The software allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

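As an added example (not code from the original page), the vulnerable string-built query beside its parameterized replacement, run against a constructed three-row SQLite table. The table contents, the column allow-list and the payloads are assumptions for the demonstration.

```python
import sqlite3

# Added example (constructed data): a three-row users table in an in-memory
# SQLite database stands in for the downstream component.
ALLOWED_SORT_COLUMNS = {"name", "secret"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b"), ("carol", "s3cr3t-c")],
    )
    return db


def lookup_vulnerable(db, name):
    """CWE-89: the caller-supplied name is spliced into the SQL text, so a
    quote character in it changes the statement the database executes."""
    sql = "SELECT name, secret FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()


def lookup_parameterized(db, name):
    """Fix: a bound parameter is sent as data and is never parsed as SQL."""
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


def list_sorted(db, column):
    """Placeholders cannot stand in for identifiers (table names, column
    names, ORDER BY targets); those must be checked against an allow-list
    before being spliced into the statement."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unknown sort column: {column!r}")
    return [row[0] for row in db.execute(f"SELECT name FROM users ORDER BY {column}")]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(lookup_vulnerable(db, payload))      # every row leaks
    print(lookup_parameterized(db, payload))   # no user has that literal name
```

Parameterization removes the class of bug for values; the identifier case in list_sorted is the one that still needs an allow-list, because no driver lets you bind a column name.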
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

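An added example (not from the original page) of the crafted-input pattern using a chained hash table: a hash the attacker can predict lets them choose keys that all land in one bucket, turning O(1) inserts and lookups into O(n) each and the whole batch into O(n^2). A keyed hash with a secret key removes the attacker's ability to pick colliders. The table, the weak hash, the fixed SECRET_KEY and the permutation-based key set are all constructed for the demonstration.

```python
import hashlib
from itertools import permutations

# Added example (constructed): a chained hash table whose bucket index comes
# from a caller-chosen hash function. SECRET_KEY is a fixed demo key; a real
# service would draw one from os.urandom at start-up.
SECRET_KEY = b"\x13" * 16
BUCKETS = 4096


class ChainedTable:
    def __init__(self, hash_fn, buckets=BUCKETS):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.probes = 0             # key comparisons performed: the cost we measure

    def _chain(self, key):
        return self.buckets[self.hash_fn(key) % len(self.buckets)]

    def insert(self, key, value):
        chain = self._chain(key)
        for i, (k, _) in enumerate(chain):
            self.probes += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def get(self, key):
        for k, v in self._chain(key):
            self.probes += 1
            if k == key:
                return v
        return None

    def longest_chain(self):
        return max(len(c) for c in self.buckets)


def weak_hash(key):
    """Order-insensitive: every anagram of a string lands in the same
    bucket, so an attacker can choose keys that all collide."""
    return sum(key.encode())


def keyed_hash(key):
    """Keyed hash: without SECRET_KEY the attacker cannot predict which keys
    collide, so the worst case cannot be forced from outside."""
    digest = hashlib.blake2b(key.encode(), key=SECRET_KEY, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def colliding_keys(n, base="abcdefgh"):
    """Attacker's crafted input: the first n permutations of `base`."""
    keys = []
    for p in permutations(base):
        keys.append("".join(p))
        if len(keys) == n:
            break
    return keys


def measure(hash_fn, keys, miss="hgfedcba"):
    """Insert all keys, then look up an absent key that shares their weak
    hash value; report how much work the table had to do."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, True)
    insert_probes, table.probes = table.probes, 0
    table.get(miss)
    return {"longest_chain": table.longest_chain(),
            "insert_probes": insert_probes,
            "miss_probes": table.probes}


if __name__ == "__main__":
    keys = colliding_keys(1000)
    print("weak ", measure(weak_hash, keys))    # quadratic: 499500 insert probes
    print("keyed", measure(keyed_hash, keys))
```

The detection signal is the same in production: a chain (or probe count) far above the load factor predicts is evidence of adversarial keys, not bad luck, and is worth alerting on.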
The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

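An added example (not from the original page): the filter built with and without RFC 4515 value escaping, evaluated against a constructed three-entry directory by a minimal filter matcher. The matcher only covers the subset this code emits (&, |, !, and attr=value with * wildcards) and is an assumption standing in for a real LDAP server; the directory contents and the payloads are likewise constructed.

```python
import re

# Added example (constructed): a three-entry in-memory directory and a
# minimal evaluator for the filter subset this code builds; it is not an
# LDAP client or server.
DIRECTORY = [
    {"uid": ["alice"], "objectclass": ["person"], "cn": ["Alice Adams"]},
    {"uid": ["bob"], "objectclass": ["person"], "cn": ["Bob Brown"]},
    {"uid": ["svc-backup"], "objectclass": ["account"], "cn": ["Backup Service"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping of a value inserted into a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter_vulnerable(uid):
    # CWE-90: the uid is spliced into the filter unescaped
    return f"(&(uid={uid})(objectClass=person))"


def build_filter_safe(uid):
    return f"(&(uid={escape_filter_value(uid)})(objectClass=person))"


def parse_filter(s, i=0):
    """Recursive descent over '(op ...)' and '(attr=value)'; returns (node, next_i)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)          # an escaped ')' is '\29', never a raw ')'
    return ("=", s[i:eq].lower(), s[eq + 1:close]), close + 1


def value_pattern(value):
    """Filter value to regex: an unescaped '*' is a wildcard, '\\xx' a literal."""
    pieces, buf, i = [], "", 0
    while i < len(value):
        if value[i] == "\\":
            buf += chr(int(value[i + 1:i + 3], 16))
            i += 3
        elif value[i] == "*":
            pieces.append(buf)
            buf, i = "", i + 1
        else:
            buf += value[i]
            i += 1
    pieces.append(buf)
    return ".*".join(re.escape(p) for p in pieces)


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    pat = value_pattern(value)
    return any(re.fullmatch(pat, v, re.IGNORECASE) for v in entry.get(attr, []))


def search(filter_str, directory=DIRECTORY):
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return sorted(e["uid"][0] for e in directory if matches(node, e))


if __name__ == "__main__":
    print(search(build_filter_vulnerable("*")))   # ['alice', 'bob']: every person
    print(search(build_filter_safe("*")))         # []: only a uid literally named '*'
```

Escaping covers values inside a filter; a distinguished name built from user input is escaped under different rules (RFC 4514), and attribute names, like SQL identifiers, need an allow-list rather than escaping.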
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

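An added example (not code from the original page): a small request router that exposes a costly export operation, once with no authentication and once behind HMAC-signed session tokens that are verified before any work is done. The router, the token format, the fixed SESSION_KEY and the /admin/export route are all constructed for the demonstration; a real deployment would load the key from a secret store and rotate it.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Added example (constructed): a tiny request router with HMAC-signed
# session tokens. SESSION_KEY is a fixed demo key; real deployments load it
# from a secret store and rotate it.
SESSION_KEY = b"constructed-demo-key-do-not-use"


def _sign(payload: bytes) -> str:
    return hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(user, ttl=3600, now=None):
    """Token = urlsafe_b64(JSON claims) '.' hex(HMAC-SHA256 over the JSON)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": now + ttl}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_token(token, now=None):
    """Return the authenticated user, or None if the token is malformed,
    forged (signature mismatch) or expired."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):   # constant-time compare
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def tamper(token, new_user):
    """Attacker rewrites the claims without knowing SESSION_KEY."""
    b64, sig = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(b64))
    claims["sub"] = new_user
    forged = json.dumps(claims).encode()
    return base64.urlsafe_b64encode(forged).decode() + "." + sig


class Router:
    def __init__(self):
        self.routes = {}

    def add(self, path, handler, auth_required):
        self.routes[path] = (handler, auth_required)

    def handle(self, path, token=None, now=None):
        handler, auth_required = self.routes[path]
        user = verify_token(token, now) if token else None
        if auth_required and user is None:
            return 401, "authentication required"   # refused before any work
        return 200, handler(user)


def export_report(user):
    """Stands in for an expensive operation: CWE-306 covers resource-heavy
    functionality as well as functionality bound to an identity."""
    return f"export generated for {user or 'anonymous'}"


def build(auth_required):
    router = Router()
    router.add("/admin/export", export_report, auth_required)
    return router


VULNERABLE = build(auth_required=False)   # CWE-306: anyone can trigger the export
FIXED = build(auth_required=True)

if __name__ == "__main__":
    print(VULNERABLE.handle("/admin/export"))
    print(FIXED.handle("/admin/export"))
    print(FIXED.handle("/admin/export", issue_token("alice")))
```

The check runs in the router rather than in each handler so that a route added later cannot forget it; the safer default is auth_required=True with explicit opt-out for the few routes that are meant to be anonymous.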