[
  {
    "instruction": "Could you provide a comprehensive definition for the CWE weakness \"Predictable from Observable State\" so our team can reference it?",
    "context": "",
    "output": "Certainly. Below is a comprehensive description of CWE Predictable from Observable State:\nA number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.",
    "category": "CWE_Flan",
    "instruction_type": "cwe_define",
    "parsed_raw_data": {
      "CWE-ID": 341,
      "Name": "Predictable from Observable State",
      "Weakness Abstraction": "Base",
      "Status": "Draft",
      "Description": "A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.",
      "Extended Description": "",
      "Related Weaknesses": "::NATURE:ChildOf:CWE ID:340:VIEW ID:1000:ORDINAL:Primary::",
      "Weakness Ordinalities": "",
      "Applicable Platforms": "::LANGUAGE CLASS:Not Language-Specific:LANGUAGE PREVALENCE:Undetermined::",
      "Background Details": "",
      "Alternate Terms": "",
      "Modes Of Introduction": "::PHASE:Architecture and Design::PHASE:Implementation:NOTE:REALIZATION: This weakness is caused during implementation of an architectural security tactic.::",
      "Exploitation Factors": "",
      "Likelihood of Exploit": "",
      "Common Consequences": "::SCOPE:Other:IMPACT:Varies by Context:NOTE:This weakness could be exploited by an attacker in a number of ways depending on the context. If a predictable number is used to generate IDs or keys that are used within protection mechanisms, then an attacker could gain unauthorized access to the system. If predictable filenames are used for storing sensitive information, then an attacker might gain access to the system and may be able to gain access to the information in the file.::",
      "Detection Methods": "",
      "Potential Mitigations": "::PHASE:Implementation:DESCRIPTION:Increase the entropy used to seed a PRNG.::PHASE:Architecture and Design Requirements:STRATEGY:Libraries or Frameworks:DESCRIPTION:Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (Approved Random Number Generators).::PHASE:Implementation:DESCRIPTION:Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.::",
      "Observed Examples": "::REFERENCE:CVE-2002-0389:DESCRIPTION:Mail server stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives.:LINK:https://www.cve.org/CVERecord?id=CVE-2002-0389::REFERENCE:CVE-2001-1141:DESCRIPTION:PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.:LINK:https://www.cve.org/CVERecord?id=CVE-2001-1141::REFERENCE:CVE-2000-0335:DESCRIPTION:DNS resolver library uses predictable IDs, which allows a local attacker to spoof DNS query results.:LINK:https://www.cve.org/CVERecord?id=CVE-2000-0335::REFERENCE:CVE-2005-1636:DESCRIPTION:MFV. predictable filename and insecure permissions allows file modification to execute SQL queries.:LINK:https://www.cve.org/CVERecord?id=CVE-2005-1636::",
      "Functional Areas": "",
      "Affected Resources": "",
      "Taxonomy Mappings": "::TAXONOMY NAME:PLOVER:ENTRY NAME:Predictable from Observable State::",
      "Related Attack Patterns": "",
      "Notes": "::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::"
    }
  },
  {
    "instruction": "Give me a succinct yet informative definition of the CWE weakness Direct Use of Unsafe JNI for inclusion in our risk register.",
    "context": "",
    "output": "Here is a succinct but informative definition of CWE Direct Use of Unsafe JNI:\nWhen a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java. Many safety features that programmers may take for granted do not apply for native code, so you must carefully review all such code for potential problems. The languages used to implement native code may be more susceptible to buffer overflows and other attacks. Native code is unprotected by the security features enforced by the runtime environment, such as strong typing and array bounds checking.",
    "category": "CWE_Flan",
    "instruction_type": "cwe_define",
    "parsed_raw_data": {
      "CWE-ID": 111,
      "Name": "Direct Use of Unsafe JNI",
      "Weakness Abstraction": "Variant",
      "Status": "Draft",
      "Description": "When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.",
      "Extended Description": "Many safety features that programmers may take for granted do not apply for native code, so you must carefully review all such code for potential problems. The languages used to implement native code may be more susceptible to buffer overflows and other attacks. Native code is unprotected by the security features enforced by the runtime environment, such as strong typing and array bounds checking.",
