Common Weakness Enumeration (CWE)

Differences between Version 1.1 and Version 1.2

Summary
Total (Version 1.2) 755
Total (Version 1.1) 751
Total new 4
Total deprecated 0
Total shared 751
Total important changes 56
Total major changes 63
Total minor changes 3
Total minor changes (no major)
Total unchanged 688
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Affected_Resources 0 0
Alternate_Terms 3 1
Applicable_Platforms 12 0
Background_Details 2 0
Black_Box_Definitions 0 0
Causal_Nature 1 0
Common_Consequences 26 1
Common_Methods_of_Exploitation 0 0
Context_Notes 0 0
Demonstrative_Examples 20 0
Description 37 0
Detection_Factors 1 0
Enabling_Factors_for_Exploitation 2 0
Functional_Areas 0 1
Likelihood_of_Exploit 16 0
Maintenance_Notes 3 0
Modes_of_Introduction 2 0
Name 28 0
Observed_Examples 20 0
Other_Notes 18 0
Potential_Mitigations 31 0
References 18 0
Related_Attack_Patterns 0 0
Relationship_Notes 7 0
Relationships 40 0
Relevant_Properties 1 0
Research_Gaps 8 0
Source_Taxonomy 0 0
Taxonomy_Mappings 0 0
Terminology_Notes 2 0
Theoretical_Notes 2 0
Time_of_Introduction 4 0
Type 2 0
View_Audience 0 0
View_Filter 0 0
View_Structure 0 0
View_Type 0 0
Weakness_Ordinalities 3 0
White_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 749
Weakness/Base Weakness/Class 1
Weakness/Variant Weakness/Base 1

Relationship Changes

The "Version 1.2 Total" lists the total number of relationships in Version 1.2. The "Shared" value is the total number of relationships in entries that were in both Version 1.2 and Version 1.1. The "New" value is the total number of relationships involving entries that did not exist in Version 1.1. Thus, the total number of relationships in Version 1.2 would combine stats from Shared entries and New entries.

Relationship   Version 1.2 Total   Version 1.1 Total   Version 1.2 Shared   Unchanged   Added to Version 1.2   Removed from Version 1.2   Version 1.2 New
ALL            4371                4293                4315                 4283        32                     10                         56
CanAlsoBe      38                  38                  38                   38          -                      -                          -
CanFollow      78                  74                  78                   74          4                      -                          -
CanPrecede     78                  74                  78                   74          4                      -                          -
ChildOf        1852                1820                1827                 1815        12                     5                          25
HasMember      114                 111                 111                  111         -                      -                          3
MemberOf       114                 111                 111                  111         -                      -                          3
ParentOf       1852                1820                1827                 1815        12                     5                          25
PeerOf         188                 188                 188                  188         -                      -                          -
RequiredBy     27                  27                  27                   27          -                      -                          -
Requires       27                  27                  27                   27          -                      -                          -
StartsWith     3                   3                   3                    3           -                      -                          -

(- = cell left empty in the report; for each row, Shared = Unchanged + Added, and Version 1.2 Total = Shared + New)

Nodes Removed from Version 1.1

CWE-ID CWE Name
None.

Nodes Added to Version 1.2

CWE-ID CWE Name
750 Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
751 Insecure Interaction Between Components
752 Risky Resource Management
753 Porous Defenses

Nodes Deprecated in Version 1.2

CWE-ID CWE Name
None.
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 15 External Control of System or Configuration Setting
DNR 20 Improper Input Validation
R 59 Failure to Resolve Links Before File Access (aka 'Link Following')
D R 73 External Control of File Name or Path
R 74 Failure to Sanitize Data into a Different Plane (aka 'Injection')
DNR 78 Failure to Preserve OS Command Structure (aka 'OS Command Injection')
DNR 79 Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
DNR 89 Failure to Preserve SQL Query Structure (aka 'SQL Injection')
DNR 94 Failure to Control Generation of Code (aka 'Code Injection')
D 95 Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection')
R 98 Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion')
DNR 116 Improper Encoding or Escaping of Output
NR 119 Failure to Constrain Operations within the Bounds of a Memory Buffer
R 120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
R 121 Stack-based Buffer Overflow
R 122 Heap-based Buffer Overflow
DN 190 Integer Overflow or Wraparound
DNR 209 Error Message Information Leak
DNR 250 Execution with Unnecessary Privileges
D 252 Unchecked Return Value
D R 259 Hard-Coded Password
R 275 Permission Issues
DNR 285 Improper Access Control (Authorization)
N 287 Improper Authentication
DN 312 Cleartext Storage of Sensitive Information
DNR 319 Cleartext Transmission of Sensitive Information
D R 327 Use of a Broken or Risky Cryptographic Algorithm
D 328 Reversible One-Way Hash
D R 330 Use of Insufficiently Random Values
D R 352 Cross-Site Request Forgery (CSRF)
D R 362 Race Condition
R 367 Time-of-check Time-of-use (TOCTOU) Race Condition
D 400 Uncontrolled Resource Consumption (aka 'Resource Exhaustion')
R 404 Improper Resource Shutdown or Release
D R 426 Untrusted Search Path
R 434 Unrestricted File Upload
R 472 External Control of Assumed-Immutable Web Parameter
DNR 494 Download of Code Without Integrity Check
D R 565 Use of Cookies in Security Decision
DNR 602 Client-Side Enforcement of Server-Side Security
R 609 Double-Checked Locking
DN 636 Not Failing Securely (aka 'Failing Open')
DN 637 Failure to Use Economy of Mechanism
DN 638 Failure to Use Complete Mediation
DNR 642 External Control of Critical State Data
N 653 Insufficient Compartmentalization
DN 654 Reliance on a Single Factor in a Security Decision
DN 655 Failure to Satisfy Psychological Acceptability
DN 656 Reliance on Security through Obscurity
DNR 665 Improper Initialization
DN 671 Lack of Administrator Control over Security
D R 682 Incorrect Calculation
R 693 Protection Mechanism Failure
R 707 Failure to Enforce that Messages or Data are Well-Formed
DNR 732 Insecure Permission Assignment for Critical Resource
N 749 Exposed Dangerous Method or Function
Detailed Difference Report
15 External Control of System or Configuration Setting
Major Relationships
Minor None
20 Improper Input Validation
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships
Minor None
59 Failure to Resolve Links Before File Access (aka 'Link Following')
Major Relationships
Minor None
73 External Control of File Name or Path
Major Applicable_Platforms, Causal_Nature, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Weakness_Ordinalities
Minor None
74 Failure to Sanitize Data into a Different Plane (aka 'Injection')
Major Relationships
Minor None
78 Failure to Preserve OS Command Structure (aka 'OS Command Injection')
Major Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Terminology_Notes
Minor Alternate_Terms
79 Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
Major Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships
Minor None
89 Failure to Preserve SQL Query Structure (aka 'SQL Injection')
Major Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships
Minor None
94 Failure to Control Generation of Code (aka 'Code Injection')
Major Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships
Minor None
95 Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection')
Major Description, Observed_Examples, Other_Notes, Research_Gaps
Minor None
98 Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion')
Major Relationships
Minor None
116 Improper Encoding or Escaping of Output
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Terminology_Notes, Theoretical_Notes
Minor None
119 Failure to Constrain Operations within the Bounds of a Memory Buffer
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Likelihood_of_Exploit, Name, Potential_Mitigations, References, Relationships
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Common_Consequences, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships
Minor None
121 Stack-based Buffer Overflow
Major Common_Consequences, Relationships
Minor None
122 Heap-based Buffer Overflow
Major Common_Consequences, Relationships
Minor None
123 Write-what-where Condition
Major Common_Consequences
Minor None
124 Boundary Beginning Violation ('Buffer Underwrite')
Major Common_Consequences
Minor None
129 Unchecked Array Indexing
Major Common_Consequences
Minor None
190 Integer Overflow or Wraparound
Major Description, Name
Minor None
209 Error Message Information Leak
Major Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
250 Execution with Unnecessary Privileges
Major Common_Consequences, Description, Likelihood_of_Exploit, Maintenance_Notes, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
252 Unchecked Return Value
Major Background_Details, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations
Minor None
259 Hard-Coded Password
Major Demonstrative_Examples, Description, Maintenance_Notes, Potential_Mitigations, Relationships
Minor None
275 Permission Issues
Major Relationships
Minor None
285 Improper Access Control (Authorization)
Major Common_Consequences, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, References, Relationships
Minor None
287 Improper Authentication
Major Name
Minor None
312 Cleartext Storage of Sensitive Information
Major Description, Name
Minor None
319 Cleartext Transmission of Sensitive Information
Major Common_Consequences, Description, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Relationships
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References, Relationships
Minor None
328 Reversible One-Way Hash
Major Description, References
Minor None
330 Use of Insufficiently Random Values
Major Description, Likelihood_of_Exploit, Other_Notes, Potential_Mitigations, Relationships
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Applicable_Platforms, Description, Likelihood_of_Exploit, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Theoretical_Notes
Minor None
362 Race Condition
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships, Research_Gaps
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Alternate_Terms, Observed_Examples, Other_Notes, References, Relationship_Notes, Relationships, Research_Gaps
Minor Common_Consequences
400 Uncontrolled Resource Consumption (aka 'Resource Exhaustion')
Major Description
Minor None
404 Improper Resource Shutdown or Release
Major Common_Consequences, Likelihood_of_Exploit, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Weakness_Ordinalities
Minor None
421 Race Condition During Access to Alternate Channel
Major References
Minor None
426 Untrusted Search Path
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Functional_Areas
434 Unrestricted File Upload
Major Relationships
Minor None
457 Use of Uninitialized Variable
Major Common_Consequences, Demonstrative_Examples, Potential_Mitigations
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection')
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Observed_Examples, Potential_Mitigations
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major Relationships
Minor None
494 Download of Code Without Integrity Check
Major Applicable_Platforms, Common_Consequences, Description, Name, Other_Notes, Potential_Mitigations, References, Relationships, Research_Gaps, Type
Minor None
565 Use of Cookies in Security Decision
Major Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationships
Minor None
590 Free of Invalid Pointer Not on the Heap
Major Potential_Mitigations
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Time_of_Introduction
Minor None
609 Double-Checked Locking
Major Relationships
Minor None
636 Not Failing Securely (aka 'Failing Open')
Major Description, Name
Minor None
637 Failure to Use Economy of Mechanism
Major Description, Name
Minor None
638 Failure to Use Complete Mediation
Major Description, Name
Minor None
642 External Control of Critical State Data
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Relevant_Properties, Type
Minor None
653 Insufficient Compartmentalization
Major Name
Minor None
654 Reliance on a Single Factor in a Security Decision
Major Description, Name
Minor None
655 Failure to Satisfy Psychological Acceptability
Major Description, Name
Minor None
656 Reliance on Security through Obscurity
Major Description, Name
Minor None
665 Improper Initialization
Major Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Weakness_Ordinalities
Minor None
671 Lack of Administrator Control over Security
Major Description, Name
Minor None
682 Incorrect Calculation
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Potential_Mitigations, Relationships
Minor None
693 Protection Mechanism Failure
Major Relationships
Minor None
707 Failure to Enforce that Messages or Data are Well-Formed
Major Relationships
Minor None
732 Insecure Permission Assignment for Critical Resource
Major Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships
Minor None
749 Exposed Dangerous Method or Function
Major Name
Minor None

Page Last Updated: January 05, 2017