CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > Reports > Differences between Version 1.10 and Version 1.11  
ID

Differences between Version 1.10 and Version 1.11

Summary
Summary
Total (Version 1.11) 835
Total (Version 1.10) 828
Total new 7
Total deprecated 1
Total shared 828
Total important changes 78
Total major changes 135
Total minor changes 7
Total minor changes (no major) 4
Total unchanged 689

Summary of Entry Types

Type Version 1.10 Version 1.11
Category 119 119
Chain 3 3
Composite 6 6
Deprecated 11 12
View 24 24
Weakness 665 671

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 26 0
Description 40 1
Applicable_Platforms 7 0
Time_of_Introduction 1 0
Demonstrative_Examples 23 1
Detection_Factors 0 0
Likelihood_of_Exploit 1 0
Common_Consequences 18 4
Relationships 35 0
References 1 0
Potential_Mitigations 20 0
Observed_Examples 13 1
Terminology_Notes 1 0
Alternate_Terms 2 0
Related_Attack_Patterns 7 0
Relationship_Notes 6 0
Taxonomy_Mappings 4 0
Maintenance_Notes 1 0
Modes_of_Introduction 0 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 2 0
Background_Details 1 0
Theoretical_Notes 0 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 1 0
Other_Notes 15 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 1 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 827
Weakness/Base Deprecated 1

Status Changes

From To Total
Unchanged 827
Draft Deprecated 1

Relationship Changes

The "Version 1.11 Total" lists the total number of relationships in Version 1.11. The "Shared" value is the total number of relationships in entries that were in both Version 1.11 and Version 1.10. The "New" value is the total number of relationships involving entries that did not exist in Version 1.10. Thus, the total number of relationships in Version 1.11 would combine stats from Shared entries and New entries.

Relationship Version 1.11 Total Version 1.10 Total Version 1.11 Shared Unchanged Added to Version 1.11 Removed from Version 1.10 Version 1.11 New
ALL 4974 4956 4938 4904 34 52 36
ChildOf 2136 2124 2119 2107 12 17 17
ParentOf 2136 2124 2119 2107 12 17 17
MemberOf 119 119 119 119
HasMember 119 119 119 119
CanPrecede 107 103 106 101 5 2 1
CanFollow 107 103 106 101 5 2 1
StartsWith 3 3 3 3
Requires 19 19 19 19
RequiredBy 19 19 19 19
CanAlsoBe 35 35 35 35
PeerOf 174 188 174 174 14

Nodes Removed from Version 1.10

CWE-ID CWE Name
None.

Nodes Added to Version 1.11

CWE-ID CWE Name
827 Improper Control of Document Type Definition
828 Signal Handler with Functionality that is not Asynchronous-Safe
829 Inclusion of Functionality from Untrusted Control Sphere
830 Inclusion of Web Functionality from an Untrusted Source
831 Signal Handler Function Associated with Multiple Signals
832 Unlock of a Resource that is not Locked
833 Deadlock

Nodes Deprecated in Version 1.11

CWE-ID CWE Name
373 DEPRECATED: State Synchronization Error
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

