Breadcrumbs

NIST CWE Coverage

Overview

NIST is a comprehensive information security standard that provides a catalog of security and privacy controls for information systems and organizations. While initially designed for federal agencies, NIST has become widely adopted in the private sector, especially for organizations handling sensitive data, and serves as a comprehensive standard for information security and privacy protection across various industries.
This article organizes Common Weakness Enumerations (CWEs) relevant to NIST.

Each row in the table below outlines a specific compliance standard, categorized by the following columns:

  1. Compliance Standard: The specific category of the standard to which the CWE is mapped.

  2. Languages: Supported programming languages.

  3. CWE-ID: The relevant CWE for this standard, along with a short description.

NIST CWE Coverage

Compliance Standard

CWE-ID

SC-13: Cryptographic Protection

  • CWE-325: Missing Cryptographic Step

  • CWE-326: Inadequate Encryption Strength

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • CWE-328: Use of Weak Hash

  • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-347: Improper Verification of Cryptographic Signature

  • CWE-780: Use of RSA Algorithm without OAEP

  • CWE-916: Use of Password Hash With Insufficient Computational Effort

  • CWE-1204: Generation of Weak Initialization Vector (IV)

SC-23: Session Authenticity

  • CWE-352: Cross-Site Request Forgery (CSRF)

  • CWE-384: Session Fixation

SC-28: Protection of Information at Rest

  • CWE-256: Plaintext Storage of a Password

  • CWE-321: Use of Hard-coded Cryptographic Key

  • CWE-798: Use of Hard-coded Credentials

SC-5: Denial of Service Protection

  • CWE-1333: Inefficient Regular Expression Complexity

SC-5: Denial of Service Protection (P1)

  • CWE-400: Uncontrolled Resource Consumption

SI-10: Information Input Validation

  • CWE-20: Improper Input Validation

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-73: External Control of File Name or Path

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

  • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

  • CWE-117: Improper Output Neutralization for Logs

  • CWE-346: Origin Validation Error

  • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

  • CWE-501: Trust Boundary Violation

  • CWE-502: Deserialization of Untrusted Data

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

  • CWE-918: Server-Side Request Forgery (SSRF)

  • CWE-943: Improper Neutralization of Special Elements in Data Query Logic

  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine