | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | ||
| ARR30-C | CWE-122, Heap-based Buffer Overflow | ||
| ARR30-C | CWE-123, Write-what-where Condition | ||
| ARR30-C | CWE-125, Out-of-bounds Read | ||
| ARR30-C | CWE-129, Improper Validation of Array Index | ||
| ARR30-C | CWE-788, Access of Memory Location after End of Buffer | ||
| ARR36-C | CWE-469, Use of Pointer Subtraction to Determine Size | ||
| ARR37-C | CWE-469, Use of Pointer Subtraction to Determine Size | ||
| ARR38-C | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | ||
| ARR38-C | CWE-121, Stack-based Buffer Overflow | ||
| ARR38-C | CWE-123, Write-what-where Condition | ||
| ARR38-C | CWE-125, Out-of-bounds Read | ||
| ARR38-C | CWE-805, Buffer Access with Incorrect Length Value | ||
| ARR39-C | CWE-468, Incorrect Pointer Scaling | ||
| STR31-C | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | ||
| STR31-C | CWE-120, Buffer Copy without Checking Size of Input ("Classic Buffer Overflow") | ||
| STR31-C | CWE-123, Write-what-where Condition | ||
| STR31-C | CWE-125, Out-of-bounds Read | ||
| STR31-C | CWE-193, Off-by-one Error | ||
| STR32-C | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | ||
| STR32-C | CWE-123, Write-what-where Condition | ||
| STR32-C | CWE-125, Out-of-bounds Read | ||
| STR32-C | CWE-170, Improper Null Termination | ||
| STR34-C | CWE-704, Incorrect Type Conversion or Cast | ||
| STR37MSC41-C | CWE-704, Incorrect Type Conversion or Cast | ||
| STR37-C | CWE-686, Function Call with Incorrect Argument Type | ||
| MEM30-C | CWE-415, Double Free | ||
| MEM30-C | CWE-416, Use After Free | ||
| MEM31-C | CWE-401, Improper Release of Memory Before Removing Last Reference ("Memory Leak") | ||
| MEM34-C | CWE-590, Free of Memory Not on the Heap | ||
| MEM35-C | CWE-131, Incorrect Calculation of Buffer Size | ||
| MEM35-C | CWE-190, Integer Overflow or Wraparound | ||
| MEM35-C | CWE-467, Use of sizeof() on a Pointer Type | ||
| FIO30-C | CWE-134, Uncontrolled Format String | ||
| FIO30-C | CWE-20, Improper Input Validation | ||
| FIO32-C | CWE-67, Improper Handling of Windows Device Names | ||
| FIO37-C | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | ||
| FIO37-C | CWE-123, Write-what-where Condition | ||
| FIO37-C | CWE-125, Out-of-bounds Read | ||
| FIO37-C | CWE-241, Improper Handling of Unexpected Data Type | ||
| FIO42-C | CWE-404, Improper Resource Shutdown or Release | ||
| FIO47-C | CWE-686, Function Call with Incorrect Argument Type | ||
| ENV32-C | CWE-705, Incorrect Control Flow Scoping | ||
| ENV33-C | CWE-78, Improper Neutralization of Special Elements Used in an OS Command (aka "OS Command Injection") | ||
| ENV33-C | CWE-88, Argument Injection or Modification | ||
| SIG30-C | CWE-479, Signal Handler Use of a Non-reentrant Function | ||
| SIG31-C | CWE-662, Improper Synchronization | ||
| SIG34-C | CWE-479, Signal Handler Use of a Non-reentrant Function | ||
| ERR30-C | CWE-456, Missing Initialization of a Variable | ||
| ERR33-C | CWE-252, Unchecked Return Value | ||
| ERR33-C | CWE-253, Incorrect Check of Function Return Value | ||
| ERR33-C | CWE-390, Detection of Error Condition without Action | ||
| ERR33-C | CWE-391, Unchecked Error Condition | ||
| ERR33-C | CWE-476, NULL Pointer Dereference | ||
| ERR34-C | CWE-676, Use of potentially dangerous function | ||
| ERR34-C | CWE-20, Insufficient input validation | ||
| CON31-C | CWE-667, Improper Locking | ||
| CON35-C | CWE-764, Multiple Locks of a Critical Resource | ||
| CON40-C | CWE-366, Race Condition within a Thread | ||
| CON40-C | CWE-413, Improper Resource Locking | ||
| CON40-C | CWE-567, Unsynchronized Access to Shared Data in a Multithreaded Context | ||
| CON40-C | CWE-667, Improper Locking | ||
| CON43-C | CWE-366, Race condition within a thread | ||
