Vulnerability Classification
How CodeWall classifies and scores vulnerabilities using CVSS and CWE.
CodeWall uses industry-standard frameworks to classify and score every finding.
CVSS — Common Vulnerability Scoring System
Every validated finding receives a CVSS v3.1 score that reflects its severity.
Score ranges
| Score | Severity | Description |
|---|---|---|
| 9.0 – 10.0 | Critical | Full system compromise, trivial to exploit |
| 7.0 – 8.9 | High | Significant impact, relatively easy exploitation |
| 4.0 – 6.9 | Medium | Moderate impact or requires specific conditions |
| 0.1 – 3.9 | Low | Limited impact, difficult to exploit |
| 0.0 | Informational | Not directly exploitable |
Scoring factors
CVSS scores account for:
- Attack Vector — network, adjacent, local, or physical
- Attack Complexity — low or high
- Privileges Required — none, low, or high
- User Interaction — none or required
- Scope — changed or unchanged
- Impact — confidentiality, integrity, and availability
CWE — Common Weakness Enumeration
Every finding is mapped to one or more CWE identifiers. CWE provides a standardized taxonomy of software weaknesses.
Common CWEs in CodeWall findings
| CWE | Name | Category |
|---|---|---|
| CWE-79 | Cross-site Scripting (XSS) | Injection |
| CWE-89 | SQL Injection | Injection |
| CWE-78 | OS Command Injection | Injection |
| CWE-287 | Improper Authentication | Authentication |
| CWE-862 | Missing Authorization | Access Control |
| CWE-639 | Authorization Bypass (IDOR) | Access Control |
| CWE-918 | Server-Side Request Forgery | Server-Side |
| CWE-22 | Path Traversal | Server-Side |
| CWE-502 | Deserialization of Untrusted Data | Server-Side |
| CWE-352 | Cross-Site Request Forgery | Client-Side |
| CWE-601 | Open Redirect | Configuration |
| CWE-16 | Configuration | Configuration |
OWASP mapping
Findings also map to the OWASP Top 10 (2021) categories:
- A01 — Broken Access Control (CWE-639, CWE-862)
- A02 — Cryptographic Failures (CWE-327, CWE-328)
- A03 — Injection (CWE-79, CWE-89, CWE-78)
- A04 — Insecure Design (CWE-502)
- A05 — Security Misconfiguration (CWE-16)
- A06 — Vulnerable Components (known CVEs)
- A07 — Authentication Failures (CWE-287)
- A08 — Data Integrity Failures (CWE-502)
- A09 — Logging Failures (CWE-778)
- A10 — SSRF (CWE-918)