      "Related Weaknesses": "::NATURE:ChildOf:CWE ID:695:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:20:VIEW ID:700:ORDINAL:Primary::",
      "Weakness Ordinalities": "::ORDINALITY:Primary::",
      "Applicable Platforms": "::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::",
      "Background Details": "",
      "Alternate Terms": "",
      "Modes Of Introduction": "::PHASE:Implementation::",
      "Exploitation Factors": "",
      "Likelihood of Exploit": "",
      "Common Consequences": "::SCOPE:Access Control:IMPACT:Bypass Protection Mechanism::",
      "Detection Methods": "::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",
      "Potential Mitigations": "::PHASE:Implementation:DESCRIPTION:Implement error handling around the JNI call.::PHASE:Implementation:STRATEGY:Refactoring:DESCRIPTION:Do not use JNI calls if you don't trust the native library.::PHASE:Implementation:STRATEGY:Refactoring:DESCRIPTION:Be reluctant to use JNI calls. A Java API equivalent may exist.::",
      "Observed Examples": "",
      "Functional Areas": "",
      "Affected Resources": "",
      "Taxonomy Mappings": "::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:Unsafe JNI::TAXONOMY NAME:The CERT Oracle Secure Coding Standard for Java (2011):ENTRY ID:SEC08-J:ENTRY NAME:Define wrappers around native methods::TAXONOMY NAME:SEI CERT Oracle Coding Standard for Java:ENTRY ID:JNI01-J:ENTRY NAME:Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary)::TAXONOMY NAME:SEI CERT Oracle Coding Standard for Java:ENTRY ID:JNI00-J:ENTRY NAME:Define wrappers around native methods:MAPPING FIT:Imprecise::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP3:ENTRY NAME:Use of an improper API::",
      "Related Attack Patterns": "",
      "Notes": ""
    }
  },
  {
    "instruction": "Give me a succinct yet informative definition of the CWE weakness Cleartext Storage of Sensitive Information for inclusion in our risk register.",
    "context": "",
    "output": "Here is a succinct but informative definition of CWE Cleartext Storage of Sensitive Information:\nThe product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Because the information is stored in cleartext (i.e., unencrypted), attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. When organizations adopt cloud services, it can be easier for attackers to access the data from anywhere on the Internet. In some systems/environments such as cloud, the use of double encryption (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.",
    "category": "CWE_Flan",
    "instruction_type": "cwe_define",
    "parsed_raw_data": {
      "CWE-ID": 312,
      "Name": "Cleartext Storage of Sensitive Information",
      "Weakness Abstraction": "Base",
      "Status": "Draft",
      "Description": "The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.",
      "Extended Description": "Because the information is stored in cleartext (i.e., unencrypted), attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. When organizations adopt cloud services, it can be easier for attackers to access the data from anywhere on the Internet. In some systems/environments such as cloud, the use of double encryption (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.",
      "Related Weaknesses": "::NATURE:ChildOf:CWE ID:311:VIEW ID:1000:ORDINAL:Primary::NATURE:ChildOf:CWE ID:311:VIEW ID:1003:ORDINAL:Primary::NATURE:ChildOf:CWE ID:922:VIEW ID:1000::",
      "Weakness Ordinalities": "",
      "Applicable Platforms": "::LANGUAGE CLASS:Not Language-Specific:LANGUAGE PREVALENCE:Undetermined::TECHNOLOGY CLASS:Cloud Computing:TECHNOLOGY PREVALENCE:Undetermined::TECHNOLOGY CLASS:ICS/OT:TECHNOLOGY PREVALENCE:Undetermined::TECHNOLOGY CLASS:Mobile:TECHNOLOGY PREVALENCE:Undetermined::",
      "Background Details": "",
      "Alternate Terms": "",
      "Modes Of Introduction": "::PHASE:Architecture and Design:NOTE:OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.::",
      "Exploitation Factors": "",
      "Likelihood of Exploit": "",
      "Common Consequences": "::SCOPE:Confidentiality:IMPACT:Read Application Data:NOTE:An attacker with access to the system could read sensitive information stored in cleartext.::",
      "Detection Methods": "::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",
      "Potential Mitigations": "::PHASE:Implementation System Configuration Operation:DESCRIPTION:When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]::",
