CWEs that violate the OWASP Mobile standard
This table lists all the CWEs that can cause an application to fail a policy that includes an OWASP Mobile policy rule. An X in the Static support column means Veracode Static Analysis can detect the CWE; a CWE without an X (for example, CWE 296 and CWE 378) is still covered by the rule but will not be reported by a static scan alone.
| CWE ID | CWE name | Static support | Veracode severity |
|---|---|---|---|
| 15 | External Control of System or Configuration Setting | X | 4 - High |
| 73 | External Control of File Name or Path | X | 3 - Medium |
| 77 | Improper Neutralization of Special Elements in a Command | X | 5 - Very High |
| 78 | Improper Neutralization of Special Elements in an OS Command | X | 5 - Very High |
| 80 | Improper Neutralization of Script Related HTML Tags | X | 3 - Medium |
| 88 | Improper Neutralization of Argument Delimiters | X | 3 - Medium |
| 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | X | 4 - High |
| 114 | Process Control | X | 5 - Very High |
| 183 | Permissive List of Allowed Inputs | X | 3 - Medium |
| 201 | Information Exposure Through Sent Data | X | 2 - Low |
| 209 | Information Exposure Through an Error Message | X | 2 - Low |
| 215 | Information Exposure Through Debug Information | X | 2 - Low |
| 242 | Use of Inherently Dangerous Function | X | 5 - Very High |
| 252 | Unchecked Return Value | X | 2 - Low |
| 256 | Unprotected Storage of Credentials | X | 3 - Medium |
| 259 | Use of Hard-coded Password | X | 3 - Medium |
| 287 | Improper Authentication | X | 4 - High |
| 296 | Improper Following of a Certificate's Chain of Trust | | 3 - Medium |
| 297 | Improper Validation of Certificate with Host Mismatch | X | 3 - Medium |
| 311 | Missing Encryption of Sensitive Data | X | 3 - Medium |
| 312 | Cleartext Storage of Sensitive Information | X | 3 - Medium |
| 313 | Cleartext Storage in a File or on Disk | X | 3 - Medium |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | 3 - Medium |
| 319 | Cleartext Transmission of Sensitive Information | X | 3 - Medium |
| 321 | Use of Hard-coded Cryptographic Key | X | 3 - Medium |
| 326 | Inadequate Encryption Strength | X | 3 - Medium |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | 3 - Medium |
| 329 | Not Using a Random IV with CBC Mode | X | 2 - Low |
| 331 | Insufficient Entropy | X | 3 - Medium |
| 345 | Insufficient Verification of Data Authenticity | X | 4 - High |
| 347 | Improper Verification of Cryptographic Signature | X | 2 - Low |
| 354 | Improper Validation of Integrity Check Value | X | 3 - Medium |
| 377 | Insecure Temporary File | X | 3 - Medium |
| 378 | Creation of Temporary File With Insecure Permissions | | 3 - Medium |
| 404 | Improper Resource Shutdown | X | 0 - Informational |
| 415 | Double Free | X | 3 - Medium |
| 416 | Use After Free | X | 2 - Low |
| 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | X | 3 - Medium |
| 489 | Leftover Debug Code | X | 3 - Medium |
| 497 | Exposure of System Data to an Unauthorized Control Sphere | X | 2 - Low |
| 501 | Trust Boundary Violation | X | 3 - Medium |
| 506 | Embedded Malicious Code | X | 4 - High |
| 511 | Logic/Time Bomb | X | 5 - Very High |
| 514 | Covert Channel | X | 2 - Low |
| 522 | Insufficiently Protected Credentials | X | 3 - Medium |
| 601 | URL Redirection to Untrusted Site | X | 3 - Medium |
| 614 | Sensitive Cookie without Secure Attribute | X | 2 - Low |
| 676 | Use of Potentially Dangerous Function | X | 3 - Medium |
| 693 | Protection Mechanism Failure | X | 3 - Medium |
| 732 | Incorrect Permission Assignment for Critical Resource | X | 3 - Medium |
| 757 | Selection of Less Secure Algorithm During Negotiation | X | 3 - Medium |
| 798 | Use of Hard-coded Credentials | X | 3 - Medium |