Broken Access Control
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data. Now includes SSRF.
Security Misconfiguration
The application might be vulnerable if it is missing appropriate security hardening or has improperly configured permissions on cloud services.
Software Supply Chain Failures
Expanded from 'Vulnerable and Outdated Components' to address broader supply chain risks including unknown vulnerabilities introduced by third-parties, compromised packages, and build system attacks.
Cryptographic Failures
Failures related to cryptography which often lead to sensitive data exposure. This includes using weak algorithms, improper key management, and missing encryption.
Injection
Injection flaws occur when an application sends hostile data to an interpreter. This includes SQL, NoSQL, OS command, ORM, LDAP, and Expression Language injection.
Insecure Design
Insecure design is a broad category representing different weaknesses, expressed as missing or ineffective control design. This is distinct from implementation flaws.
Authentication Failures
Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks.
Data Integrity Failures
Data integrity failures relate to code and infrastructure that does not protect against integrity violations, including insecure deserialization and unsigned updates.
Security Logging and Alerting Failures
This category helps detect, escalate, and respond to active breaches. Without logging and alerting, breaches cannot be detected in time to respond.
Mishandling of Exceptional Conditions
A new category containing 24 CWEs focusing on improper error handling, logical errors, failing open, and other scenarios stemming from abnormal conditions that systems may encounter.