Chains and Composites

Chains and Composites

This report lists several chains and composites, as represented by various relationships within CWE. They help to illustrate how weaknesses can be combined to create software vulnerabilities, and they help to expose existing problems with classification and terminology.

A Chain is a sequence of two or more separate weaknesses that can be closely linked together within software. One weakness, X, can directly create the conditions that are necessary to cause another weakness, Y, to enter a vulnerable condition. When this happens, CWE refers to X as "primary" to Y, and Y is "resultant" from X. For example, if an integer overflow (CWE-190) occurs when calculating the amount of memory to allocate, an undersized buffer will be created, which can lead to a buffer overflow (CWE-120). In this case, the integer overflow would be primary to the buffer overflow. Chains can involve more than two weaknesses, and in some cases, they might have a tree-like structure.

While CWE primarily contains "implicit" chaining relationships, there are several chains that are so common that they were assigned their own CWE identifiers. These are called Named Chains. For example, CWE-691 covers the integer-overflow-to-buffer-overflow chain in the previous paragraph.

In the schema for CWE 1.0, the CanPrecede relationship is used to identify when the weakness is primary to others, and CanFollow is used to identify when a weakness is resultant from others. These relationships are mostly found within the Research Concepts view (CWE-1000).

A Composite is a combination of two or more separate weaknesses that can create a vulnerability, but only if they all occur all the same time. One weakness, X, can be "broken down" into component weaknesses Y and Z. For example, Symlink Following (CWE-61) is only possible through a combination of several component weaknesses, including predictability (CWE-340), inadequate permissions (CWE-275), and race conditions (CWE-362). By eliminating any single component, a developer can prevent the composite from becoming exploitable. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability; for example, NUL byte interaction errors (CWE-626) can widen the scope of path traversal weaknesses (CWE-22), which often limit which files could be accessed due to idiosyncracies in filename generation.

In the schema for CWE 1.0, the Requires relationship is used by a composite to identify its component weaknesses, and the RequiredBy relationship is used by the components of that composite. In Draft 9, the component relationship was called IsRequiredBy.

Both chains and composites might explain some of the existing differences in security code scanners. For example, one scanner might report the primary part of a chain, and a different scanner might report the resultant part. Both scanners would be correct, but they would be reporting different CWE identifiers in different portions of the code. It is suspected that chains have a correspondence to some aspects of artifact labels as used in vulnerability theory (primarily in crossover and trigger points), but this has not been actively explored.

In general, both chains and composites pose challenges for vulnerability classification and terminology. Sometimes a researcher is only focusing on one weakness in the chain, or one component of the composite. Attempts to create a hierarchical organization of "vulnerabilities" can be complicated, because vulnerabilities can contain multiple weaknesses. The CWE team is actively researching these concepts. Some early discussion is found in the CWE Research List archives.

