Search by CWE identifier - CERT CVE

CWE list

CWE ID Description
CWE-32 The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory.
CWE-321 The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
CWE-322 The software performs a key exchange with an actor without verifying the identity of that actor.
CWE-323 Nonces should be used for the present occasion and only once.
CWE-324 The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
CWE-325 The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by that algorithm.
CWE-326 The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CWE-327 The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
CWE-328 The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.
CWE-329 Not using a random Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.