| # | OWASP Top 10 (2021) | CWE | CWE Top 25 rank |
|---|---|---|---|
| 1 | A01:2021 Broken Access Control | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 8 |
| | | CWE-276: Incorrect Default Permissions | 25 |
| | | CWE-352: Cross-Site Request Forgery (CSRF) | 9 |
| | | CWE-862: Missing Authorization | 11 |
| | | CWE-863: Incorrect Authorization | 24 |
| 2 | A02:2021 Cryptographic Failures | – | – |
| 3 | A03:2021 Injection | CWE-20: Improper Input Validation | 6 |
| | | CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 16 |
| | | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 5 |
| | | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 2 |
| | | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3 |
| | | CWE-94: Improper Control of Generation of Code (‘Code Injection’) | 23 |
| 4 | A04:2021 Insecure Design | CWE-269: Improper Privilege Management | 22 |
| | | CWE-434: Unrestricted Upload of File with Dangerous Type | 10 |
| 5 | A05:2021 Security Misconfiguration | – | – |
| 6 | A06:2021 Vulnerable and Outdated Components | – | – |
| 7 | A07:2021 Identification and Authentication Failures | CWE-287: Improper Authentication | 13 |
| | | CWE-306: Missing Authentication for Critical Function | 20 |
| | | CWE-798: Use of Hard-coded Credentials | 18 |
| 8 | A08:2021 Software and Data Integrity Failures | CWE-502: Deserialization of Untrusted Data | 15 |
| 9 | A09:2021 Security Logging and Monitoring Failures | – | – |
| 10 | A10:2021 Server-Side Request Forgery (SSRF) | CWE-918: Server-Side Request Forgery (SSRF) | 19 |
| – | – | CWE-787: Out-of-bounds Write | 1 |
| – | – | CWE-416: Use After Free | 4 |
| – | – | CWE-125: Out-of-bounds Read | 7 |
| – | – | CWE-476: NULL Pointer Dereference | 12 |
| – | – | CWE-190: Integer Overflow or Wraparound | 13 |
| – | – | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer | 17 |
| – | – | CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 21 |