Questions tagged [cwe]

For CWE, Common Weakness Enumeration. Not to be confused with CVE.

CWE™ is a community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.

6 questions

5 votes · 1 answer

Categorizing a data leak which is intentionally / by carelessness / by design

I have found a publicly accessible web page which discloses person-related data when queried with matching input data. This is against the company's own data protection promise. I want to report responsibly with a proper description and…
Marcel

3 votes · 1 answer

Faults vs weaknesses

I am trying to make the link between faults and weaknesses (as defined by the Common Weakness Enumeration). The word "fault" is generally used in the reliability domain to designate the cause of an error, i.e., the cause of the deviation from a…
Ecterion

3 votes · 1 answer

How to find CAPEC items related to a CVE

Vulnerabilities with a CVE usually also have a CWE associated with them, but almost never a CAPEC. CWE's site also only very rarely points to related CAPEC items. Is there a way to find a CVE's related CAPEC items? Or a mapping from CWE items to…
drdrek

1 vote · 0 answers

CWE-611: Improper Restriction of XML External Entity Reference with XSL include

Veracode reports that the below code is susceptible to CWE-611: Improper Restriction of XML External Entity Reference. XslCompiledTransform transform = new XslCompiledTransform(); transform.Load(xslwithospath); StringWriter results = new…
Hoppe
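Added example for the CWE-611 question above; this is not the asker's code and not the code Veracode scanned. Load(string) compiles the stylesheet with the default XsltSettings and a default XmlUrlResolver, so the XSL file's own DOCTYPE, any xsl:include or xsl:import it carries, and the document() function can all reach URIs the application does not control, which is what a finding on that line is about. The version below reads the XSL through an XmlReader with DTDs prohibited and no resolver, passes XsltSettings.Default (document() and script disabled), and gives the compiler a resolver that only serves includes from one allow-listed directory. AllowListResolver, SafeXslt, includeRoot and the path parameters are names chosen for this example.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

// Resolver handed to XslCompiledTransform.Load; it is consulted for
// xsl:include / xsl:import only. It serves file: URIs under one directory
// and refuses everything else, so a stylesheet cannot pull in http://, UNC
// or arbitrary local paths. (Example class, not from the original post.)
sealed class AllowListResolver : XmlUrlResolver
{
    private readonly string _root;

    public AllowListResolver(string root)
    {
        // Normalise once so the prefix check cannot be bypassed with ".." segments.
        _root = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                + Path.DirectorySeparatorChar;
    }

    public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
    {
        if (!absoluteUri.IsFile)
            throw new XmlException("Refusing non-file stylesheet reference: " + absoluteUri);

        string path = Path.GetFullPath(absoluteUri.LocalPath);
        // Ordinal comparison; on a case-insensitive file system use OrdinalIgnoreCase.
        if (!path.StartsWith(_root, StringComparison.Ordinal))
            throw new XmlException("Refusing stylesheet reference outside " + _root + ": " + path);

        return base.GetEntity(absoluteUri, role, ofObjectToReturn);
    }
}

static class SafeXslt
{
    // Transforms the document at inputXmlPath with the stylesheet at xslPath.
    // Includes may only come from includeRoot. All three paths are assumed to
    // be supplied by trusted configuration, not by the request.
    public static string Transform(string xslPath, string inputXmlPath, string includeRoot)
    {
        var readerSettings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> is an error: no entity expansion at all
            XmlResolver = null                      // the reader itself never fetches external resources
        };

        var transform = new XslCompiledTransform();
        using (var xsl = XmlReader.Create(xslPath, readerSettings))
        {
            // XsltSettings.Default: EnableDocumentFunction = false, EnableScript = false.
            // The resolver argument governs xsl:include and xsl:import only.
            transform.Load(xsl, XsltSettings.Default, new AllowListResolver(includeRoot));
        }

        using (var input = XmlReader.Create(inputXmlPath, readerSettings))
        using (var output = new StringWriter())
        {
            transform.Transform(input, null, output);
            return output.ToString();
        }
    }
}
```

If the stylesheet has no includes at all, pass null as the resolver instead of AllowListResolver; the documentation for that overload states that external references are then not resolved, so an unexpected xsl:include fails instead of fetching. Included stylesheets are read by the XSLT compiler through the resolver, so for them the allow list is the control, not the XmlReaderSettings used for the top-level file. Whether a given scanner recognises this pattern as remediated is a question of its rule set; the settings above are what actually close the external-reference paths.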

0 votes · 2 answers

How can I map CVEs to their underlying CWE?

I was tasked with developing a consistent, relatively complete map for CVEs to CWEs at my internship, and I'm kind of at a loss finding a method to find a 1-to-1 way to map CVEs onto CWEs. Ideally, this would all be automated in the end. The format…

0 votes · 1 answer

CWE-234 - Snprintf Missing Parameter issues

We are scanning a third-party library using a well-known static analysis tool here. We keep getting: "Failure to Handle Missing Parameter CWE ID 234". I'm not a C developer, but I can't see what is different or wrong with the examples that have been…
Smitch