Mitre CWE Top 25 Weaknesses

2021 Common Weakness Enumeration (CWE) 25 Most Dangerous Software Weaknesses

NOTE: Some weaknesses from this list are not applicable since they only apply to certain software languages which LunaSec does not support.

| Vulnerability | Description | LunaSec Mitigation |
|---|---|---|
| (2) Cross Site Scripting (XSS) | https://cwe.mitre.org/data/definitions/79.html | XSS Mitigation |
| (4) Improper Input Validation | https://cwe.mitre.org/data/definitions/20.html | The LunaSec Tokenizer only ever treats data as data when it is being stored. In the LunaSec Secure Frame, there are hardened data validators which can enforce validation for certain formats (e.g. credit card numbers). |
| (5) OS Command Injection | https://cwe.mitre.org/data/definitions/78.html | Code Injection Mitigation |
| (6) SQL Injection | https://cwe.mitre.org/data/definitions/89.html | SQL Injection Mitigation |
| (9) Cross-Site Request Forgery (CSRF) | https://cwe.mitre.org/data/definitions/352.html | SQL Injection Mitigation |
| (10) Unrestricted Upload of File with Dangerous Type | https://cwe.mitre.org/data/definitions/434.html | Using blob storage such as S3 to securely store sensitive data means that the data will only ever be treated as data. If file processing needs to be performed on files uploaded to LunaSec, using LunaSec Functions will greatly reduce the impact of this vulnerability if it exists in your application's code or in a third-party library you might use. |
| (11) Missing Authentication for Critical Function | https://cwe.mitre.org/data/definitions/306.html | Improper Access Control Mitigation |
| (14) Improper Authentication | https://cwe.mitre.org/data/definitions/287.html | Improper Authentication Mitigation |
| (16) Use of Hard-coded Credentials | https://cwe.mitre.org/data/definitions/798.html | See (21) Insufficiently Protected Credentials |
| (18) Missing Authorization | https://cwe.mitre.org/data/definitions/862.html | In order to access the data corresponding to a token in the LunaSec Stack, a valid authorization grant must exist for the requesting user. Even with this system, it is possible for a grant to simply be created for the user without a proper authorization check actually being performed. To address this, a LunaSec Secure Authorizer can be used to perform just-in-time authorization checks at the moment a token is being detokenized. |
| (19) Incorrect Default Permissions | https://cwe.mitre.org/data/definitions/276.html | The LunaSec Stack is designed to be as secure as possible at each level of configuration. Higher security levels provide more security guarantees by default, thereby decreasing the risk of a vulnerable default configuration. |
| (20) Exposure of Sensitive Information to an Unauthorized Actor | https://cwe.mitre.org/data/definitions/200.html | Information Disclosure Mitigation |
| (21) Insufficiently Protected Credentials | https://cwe.mitre.org/data/definitions/522.html | The encryption keys used to encrypt the sensitive data given to LunaSec are themselves encrypted at rest in a hardened database. Additionally, the Tokenizer Secret, which is used as part of the encryption process, is stored in AWS Secrets Manager. If the Level 5 security configuration is in use, the Cloud HSM further protects against this vulnerability by locking the Tokenizer Secret in dedicated hardware. |
| (22) Incorrect Permission Assignment for a Critical Resource | https://cwe.mitre.org/data/definitions/732.html | See (19) Incorrect Default Permissions |
| (24) Server-Side Request Forgery (SSRF) | https://cwe.mitre.org/data/definitions/918.html | Server Side Request Forgery |
| (25) Command Injection | https://cwe.mitre.org/data/definitions/77.html | Code Injection Mitigation |