An incorrect or suboptimal configuration of an information system or system component that may lead to vulnerabilities.
See NIST SP 800-128 under Misconfiguration for detailed information.
A setting within a computer program that violates a configuration policy or that permits or causes unintended behavior that impacts the security posture of a system. CCE can be used for enumerating misconfigurations. NOTE: NIST generally defines vulnerability as including both software flaws and configuration issues [misconfigurations]. For the purposes of the validation program and dependent procurement language, the SCAP Validation program is defining vulnerability and misconfiguration as two separate entities, with “vulnerability” referring strictly to software flaws.
See NISTIR 7511 Rev. 4 under Misconfiguration for detailed information.
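The definitions above describe a misconfiguration as a setting that violates a configuration policy, with CCE used to enumerate such settings. The following is an added illustration of that idea, not code from NIST SP 800-128, NISTIR 7511 or the SCAP Validation program: a small checker that parses an sshd_config-style file and reports each setting that fails a policy rule. The sample configuration, the policy rules and the `RULE-n` identifiers are constructed for this example; in real SCAP content the identifier slot would hold a CCE ID, which is not invented here.

```python
"""Added example for the 'Misconfiguration' glossary entry.

Checks a parsed configuration against a small policy and reports every
setting that violates it.  The sample configuration, the rules and the
RULE-n identifiers are constructed placeholders (a real SCAP stream would
carry CCE identifiers here).  Not from NIST SP 800-128 or NISTIR 7511.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    rule_id: str                       # placeholder id (stands where a CCE ID would go)
    setting: str                       # configuration keyword the rule governs
    description: str                   # what the policy requires
    compliant: Callable[[str], bool]   # True when the observed value satisfies policy


@dataclass(frozen=True)
class Finding:
    rule_id: str
    setting: str
    observed: str      # the value actually present, or "<unset>"
    description: str


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines, skipping blanks and '#' comments.

    Keywords are matched case-insensitively and the first occurrence of a
    keyword wins, which is how sshd itself resolves repeated keywords.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), value.strip())
    return settings


def evaluate(settings: Dict[str, str], rules: List[Rule]) -> List[Finding]:
    """Return one Finding per rule whose setting is missing or non-compliant."""
    findings = []
    for rule in rules:
        observed = settings.get(rule.setting.lower(), "<unset>")
        if not rule.compliant(observed):
            findings.append(Finding(rule.rule_id, rule.setting, observed, rule.description))
    return findings


def _max_auth_tries_ok(value: str) -> bool:
    # Non-numeric or unset values are treated as non-compliant.
    try:
        return int(value) <= 4
    except ValueError:
        return False


# Constructed policy: each rule names a setting and the value policy requires.
POLICY: List[Rule] = [
    Rule("RULE-1", "PermitRootLogin", "root login over SSH must be disabled",
         lambda v: v.lower() == "no"),
    Rule("RULE-2", "PasswordAuthentication", "password authentication must be disabled",
         lambda v: v.lower() == "no"),
    Rule("RULE-3", "MaxAuthTries", "at most 4 authentication attempts per connection",
         _max_auth_tries_ok),
]

# Constructed sample configuration; not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
MaxAuthTries 3
"""


def audit(config_text: str, rules: List[Rule] = POLICY) -> List[Finding]:
    """Parse a configuration and evaluate it against the given policy."""
    return evaluate(parse_config(config_text), rules)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.rule_id}: {f.setting}={f.observed!r} violates policy ({f.description})")
```

Run against the constructed sample, the checker reports two misconfigurations: `PermitRootLogin` is set to `yes`, and `MaxAuthTries` resolves to `6` because the first occurrence of a repeated keyword is the one sshd honours, so the later `3` never takes effect. That second case is why a checker has to model the target program's own precedence rules rather than simply scanning for a compliant-looking line somewhere in the file.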