Class · High

CWE-1059: Insufficient Technical Documentation

CWE-1059 · Class Level · 1 CVE · 1 Mitigation

Description

The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.

When technical documentation is limited or lacking, products are more difficult to maintain. This indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. When using time-limited or labor-limited third-party/in-house security consulting services (such as threat modeling, vulnerability discovery, or pentesting), insufficient documentation can force those consultants to invest unnecessary time in learning how the product is organized, instead of focusing their expertise on finding the flaws or suggesting effective mitigations.

With respect to hardware design, the lack of a formal, final manufacturer reference can make it difficult or impossible to evaluate the final product, including post-manufacture verification. One cannot ensure that design functionality or operation is within acceptable tolerances, conforms to specifications, and is free from unexpected behavior. Hardware-related documentation may include engineering artifacts such as hardware description languages (HDLs), netlists, Gerber files, Bills of Materials, EDA (Electronic Design Automation) tool files, etc.

Potential Impact

Scope: Other

Impact: Varies by Context, Hide Activities, Reduce Reliability, Quality Degradation, Reduce Maintainability

Mitigations & Prevention

Phases: Documentation; Architecture and Design

Ensure that design documentation is detailed enough to allow for post-manufacturing verification.

Real-World CVE Examples

CVE ID: CVE-2022-3203
Description: A wireless access point manual specifies that the only method of configuration is via web interface (CWE-1059), but there is an undisclosed telnet server that was activated by default (CWE-912).

Taxonomy Mappings

  • ISA/IEC 62443: Part 2-4 — Req SP.02.03 BR
  • ISA/IEC 62443: Part 2-4 — Req SP.02.03 RE(1)
  • ISA/IEC 62443: Part 2-4 — Req SP.03.03 RE(1)
  • ISA/IEC 62443: Part 4-1 — Req SG-1
  • ISA/IEC 62443: Part 4-1 — Req SG-2
  • ISA/IEC 62443: Part 4-1 — Req SG-3
  • ISA/IEC 62443: Part 4-1 — Req SG-4
  • ISA/IEC 62443: Part 4-1 — Req SG-5
  • ISA/IEC 62443: Part 4-1 — Req SG-6
  • ISA/IEC 62443: Part 4-1 — Req SG-7

Frequently Asked Questions

What is CWE-1059?

CWE-1059 (Insufficient Technical Documentation) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.

How can CWE-1059 be exploited?

CWE-1059 (Insufficient Technical Documentation) is not exploited directly; it affects security indirectly, and its impact varies by context. Consequences include hidden activities (undocumented functionality that goes unnoticed), reduced reliability, quality degradation, and reduced maintainability. This weakness is typically introduced during the Architecture and Design and Documentation phases of software development.

How do I prevent CWE-1059?

Key mitigations include: Ensure that design documentation is detailed enough to allow for post-manufacturing verification.

What is the severity of CWE-1059?

CWE-1059 is classified as a Class-level weakness (High abstraction). It has been observed in 1 real-world CVE.