D 20 Improper Input Validation
R 34 Path Traversal: '....//'
R 35 Path Traversal: '.../...//'
N 69 Improper Handling of Windows ::DATA Alternate Data Stream
D 75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
D 76 Improper Neutralization of Equivalent Special Elements
D 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
D 85 Doubled Character XSS Manipulations
D 103 Struts: Incomplete validate() Method Definition
N 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 123 Write-what-where Condition
D 138 Improper Neutralization of Special Elements
N 168 Improper Handling of Inconsistent Special Elements
D 172 Encoding Error
N 173 Improper Handling of Alternate Encoding
N 175 Improper Handling of Mixed Encoding
N 176 Improper Handling of Unicode Encoding
N 177 Improper Handling of URL Encoding (Hex Encoding)
N 178 Improper Handling of Case Sensitivity
R 182 Collapse of Data into Unsafe Value
D 226 Sensitive Information Uncleared Before Release
D 227 Failure to Fulfill API Contract ('API Abuse')
N 243 Creation of chroot Jail Without Changing Working Directory
N 244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
R 259 Use of Hard-coded Password
D 297 Improper Validation of Host-specific Certificate Data
D 300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
R 321 Use of Hard-coded Cryptographic Key
R 344 Use of Invariant Value in Dynamically Changing Context
DN 353 Missing Support for Integrity Check
D 354 Improper Validation of Integrity Check Value
DNR 362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
D R 364 Signal Handler Race Condition
R 367 Time-of-check Time-of-use (TOCTOU) Race Condition
R 371 State Issues
DNR 373 DEPRECATED: State Synchronization Error
R 381 J2EE Time and State Issues
D R 383 J2EE Bad Practices: Direct Use of Threads
DN 392 Missing Report of Error Condition
R 398 Indicator of Poor Code Quality
N 401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
D 405 Asymmetric Resource Consumption (Amplification)
R 415 Double Free
D R 416 Use After Free
N 424 Improper Protection of Alternate Path
D 431 Missing Handler
DNR 432 Dangerous Signal Handler not Disabled During Sensitive Operations
D 472 External Control of Assumed-Immutable Web Parameter
R 476 NULL Pointer Dereference
DNR 479 Signal Handler Use of a Non-reentrant Function
R 488 Data Leak Between Sessions
D R 543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
N 544 Missing Standardized Error Handling Mechanism
DNR 567 Unsynchronized Access to Shared Data in a Multithreaded Context
R 574 EJB Bad Practices: Use of Synchronization Primitives
D 580 clone() Method Without super.clone()
D 599 Trust of OpenSSL Certificate Without Validation
DN 600 Uncaught Exception in Servlet
R 609 Double-Checked Locking
N 637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
N 638 Not Using Complete Mediation
D 648 Incorrect Use of Privileged APIs
D 649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
D R 662 Improper Synchronization
DNR 663 Use of a Non-reentrant Function in a Concurrent Context
D R 664 Improper Control of a Resource Through its Lifetime
DNR 667 Improper Locking
R 669 Incorrect Resource Transfer Between Spheres
R 691 Insufficient Control Flow Management
N 703 Improper Check or Handling of Exceptional Conditions
R 706 Use of Incorrectly-Resolved Name or Reference
D 755 Improper Handling of Exceptional Conditions
D 756 Missing Custom Error Page
D 769 File Descriptor Exhaustion
R 776 Unrestricted Recursive Entity References in DTDs ('XML Bomb')
D 798 Use of Hard-coded Credentials
R 820 Missing Synchronization
R 821 Incorrect Synchronization
Detailed Difference Report
Detailed Difference Report
20 Improper Input Validation
Major Demonstrative_Examples, Description
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Potential_Mitigations
Minor None
34 Path Traversal: '....//'
Major Relationships
Minor None
35 Path Traversal: '.../...//'
Major Relationships
Minor None
49 Path Equivalence: 'filename/' (Trailing Slash)
Major Observed_Examples
Minor None
69 Improper Handling of Windows ::DATA Alternate Data Stream
Major Name
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Common_Consequences, Relationship_Notes
Minor None
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major Description
Minor None
76 Improper Neutralization of Equivalent Special Elements
Major Description
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Description, Potential_Mitigations
Minor None
85 Doubled Character XSS Manipulations
Major Description
Minor None
87 Improper Neutralization of Alternate XSS Syntax
Major Demonstrative_Examples
Minor None
94 Failure to Control Generation of Code ('Code Injection')
Major None
Minor Common_Consequences
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Major Potential_Mitigations
Minor None
103 Struts: Incomplete validate() Method Definition
Major Description
Minor None
116 Improper Encoding or Escaping of Output
Major None
Minor Common_Consequences
117 Improper Output Neutralization for Logs
Major Demonstrative_Examples
