Differences between Version 1.1 and Version 1.2
Differences between Version 1.1 and Version 1.2
| Total (Version 1.2) |
755 |
| Total (Version 1.1) |
751 |
| Total new |
4 |
| Total deprecated |
0 |
| Total shared |
751 |
| Total important changes |
56 |
| Total major changes |
63 |
| Total minor changes |
3 |
| Total minor changes (no major) |
|
| Total unchanged |
688 |
Field Change Summary
Field Change Summary
Any change with respect to whitespace is ignored. "Minor"
changes are text changes that only affect capitalization and
punctuation. Most other changes are marked as "Major."
Simple schema changes are treated as Minor, such as the change from
AffectedResource to Affected_Resource in Draft 8, or the relationship
name change from "IsRequiredBy" to "RequiredBy" in
Version 1.0. For each mutual relationship between nodes A and B (such
as ParentOf and ChildOf), a relationship change is noted for both A
and B.
| Field |
Major |
Minor |
| Affected_Resources |
0 |
0 |
| Alternate_Terms |
3 |
1 |
| Applicable_Platforms |
12 |
0 |
| Background_Details |
2 |
0 |
| Black_Box_Definitions |
0 |
0 |
| Causal_Nature |
1 |
0 |
| Common_Consequences |
26 |
1 |
| Common_Methods_of_Exploitation |
0 |
0 |
| Context_Notes |
0 |
0 |
| Demonstrative_Examples |
20 |
0 |
| Description |
37 |
0 |
| Detection_Factors |
1 |
0 |
| Enabling_Factors_for_Exploitation |
2 |
0 |
| Functional_Areas |
0 |
1 |
| Likelihood_of_Exploit |
16 |
0 |
| Maintenance_Notes |
3 |
0 |
| Modes_of_Introduction |
2 |
0 |
| Name |
28 |
0 |
| Observed_Examples |
20 |
0 |
| Other_Notes |
18 |
0 |
| Potential_Mitigations |
31 |
0 |
| References |
18 |
0 |
| Related_Attack_Patterns |
0 |
0 |
| Relationship_Notes |
7 |
0 |
| Relationships |
40 |
0 |
| Relevant_Properties |
1 |
0 |
| Research_Gaps |
8 |
0 |
| Source_Taxonomy |
0 |
0 |
| Taxonomy_Mappings |
0 |
0 |
| Terminology_Notes |
2 |
0 |
| Theoretical_Notes |
2 |
0 |
| Time_of_Introduction |
4 |
0 |
| Type |
2 |
0 |
| View_Audience |
0 |
0 |
| View_Filter |
0 |
0 |
| View_Structure |
0 |
0 |
| View_Type |
0 |
0 |
| Weakness_Ordinalities |
3 |
0 |
| White_Box_Definitions |
0 |
0 |
Form and Abstraction Changes
| From |
To |
Total |
| Unchanged |
|
749 |
| Weakness/Base |
Weakness/Class |
1 |
| Weakness/Variant |
Weakness/Base |
1 |
Relationship Changes
The "Version 1.2 Total" lists the total number of relationships
in Version 1.2. The "Shared" value is the total number of
relationships in entries that were in both Version 1.2 and Version 1.1. The
"New" value is the total number of relationships involving
entries that did not exist in Version 1.1. Thus, the total number of
relationships in Version 1.2 would combine stats from Shared entries and
New entries.
| Relationship |
Version 1.2 Total |
Version 1.1 Total |
Version 1.2 Shared |
Unchanged |
Added to Version 1.2 |
Removed from Version 1.2 |
Version 1.2 New |
| ALL |
4371 |
4293 |
4315 |
4283 |
32 |
10 |
56 |
| CanAlsoBe |
38 |
38 |
38 |
38 |
|
|
|
| CanFollow |
78 |
74 |
78 |
74 |
4 |
|
|
| CanPrecede |
78 |
74 |
78 |
74 |
4 |
|
|
| ChildOf |
1852 |
1820 |
1827 |
1815 |
12 |
5 |
25 |
| HasMember |
114 |
111 |
111 |
111 |
|
|
3 |
| MemberOf |
114 |
111 |
111 |
111 |
|
|
3 |
| ParentOf |
1852 |
1820 |
1827 |
1815 |
12 |
5 |
25 |
| PeerOf |
188 |
188 |
188 |
188 |
|
|
|
| RequiredBy |
27 |
27 |
27 |
27 |
|
|
|
| Requires |
27 |
27 |
27 |
27 |
|
|
|
| StartsWith |
3 |
3 |
3 |
3 |
|
|
|
Nodes Removed from Version 1.1
Nodes Added to Version 1.2
| CWE-ID |
CWE Name |
| 750 |
Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors |
| 751 |
Insecure Interaction Between Components |
| 752 |
Risky Resource Management |
| 753 |
Porous Defenses |
Nodes Deprecated in Version 1.2
Important Changes
Important Changes
A node change is labeled "important" if it is a major field change and
the field is critical to the meaning of the node. The critical fields
are description, name, and relationships.
| Key |
| D |
Description |
| N |
Name |
| R |
Relationships |
| | | R |
15 |
External Control of System or Configuration Setting |
| D | N | R |
20 |
Improper Input Validation |
| | | R |
59 |
Failure to Resolve Links Before File Access (aka 'Link Following') |
| D | | R |
73 |
External Control of File Name or Path |
| | | R |
74 |
Failure to Sanitize Data into a Different Plane (aka 'Injection') |
| D | N | R |
78 |
Failure to Preserve OS Command Structure (aka 'OS Command Injection') |
| D | N | R |
79 |
Failure to Preserve Web Page Structure (aka 'Cross-site Scripting') |
| D | N | R |
89 |
Failure to Preserve SQL Query Structure (aka 'SQL Injection') |
| D | N | R |
94 |
Failure to Control Generation of Code (aka 'Code Injection') |
| D | | |
95 |
Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection') |
| | | R |
98 |
Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') |
| D | N | R |
116 |
Improper Encoding or Escaping of Output |
| | N | R |
119 |
Failure to Constrain Operations within the Bounds of a Memory Buffer |
| | | R |
120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| | | R |
121 |
Stack-based Buffer Overflow |
| | | R |
122 |
Heap-based Buffer Overflow |
| D | N | |
190 |
Integer Overflow or Wraparound |
| D | N | R |
209 |
Error Message Information Leak |
| D | N | R |
250 |
Execution with Unnecessary Privileges |
| D | | |
252 |
Unchecked Return Value |
| D | | R |
259 |
Hard-Coded Password |
| | | R |
275 |
Permission Issues |
| D | N | R |
285 |
Improper Access Control (Authorization) |
| | N | |
287 |
Improper Authentication |
| D | N | |
312 |
Cleartext Storage of Sensitive Information |
| D | N | R |
319 |
Cleartext Transmission of Sensitive Information |
| D | | R |
327 |
Use of a Broken or Risky Cryptographic Algorithm |
| D | | |
328 |
Reversible One-Way Hash |
| D | | R |
330 |
Use of Insufficiently Random Values |
| D | | R |
352 |
Cross-Site Request Forgery (CSRF) |
| D | | R |
362 |
Race Condition |
| | | R |
367 |
Time-of-check Time-of-use (TOCTOU) Race Condition |
| D | | |
400 |
Uncontrolled Resource Consumption (aka 'Resource Exhaustion') |
| | | R |
404 |
Improper Resource Shutdown or Release |
| D | | R |
426 |
Untrusted Search Path |
| | | R |
434 |
Unrestricted File Upload |
| | | R |
472 |
External Control of Assumed-Immutable Web Parameter |
| D | N | R |
494 |
Download of Code Without Integrity Check |
| D | | R |
565 |
Use of Cookies in Security Decision |
| D | N | R |
602 |
Client-Side Enforcement of Server-Side Security |
| | | R |
609 |
Double-Checked Locking |
| D | N | |
636 |
Not Failing Securely (aka 'Failing Open') |
| D | N | |
637 |
Failure to Use Economy of Mechanism |
| D | N | |
638 |
Failure to Use Complete Mediation |
| D | N | R |
642 |
External Control of Critical State Data |
| | N | |
653 |
Insufficient Compartmentalization |
| D | N | |
654 |
Reliance on a Single Factor in a Security Decision |
| D | N | |
655 |
Failure to Satisfy Psychological Acceptability |
| D | N | |
656 |
Reliance on Security through Obscurity |
| D | N | R |
665 |
Improper Initialization |
| D | N | |
671 |
Lack of Administrator Control over Security |
| D | | R |
682 |
Incorrect Calculation |
| | | R |
693 |
Protection Mechanism Failure |
| | | R |
707 |
Failure to Enforce that Messages or Data are Well-Formed |
| D | N | R |
732 |
Insecure Permission Assignment for Critical Resource |
| | N | |
749 |
Exposed Dangerous Method or Function |
Detailed Difference Report
Detailed Difference Report
| 15 |
External Control of System or Configuration Setting |
|
Major |
Relationships |
|
Minor |
None |
| 20 |
Improper Input Validation |
|
Major |
Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships |
|
Minor |
None |
| 59 |
Failure to Resolve Links Before File Access (aka 'Link Following') |
|
Major |
Relationships |
|
Minor |
None |
| 73 |
External Control of File Name or Path |
|
Major |
Applicable_Platforms, Causal_Nature, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Weakness_Ordinalities |
|
Minor |
None |
| 74 |
Failure to Sanitize Data into a Different Plane (aka 'Injection') |
|
Major |
Relationships |
|
Minor |
None |
| 78 |
Failure to Preserve OS Command Structure (aka 'OS Command Injection') |
|
Major |
Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Terminology_Notes |
|
Minor |
Alternate_Terms |
| 79 |
Failure to Preserve Web Page Structure (aka 'Cross-site Scripting') |
|
Major |
Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships |
|
Minor |
None |
| 89 |
Failure to Preserve SQL Query Structure (aka 'SQL Injection') |
|
Major |
Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships |
|
Minor |
None |
| 94 |
Failure to Control Generation of Code (aka 'Code Injection') |
|
Major |
Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships |
|
Minor |
None |
| 95 |
Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection') |
|
Major |
Description, Observed_Examples, Other_Notes, Research_Gaps |
|
Minor |
None |
| 98 |
Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') |
|
Major |
Relationships |
|
Minor |
None |
| 116 |
Improper Encoding or Escaping of Output |
|
Major |
Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Terminology_Notes, Theoretical_Notes |
|
Minor |
None |
| 119 |
Failure to Constrain Operations within the Bounds of a Memory Buffer |
|
Major |
Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Likelihood_of_Exploit, Name, Potential_Mitigations, References, Relationships |
|
Minor |
None |
| 120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
|
Major |
Common_Consequences, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships |
|
Minor |
None |
| 121 |
Stack-based Buffer Overflow |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
| 122 |
Heap-based Buffer Overflow |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
| 123 |
Write-what-where Condition |
|
Major |
Common_Consequences |
|
Minor |
None |
| 124 |
Boundary Beginning Violation ('Buffer Underwrite') |
|
Major |
Common_Consequences |
|
Minor |
None |
| 129 |
Unchecked Array Indexing |
|
Major |
Common_Consequences |
|
Minor |
None |
| 190 |
Integer Overflow or Wraparound |
|
Major |
Description, Name |
|
Minor |
None |
| 209 |
Error Message Information Leak |
|
Major |
Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction |
|
Minor |
None |
| 250 |
Execution with Unnecessary Privileges |
|
Major |
Common_Consequences, Description, Likelihood_of_Exploit, Maintenance_Notes, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction |
|
Minor |
None |
| 252 |
Unchecked Return Value |
|
Major |
Background_Details, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations |
|
Minor |
None |
| 259 |
Hard-Coded Password |
|
Major |
Demonstrative_Examples, Description, Maintenance_Notes, Potential_Mitigations, Relationships |
|
Minor |
None |
| 275 |
Permission Issues |
|
Major |
Relationships |
|
Minor |
None |
| 285 |
Improper Access Control (Authorization) |
|
Major |
Common_Consequences, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, References, Relationships |
|
Minor |
None |
| 287 |
Improper Authentication |
|
Major |
Name |
|
Minor |
None |
| 312 |
Cleartext Storage of Sensitive Information |
|
Major |
Description, Name |
|
Minor |
None |
| 319 |
Cleartext Transmission of Sensitive Information |
|
Major |
Common_Consequences, Description, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Relationships |
|
Minor |
None |
| 327 |
Use of a Broken or Risky Cryptographic Algorithm |
|
Major |
Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References, Relationships |
|
Minor |
None |
| 328 |
Reversible One-Way Hash |
|
Major |
Description, References |
|
Minor |
None |
| 330 |
Use of Insufficiently Random Values |
|
Major |
Description, Likelihood_of_Exploit, Other_Notes, Potential_Mitigations, Relationships |
|
Minor |
None |
| 352 |
Cross-Site Request Forgery (CSRF) |
|
Major |
Applicable_Platforms, Description, Likelihood_of_Exploit, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Theoretical_Notes |
|
Minor |
None |
| 362 |
Race Condition |
|
Major |
Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships, Research_Gaps |
|
Minor |
None |
| 367 |
Time-of-check Time-of-use (TOCTOU) Race Condition |
|
Major |
Alternate_Terms, Observed_Examples, Other_Notes, References, Relationship_Notes, Relationships, Research_Gaps |
|
Minor |
Common_Consequences |
| 400 |
Uncontrolled Resource Consumption (aka 'Resource Exhaustion') |
|
Major |
Description |
|
Minor |
None |
| 404 |
Improper Resource Shutdown or Release |
|
Major |
Common_Consequences, Likelihood_of_Exploit, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Weakness_Ordinalities |
|
Minor |
None |
| 421 |
Race Condition During Access to Alternate Channel |
|
Major |
References |
|
Minor |
None |
| 426 |
Untrusted Search Path |
|
Major |
Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, Relationships, Time_of_Introduction |
|
Minor |
Functional_Areas |
| 434 |
Unrestricted File Upload |
|
Major |
Relationships |
|
Minor |
None |
| 457 |
Use of Uninitialized Variable |
|
Major |
Common_Consequences, Demonstrative_Examples, Potential_Mitigations |
|
Minor |
None |
| 470 |
Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection') |
|
Major |
Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Observed_Examples, Potential_Mitigations |
|
Minor |
None |
| 472 |
External Control of Assumed-Immutable Web Parameter |
|
Major |
Relationships |
|
Minor |
None |
| 494 |
Download of Code Without Integrity Check |
|
Major |
Applicable_Platforms, Common_Consequences, Description, Name, Other_Notes, Potential_Mitigations, References, Relationships, Research_Gaps, Type |
|
Minor |
None |
| 565 |
Use of Cookies in Security Decision |
|
Major |
Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationships |
|
Minor |
None |
| 590 |
Free of Invalid Pointer Not on the Heap |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 602 |
Client-Side Enforcement of Server-Side Security |
|
Major |
Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Time_of_Introduction |
|
Minor |
None |
| 609 |
Double-Checked Locking |
|
Major |
Relationships |
|
Minor |
None |
| 636 |
Not Failing Securely (aka 'Failing Open') |
|
Major |
Description, Name |
|
Minor |
None |
| 637 |
Failure to Use Economy of Mechanism |
|
Major |
Description, Name |
|
Minor |
None |
| 638 |
Failure to Use Complete Mediation |
|
Major |
Description, Name |
|
Minor |
None |
| 642 |
External Control of Critical State Data |
|
Major |
Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Relevant_Properties, Type |
|
Minor |
None |
| 653 |
Insufficient Compartmentalization |
|
Major |
Name |
|
Minor |
None |
| 654 |
Reliance on a Single Factor in a Security Decision |
|
Major |
Description, Name |
|
Minor |
None |
| 655 |
Failure to Satisfy Psychological Acceptability |
|
Major |
Description, Name |
|
Minor |
None |
| 656 |
Reliance on Security through Obscurity |
|
Major |
Description, Name |
|
Minor |
None |
| 665 |
Improper Initialization |
|
Major |
Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Weakness_Ordinalities |
|
Minor |
None |
| 671 |
Lack of Administrator Control over Security |
|
Major |
Description, Name |
|
Minor |
None |
| 682 |
Incorrect Calculation |
|
Major |
Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Potential_Mitigations, Relationships |
|
Minor |
None |
| 693 |
Protection Mechanism Failure |
|
Major |
Relationships |
|
Minor |
None |
| 707 |
Failure to Enforce that Messages or Data are Well-Formed |
|
Major |
Relationships |
|
Minor |
None |
| 732 |
Insecure Permission Assignment for Critical Resource |
|
Major |
Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships |
|
Minor |
None |
| 749 |
Exposed Dangerous Method or Function |
|
Major |
Name |
|
Minor |
None |
More information is available — Please edit the custom filter or select a different filter.
|
