CWE · MITRE source
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 6 mapping(s) from 4 framework(s): ATT&CK 3 (partial) · ASVS 5.0 1 (full) · OWASP-Web 1 (full) · CAPEC 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A02:2025 Security Misconfiguration.
NIST 800-53 r5 controls that address this weakness (2) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-23 | Session Authenticity | SC | Forces the Secure flag on session cookies, preventing their transmission over unauthenticated HTTP channels. |
| SC-8 | Transmission Confidentiality and Integrity | SC | Enforcing confidentiality on transmitted sensitive cookies requires the Secure attribute, preventing exposure on insecure channels. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-8037 UPD | 7.0 | 9.1 | 0.0022 | 2025-07-22 |
| CVE-2021-27764 | 5.5 | 7.4 | 0.0052 | 2022-05-06 |
| CVE-2022-25151 | 5.5 | 7.5 | 0.0077 | 2022-06-09 |
| CVE-2022-3174 | 5.5 | 7.5 | 0.0056 | 2022-09-13 |
| CVE-2022-4409 | 5.5 | 7.5 | 0.0042 | 2022-12-11 |
| CVE-2022-21940 | 5.5 | 7.5 | 0.0037 | 2023-02-09 |
| CVE-2024-2493 | 5.5 | 7.5 | 0.0031 | 2024-04-23 |
| CVE-2025-24897 | 5.5 | 8.2 | 0.0013 | 2025-02-11 |
| CVE-2024-10718 | 5.5 | 7.5 | 0.0031 | 2025-03-20 |
| CVE-2020-27650 | 3.5 | 5.8 | 0.0055 | 2020-10-29 |
| CVE-2020-27651 | 3.5 | 5.8 | 0.0076 | 2020-10-29 |
| CVE-2020-29024 | 3.5 | 5.3 | 0.0051 | 2021-02-16 |
| CVE-2021-3882 | 3.5 | 6.8 | 0.0094 | 2021-10-14 |
| CVE-2022-24045 | 3.5 | 6.5 | 0.0054 | 2022-05-20 |
| CVE-2015-3207 | 3.5 | 5.3 | 0.0057 | 2022-07-07 |
| CVE-2022-3250 | 3.5 | 5.3 | 0.0040 | 2022-09-21 |
| CVE-2022-3251 | 3.5 | 5.3 | 0.0051 | 2022-09-21 |
| CVE-2022-4683 | 3.5 | 6.5 | 0.0038 | 2022-12-23 |
| CVE-2023-0055 | 3.5 | 5.3 | 0.0044 | 2023-01-04 |
| CVE-2023-3520 | 3.5 | 4.6 | 0.0026 | 2023-07-06 |
| CVE-2023-5866 | 3.5 | 5.7 | 0.0029 | 2023-10-31 |
| CVE-2023-42016 | 3.5 | 4.3 | 0.0027 | 2024-02-09 |
| CVE-2023-46179 | 3.5 | 4.3 | 0.0028 | 2024-03-15 |
| CVE-2024-35211 | 3.5 | 5.5 | 0.0022 | 2024-06-11 |
| CVE-2023-33860 | 3.5 | 5.3 | 0.0024 | 2024-07-10 |