      "Observed Examples": "::REFERENCE:CVE-2022-30275:DESCRIPTION:Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.:LINK:https://www.cve.org/CVERecord?id=CVE-2022-30275::REFERENCE:CVE-2009-2272:DESCRIPTION:password and username stored in cleartext in a cookie:LINK:https://www.cve.org/CVERecord?id=CVE-2009-2272::REFERENCE:CVE-2009-1466:DESCRIPTION:password stored in cleartext in a file with insecure permissions:LINK:https://www.cve.org/CVERecord?id=CVE-2009-1466::REFERENCE:CVE-2009-0152:DESCRIPTION:chat program disables SSL in some circumstances even when the user says to use SSL.:LINK:https://www.cve.org/CVERecord?id=CVE-2009-0152::REFERENCE:CVE-2009-1603:DESCRIPTION:Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption:LINK:https://www.cve.org/CVERecord?id=CVE-2009-1603::REFERENCE:CVE-2009-0964:DESCRIPTION:storage of unencrypted passwords in a database:LINK:https://www.cve.org/CVERecord?id=CVE-2009-0964::REFERENCE:CVE-2008-6157:DESCRIPTION:storage of unencrypted passwords in a database:LINK:https://www.cve.org/CVERecord?id=CVE-2008-6157::REFERENCE:CVE-2008-6828:DESCRIPTION:product stores a password in cleartext in memory:LINK:https://www.cve.org/CVERecord?id=CVE-2008-6828::REFERENCE:CVE-2008-1567:DESCRIPTION:storage of a secret key in cleartext in a temporary file:LINK:https://www.cve.org/CVERecord?id=CVE-2008-1567::REFERENCE:CVE-2008-0174:DESCRIPTION:SCADA product uses HTTP Basic Authentication, which is not encrypted:LINK:https://www.cve.org/CVERecord?id=CVE-2008-0174::REFERENCE:CVE-2007-5778:DESCRIPTION:login credentials stored unencrypted in a registry key:LINK:https://www.cve.org/CVERecord?id=CVE-2007-5778::REFERENCE:CVE-2001-1481:DESCRIPTION:Plaintext credentials in world-readable file.:LINK:https://www.cve.org/CVERecord?id=CVE-2001-1481::REFERENCE:CVE-2005-1828:DESCRIPTION:Password in cleartext in config file.:LINK:https://www.cve.org/CVERecord?id=CVE-2005-1828::REFERENCE:CVE-2005-2209:DESCRIPTION:Password in cleartext in config file.:LINK:https://www.cve.org/CVERecord?id=CVE-2005-2209::REFERENCE:CVE-2002-1696:DESCRIPTION:Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.:LINK:https://www.cve.org/CVERecord?id=CVE-2002-1696::REFERENCE:CVE-2004-2397:DESCRIPTION:Plaintext storage of private key and passphrase in log file when user imports the key.:LINK:https://www.cve.org/CVERecord?id=CVE-2004-2397::REFERENCE:CVE-2002-1800:DESCRIPTION:Admin password in plaintext in a cookie.:LINK:https://www.cve.org/CVERecord?id=CVE-2002-1800::REFERENCE:CVE-2001-1537:DESCRIPTION:Default configuration has cleartext usernames/passwords in cookie.:LINK:https://www.cve.org/CVERecord?id=CVE-2001-1537::REFERENCE:CVE-2001-1536:DESCRIPTION:Usernames/passwords in cleartext in cookies.:LINK:https://www.cve.org/CVERecord?id=CVE-2001-1536::REFERENCE:CVE-2005-2160:DESCRIPTION:Authentication information stored in cleartext in a cookie.:LINK:https://www.cve.org/CVERecord?id=CVE-2005-2160::",
      "Functional Areas": "",
      "Affected Resources": "",
      "Taxonomy Mappings": "::TAXONOMY NAME:PLOVER:ENTRY NAME:Plaintext Storage of Sensitive Information::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP23:ENTRY NAME:Exposed Data::TAXONOMY NAME:ISA/IEC 62443:ENTRY ID:Part 4-2:ENTRY NAME:Req CR4.1A::TAXONOMY NAME:ISA/IEC 62443:ENTRY ID:Part 3-3:ENTRY NAME:Req SR4.1::",
      "Related Attack Patterns": "::37::",
      "Notes": "::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::"
    }
  },
  {
    "instruction": "I am compiling documentation\u2014please describe the Common Weakness Enumeration (CWE) entry \"Acceptance of Extraneous Untrusted Data With Trusted Data\" in plain language.",
    "context": "",
    "output": "Here is a plain-language description of CWE Acceptance of Extraneous Untrusted Data With Trusted Data:\nThe product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.",
    "category": "CWE_Flan",
    "instruction_type": "cwe_define",
    "parsed_raw_data": {
      "CWE-ID": 349,
      "Name": "Acceptance of Extraneous Untrusted Data With Trusted Data",
      "Weakness Abstraction": "Base",
      "Status": "Draft",
      "Description": "The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.",
      "Extended Description": "",
      "Related Weaknesses": "::NATURE:ChildOf:CWE ID:345:VIEW ID:1000:ORDINAL:Primary::",
      "Weakness Ordinalities": "",
      "Applicable Platforms": "::LANGUAGE CLASS:Not Language-Specific:LANGUAGE PREVALENCE:Undetermined::",
      "Background Details": "",
      "Alternate Terms": "",
      "Modes Of Introduction": "::PHASE:Implementation::",
      "Exploitation Factors": "",
      "Likelihood of Exploit": "",
      "Common Consequences": "::SCOPE:Access Control:SCOPE:Integrity:IMPACT:Bypass Protection Mechanism:IMPACT:Modify Application Data:NOTE:An attacker could package untrusted data with trusted data to bypass protection mechanisms to gain access to and possibly modify sensitive data.::",
