Mitre CWE Top 25 Weaknesses

2021 Common Weakness Enumeration (CWE) 25 Most Dangerous Software Weaknesses

NOTE: Some weaknesses from this list are not applicable since they only apply to certain software languages which LunaSec does not support.

| Vulnerability | LunaSec Mitigation |
|---|---|
| (2) Cross Site Scripting (XSS) | XSS Mitigation |
| (4) Improper Input Validation | The LunaSec Tokenizer only ever treats data as data when it is being stored. In the LunaSec Secure Frame, there are hardened data validators which can enforce validation for certain formats (e.g. credit card numbers). |
| (5) OS Command Injection | Injection Mitigation |
| (6) SQL Injection | Injection Mitigation |
| (9) Cross-Site Request Forgery (CSRF) | Injection Mitigation |
| (10) Unrestricted Upload of File with Dangerous Type | Using blob storage such as S3 to securely store sensitive data means that data will only ever be treated as data. If file processing needs to be performed on files uploaded to LunaSec, using LunaSec Functions will greatly reduce the impact of this vulnerability if it exists in your application's code or in a third-party library you use. |
| (11) Missing Authentication for Critical Function | Access Control Mitigation |
| (14) Improper Authentication | Authentication Mitigation |
| (16) Use of Hard-coded Credentials | See (21) Insufficiently Protected Credentials |
| (18) Missing Authorization | In order to access the data corresponding to a token in the LunaSec Stack, a valid authorization grant must exist for the requesting user. Even with this system, it is possible for a grant to simply be created for the user without a proper authorization check actually being performed. To solve this issue, a LunaSec Secure Authorizer can be used to perform just-in-time authorization checks at the moment a token is being detokenized. |
| (19) Incorrect Default Permissions | The LunaSec Stack is designed to be as secure as possible at each level of configuration. Higher security levels provide more security guarantees by default, decreasing the risk of a vulnerable default configuration. |
| (20) Exposure of Sensitive Information to an Unauthorized Actor | Disclosure Mitigation |
| (21) Insufficiently Protected Credentials | The keys used for encrypting the sensitive data given to LunaSec are themselves encrypted at rest in a hardened database. Additionally, the Tokenizer Secret, which is used as part of the encryption process, is stored in AWS Secrets Manager. If the Level 5 security configuration is in use, the Cloud HSM protects against this weakness even further by locking the Tokenizer Secret in dedicated hardware. |
| (22) Incorrect Permission Assignment for a Critical Resource | See (19) Incorrect Default Permissions |
| (24) Server-Side Request Forgery (SSRF) | Server-Side Request Forgery Mitigation |
| (25) Command Injection | Injection Mitigation |
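The grant-versus-just-in-time distinction from the (18) Missing Authorization row, as an added illustration that is not LunaSec's own code: a toy tokenizer (the `Tokenizer`, `grant` and `detokenize` names and the authorizer signature are assumptions) where a grant mistakenly issued to the wrong user is enough to detokenize until an authorizer callback is consulted at detokenization time.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple
import secrets

# (requesting user, token, token owner) -> allowed?  Hypothetical signature.
Authorizer = Callable[[str, str, str], bool]


@dataclass
class Tokenizer:
    authorizer: Optional[Authorizer] = None
    _vault: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # token -> (owner, plaintext)
    _grants: Set[Tuple[str, str]] = field(default_factory=set)       # (user, token)

    def tokenize(self, owner: str, plaintext: str) -> str:
        token = "lunasec-" + secrets.token_hex(8)  # constructed token format
        self._vault[token] = (owner, plaintext)
        self._grants.add((owner, token))  # the owner is always granted access
        return token

    def grant(self, user: str, token: str) -> None:
        # A stored grant. Nothing here verifies that `user` should see the data;
        # this is exactly the gap the (18) row describes.
        self._grants.add((user, token))

    def detokenize(self, user: str, token: str) -> str:
        owner, plaintext = self._vault[token]
        if (user, token) not in self._grants:
            raise PermissionError("no grant for this user and token")
        # Just-in-time check at the moment of detokenization, if one is configured.
        if self.authorizer is not None and not self.authorizer(user, token, owner):
            raise PermissionError("authorizer denied the request")
        return plaintext


def run_scenario(use_authorizer: bool) -> Dict[str, str]:
    """A grant is issued to the wrong user by a buggy code path; who can read?"""
    acl = {"alice": {"alice", "billing-service"}}  # constructed: who may read alice's data

    def jit_check(user: str, token: str, owner: str) -> bool:
        return user in acl.get(owner, set())

    tk = Tokenizer(authorizer=jit_check if use_authorizer else None)
    token = tk.tokenize("alice", "4111 1111 1111 1111")  # constructed sample card number
    tk.grant("mallory", token)  # bug: grant created without any authorization check
    outcome = {}
    for user in ("alice", "billing-service", "mallory"):
        try:
            tk.detokenize(user, token)
            outcome[user] = "allowed"
        except PermissionError:
            outcome[user] = "denied"
    return outcome
```

Without the authorizer the mistaken grant lets `mallory` detokenize; with it, the ACL is re-checked on every detokenize call and the bad grant is harmless, while a principal with no grant at all is still refused either way.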