CWE-20 Improper Input Validation
	CWE-22 Path Traversal
	CWE-41 Improper Resolution of Path Equivalence
	CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
CWE-46 Path Equivalence: 'filename ' (Trailing Space)
	CWE-289 Authentication Bypass by Alternate Name
CWE-52 Path Equivalence: '/multiple/trailing/slash//'
	CWE-289 Authentication Bypass by Alternate Name
CWE-73 External Control of File Name or Path
	CWE-22 Path Traversal
	CWE-41 Improper Resolution of Path Equivalence
	CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') (also a composite)
		CWE-94 Failure to Control Generation of Code ('Code Injection')
	CWE-434 Unrestricted File Upload (also a composite)
	CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-93 Failure to Sanitize CRLF Sequences ('CRLF Injection')
	CWE-117 Improper Output Sanitization for Logs
CWE-113 Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
	CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
		CWE-494 Download of Code Without Integrity Check
CWE-116 Improper Encoding or Escaping of Output
	CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
CWE-128 Wrap-around Error
	CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-129 Improper Validation of Array Index
	CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
	CWE-789 Uncontrolled Memory Allocation
		CWE-476 NULL Pointer Dereference
CWE-131 Incorrect Calculation of Buffer Size
	CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-171 Cleansing, Canonicalization, and Comparison Errors
	CWE-289 Authentication Bypass by Alternate Name
CWE-172 Encoding Error
	CWE-22 Path Traversal
	CWE-41 Improper Resolution of Path Equivalence
CWE-173 Failure to Handle Alternate Encoding
	CWE-289 Authentication Bypass by Alternate Name
CWE-178 Failure to Resolve Case Sensitivity
	CWE-433 Unparsed Raw Web Content Delivery
	CWE-289 Authentication Bypass by Alternate Name
CWE-184 Incomplete Blacklist
	CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
	CWE-78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
	CWE-434 Unrestricted File Upload (also a composite)
	CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') (also a composite)
CWE-185 Incorrect Regular Expression
	CWE-187 Partial Comparison
	CWE-182 Collapse of Data Into Unsafe Value
		CWE-33 Path Traversal: '....' (Multiple Dot)
		CWE-34 Path Traversal: '....//'
		CWE-35 Path Traversal: '.../...//'
CWE-190 Integer Overflow or Wraparound
	CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-193 Off-by-one Error
	CWE-617 Reachable Assertion
	CWE-170 Improper Null Termination
		CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (also a composite)
			CWE-123 Write-what-where Condition
		CWE-126 Buffer Over-read
	CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-195 Signed to Unsigned Conversion Error
	CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-231 Improper Handling of Extra Values
	CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (also a composite)
CWE-244 Failure to Clear Heap Memory Before Release ('Heap Inspection')
	CWE-669 Incorrect Resource Transfer Between Spheres
CWE-252 Unchecked Return Value
	CWE-476 NULL Pointer Dereference
CWE-304 Missing Critical Step in Authentication
	CWE-287 Improper Authentication
CWE-363 Race Condition Enabling Link Following
	CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-364 Signal Handler Race Condition
	CWE-123 Write-what-where Condition
CWE-390 Detection of Error Condition Without Action
	CWE-401 Failure to Release Memory Before Removing Last Reference ('Memory Leak')
CWE-410 Insufficient Resource Pool
	CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CWE-416 Use After Free
	CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (also a composite)
	CWE-123 Write-what-where Condition
CWE-425 Direct Request ('Forced Browsing') (also a composite component)
	CWE-471 Modification of Assumed-Immutable Data (MAID) (also a composite component)
CWE-430 Deployment of Wrong Handler
	CWE-433 Unparsed Raw Web Content Delivery
CWE-431 Missing Handler
	CWE-433 Unparsed Raw Web Content Delivery
CWE-456 Missing Initialization (also a composite component)
	CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
	CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (also a composite)
CWE-473 PHP External Variable Modification (also a composite component)
	CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') (also a composite)
CWE-481 Assigning instead of Comparing
	CWE-697 Insufficient Comparison
CWE-498 Information Leak through Class Cloning
	CWE-200 Information Leak (Information Disclosure)
CWE-499 Serializable Class Containing Sensitive Data
	CWE-200 Information Leak (Information Disclosure)
CWE-590 Free of Memory not on the Heap
	CWE-123 Write-what-where Condition
CWE-600 Failure to Catch All Exceptions in Servlet
	CWE-209 Error Message Information Leak
CWE-602 Client-Side Enforcement of Server-Side Security
	CWE-471 Modification of Assumed-Immutable Data (MAID) (also a composite component)
CWE-609 Double-Checked Locking
	CWE-362 Race Condition (also a composite component)
CWE-613 Insufficient Session Expiration (also a composite component)
	CWE-287 Improper Authentication
CWE-656 Reliance on Security through Obscurity
	CWE-259 Hard-Coded Password
	CWE-321 Use of Hard-coded Cryptographic Key
	CWE-472 External Control of Assumed-Immutable Web Parameter (also a composite component)
CWE-662 Insufficient Synchronization
	CWE-362 Race Condition (also a composite component)
CWE-681 Incorrect Conversion between Numeric Types
	CWE-682 Incorrect Calculation
		CWE-170 Improper Null Termination
CWE-756 Missing Custom Error Page
	CWE-209 Error Message Information Leak
CWE-782 Exposed IOCTL with Insufficient Access Control
	CWE-781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code