| MSC30-C | CWE-327, Use of a Broken or Risky Cryptographic Algorithm | ||
| MSC30-C | CWE-330, Use of Insufficiently Random Values | ||
| MSC30-C | CWE-331, Insufficient Entropy | ||
| MSC30-C | CWE-338, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | ||
| MSC32-C | CWE-327, Use of a Broken or Risky Cryptographic Algorithm | ||
| MSC32-C | CWE-330, Use of Insufficiently Random Values | ||
| MSC32-C | CWE-331, Insufficient Entropy | ||
| MSC32-C | CWE-338, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | ||
| POS30-C | CWE-170, Improper null termination | ||
| POS33-C | CWE-242, Use of inherently dangerous function | ||
| POS34-C | CWE-686, Function call with incorrect argument type | ||
| POS34-C | CWE-562, Return of stack variable address | ||
| POS35-C | CWE-363, Race condition enabling link following | ||
| POS35-C | CWE-365, Race condition in switch | ||
| POS36-C | CWE-250, Execution with unnecessary privileges | ||
| POS36-C | CWE-696, Incorrect behavior order | ||
| POS37-C | CWE-250, Execution with unnecessary privileges | ||
| POS37-C | CWE-273, Failure to check whether privileges were dropped successfully | ||
| POS48-C | CWE-667, Insufficient locking | ||
| POS51-C | CWE-764, Multiple locks of critical resources | ||
| POS54-C | CWE-252, Unchecked return value | ||
| POS54-C | CWE-253, Incorrect check of function return value | ||
| POS54-C | CWE-390, Detection of error condition without action | ||
| POS54-C | CWE-391, Unchecked error condition | ||
| API00-C | CWE-20, Insufficient input validation | ||
| API04-C | CWE-754, Improper check for unusual or exceptional conditions | ||
| ARR00-C | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | ||
| ARR00-C | CWE-123, Write-what-where Condition | ||
| ARR00-C | CWE-125, Out-of-bounds Read | ||
| ARR00-C | CWE-129, Unchecked array indexing | ||
| ARR01-C | CWE-467, Use of sizeof() on a pointer type | ||
| ARR02-C | CWE-665, Incorrect or incomplete initialization | ||
| 259, Use of Hard-Coded Password | |||
| MSC41-C | CWE-798, Use of Hard-Coded Credentials | ||
| API00-C | CWE-476 | ||
| API07-C | CWE-192 | ||
| API07-C | CWE-227 | ||
| API07-C | CWE-590 | ||
| API07-C | CWE-686 | ||
| API07-C | CWE-704 | ||
| API07-C | CWE-761 | ||
| API07-C | CWE-762 | ||
| API07-C | CWE-843 | ||
| ARR01-C | CWE-569 | ||
| ARR01-C | CWE-783 | ||
| CON05-C | CWE-557 | ||
| CON05-C | CWE-662 | CON06-C | CWE-667, Improper Locking |
| CON07-C | CWE-366, Race condition within a thread | ||
| CON07-C | CWE-413, Improper resource locking | ||
| CON07-C | CWE-567, Unsynchronized access to shared data in a multithreaded context | ||
| CON07-C | CWE-667, Improper locking | ||
| CON08-C | CWE-362, Concurrent execution using shared resource with improper synchronization ("race condition") | ||
| CON08-C | CWE-366, Race condition within a thread | ||
| CON08-C | CWE-662, Improper synchronization | ||
| DCL06-C | CWE-547, Use of hard-coded, security-relevant constants | ||
| DCL10-C | CWE-628, Function call with incorrectly specified arguments | ||
| ENV01-C | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | ||
| ENV01-C | CWE-123, Write-what-where Condition | ||
| ENV01-C | CWE-125, Out-of-bounds Read | ||
| ENV02-C | CWE-462, Duplicate key in associative list (Alist) | ||
| ENV02-C | CWE-807, Reliance on untrusted inputs in a security decision | ||
| ENV03-C | CWE-78, Failure to sanitize data into an OS command (aka "OS command injection") | ||
| ENV03-C | CWE-88, Argument injection or modification | ||
| ENV03-C | CWE-426, Untrusted search path | ||
| ENV03-C | CWE-471, Modification of Assumed-Immutable Data (MAID) | ||
| ENV03-C | CWE-807, Reliance on intrusted inputs in a security decision | ||
| ERR00-C | CWE-391, Unchecked error condition | ||
| ERR00-C | CWE-544, Missing standardized error handling mechanism | ||