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Name
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Potential_Mitigations
Minor None
123 Write-what-where Condition
Major Relationships
Minor None
128 Wrap-around Error
Major Background_Details
Minor None
129 Improper Validation of Array Index
Major Demonstrative_Examples, Observed_Examples, Potential_Mitigations
Minor None
130 Improper Handling of Length Parameter Inconsistency
Major Potential_Mitigations
Minor None
131 Incorrect Calculation of Buffer Size
Major Potential_Mitigations
Minor None
138 Improper Neutralization of Special Elements
Major Description
Minor None
168 Improper Handling of Inconsistent Special Elements
Major Name
Minor None
170 Improper Null Termination
Major None
Minor Common_Consequences
172 Encoding Error
Major Description
Minor None
173 Improper Handling of Alternate Encoding
Major Name
Minor None
175 Improper Handling of Mixed Encoding
Major Name
Minor None
176 Improper Handling of Unicode Encoding
Major Name
Minor None
177 Improper Handling of URL Encoding (Hex Encoding)
Major Name
Minor None
178 Improper Handling of Case Sensitivity
Major Name
Minor None
182 Collapse of Data into Unsafe Value
Major Relationships
Minor None
193 Off-by-one Error
Major Demonstrative_Examples
Minor None
194 Unexpected Sign Extension
Major Applicable_Platforms
Minor None
196 Unsigned to Signed Conversion Error
Major Other_Notes
Minor None
197 Numeric Truncation Error
Major Demonstrative_Examples
Minor None
201 Information Exposure Through Sent Data
Major Common_Consequences
Minor None
211 Product-External Error Message Information Leak
Major Observed_Examples
Minor None
226 Sensitive Information Uncleared Before Release
Major Description
Minor None
227 Failure to Fulfill API Contract ('API Abuse')
Major Description
Minor None
243 Creation of chroot Jail Without Changing Working Directory
Major Demonstrative_Examples, Name
Minor None
244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Major Name
Minor None
252 Unchecked Return Value
Major Demonstrative_Examples
Minor None
258 Empty Password in Configuration File
Major Demonstrative_Examples
Minor None
259 Use of Hard-coded Password
Major Relationships
Minor None
272 Least Privilege Violation
Major Other_Notes
Minor None
296 Improper Following of Chain of Trust for Certificate Validation
Major Other_Notes
Minor None
297 Improper Validation of Host-specific Certificate Data
Major Description, Other_Notes
Minor None
299 Improper Check for Certificate Revocation
Major Other_Notes
Minor None
300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Major Description
Minor None
309 Use of Password System for Primary Authentication
Major Common_Consequences
Minor None
311 Missing Encryption of Sensitive Data
Major Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns
Minor None
313 Plaintext Storage in a File or on Disk
Major Demonstrative_Examples
Minor None
319 Cleartext Transmission of Sensitive Information
Major Observed_Examples, Related_Attack_Patterns
Minor None
321 Use of Hard-coded Cryptographic Key
Major Relationships
Minor None
344 Use of Invariant Value in Dynamically Changing Context
Major Relationships
Minor None
345 Insufficient Verification of Data Authenticity
Major Related_Attack_Patterns
Minor None
346 Origin Validation Error
Major Related_Attack_Patterns
Minor None
353 Missing Support for Integrity Check
Major Description, Name
Minor None
354 Improper Validation of Integrity Check Value
Major Description
Minor None
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships
Minor None
363 Race Condition Enabling Link Following
Major Other_Notes, Relationship_Notes
Minor None
364 Signal Handler Race Condition
Major Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Alternate_Terms, Relationships
Minor None
368 Context Switching Race Condition
Major Observed_Examples
Minor None
371 State Issues
Major Relationships
Minor None
372 Incomplete Internal State Distinction
Major Maintenance_Notes
Minor None
373 DEPRECATED: State Synchronization Error
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
374 Passing Mutable Objects to an Untrusted Method
Major Demonstrative_Examples
Minor None
381 J2EE Time and State Issues
Major Relationships
Minor None
383 J2EE Bad Practices: Direct Use of Threads
Major Description, Other_Notes, Relationships
Minor None
392 Missing Report of Error Condition
Major Description, Name
Minor None
398 Indicator of Poor Code Quality
Major Relationships
Minor None
401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
Major Demonstrative_Examples, Name
Minor None
404 Improper Resource Shutdown or Release
Major Demonstrative_Examples
Minor None
405 Asymmetric Resource Consumption (Amplification)
Major Description
Minor None
413 Improper Resource Locking
Major Demonstrative_Examples
Minor None
415 Double Free
Major Observed_Examples, Relationships
Minor None
416 Use After Free
Major Alternate_Terms, Common_Consequences, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships
Minor Demonstrative_Examples
419 Unprotected Primary Channel
