Collaborate Disseminate
I want to give good illustrations for CWEs in C/C++. I define "good" as follows:
Most of the time when we want to illustrate stack overflow (CWE-121), we will show the following code (taken from https://cwe.mitre.org/data/definit… Continue reading What are some good examples to illustrate CWE in C? [closed]
In my work, we use a database to collect information about vulnerabilities which have CVE-ids assigned to them. One of these data is the CWE, which we store in a single column directly in the table containing the CVEs. The question is whet… Continue reading Can a single CVE have multiple CWEs? [closed]
Use-after-free and OS command injection vulnerabilities reach the top five most dangerous software weaknesses in the 2023 CWE Top 25 list.
The post MITRE Updates CWE Top 25 Most Dangerous Software Weaknesses appeared first on SecurityWeek.
Continue reading MITRE Updates CWE Top 25 Most Dangerous Software Weaknesses
I’m doing a vulnerability assessment for a whole slew of web servers, and almost every single one of them (hundreds) are misconfigured like the following two examples:
Case 1: one or more hostnames resolve to the server’s IP address (let’s… Continue reading CWE for "Misconfigured server allows insecure https request to IP-addressed URL"?
The VBScript’s RegExp object used in Classic ASP allows one to set a pattern then execute it. If a user provides the search string, is it exploitable for IDS08-J / CWE-625 (Permissive Regex)? Or does the RegExp object sanitize input to … Continue reading Is VBScript RegExp object exploitable with a code injection or does it escape special characters?
I’m looking for the relevant CWE’s for specific attacks against prompt-based language ML models, such as GPT-3, GPT-4 etc.
Specifically:
Prompt Injection: Amending prompts with malicious input to change the output of the model in ways not… Continue reading CWEs for Language Machine Learning Models
When I looked up hardcoded password vulnerability in software world, I saw there are three kinds of vulnerabilities. These are that:
CWE-798: Use of Hard-coded Credentials
The Hardcoded Creds vulnerability definition:
"The software c… Continue reading Why are there multiple "Hardcoded Password" Entries in CWE instead of single one?
When I investigated the Google results, the software vulnerability "Hardcoded Password" (cwe-798 & cwe-259) is a vulnerability for IoT devices’ software (see: link1) and thick client software (see: link2, link3). When passwor… Continue reading What types of software can have "Hardcoded Password" vulnerability?
I have googled to the ends of the earth and I cannot find a static analysis tool for Python code that includes an analysis based on the Common Weakness Enumeration (CWE) list. Bandit seems like functionally it does what I want but I have a… Continue reading CWE Static Analysis Tool for Python [closed]
Cybersecurity threats are rising fast, leading enterprises that build applications to look more closely at security measures built on precautionary principles, including threat modeling, which has become core to ensuring applications can withstand fut… Continue reading Threat Modeling in the Age of Automation