| ERR04-C | CWE-705, Incorrect control flow scoping | ||
| ERR07-C | CWE-20, Improper Input Validation | ||
| ERR07-C | CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | ||
| ERR07-C | CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | ||
| ERR07-C | CWE-91, XML Injection (aka Blind XPath Injection) | ||
| ERR07-C | CWE-94, Improper Control of Generation of Code ('Code Injection') | ||
| ERR07-C | CWE-114, Process Control | ||
| ERR07-C | CWE-601, URL Redirection to Untrusted Site ('Open Redirect') | ||
| ERR07-C | CWE-676, Use of potentially dangerous function | ||
| EXP02-C | CWE-768, Incorrect short circuit evaluation | ||
| EXP05-C | CWE-704, Incorrect type conversion or cast | ||
| EXP08-C | CWE-468, Incorrect pointer scaling | ||
| EXP09-C | CWE-805, Buffer access with incorrect length value | ||
| EXP12-C | CWE-754, Improper check for unusual or exceptional conditions | ||
| EXP15-C | CWE-480, Use of incorrect operator | ||
| EXP16-C | CWE-480, Use of incorrect operator | ||
| EXP16-C | CWE-482, Comparing instead of assigning | ||
| FIO01-C | CWE-73, External control of file name or path | ||
| FIO01-C | CWE-367, Time-of-check, time-of-use race condition | ||
| FIO01-C | CWE-676, Use of potentially dangerous function | ||
| FIO02-C | CWE-22, Path traversal | ||
| FIO02-C | CWE-23, Relative Path Traversal | ||
| FIO02-C | CWE-28, Path Traversal: '..\filedir' | ||
| FIO02-C | CWE-40, Path Traversal: '\\UNC\share\name\' (Windows UNC Share) | ||
| FIO02-C | CWE-41, Failure to resolve path equivalence | ||
| FIO02-C | CWE-59, Failure to resolve links before file access (aka "link following") | ||
| FIO02-C | CWE-73, External control of file name or path | ||
| FIO05-C | CWE-37, Path issue—Slash absolute path | ||
| FIO05-C | CWE-38, Path Issue—Backslash absolute path | ||
| FIO05-C | CWE-39, Path Issue—Drive letter or Windows volume | ||
| FIO05-C | CWE-62, UNIX hard link | ||
| FIO05-C | CWE-64, Windows shortcut following (.LNK) | ||
| FIO05-C | CWE-65, Windows hard link | ||
| FIO06-C | CWE-276, Insecure default permissions | ||
| FIO06-C | CWE-279, Insecure execution-assigned permissions | ||
| FIO06-C | CWE-732, Incorrect permission assignment for critical resource | ||
| FIO15-C | CWE-379, Creation of temporary file in directory with insecure permissions | ||
| FIO15-C | CWE-552, Files or directories accessible to external parties | ||
| FIO21-C | CWE-379, Creation of temporary file in directory with insecure permissions | ||
| FIO22-C | CWE-403, UNIX file descriptor leak | ||
| FIO22-C | CWE-404, Improper resource shutdown or release | ||
| FIO22-C | CWE-770, Allocation of resources without limits or throttling | ||
| FIO24-C | CWE-362, Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition") | ||
| FIO24-C | CWE-675, Duplicate Operations on Resource | ||
| FLP03-C | CWE-369, Divide by zero | ||
| FLP06-C | CWE-681, Incorrect conversion between numeric types | ||
| FLP06-C | CWE-682, Incorrect calculation | ||
| INT02-C | CWE-192, Integer coercion error | ||
| INT02-C | CWE-197, Numeric truncation error | ||
| INT05-C | CWE-192, Integer coercion error | ||
| INT05-C | CWE-197, Numeric truncation error | ||
| INT07-C | CWE-682, Incorrect calculation | ||
| INT10-C | CWE-682, Incorrect calculation | ||
| INT10-C | CWE-129, Unchecked array indexing | ||
| INT13-C | CWE-682, Incorrect calculation | ||
| INT15-C | CWE-681, Incorrect conversion between numeric types | ||
| INT18-C | CWE-681, Incorrect conversion between numeric types | ||
| INT18-C | CWE-190, Integer overflow (wrap or wraparound) | ||
| MEM00-C | CWE-415, Double free | ||
| MEM00-C | CWE-416, Use after free | ||
| MEM01-C | CWE-415, Double free | ||
| MEM01-C | CWE-416, Use after free | ||
| MEM03-C | CWE-226, Sensitive information uncleared before release | ||
| MEM03-C | CWE-244, Failure to clear heap memory before release ("heap inspection") | ||
| MEM04-C | CWE-687, Function call with incorrectly specified argument value | ||
| MEM06-C | CWE-591, Sensitive data storage in improperly locked memory | ||
| MEM06-C | CWE-528, Information leak through core dump files | ||
| MEM07-C | CWE-190, Integer overflow (wrap or wraparound) | ||
| MEM07-C | CWE-128, Wrap-around error | ||
| MEM10-C | CWE-20, Improper Input Validation | ||
| MEM10-C | CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | ||
| MEM10-C | CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | ||
| MEM10-C | CWE-91, XML Injection (aka Blind XPath Injection) | ||
| MEM10-C | CWE-94, Improper Control of Generation of Code ('Code Injection') | ||
| MEM10-C | CWE-114, Process Control | ||
| MEM10-C | CWE-601, URL Redirection to Untrusted Site ('Open Redirect') | ||
| MEM11-C | CWE-770, Allocation of resources without limits or throttling | ||
| MSC00-C | CWE-563, Unused variable | ||
| MSC00-C | CWE-570, Expression is always false | ||
| MSC00-C | CWE-571, Expression is always true | ||
| MSC06-C | CWE-14, Compiler removal of code to clear buffers | ||
| MSC07-C | CWE-561, Dead code | ||
| MSC09-C | CWE-116, Improper encoding or escaping of output | ||
| MSC10-C | CWE-176, Failure to handle Unicode encoding | ||
| MSC10-C | CWE-116, Improper encoding or escaping of output | ||
| MSC11-C | CWE-190, Reachable assertion | ||
| MSC18-C | CWE-259, Use of Hard-coded Password | ||
| MSC18-C | CWE-261, Weak Cryptography for Passwords | ||
| MSC18-C | CWE-311, Missing encryption of sensitive data | ||
| MSC18-C | CWE-319, Cleartext Transmission of Sensitive Information | ||
| MSC18-C | CWE-321, Use of Hard-coded Cryptographic Key | ||
| MSC18-C | CWE-326, Inadequate encryption strength | ||
| MSC18-C | CWE-798, Use of hard-coded credentials | ||
| MSC24-C | CWE-20, Insufficient input validation | ||
| MSC24-C | CWE-73, External control of file name or path | ||
| MSC24-C | CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | ||
| MSC24-C | CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | ||
| MSC24-C | CWE-91, XML Injection (aka Blind XPath Injection) | ||
| MSC24-C | CWE-94, Improper Control of Generation of Code ('Code Injection') | ||
| MSC24-C | CWE-114, Process Control | ||
| MSC24-C | CWE-120, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | ||
| MSC24-C | CWE-192, Integer coercion error | ||
| MSC24-C | CWE-197, Numeric truncation error | ||
| MSC24-C | CWE-367, Time-of-check, time-of-use race condition | ||
| MSC24-C | CWE-464, Addition of data structure sentinel | ||
| MSC24-C | CWE-601, URL Redirection to Untrusted Site ('Open Redirect') | ||
| MSC24-C | CWE-676, Use of potentially dangerous function | ||
| POS01-C | CWE-59, Failure to resolve links before file access (aka "link following") | ||
| POS01-C | CWE-362, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | ||
| POS01-C | CWE-367, Time-of-check, time-of-use (TOCTOU) race condition | ||
| POS02-C | CWE-250, Execution with unnecessary privileges | ||
| POS02-C | CWE-272, Least privilege violation | ||
| PRE09-C | CWE-684, Failure to provide specified functionality | ||
| SIG00-C | CWE-662, Insufficient synchronization | ||
| STR02-C | CWE-88, Argument injection or modification | ||
| STR02-C | CWE-78, Failure to sanitize data into an OS command (aka "OS command injection") | ||
| STR03-C | CWE-170, Improper null termination | ||
| STR03-C | CWE-464, Addition of data structure sentinel | ||
| STR06-C | CWE-464, Addition of data structure sentinel | ||
| WIN02-C | CWE-250, Execution with unnecessary privileges | ||
| WIN02-C | CWE-272, Least privilege violation | ||
| WIN04-C | CWE-311, Missing encryption of sensitive data | ||
| WIN04-C | CWE-319, Cleartext Transmission of Sensitive Information |