CWE - CWE-743: CWE CATEGORY: CERT C Secure Coding Standard (2008) Chapter 10

Home > CWE List > CWE- Individual Dictionary Definition (4.18)

CWE Glossary Definition

CWE CATEGORY: CERT C Secure Coding Standard (2008) Chapter 10 - Input Output (FIO)

Category ID: 743

Vulnerability Mapping: PROHIBITED This CWE ID must not be used to map to real-world vulnerabilities

Summary

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

Membership

Nature	Type	ID	Name
MemberOf	ViewView - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	734	Weaknesses Addressed by the CERT C Secure Coding Standard (2008)
HasMember	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
HasMember	VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	37	Path Traversal: '/absolute/pathname/here'
HasMember	VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	38	Path Traversal: '\absolute\pathname\here'
HasMember	VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	39	Path Traversal: 'C:dirname'
HasMember	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	41	Improper Resolution of Path Equivalence
HasMember	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	59	Improper Link Resolution Before File Access ('Link Following')
HasMember	VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	62	UNIX Hard Link
HasMember	VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	64	Windows Shortcut Following (.LNK)
HasMember	VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	65	Windows Hard Link
HasMember	VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	67	Improper Handling of Windows Device Names
HasMember	ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	119	Improper Restriction of Operations within the Bounds of a Memory Buffer
HasMember	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	134	Use of Externally-Controlled Format String
HasMember	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	241	Improper Handling of Unexpected Data Type
HasMember	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	276	Incorrect Default Permissions
HasMember	VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	279	Incorrect Execution-Assigned Permissions
HasMember	ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
HasMember	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	367	Time-of-check Time-of-use (TOCTOU) Race Condition
HasMember	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	379	Creation of Temporary File in Directory with Insecure Permissions
HasMember	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	391	Unchecked Error Condition
HasMember	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	403	Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
HasMember	ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	404	Improper Resource Shutdown or Release
HasMember	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	552	Files or Directories Accessible to External Parties
HasMember	ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	675	Multiple Operations on Resource in Single-Operation Context
HasMember	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	676	Use of Potentially Dangerous Function
HasMember	VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	686	Function Call With Incorrect Argument Type
HasMember	ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	732	Incorrect Permission Assignment for Critical Resource

Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: Category

Rationale:

This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.

Comments:

See member weaknesses of this category.

Notes

Relationship

In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs:

CWE-22 FIO02-C Canonicalize path names originating from untrusted sources
CWE-37 FIO05-C Identify files using multiple file attributes
CWE-38 FIO05-C Identify files using multiple file attributes
CWE-39 FIO05-C Identify files using multiple file attributes
CWE-41 FIO02-C Canonicalize path names originating from untrusted sources
CWE-59 FIO02-C Canonicalize path names originating from untrusted sources
CWE-62 FIO05-C Identify files using multiple file attributes
CWE-64 FIO05-C Identify files using multiple file attributes
CWE-65 FIO05-C Identify files using multiple file attributes
CWE-67 FIO32-C Do not perform operations on devices that are only appropriate for files
CWE-119 FIO37-C Do not assume character data has been read
CWE-134 FIO30-C Exclude user input from format strings
CWE-134 FIO30-C Exclude user input from format strings
CWE-241 FIO37-C Do not assume character data has been read
CWE-276 FIO06-C Create files with appropriate access permissions
CWE-279 FIO06-C Create files with appropriate access permissions
CWE-362 FIO31-C Do not simultaneously open the same file multiple times
CWE-367 FIO01-C Be careful using functions that use file names for identification
CWE-379 FIO15-C Ensure that file operations are performed in a secure directory
CWE-379 FIO43-C Do not create temporary files in shared directories
CWE-391 FIO04-C Detect and handle input and output errors
CWE-391 FIO33-C Detect and handle input output errors resulting in undefined behavior
CWE-403 FIO42-C Ensure files are properly closed when they are no longer needed
CWE-404 FIO42-C Ensure files are properly closed when they are no longer needed
CWE-552 FIO15-C Ensure that file operations are performed in a secure directory
CWE-675 FIO31-C Do not simultaneously open the same file multiple times
CWE-676 FIO01-C Be careful using functions that use file names for identification
CWE-686 FIO00-C Take care when creating format strings
CWE-732 FIO06-C Create files with appropriate access permissions

References

[REF-597] Robert C. Seacord. "The CERT C Secure Coding Standard". 1st Edition. Addison-Wesley Professional. 2008年10月14日.

Content History

Submissions
Submission Date	Submitter	Organization
2008年11月24日 (CWE 1.1, 2008年11月24日)	CWE Content Team	MITRE
2008年11月24日 (CWE 1.1, 2008年11月24日)
Modifications
Modification Date	Modifier	Organization
2011年09月13日	CWE Content Team	MITRE
2011年09月13日	updated Relationships
2017年11月08日	CWE Content Team	MITRE
2017年11月08日	updated Description, Name, Relationship_Notes
2019年01月03日	CWE Content Team	MITRE
2019年01月03日	updated Description, Name, References
2023年04月27日	CWE Content Team	MITRE
2023年04月27日	updated Mapping_Notes
2023年06月29日	CWE Content Team	MITRE
2023年06月29日	updated Mapping_Notes
Previous Entry Names
Change Date	Previous Entry Name
2017年11月08日	CERT C Secure Coding Section 09 - Input Output (FIO)
2019年01月03日	CERT C Secure Coding (2008 Version) Section 09 - Input Output (FIO)

More information is available — Please edit the custom filter or select a different filter.

Page Last Updated: September 09, 2025

MITRE

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

HSSEDI