CWE is a community-developed list of common software and hardware weakness
types that have security ramifications. A “weakness” is a condition in a software, firmware, hardware, or
service component that, under certain circumstances, could contribute to the introduction of
vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to
identify and describe these weaknesses in terms of CWEs.

| CWE Number | Name |
|---|---|
| CWE-510 | Trapdoor |
| CWE-511 | Logic/Time Bomb |
| CWE-512 | Spyware |
| CWE-514 | Covert Channel |
| CWE-515 | Covert Storage Channel |
| CWE-516 | DEPRECATED: Covert Timing Channel |
| CWE-520 | .NET Misconfiguration: Use of Impersonation |
| CWE-521 | Weak Password Requirements |
| CWE-522 | Insufficiently Protected Credentials |
| CWE-523 | Unprotected Transport of Credentials |
| CWE-524 | Use of Cache Containing Sensitive Information |
| CWE-525 | Use of Web Browser Cache Containing Sensitive Information |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable |
| CWE-527 | Exposure of Version-Control Repository to an Unauthorized Control Sphere |
| CWE-528 | Exposure of Core Dump File to an Unauthorized Control Sphere |
| CWE-529 | Exposure of Access Control List Files to an Unauthorized Control Sphere |
| CWE-530 | Exposure of Backup File to an Unauthorized Control Sphere |
| CWE-531 | Inclusion of Sensitive Information in Test Code |
| CWE-532 | Insertion of Sensitive Information into Log File |
| CWE-533 | DEPRECATED: Information Exposure Through Server Log Files |
| CWE-534 | DEPRECATED: Information Exposure Through Debug Log Files |
| CWE-535 | Exposure of Information Through Shell Error Message |
| CWE-536 | Servlet Runtime Error Message Containing Sensitive Information |
| CWE-537 | Java Runtime Error Message Containing Sensitive Information |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| CWE-540 | Inclusion of Sensitive Information in Source Code |
| CWE-541 | Inclusion of Sensitive Information in an Include File |
| CWE-542 | DEPRECATED: Information Exposure Through Cleanup Log Files |
| CWE-543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context |
| CWE-544 | Missing Standardized Error Handling Mechanism |
| CWE-545 | DEPRECATED: Use of Dynamic Class Loading |
| CWE-546 | Suspicious Comment |
| CWE-547 | Use of Hard-coded, Security-relevant Constants |
| CWE-548 | Exposure of Information Through Directory Listing |
| CWE-549 | Missing Password Field Masking |
| CWE-550 | Server-generated Error Message Containing Sensitive Information |
| CWE-551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization |
| CWE-552 | Files or Directories Accessible to External Parties |
| CWE-553 | Command Shell in Externally Accessible Directory |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework |
| CWE-555 | J2EE Misconfiguration: Plaintext Password in Configuration File |
| CWE-556 | ASP.NET Misconfiguration: Use of Identity Impersonation |
| CWE-558 | Use of getlogin() in Multithreaded Application |
| CWE-560 | Use of umask() with chmod-style Argument |
| CWE-561 | Dead Code |
| CWE-562 | Return of Stack Variable Address |
| CWE-563 | Assignment to Variable without Use |
| CWE-564 | SQL Injection: Hibernate |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking |