The product relies on third-party components that are not
actively supported or maintained by the original developer or a trusted proxy
for the original developer.
The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.
On-Chip Debug and Test Interface With Improper Access Control
20
Base
-
The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.
Use of a Cryptographic Primitive with a Risky Implementation
20
Base
-
To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.
The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.
If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().
Improper Clearing of Heap Memory Before Release ('Heap Inspection')
19
Variant
-
Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.
Insertion of Sensitive Information Into Debugging Code
18
Base
-
The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.