CWE
CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > Reports > Chains and Composites  

Chains and Composites

Introduction
Introduction

This report lists several chains and composites, as represented by various relationships within CWE. They help to illustrate how weaknesses can be combined to create software vulnerabilities, and they help to expose existing problems with classification and terminology.

A Chain is a sequence of two or more separate weaknesses that can be closely linked together within software. One weakness, X, can directly create the conditions that are necessary to cause another weakness, Y, to enter a vulnerable condition. When this happens, CWE refers to X as "primary" to Y, and Y is "resultant" from X. For example, if an integer overflow (CWE-190) occurs when calculating the amount of memory to allocate, an undersized buffer will be created, which can lead to a buffer overflow (CWE-120). In this case, the integer overflow would be primary to the buffer overflow. Chains can involve more than two weaknesses, and in some cases, they might have a tree-like structure.

While CWE primarily contains "implicit" chaining relationships, there are several chains that are so common that they were assigned their own CWE identifiers. These are called Named Chains. For example, CWE-691 covers the integer-overflow-to-buffer-overflow chain in the previous paragraph.

In the schema for CWE 1.0, the CanPrecede relationship is used to identify when the weakness is primary to others, and CanFollow is used to identify when a weakness is resultant from others. These relationships are mostly found within the Research Concepts view (CWE-1000).

A Composite is a combination of two or more separate weaknesses that can create a vulnerability, but only if they all occur all the same time. One weakness, X, can be "broken down" into component weaknesses Y and Z. For example, Symlink Following (CWE-61) is only possible through a combination of several component weaknesses, including predictability (CWE-340), inadequate permissions (CWE-275), and race conditions (CWE-362). By eliminating any single component, a developer can prevent the composite from becoming exploitable. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability; for example, NUL byte interaction errors (CWE-626) can widen the scope of path traversal weaknesses (CWE-22), which often limit which files could be accessed due to idiosyncracies in filename generation.

In the schema for CWE 1.0, the Requires relationship is used by a composite to identify its component weaknesses, and the RequiredBy relationship is used by the components of that composite. In Draft 9, the component relationship was called IsRequiredBy.

Both chains and composites might explain some of the existing differences in security code scanners. For example, one scanner might report the primary part of a chain, and a different scanner might report the resultant part. Both scanners would be correct, but they would be reporting different CWE identifiers in different portions of the code. It is suspected that chains have a correspondence to some aspects of artifact labels as used in vulnerability theory (primarily in crossover and trigger points), but this has not been actively explored.

In general, both chains and composites pose challenges for vulnerability classification and terminology. Sometimes a researcher is only focusing on one weakness in the chain, or one component of the composite. Attempts to create a hierarchical organization of "vulnerabilities" can be complicated, because vulnerabilities can contain multiple weaknesses. The CWE team is actively researching these concepts. Some early discussion is found in the CWE Research List archives.

