CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > Reports > Differences between Version 1.6 and Version 1.7  
ID

Differences between Version 1.6 and Version 1.7
Differences between Version 1.6 and Version 1.7

Summary
Summary
Total (Version 1.7) 799
Total (Version 1.6) 791
Total new 8
Total deprecated 0
Total shared 791
Total important changes 20
Total major changes 109
Total minor changes 190
Total minor changes (no major) 165
Total unchanged 517

Summary of Entry Types

Type Version 1.6 Version 1.7
Category 105 105
Chain 3 3
Composite 9 9
Deprecated 11 11
View 22 22
Weakness 641 649

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 12 0
Description 14 0
Applicable_Platforms 17 32
Time_of_Introduction 10 0
Demonstrative_Examples 29 0
Detection_Factors 12 0
Likelihood_of_Exploit 14 0
Common_Consequences 17 175
Relationships 4 0
References 10 0
Potential_Mitigations 42 1
Observed_Examples 15 1
Terminology_Notes 0 0
Alternate_Terms 2 0
Related_Attack_Patterns 9 0
Relationship_Notes 3 0
Taxonomy_Mappings 0 0
Maintenance_Notes 1 0
Modes_of_Introduction 2 0
Affected_Resources 0 0
Functional_Areas 1 1
Research_Gaps 2 0
Background_Details 1 0
Theoretical_Notes 1 0
Weakness_Ordinalities 5 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 1 0
Other_Notes 19 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 0 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 791

Status Changes

From To Total
Unchanged 790
Draft Usable 1

Relationship Changes

The "Version 1.7 Total" lists the total number of relationships in Version 1.7. The "Shared" value is the total number of relationships in entries that were in both Version 1.7 and Version 1.6. The "New" value is the total number of relationships involving entries that did not exist in Version 1.6. Thus, the total number of relationships in Version 1.7 would combine stats from Shared entries and New entries.

Relationship Version 1.7 Total Version 1.6 Total Version 1.7 Shared Unchanged Added to Version 1.7 Removed from Version 1.7 Version 1.7 New
ALL 4676 4658 4660 4656 4 2 16
ChildOf 2008 2000 2000 1999 1 1 8
ParentOf 2008 2000 2000 1999 1 1 8
MemberOf 106 106 106 106
HasMember 106 106 106 106
CanPrecede 84 83 84 83 1
CanFollow 84 83 84 83 1
StartsWith 3 3 3 3
Requires 27 27 27 27
RequiredBy 27 27 27 27
CanAlsoBe 37 37 37 37
PeerOf 186 186 186 186

Nodes Removed from Version 1.6

CWE-ID CWE Name
None.

Nodes Added to Version 1.7

CWE-ID CWE Name
790 Improper Filtering of Special Elements
791 Incomplete Filtering of Special Elements
792 Incomplete Filtering of One or More Instances of Special Elements
793 Only Filtering One Instance of a Special Element
794 Incomplete Filtering of Multiple Instances of Special Elements
795 Only Filtering Special Elements at a Specified Location
796 Only Filtering Special Elements Relative to a Marker
797 Only Filtering Special Elements at an Absolute Position

Nodes Deprecated in Version 1.7

CWE-ID CWE Name
None.
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

D 79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
R 138 Improper Sanitization of Special Elements
D 192 Integer Coercion Error
DN 200 Information Exposure
DN 203 Information Exposure Through Discrepancy
DN 205 Information Exposure Through Behavioral Discrepancy
DN 207 Information Exposure Through an External Behavioral Inconsistency
N 209 Information Exposure Through an Error Message
N 212 Improper Cross-boundary Cleansing
R 219 Sensitive Data Under Web Root
R 285 Improper Access Control (Authorization)
D 330 Use of Insufficiently Random Values
DN 497 Exposure of System Data to an Unauthorized Control Sphere
DN 527 Exposure of CVS Repository to an Unauthorized Control Sphere
DN 528 Exposure of Core Dump File to an Unauthorized Control Sphere
DN 529 Exposure of Access Control List Files to an Unauthorized Control Sphere
DN 530 Exposure of Backup File to an Unauthorized Control Sphere
DN 538 File and Directory Information Exposure
D 548 Information Leak Through Directory Listing
R 668 Exposure of Resource to Wrong Sphere
Detailed Difference Report
Detailed Difference Report
6 J2EE Misconfiguration: Insufficient Session-ID Length
Major None
Minor Common_Consequences
11 ASP.NET Misconfiguration: Creating Debug Binary
Major None
Minor Common_Consequences
12 ASP.NET Misconfiguration: Missing Custom Error Page
Major None
Minor Common_Consequences
20 Improper Input Validation
Major Applicable_Platforms, Demonstrative_Examples, Detection_Factors
Minor Common_Consequences
26 Path Traversal: '/dir/../filename'
Major None
Minor Applicable_Platforms
59 Improper Link Resolution Before File Access ('Link Following')
Major None
Minor Applicable_Platforms
73 External Control of File Name or Path
Major Detection_Factors
Minor Applicable_Platforms, Common_Consequences
74 Failure to Sanitize Data into a Different Plane ('Injection')
Major None
Minor Common_Consequences
77 Improper Sanitization of Special Elements used in a Command ('Command Injection')
Major None
Minor Common_Consequences
78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
Major Detection_Factors
Minor Common_Consequences
79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
Major Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Observed_Examples
Minor Applicable_Platforms, Common_Consequences
82 Improper Sanitization of Script in Attributes of IMG Tags in a Web Page
Major Observed_Examples
Minor None
89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
Major Potential_Mitigations
Minor Common_Consequences
92 DEPRECATED: Improper Sanitization of Custom Special Characters
Major Related_Attack_Patterns
Minor None
93 Failure to Sanitize CRLF Sequences ('CRLF Injection')
Major Likelihood_of_Exploit
Minor None
94 Failure to Control Generation of Code ('Code Injection')
Major None
Minor Applicable_Platforms, Common_Consequences
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Major Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, Potential_Mitigations, Time_of_Introduction
Minor None
102 Struts: Duplicate Validation Forms
Major Background_Details, Common_Consequences, Other_Notes
Minor None
103 Struts: Incomplete validate() Method Definition
Major Common_Consequences, Other_Notes
Minor None
104 Struts: Form Bean Does Not Extend Validation Class
Major Common_Consequences, Other_Notes
Minor None
108 Struts: Unvalidated Action Form
Major Common_Consequences, Other_Notes
Minor None
110 Struts: Validator Without Form Field
Major None
Minor Common_Consequences
113 Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major None
Minor Common_Consequences
116 Improper Encoding or Escaping of Output
Major Demonstrative_Examples, Potential_Mitigations
Minor Applicable_Platforms, Common_Consequences
117 Improper Output Sanitization for Logs
Major None
Minor Common_Consequences
119 Failure to Constrain Operations within the Bounds of a Memory Buffer
Major Common_Consequences, Demonstrative_Examples, Detection_Factors, Observed_Examples
Minor Applicable_Platforms
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major None
Minor Common_Consequences
121 Stack-based Buffer Overflow
Major None
Minor Common_Consequences
122 Heap-based Buffer Overflow
Major None
Minor Common_Consequences
123 Write-what-where Condition
Major None
Minor Common_Consequences
124 Buffer Underwrite ('Buffer Underflow')
Major None
Minor Common_Consequences
128 Wrap-around Error
Major None
Minor Applicable_Platforms, Common_Consequences
129 Improper Validation of Array Index
Major Applicable_Platforms, Common_Consequences, Observed_Examples, Other_Notes, Potential_Mitigations, Theoretical_Notes, Weakness_Ordinalities
Minor None
130 Improper Handling of Length Parameter Inconsistency
Major Observed_Examples
Minor Applicable_Platforms