Major Related_Attack_Patterns
Minor None
424 Improper Protection of Alternate Path
Major Name
Minor None
431 Missing Handler
Major Description, Other_Notes
Minor None
432 Dangerous Signal Handler not Disabled During Sensitive Operations
Major Applicable_Platforms, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Potential_Mitigations
Minor None
437 Incomplete Model of Endpoint Features
Major Other_Notes, Relationship_Notes
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Related_Attack_Patterns
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major Description
Minor None
476 NULL Pointer Dereference
Major Relationships
Minor None
479 Signal Handler Use of a Non-reentrant Function
Major Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships
Minor None
488 Data Leak Between Sessions
Major Relationships
Minor None
494 Download of Code Without Integrity Check
Major Potential_Mitigations
Minor None
543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
Major Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
Minor None
544 Missing Standardized Error Handling Mechanism
Major Name
Minor None
567 Unsynchronized Access to Shared Data in a Multithreaded Context
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships
Minor None
574 EJB Bad Practices: Use of Synchronization Primitives
Major Relationships
Minor None
580 clone() Method Without super.clone()
Major Description
Minor None
581 Object Model Violation: Just One of Equals and Hashcode Defined
Major Common_Consequences
Minor None
595 Comparison of Object References Instead of Object Contents
Major Demonstrative_Examples
Minor None
599 Trust of OpenSSL Certificate Without Validation
Major Description
Minor None
600 Uncaught Exception in Servlet
Major Description, Name
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Related_Attack_Patterns
Minor None
609 Double-Checked Locking
Major Relationships
Minor None
636 Not Failing Securely ('Failing Open')
Major Research_Gaps
Minor None
637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
Major Name, Research_Gaps
Minor None
638 Not Using Complete Mediation
Major Name
Minor None
639 Access Control Bypass Through User-Controlled Key
Major None
Minor Common_Consequences
640 Weak Password Recovery Mechanism for Forgotten Password
Major Common_Consequences
Minor None
641 Improper Restriction of Names for Files and Other Resources
Major Common_Consequences
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major Common_Consequences
Minor None
644 Improper Neutralization of HTTP Headers for Scripting Syntax
Major Common_Consequences
Minor None
646 Reliance on File Name or Extension of Externally-Supplied File
Major Applicable_Platforms, Common_Consequences
Minor None
647 Use of Non-Canonical URL Paths for Authorization Decisions
Major Common_Consequences
Minor Observed_Examples
648 Incorrect Use of Privileged APIs
Major Common_Consequences, Description
Minor None
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major Common_Consequences, Description, Enabling_Factors_for_Exploitation, Observed_Examples
Minor None
651 Information Exposure through WSDL File
Major Common_Consequences
Minor Description
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major Common_Consequences
Minor None
653 Insufficient Compartmentalization
Major Other_Notes, Relationship_Notes, Terminology_Notes
Minor None
662 Improper Synchronization
Major Description, Relationships, Taxonomy_Mappings
Minor None
663 Use of a Non-reentrant Function in a Concurrent Context
Major Description, Name, Relationships
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Description, Relationships
Minor None
667 Improper Locking
Major Description, Name, Relationships
Minor None
669 Incorrect Resource Transfer Between Spheres
Major Relationships
Minor None
684 Failure to Provide Specified Functionality
Major Potential_Mitigations
Minor None
691 Insufficient Control Flow Management
Major Relationships
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Name, Relationship_Notes
Minor None
706 Use of Incorrectly-Resolved Name or Reference
Major Relationships
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Potential_Mitigations
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Relationship_Notes
Minor None
755 Improper Handling of Exceptional Conditions
Major Description, Observed_Examples
Minor None
756 Missing Custom Error Page
Major Description
Minor None
766 Critical Variable Declared Public
Major Observed_Examples
Minor None
769 File Descriptor Exhaustion
Major Description
Minor None
776 Unrestricted Recursive Entity References in DTDs ('XML Bomb')
Major Relationships
Minor None
798 Use of Hard-coded Credentials
Major Description
Minor None
805 Buffer Access with Incorrect Length Value
Major Potential_Mitigations
Minor None
820 Missing Synchronization
Major Demonstrative_Examples, Relationships
Minor None
821 Incorrect Synchronization
Major Relationships
Minor None

More information is available — Please select a different filter.
Page Last Updated: January 05, 2017