{"@ID": "1059", "@Name": "Insufficient Technical Documentation", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product does not contain sufficient\n         technical or engineering documentation (whether on paper or\n         in electronic form) that contains descriptions of all the\n         relevant software/hardware elements of the product, such as\n         its usage, structure, architectural components, interfaces, design, implementation,\n         configuration, operation, etc.", "Extended_Description": {"xhtml:p": ["When technical documentation is limited or lacking, products are more difficult to maintain.  This indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities.", "When using time-limited or labor-limited third-party/in-house security consulting services (such as threat modeling, vulnerability discovery, or pentesting), insufficient documentation can force those consultants to invest unnecessary time in learning how the product is organized, instead of focusing their expertise on finding the flaws or suggesting effective mitigations.", "With respect to hardware design, the lack of a formal, final manufacturer reference can make it difficult or impossible to evaluate the final product, including post-manufacture verification. One cannot ensure that design functionality or operation is within acceptable tolerances, conforms to specifications, and is free from unexpected behavior. Hardware-related documentation may include engineering artifacts such as hardware description language (HDLs), netlists, Gerber files, Bills of Materials, EDA (Electronic Design Automation) tool files, etc."]}, "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "710", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Indirect"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Operating_System": {"@Class": "Not OS-Specific", "@Prevalence": "Undetermined"}, "Architecture": {"@Class": "Not Architecture-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}, {"@Class": "ICS/OT", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Documentation"}]}, "Common_Consequences": {"Consequence": {"Scope": "Other", "Impact": ["Varies by Context", "Hide Activities", "Reduce Reliability", "Quality Degradation", "Reduce Maintainability"], "Note": "Without a method of verification, one cannot be sure that everything only functions as expected."}}, "Potential_Mitigations": {"Mitigation": {"Phase": ["Documentation", "Architecture and Design"], "Description": "Ensure that design documentation is detailed enough to allow for post-manufacturing verification."}}, "Observed_Examples": {"Observed_Example": {"Reference": "CVE-2022-3203", "Description": "A wireless access point manual specifies that the only method of configuration is via web interface (CWE-1059), but there is an undisclosed telnet server that was activated by default (CWE-912).", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-3203"}}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 2-4", "Entry_Name": "Req SP.02.03 BR"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 2-4", "Entry_Name": "Req SP.02.03 RE(1)"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 2-4", "Entry_Name": "Req SP.03.03 RE(1)"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-1", "Entry_Name": "Req SG-1"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-1", "Entry_Name": "Req SG-2"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-1", "Entry_Name": "Req SG-3"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-1", "Entry_Name": "Req SG-4"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-1", "Entry_Name": "Req SG-5"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-1", "Entry_Name": "Req SG-6"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-1", "Entry_Name": "Req SG-7"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-1248", "@Section": "Poorly Documented or Undocumented Features"}, {"@External_Reference_ID": "REF-1254"}]}, "Mapping_Notes": {"Usage": "Prohibited", "Rationale": "This entry is primarily a quality issue with no direct security implications.", "Comments": "Look for weaknesses that are focused specifically on insecure behaviors that have more direct security implications.", "Reasons": {"Reason": {"@Type": "Other"}}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2018-07-02", "Submission_Version": "3.2", "Submission_ReleaseDate": "2019-01-03", "Submission_Comment": "Entry derived from Common Quality Enumeration (CQE) Draft 0.9."}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-04-28", "Modification_Version": "4.7", "Modification_ReleaseDate": "2022-04-28", "Modification_Comment": "updated Applicable_Platforms, Common_Consequences, Description, Name, Potential_Mitigations, References, Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Applicable_Platforms, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-02-29", "Modification_Version": "4.14", "Modification_ReleaseDate": "2024-02-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated References"}], "Contribution": [{"@Type": "Content", "Contribution_Name": "Paul A. Wortman", "Contribution_Organization": "Wells Fargo", "Contribution_Date": "2021-06-11", "Contribution_Comment": "Submitted hardware-specific information about a \"golden standard\" that was integrated into this entry"}, {"@Type": "Content", "Contribution_Name": "\"Mapping CWE to 62443\" Sub-Working Group", "Contribution_Organization": "CWE-CAPEC ICS/OT SIG", "Contribution_Date": "2023-04-25", "Contribution_Comment": "Suggested mappings to ISA/IEC 62443."}], "Previous_Entry_Name": {"@Date": "2022-04-28", "#text": "Incomplete Documentation"}}}