131 Incorrect Calculation of Buffer Size
Major Demonstrative_Examples, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations
Minor None
134 Uncontrolled Format String
Major None
Minor Applicable_Platforms, Common_Consequences
138 Improper Sanitization of Special Elements
Major Relationships
Minor None
170 Improper Null Termination
Major None
Minor Common_Consequences
171 Cleansing, Canonicalization, and Comparison Errors
Major Applicable_Platforms
Minor None
185 Incorrect Regular Expression
Major Common_Consequences, Other_Notes
Minor None
187 Partial Comparison
Major Demonstrative_Examples, Observed_Examples, Other_Notes, Relationship_Notes
Minor None
188 Reliance on Data/Memory Layout
Major None
Minor Common_Consequences
190 Integer Overflow or Wraparound
Major None
Minor Common_Consequences
192 Integer Coercion Error
Major Description, Other_Notes
Minor Common_Consequences
193 Off-by-one Error
Major Demonstrative_Examples, Potential_Mitigations
Minor None
194 Unexpected Sign Extension
Major None
Minor Common_Consequences
195 Signed to Unsigned Conversion Error
Major None
Minor Common_Consequences
196 Unsigned to Signed Conversion Error
Major None
Minor Common_Consequences
197 Numeric Truncation Error
Major None
Minor Common_Consequences
200 Information Exposure
Major Alternate_Terms, Description, Name
Minor None
201 Information Leak Through Sent Data
Major None
Minor Common_Consequences
202 Privacy Leak through Data Queries
Major None
Minor Common_Consequences
203 Information Exposure Through Discrepancy
Major Description, Name
Minor None
204 Response Discrepancy Information Leak
Major Demonstrative_Examples
Minor None
205 Information Exposure Through Behavioral Discrepancy
Major Description, Name
Minor None
207 Information Exposure Through an External Behavioral Inconsistency
Major Description, Name
Minor None
209 Information Exposure Through an Error Message
Major Demonstrative_Examples, Name, Potential_Mitigations, References, Time_of_Introduction
Minor Applicable_Platforms, Common_Consequences
210 Product-Generated Error Message Information Leak
Major Demonstrative_Examples
Minor None
211 Product-External Error Message Information Leak
Major None
Minor Applicable_Platforms
212 Improper Cross-boundary Cleansing
Major Name
Minor None
219 Sensitive Data Under Web Root
Major Relationships
Minor None
234 Failure to Handle Missing Parameter
Major None
Minor Common_Consequences
244 Failure to Clear Heap Memory Before Release ('Heap Inspection')
Major None
Minor Common_Consequences
250 Execution with Unnecessary Privileges
Major None
Minor Common_Consequences
252 Unchecked Return Value
Major Common_Consequences, Demonstrative_Examples, References
Minor None
253 Incorrect Check of Function Return Value
Major None
Minor Common_Consequences
257 Storing Passwords in a Recoverable Format
Major None
Minor Common_Consequences
259 Hard-Coded Password
Major None
Minor Common_Consequences
262 Not Using Password Aging
Major None
Minor Common_Consequences
263 Password Aging with Long Expiration
Major None
Minor Common_Consequences
265 Privilege / Sandbox Issues
Major Potential_Mitigations
Minor None
266 Incorrect Privilege Assignment
Major Potential_Mitigations
Minor None
267 Privilege Defined With Unsafe Actions
Major Potential_Mitigations
Minor None
268 Privilege Chaining
Major Other_Notes, Potential_Mitigations, Research_Gaps
Minor None
269 Improper Privilege Management
Major Potential_Mitigations
Minor None
270 Privilege Context Switching Error
Major Potential_Mitigations
Minor None
271 Privilege Dropping / Lowering Errors
Major Potential_Mitigations
Minor None
272 Least Privilege Violation
Major Potential_Mitigations
Minor Common_Consequences
273 Improper Check for Dropped Privileges
Major None
Minor Common_Consequences
282 Improper Ownership Management
Major Potential_Mitigations
Minor None
283 Unverified Ownership
Major Potential_Mitigations
Minor None
284 Access Control (Authorization) Issues
Major Potential_Mitigations
Minor None
285 Improper Access Control (Authorization)
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Modes_of_Introduction, Observed_Examples, Relationships
Minor None
287 Improper Authentication
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, References
Minor None
291 Trusting Self-reported IP Address
Major None
Minor Common_Consequences
292 Trusting Self-reported DNS Name
Major None
Minor Common_Consequences
293 Using Referer Field for Authentication
Major None
Minor Common_Consequences
294 Authentication Bypass by Capture-replay
Major None
Minor Common_Consequences
296 Improper Following of Chain of Trust for Certificate Validation
Major None
Minor Common_Consequences
297 Improper Validation of Host-specific Certificate Data
Major None
Minor Common_Consequences
298 Improper Validation of Certificate Expiration
Major None