      "Detection Methods": "",
      "Potential Mitigations": "",
      "Observed Examples": "::REFERENCE:CVE-2002-0018:DESCRIPTION:Does not verify that trusted entity is authoritative for all entities in its response.:LINK:https://www.cve.org/CVERecord?id=CVE-2002-0018::REFERENCE:CVE-2006-5462:DESCRIPTION:use of extra data in a signature allows certificate signature forging:LINK:https://www.cve.org/CVERecord?id=CVE-2006-5462::",
      "Functional Areas": "",
      "Affected Resources": "",
      "Taxonomy Mappings": "::TAXONOMY NAME:PLOVER:ENTRY NAME:Untrusted Data Appended with Trusted Data::TAXONOMY NAME:The CERT Oracle Secure Coding Standard for Java (2011):ENTRY ID:ENV01-J:ENTRY NAME:Place all security-sensitive code in a single JAR and sign and seal it::",
      "Related Attack Patterns": "::141::142::75::",
      "Notes": ""
    }
  },
  {
    "instruction": "Could you provide a comprehensive definition for the CWE weakness \"Spyware\" so our team can reference it?",
    "context": "",
    "output": "Certainly. Below is a comprehensive description of CWE Spyware:\nThe product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product. Spyware is a commonly used term with many definitions and interpretations. In general, it is meant to refer to products that collect information or install functionality that human users might not allow if they were fully aware of the actions being taken by the software. For example, a user might expect that tax software would collect a social security number and include it when filing a tax return, but that same user would not expect gaming software to obtain the social security number from that tax software's data.",
    "category": "CWE_Flan",
    "instruction_type": "cwe_define",
    "parsed_raw_data": {
      "CWE-ID": 512,
      "Name": "Spyware",
      "Weakness Abstraction": "Base",
      "Status": "Incomplete",
      "Description": "The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product.",
      "Extended Description": "Spyware is a commonly used term with many definitions and interpretations. In general, it is meant to refer to products that collect information or install functionality that human users might not allow if they were fully aware of the actions being taken by the software. For example, a user might expect that tax software would collect a social security number and include it when filing a tax return, but that same user would not expect gaming software to obtain the social security number from that tax software's data.",
      "Related Weaknesses": "::NATURE:ChildOf:CWE ID:506:VIEW ID:1000:ORDINAL:Primary::",
      "Weakness Ordinalities": "",
      "Applicable Platforms": "",
      "Background Details": "",
      "Alternate Terms": "",
      "Modes Of Introduction": "::PHASE:Architecture and Design::PHASE:Implementation::PHASE:Operation::",
      "Exploitation Factors": "",
      "Likelihood of Exploit": "",
      "Common Consequences": "::SCOPE:Confidentiality:IMPACT:Read Application Data::",
      "Detection Methods": "",
      "Potential Mitigations": "::PHASE:Operation:DESCRIPTION:Use spyware detection and removal software.::PHASE:Installation:DESCRIPTION:Always verify the integrity of the product that is being installed.::",
      "Observed Examples": "",
      "Functional Areas": "",
      "Affected Resources": "",
      "Taxonomy Mappings": "",
      "Related Attack Patterns": "",
      "Notes": ""
    }
  },
  {
    "instruction": "I am compiling documentation\u2014please describe the Common Weakness Enumeration (CWE) entry \"Small Seed Space in PRNG\" in plain language.",
    "context": "",
    "output": "Here is a plain-language description of CWE Small Seed Space in PRNG:\nA Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks. PRNGs are entirely deterministic once seeded, so it should be extremely difficult to guess the seed. If an attacker can collect the outputs of a PRNG and then brute force the seed by trying every possibility to see which seed matches the observed output, then the attacker will know the output of any subsequent calls to the PRNG. A small seed space implies that the attacker will have far fewer possible values to try to exhaust all possibilities.",
    "category": "CWE_Flan",
    "instruction_type": "cwe_define",
    "parsed_raw_data": {
      "CWE-ID": 339,
      "Name": "Small Seed Space in PRNG",
      "Weakness Abstraction": "Variant",
      "Status": "Draft",
      "Description": "A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.",