Back to top
Chains
Chains
CWE-20 Improper Input Validation
--> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
--> CWE-41 Improper Resolution of Path Equivalence
--> CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-46 Path Equivalence: 'filename ' (Trailing Space)
--> CWE-289 Authentication Bypass by Alternate Name
CWE-52 Path Equivalence: '/multiple/trailing/slash//'
--> CWE-289 Authentication Bypass by Alternate Name
CWE-73 External Control of File Name or Path
--> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
--> CWE-41 Improper Resolution of Path Equivalence
--> CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
--> CWE-94 Improper Control of Generation of Code ('Code Injection')
--> CWE-434 Unrestricted Upload of File with Dangerous Type
--> CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
--> CWE-117 Improper Output Neutralization for Logs
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
--> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
--> CWE-494 Download of Code Without Integrity Check
CWE-116 Improper Encoding or Escaping of Output
--> CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-128 Wrap-around Error
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-129 Improper Validation of Array Index
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
--> CWE-823 Use of Out-of-range Pointer Offset
--> CWE-125 Out-of-bounds Read
--> CWE-787 Out-of-bounds Write
--> CWE-789 Uncontrolled Memory Allocation
--> CWE-476 NULL Pointer Dereference
CWE-130 Improper Handling of Length Parameter Inconsistency
--> CWE-805 Buffer Access with Incorrect Length Value
CWE-171 Cleansing, Canonicalization, and Comparison Errors
--> CWE-289 Authentication Bypass by Alternate Name
CWE-172 Encoding Error
--> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
--> CWE-41 Improper Resolution of Path Equivalence
CWE-173 Improper Handling of Alternate Encoding
--> CWE-289 Authentication Bypass by Alternate Name
CWE-178 Improper Handling of Case Sensitivity
--> CWE-433 Unparsed Raw Web Content Delivery
--> CWE-289 Authentication Bypass by Alternate Name
CWE-183 Permissive Whitelist
--> CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-184 Incomplete Blacklist
--> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
--> CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
--> CWE-434 Unrestricted Upload of File with Dangerous Type
--> CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
CWE-185 Incorrect Regular Expression
--> CWE-187 Partial Comparison
--> CWE-182 Collapse of Data into Unsafe Value
--> CWE-33 Path Traversal: '....' (Multiple Dot)
--> CWE-34 Path Traversal: '....//'
--> CWE-35 Path Traversal: '.../...//'
CWE-190 Integer Overflow or Wraparound
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-193 Off-by-one Error
--> CWE-617 Reachable Assertion
--> CWE-170 Improper Null Termination
--> CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
--> CWE-123 Write-what-where Condition
--> CWE-126 Buffer Over-read
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-208 Information Exposure Through Timing Discrepancy
--> CWE-327 Use of a Broken or Risky Cryptographic Algorithm
CWE-219 Sensitive Data Under Web Root
--> CWE-668 Exposure of Resource to Wrong Sphere
CWE-231 Improper Handling of Extra Values
--> CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-242 Use of Inherently Dangerous Function
--> CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
--> CWE-669 Incorrect Resource Transfer Between Spheres
CWE-252 Unchecked Return Value
--> CWE-476 NULL Pointer Dereference
CWE-304 Missing Critical Step in Authentication
--> CWE-287 Improper Authentication
CWE-363 Race Condition Enabling Link Following
--> CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-364 Signal Handler Race Condition
--> CWE-415 Double Free
--> CWE-416 Use After Free
--> CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
--> CWE-123 Write-what-where Condition
--> CWE-123 Write-what-where Condition
CWE-390 Detection of Error Condition Without Action
--> CWE-401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
CWE-410 Insufficient Resource Pool
--> CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CWE-425 Direct Request ('Forced Browsing')
--> CWE-471 Modification of Assumed-Immutable Data (MAID) (also a composite component)
--> CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
CWE-430 Deployment of Wrong Handler
--> CWE-433 Unparsed Raw Web Content Delivery
CWE-431 Missing Handler
--> CWE-433 Unparsed Raw Web Content Delivery
CWE-456 Missing Initialization
--> CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
--> CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
--> CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
CWE-467 Use of sizeof() on a Pointer Type
--> CWE-131 Incorrect Calculation of Buffer Size
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-473 PHP External Variable Modification
--> CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
CWE-479 Signal Handler Use of a Non-reentrant Function
--> CWE-123 Write-what-where Condition
CWE-481 Assigning instead of Comparing
--> CWE-697 Insufficient Comparison
CWE-498 Cloneable Class Containing Sensitive Information
--> CWE-200 Information Exposure
CWE-499 Serializable Class Containing Sensitive Data
--> CWE-200 Information Exposure
CWE-562 Return of Stack Variable Address
--> CWE-825 Expired Pointer Dereference
--> CWE-125 Out-of-bounds Read
--> CWE-787 Out-of-bounds Write
CWE-567 Unsynchronized Access to Shared Data in a Multithreaded Context
--> CWE-488 Exposure of Data Element to Wrong Session
CWE-590 Free of Memory not on the Heap
--> CWE-123 Write-what-where Condition
CWE-600 Uncaught Exception in Servlet
--> CWE-209 Information Exposure Through an Error Message
CWE-602 Client-Side Enforcement of Server-Side Security
--> CWE-471 Modification of Assumed-Immutable Data (MAID) (also a composite component)
CWE-606 Unchecked Input for Loop Condition
--> CWE-834 Excessive Iteration
CWE-609 Double-Checked Locking
--> CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-613 Insufficient Session Expiration (also a composite component)
--> CWE-287 Improper Authentication
CWE-656 Reliance on Security Through Obscurity
--> CWE-259 Use of Hard-coded Password
--> CWE-321 Use of Hard-coded Cryptographic Key
--> CWE-472 External Control of Assumed-Immutable Web Parameter (also a composite component)
CWE-662 Improper Synchronization
--> CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (also a composite component)
CWE-681 Incorrect Conversion between Numeric Types
--> CWE-682 Incorrect Calculation
--> CWE-170 Improper Null Termination
CWE-756 Missing Custom Error Page
--> CWE-209 Information Exposure Through an Error Message
CWE-782 Exposed IOCTL with Insufficient Access Control
--> CWE-781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
--> CWE-822 Untrusted Pointer Dereference
--> CWE-125 Out-of-bounds Read
--> CWE-787 Out-of-bounds Write
CWE-824 Access of Uninitialized Pointer
--> CWE-125 Out-of-bounds Read
--> CWE-787 Out-of-bounds Write
CWE-826 Premature Release of Resource During Expected Lifetime
--> CWE-672 Operation on a Resource after Expiration or Release
CWE-827 Improper Control of Document Type Definition
--> CWE-776 Unrestricted Recursive Entity References in DTDs ('XML Bomb')
CWE-839 Numeric Range Comparison Without Minimum Check
--> CWE-195 Signed to Unsigned Conversion Error
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
--> CWE-682 Incorrect Calculation
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
--> CWE-124 Buffer Underwrite ('Buffer Underflow')
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Back to top
Named Chains
Named Chains
CWE-680Integer Overflow to Buffer Overflow
CWE-690Unchecked Return Value to NULL Pointer Dereference
CWE-692Incomplete Blacklist to Cross-Site Scripting
Back to top
Composites
Composites
CWE-61 UNIX Symbolic Link (Symlink) Following
  • CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (also a chain link)
  • CWE-340 Predictability Problems
  • CWE-216 Containment Errors (Container Errors)
  • CWE-386 Symbolic Name not Mapping to Correct Object
  • CWE-275 Permission Issues
CWE-291 Trusting Self-reported IP Address
  • CWE-348 Use of Less Trusted Source
  • CWE-471 Modification of Assumed-Immutable Data (MAID) (also a chain link)
CWE-352 Cross-Site Request Forgery (CSRF)
  • CWE-346 Origin Validation Error
  • CWE-441 Unintended Proxy/Intermediary
  • CWE-642 External Control of Critical State Data
  • CWE-613 Insufficient Session Expiration (also a chain link)
CWE-384 Session Fixation
  • CWE-346 Origin Validation Error
  • CWE-472 External Control of Assumed-Immutable Web Parameter (also a chain link)
  • CWE-441 Unintended Proxy/Intermediary
CWE-426 Untrusted Search Path
  • CWE-216 Containment Errors (Container Errors)
  • CWE-275 Permission Issues
  • CWE-471 Modification of Assumed-Immutable Data (MAID) (also a chain link)
CWE-689 Permission Race Condition During Resource Copy
  • CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (also a chain link)
  • CWE-732 Incorrect Permission Assignment for Critical Resource
Back to top
Page Last Updated: September 12, 2011
 

CWE is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2012, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us