Minor Common_Consequences
299 Improper Check for Certificate Revocation
Major None
Minor Common_Consequences
301 Reflection Attack in an Authentication Protocol
Major None
Minor Common_Consequences
307 Failure to Restrict Excessive Authentication Attempts
Major Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations
Minor None
308 Use of Single-factor Authentication
Major None
Minor Common_Consequences
309 Use of Password System for Primary Authentication
Major None
Minor Common_Consequences
311 Failure to Encrypt Sensitive Data
Major None
Minor Common_Consequences
317 Plaintext Storage in GUI
Major None
Minor Applicable_Platforms
319 Cleartext Transmission of Sensitive Information
Major None
Minor Common_Consequences
321 Use of Hard-coded Cryptographic Key
Major None
Minor Common_Consequences
322 Key Exchange without Entity Authentication
Major None
Minor Common_Consequences
323 Reusing a Nonce, Key Pair in Encryption
Major None
Minor Common_Consequences
324 Use of a Key Past its Expiration Date
Major None
Minor Common_Consequences
326 Inadequate Encryption Strength
Major None
Minor Common_Consequences
327 Use of a Broken or Risky Cryptographic Algorithm
Major References
Minor Common_Consequences
329 Not Using a Random IV with CBC Mode
Major None
Minor Common_Consequences
330 Use of Insufficiently Random Values
Major Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Potential_Mitigations, Time_of_Introduction
Minor Functional_Areas
332 Insufficient Entropy in PRNG
Major Potential_Mitigations
Minor Common_Consequences
333 Improper Handling of Insufficient Entropy in TRNG
Major None
Minor Common_Consequences
334 Small Space of Random Values
Major Potential_Mitigations
Minor None
336 Same Seed in PRNG
Major Potential_Mitigations
Minor None
337 Predictable Seed in PRNG
Major Potential_Mitigations
Minor None
338 Use of Cryptographically Weak PRNG
Major None
Minor Common_Consequences
339 Small Seed Space in PRNG
Major Potential_Mitigations
Minor None
341 Predictable from Observable State
Major Potential_Mitigations
Minor None
342 Predictable Exact Value from Previous Values
Major Potential_Mitigations
Minor None
343 Predictable Value Range from Previous Values
Major Potential_Mitigations
Minor None
344 Use of Invariant Value in Dynamically Changing Context
Major Potential_Mitigations
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations, Time_of_Introduction
Minor None
353 Failure to Add Integrity Check Value
Major None
Minor Common_Consequences
354 Improper Validation of Integrity Check Value
Major None
Minor Common_Consequences
359 Privacy Violation
Major Other_Notes, References
Minor None
360 Trust of System Event Data
Major None
Minor Common_Consequences
362 Race Condition
Major None
Minor Applicable_Platforms, Common_Consequences
364 Signal Handler Race Condition
Major None
Minor Applicable_Platforms, Common_Consequences
365 Race Condition in Switch
Major None
Minor Common_Consequences
366 Race Condition within a Thread
Major None
Minor Common_Consequences
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major None
Minor Common_Consequences
369 Divide By Zero
Major None
Minor Common_Consequences
370 Missing Check for Certificate Revocation after Initial Check
Major None
Minor Common_Consequences
373 State Synchronization Error
Major None
Minor Common_Consequences
374 Mutable Objects Passed by Reference
Major None
Minor Common_Consequences
375 Passing Mutable Objects to an Untrusted Method
Major None
Minor Common_Consequences
378 Creation of Temporary File With Insecure Permissions
Major None
Minor Common_Consequences
379 Creation of Temporary File in Directory with Incorrect Permissions
Major None
Minor Common_Consequences
385 Covert Timing Channel
Major None
Minor Common_Consequences
386 Symbolic Name not Mapping to Correct Object
Major None
Minor Common_Consequences
387 Signal Errors
Major Other_Notes
Minor None
388 Error Handling
Major None
Minor Common_Consequences
389 Error Conditions, Return Values, Status Codes
Major Other_Notes, Weakness_Ordinalities
Minor None
394 Unexpected Status Code or Return Value
Major Other_Notes, Relationship_Notes
Minor None
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Other_Notes, Potential_Mitigations, References
Minor None
401 Failure to Release Memory Before Removing Last Reference ('Memory Leak')
Major None
Minor Common_Consequences
404 Improper Resource Shutdown or Release
Major None
Minor Common_Consequences
405 Asymmetric Resource Consumption (Amplification)
Major None
Minor Common_Consequences
407 Algorithmic Complexity
Major Applicable_Platforms, Likelihood_of_Exploit
Minor Common_Consequences
410 Insufficient Resource Pool
Major None
Minor Common_Consequences
412 Unrestricted Externally Accessible Lock
Major None
Minor Common_Consequences
415 Double Free
Major None
Minor Common_Consequences