      "Extended Description": "PRNGs are entirely deterministic once seeded, so it should be extremely difficult to guess the seed. If an attacker can collect the outputs of a PRNG and then brute force the seed by trying every possibility to see which seed matches the observed output, then the attacker will know the output of any subsequent calls to the PRNG. A small seed space implies that the attacker will have far fewer possible values to try to exhaust all possibilities.",
      "Related Weaknesses": "::NATURE:ChildOf:CWE ID:335:VIEW ID:1000:ORDINAL:Primary::NATURE:PeerOf:CWE ID:341:VIEW ID:1000::",
      "Weakness Ordinalities": "",
      "Applicable Platforms": "::LANGUAGE CLASS:Not Language-Specific:LANGUAGE PREVALENCE:Undetermined::",
      "Background Details": "",
      "Alternate Terms": "",
      "Modes Of Introduction": "::PHASE:Implementation:NOTE:REALIZATION: This weakness is caused during implementation of an architectural security tactic.::",
      "Exploitation Factors": "",
      "Likelihood of Exploit": "",
      "Common Consequences": "::SCOPE:Other:IMPACT:Varies by Context::",
      "Detection Methods": "",
      "Potential Mitigations": "::PHASE:Architecture and Design:DESCRIPTION:Use well vetted pseudo-random number generating algorithms with adequate length seeds. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a random enough number.::PHASE:Architecture and Design Requirements:STRATEGY:Libraries or Frameworks:DESCRIPTION:Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.::",
      "Observed Examples": "::REFERENCE:CVE-2019-10908:DESCRIPTION:product generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has only a 48-bit seed.:LINK:https://www.cve.org/CVERecord?id=CVE-2019-10908::",
      "Functional Areas": "",
      "Affected Resources": "",
      "Taxonomy Mappings": "::TAXONOMY NAME:PLOVER:ENTRY NAME:Small Seed Space in PRNG::",
      "Related Attack Patterns": "",
      "Notes": "::TYPE:Maintenance:NOTE:This entry may have a chaining relationship with predictable from observable state (CWE-341).::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::"
    }
  },
  {
    "instruction": "Please fetch and present an official-style description of the CWE weakness \"J2EE Misconfiguration: Missing Custom Error Page\" for our secure-coding guide.",
    "context": "",
    "output": "Certainly. Here is an official-style description for CWE J2EE Misconfiguration: Missing Custom Error Page:\nThe default error page of a web application should not display sensitive information about the product. A Web application must define a default error page for 4xx errors (e.g. 404), 5xx (e.g. 500) errors and catch java.lang.Throwable exceptions to prevent attackers from mining information from the application container's built-in error response. When an attacker explores a web site looking for vulnerabilities, the amount of information that the site provides is crucial to the eventual success or failure of any attempted attacks.",
    "category": "CWE_Flan",
    "instruction_type": "cwe_define",
    "parsed_raw_data": {
      "CWE-ID": 7,
      "Name": "J2EE Misconfiguration: Missing Custom Error Page",
      "Weakness Abstraction": "Variant",
      "Status": "Incomplete",
      "Description": "The default error page of a web application should not display sensitive information about the product.",
      "Extended Description": "A Web application must define a default error page for 4xx errors (e.g. 404), 5xx (e.g. 500) errors and catch java.lang.Throwable exceptions to prevent attackers from mining information from the application container's built-in error response. When an attacker explores a web site looking for vulnerabilities, the amount of information that the site provides is crucial to the eventual success or failure of any attempted attacks.",
      "Related Weaknesses": "::NATURE:ChildOf:CWE ID:756:VIEW ID:1000:ORDINAL:Primary::",
      "Weakness Ordinalities": "",
      "Applicable Platforms": "::LANGUAGE NAME:Java:LANGUAGE PREVALENCE:Undetermined::",
      "Background Details": "",
      "Alternate Terms": "",
      "Modes Of Introduction": "::PHASE:Implementation::",
      "Exploitation Factors": "",
      "Likelihood of Exploit": "",
      "Common Consequences": "::SCOPE:Confidentiality:IMPACT:Read Application Data:NOTE:A stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.::",
      "Detection Methods": "",
      "Potential Mitigations": "::PHASE:Implementation:DESCRIPTION:Handle exceptions appropriately in source code.::PHASE:Implementation System Configuration:DESCRIPTION:Always define appropriate error pages. The application configuration should specify a default error page in order to guarantee that the application will never leak error messages to an attacker. Handling standard HTTP error codes is useful and user-friendly in addition to being a good security practice, and a good configuration will also define a last-chance error handler that catches any exception that could possibly be thrown by the application.::PHASE:Implementation:DESCRIPTION:Do not attempt to process an error or attempt to mask it.::PHASE:Implementation:DESCRIPTION:Verify return values are correct and do not supply sensitive information about the system.::",
      "Observed Examples": "",
      "Functional Areas": "",
      "Affected Resources": "",
      "Taxonomy Mappings": "::TAXONOMY NAME:7 Pernicious Kingdoms:ENTRY NAME:J2EE Misconfiguration: Missing Error Handling::",
      "Related Attack Patterns": "",
      "Notes": ""
    }
  },
  {
    "instruction": "Give me a succinct yet informative definition of the CWE weakness Exposure of Resource to Wrong Sphere for inclusion in our risk register.",
    "context": "",
    "output": "Here is a succinct but informative definition of CWE Exposure of Resource to Wrong Sphere:\nThe product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Resources such as files and directories may be inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the wrong object. For example, a program may intend that private files can only be provided to a specific user. This effectively defines a control sphere that is intended to prevent attackers from accessing these private files. If the file permissions are insecure, then parties other than the user will be able to access those files. A separate control sphere might effectively require that the user can only access the private files, but not any other files on the system. If the program does not ensure that the user is only requesting private files, then the user might be able to access other files on the system. In either case, the end result is that a resource has been exposed to the wrong party.",
    "category": "CWE_Flan",
    "instruction_type": "cwe_define",
    "parsed_raw_data": {
      "CWE-ID": 668,
      "Name": "Exposure of Resource to Wrong Sphere",
      "Weakness Abstraction": "Class",
      "Status": "Draft",
      "Description": "The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.",
      "Extended Description": "Resources such as files and directories may be inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the wrong object. For example, a program may intend that private files can only be provided to a specific user. This effectively defines a control sphere that is intended to prevent attackers from accessing these private files. If the file permissions are insecure, then parties other than the user will be able to access those files. A separate control sphere might effectively require that the user can only access the private files, but not any other files on the system. If the program does not ensure that the user is only requesting private files, then the user might be able to access other files on the system. In either case, the end result is that a resource has been exposed to the wrong party.",
      "Related Weaknesses": "::NATURE:ChildOf:CWE ID:664:VIEW ID:1000:ORDINAL:Primary::",
      "Weakness Ordinalities": "",
      "Applicable Platforms": "",
      "Background Details": "",
      "Alternate Terms": "",
      "Modes Of Introduction": "::PHASE:Architecture and Design::PHASE:Implementation:NOTE:REALIZATION: This weakness is caused during implementation of an architectural security tactic.::PHASE:Operation::",
      "Exploitation Factors": "",
      "Likelihood of Exploit": "",
      "Common Consequences": "::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Other:IMPACT:Read Application Data:IMPACT:Modify Application Data:IMPACT:Other::",
      "Detection Methods": "",
      "Potential Mitigations": "",
      "Observed Examples": "",
      "Functional Areas": "",
      "Affected Resources": "",
      "Taxonomy Mappings": "",
      "Related Attack Patterns": "",
      "Notes": "::TYPE:Mapping:NOTE:Use for Mapping: Discouraged (this CWE ID should not be used to map to real-world vulnerabilities). Rationale: CWE-668 is high-level and can be used as a catch-all when lower-level CWE IDs might be applicable. It is sometimes used for low-information vulnerability reports [REF-1287]. It is a level-1 Class (i.e., a child of a Pillar). It is not useful for trend analysis. Comments: closely analyze the specific mistake that is allowing the resource to be exposed, and perform a CWE mapping for that mistake.::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::"
    }
  },
  {
    "instruction": "For the CWE weakness titled \"Missing Origin Validation in WebSockets\", what definition should stakeholders be familiar with before mitigation planning?",
    "context": "",
    "output": "Of course. The following definition applies to CWE Missing Origin Validation in WebSockets:\nThe product uses a WebSocket, but it does not properly verify that the source of data or communication is valid. WebSockets provide bi-directional, low-latency (near real-time) communication between a client and a server. WebSockets differ from HTTP in that the connections are long-lived: the channel remains open until the client or the server is ready to send a message, whereas in HTTP, once the response occurs (which typically happens immediately), the transaction completes. A WebSocket can leverage the existing HTTP protocol over ports 80 and 443, but it is not limited to HTTP. WebSockets can make cross-origin requests that are not restricted by browser-based protection mechanisms such as the Same Origin Policy (SOP) or Cross-Origin Resource Sharing (CORS). Without explicit origin validation, this makes CSRF attacks more powerful. Alternate terms: Cross-Site WebSocket hijacking (CSWSH)",
    "category": "CWE_Flan",
    "instruction_type": "cwe_define",
    "parsed_raw_data": {
      "CWE-ID": 1385,
      "Name": "Missing Origin Validation in WebSockets",
      "Weakness Abstraction": "Variant",
      "Status": "Incomplete",
      "Description": "The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.",
      "Extended Description": "WebSockets provide a bi-directional low latency communication (near real-time) between a client and a server. WebSockets are different than HTTP in that the connections are long-lived, as the channel will remain open until the client or the server is ready to send the message, whereas in HTTP, once the response occurs (which typically happens immediately), the transaction completes. A WebSocket can leverage the existing HTTP protocol over ports 80 and 443, but it is not limited to HTTP. WebSockets can make cross-origin requests that are not restricted by browser-based protection mechanisms such as the Same Origin Policy (SOP) or Cross-Origin Resource Sharing (CORS). Without explicit origin validation, this makes CSRF attacks more powerful.",
      "Related Weaknesses": "::NATURE:ChildOf:CWE ID:346:VIEW ID:1000:ORDINAL:Primary::",
      "Weakness Ordinalities": "",
      "Applicable Platforms": "::LANGUAGE CLASS:Not Language-Specific:LANGUAGE PREVALENCE:Undetermined::TECHNOLOGY NAME:Web Server:TECHNOLOGY PREVALENCE:Undetermined::",
      "Background Details": "",
      "Alternate Terms": "::TERM:Cross-Site WebSocket hijacking (CSWSH):DESCRIPTION:this term is used for attacks that exploit this weakness::",
      "Modes Of Introduction": "::PHASE:Architecture and Design::PHASE:Implementation::",
      "Exploitation Factors": "",
      "Likelihood of Exploit": "",
      "Common Consequences": "::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:Availability:SCOPE:Non-Repudiation:SCOPE:Access Control:IMPACT:Varies by Context:IMPACT:Gain Privileges or Assume Identity:IMPACT:Bypass Protection Mechanism:IMPACT:Read Application Data:IMPACT:Modify Application Data:IMPACT:DoS: Crash, Exit, or Restart:NOTE:The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operations as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application - deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product's users. Because the attacker has the identity of the victim, the scope of the CSRF is limited only by the victim's privileges.::",
      "Detection Methods": "",
      "Potential Mitigations": "::PHASE:Implementation:DESCRIPTION:Enable CORS-like access restrictions by verifying the 'Origin' header during the WebSocket handshake.::PHASE:Implementation:DESCRIPTION:Use a randomized CSRF token to verify requests.::PHASE:Implementation:DESCRIPTION:Use TLS to securely communicate using 'wss' (WebSocket Secure) instead of 'ws'.::PHASE:Architecture and Design Implementation:DESCRIPTION:Require user authentication prior to the WebSocket connection being established. For example, the WS library in Node has a 'verifyClient' function.::PHASE:Implementation:DESCRIPTION:Leverage rate limiting to protect against DoS. Use of the leaky bucket algorithm can help with this.:EFFECTIVENESS:Defense in Depth::PHASE:Implementation:DESCRIPTION:Use a library that provides restriction of the payload size. For example, the WS library for Node includes a 'maxPayload' option that can be set.:EFFECTIVENESS:Defense in Depth::PHASE:Implementation:DESCRIPTION:Treat data/input as untrusted in both directions and apply the same data/input sanitization as for XSS, SQLi, etc.::",
