The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.
The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.
Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
1
Base
-
The code contains a function or method that
operates in a multi-threaded environment but owns an unsafe non-final
static storable or member data element.
Excessive Execution of Sequential Searches of Data Resource
1
Base
-
The product contains a data query against an SQL table or view
that is configured in a way that does not utilize an index and may cause
sequential searches to be performed.
Policy Privileges are not Assigned Consistently Between Control and Data Agents
1
Base
-
The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.
Missing Write Protection for Parametric Data Values
1
Base
-
The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.
Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
1
Base
-
The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.
Use of Blocking Code in Single-threaded, Non-blocking Context
1
Base
-
The product uses a non-blocking model that relies on a single threaded process
for features such as scalability, but it contains code that can block when it is invoked.
When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.
ASP.NET Misconfiguration: Password in Configuration File
0
Variant
-
Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory.
The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.