      "Observed Examples": "::REFERENCE:CVE-2020-25095:DESCRIPTION:web console for SIEM product does not check Origin header, allowing Cross Site WebSocket Hijacking (CSWH):LINK:https://www.cve.org/CVERecord?id=CVE-2020-25095::REFERENCE:CVE-2018-6651:DESCRIPTION:Chain: gaming client attempts to validate the Origin header, but only uses a substring, allowing Cross-Site WebSocket hijacking by forcing requests from an origin whose hostname is a substring of the valid origin.:LINK:https://www.cve.org/CVERecord?id=CVE-2018-6651::REFERENCE:CVE-2018-14730:DESCRIPTION:WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1:3123/ connection.:LINK:https://www.cve.org/CVERecord?id=CVE-2018-14730::REFERENCE:CVE-2018-14731:DESCRIPTION:WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1/ connection to a randomized port number.:LINK:https://www.cve.org/CVERecord?id=CVE-2018-14731::REFERENCE:CVE-2018-14732:DESCRIPTION:WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1:8080/ connection.:LINK:https://www.cve.org/CVERecord?id=CVE-2018-14732::",
      "Functional Areas": "",
      "Affected Resources": "",
      "Taxonomy Mappings": "",
      "Related Attack Patterns": "",
      "Notes": ""
    }
  },
  {
    "instruction": "For the CWE weakness titled \"Unexpected Status Code or Return Value\", what definition should stakeholders be familiar with before mitigation planning?",
    "context": "",
    "output": "Of course. The following definition applies to CWE Unexpected Status Code or Return Value:\nThe product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.",
    "category": "CWE_Flan",
    "instruction_type": "cwe_define",
    "parsed_raw_data": {
      "CWE-ID": 394,
      "Name": "Unexpected Status Code or Return Value",
      "Weakness Abstraction": "Base",
      "Status": "Draft",
      "Description": "The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.",
      "Extended Description": "",
      "Related Weaknesses": "::NATURE:ChildOf:CWE ID:754:VIEW ID:1000:ORDINAL:Primary::",
      "Weakness Ordinalities": "",
      "Applicable Platforms": "::LANGUAGE CLASS:Not Language-Specific:LANGUAGE PREVALENCE:Undetermined::",
      "Background Details": "",
      "Alternate Terms": "",
      "Modes Of Introduction": "::PHASE:Implementation::",
      "Exploitation Factors": "",
      "Likelihood of Exploit": "",
      "Common Consequences": "::SCOPE:Integrity:SCOPE:Other:IMPACT:Unexpected State:IMPACT:Alter Execution Logic::",
      "Detection Methods": "",
      "Potential Mitigations": "",
      "Observed Examples": "::REFERENCE:CVE-2004-1395:DESCRIPTION:Certain packets (zero byte and other lengths) cause a recvfrom call to produce an unexpected return code that causes a server's listening loop to exit.:LINK:https://www.cve.org/CVERecord?id=CVE-2004-1395::REFERENCE:CVE-2002-2124:DESCRIPTION:Unchecked return code from recv() leads to infinite loop.:LINK:https://www.cve.org/CVERecord?id=CVE-2002-2124::REFERENCE:CVE-2005-2553:DESCRIPTION:Kernel function does not properly handle when a null is returned by a function call, causing it to call another function that it shouldn't.:LINK:https://www.cve.org/CVERecord?id=CVE-2005-2553::REFERENCE:CVE-2005-1858:DESCRIPTION:Memory not properly cleared when read() function call returns fewer bytes than expected.:LINK:https://www.cve.org/CVERecord?id=CVE-2005-1858::REFERENCE:CVE-2000-0536:DESCRIPTION:Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname.:LINK:https://www.cve.org/CVERecord?id=CVE-2000-0536::REFERENCE:CVE-2001-0910:DESCRIPTION:Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname.:LINK:https://www.cve.org/CVERecord?id=CVE-2001-0910::REFERENCE:CVE-2004-2371:DESCRIPTION:Game server doesn't check return values for functions that handle text strings and associated size values.:LINK:https://www.cve.org/CVERecord?id=CVE-2004-2371::REFERENCE:CVE-2005-1267:DESCRIPTION:Resultant infinite loop when function call returns -1 value.:LINK:https://www.cve.org/CVERecord?id=CVE-2005-1267::",
      "Functional Areas": "",
      "Affected Resources": "",
      "Taxonomy Mappings": "::TAXONOMY NAME:PLOVER:ENTRY NAME:Unexpected Status Code or Return Value::TAXONOMY NAME:Software Fault Patterns:ENTRY ID:SFP4:ENTRY NAME:Unchecked Status Condition::TAXONOMY NAME:SEI CERT Perl Coding Standard:ENTRY ID:EXP00-PL:ENTRY NAME:Do not return undef:MAPPING FIT:Imprecise::",
      "Related Attack Patterns": "",
      "Notes": "::TYPE:Relationship:NOTE:Usually primary, but can be resultant from issues such as behavioral change or API abuse. This can produce resultant vulnerabilities.::"
    }
  }
]