416 Use After Free
Major None
Minor Common_Consequences
426 Untrusted Search Path
Major References
Minor Common_Consequences, Potential_Mitigations
428 Unquoted Search Path or Element
Major None
Minor Applicable_Platforms
434 Unrestricted File Upload
Major Applicable_Platforms, Functional_Areas, Likelihood_of_Exploit, Potential_Mitigations, Time_of_Introduction
Minor None
447 Unimplemented or Unsupported Feature in UI
Major Other_Notes, Potential_Mitigations, Research_Gaps
Minor None
453 Insecure Default Variable Initialization
Major None
Minor Applicable_Platforms
454 External Initialization of Trusted Variables
Major None
Minor Applicable_Platforms
457 Use of Uninitialized Variable
Major None
Minor Applicable_Platforms, Common_Consequences
460 Improper Cleanup on Thrown Exception
Major None
Minor Common_Consequences
463 Deletion of Data Structure Sentinel
Major None
Minor Common_Consequences
464 Addition of Data Structure Sentinel
Major None
Minor Common_Consequences
467 Use of sizeof() on a Pointer Type
Major Demonstrative_Examples
Minor Common_Consequences
468 Incorrect Pointer Scaling
Major None
Minor Common_Consequences
469 Use of Pointer Subtraction to Determine Size
Major None
Minor Common_Consequences
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major None
Minor Applicable_Platforms, Common_Consequences
472 External Control of Assumed-Immutable Web Parameter
Major None
Minor Common_Consequences
473 PHP External Variable Modification
Major Other_Notes, Relationship_Notes
Minor None
474 Use of Function with Inconsistent Implementations
Major None
Minor Applicable_Platforms
476 NULL Pointer Dereference
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Weakness_Ordinalities
Minor None
478 Missing Default Case in Switch Statement
Major None
Minor Common_Consequences
479 Unsafe Function Call from a Signal Handler
Major None
Minor Common_Consequences
480 Use of Incorrect Operator
Major None
Minor Applicable_Platforms
482 Comparing instead of Assigning
Major None
Minor Common_Consequences
483 Incorrect Block Delimitation
Major None
Minor Applicable_Platforms, Common_Consequences
486 Comparison of Classes by Name
Major None
Minor Common_Consequences
487 Reliance on Package-level Scope
Major None
Minor Common_Consequences
489 Leftover Debug Code
Major None
Minor Common_Consequences
492 Use of Inner Class Containing Sensitive Data
Major Demonstrative_Examples, Potential_Mitigations
Minor Common_Consequences
493 Critical Public Variable Without Final Modifier
Major None
Minor Common_Consequences
494 Download of Code Without Integrity Check
Major None
Minor Common_Consequences
497 Exposure of System Data to an Unauthorized Control Sphere
Major Description, Name
Minor None
498 Information Leak through Class Cloning
Major None
Minor Common_Consequences
499 Serializable Class Containing Sensitive Data
Major None
Minor Common_Consequences
500 Public Static Field Not Marked Final
Major None
Minor Common_Consequences
502 Deserialization of Untrusted Data
Major None
Minor Common_Consequences
515 Covert Storage Channel
Major None
Minor Common_Consequences
525 Information Leak Through Browser Caching
Major None
Minor Common_Consequences
527 Exposure of CVS Repository to an Unauthorized Control Sphere
Major Description, Name
Minor None
528 Exposure of Core Dump File to an Unauthorized Control Sphere
Major Description, Name
Minor None
529 Exposure of Access Control List Files to an Unauthorized Control Sphere
Major Description, Name
Minor None
530 Exposure of Backup File to an Unauthorized Control Sphere
Major Description, Name
Minor Common_Consequences
532 Information Leak Through Log Files
Major None
Minor Common_Consequences
536 Information Leak Through Servlet Runtime Error Message
Major None
Minor Common_Consequences
538 File and Directory Information Exposure
Major Description, Maintenance_Notes, Name
Minor None
548 Information Leak Through Directory Listing
Major Common_Consequences, Description
Minor None
561 Dead Code
Major None
Minor Common_Consequences
565 Reliance on Cookies without Validation and Integrity Checking
Major None
Minor Common_Consequences
575 EJB Bad Practices: Use of AWT Swing
Major Demonstrative_Examples, Potential_Mitigations
Minor None
576 EJB Bad Practices: Use of Java I/O
Major Demonstrative_Examples
Minor None
577 EJB Bad Practices: Use of Sockets
Major Demonstrative_Examples, Potential_Mitigations
Minor None
578 EJB Bad Practices: Use of Class Loader
Major Demonstrative_Examples, Potential_Mitigations
Minor None
581 Object Model Violation: Just One of Equals and Hashcode Defined
Major None
Minor Common_Consequences
585 Empty Synchronized Block
Major None
Minor Common_Consequences
587 Assignment of a Fixed Address to a Pointer
Major None
Minor Common_Consequences
588 Attempt to Access Child of a Non-structure Pointer
Major None
Minor Common_Consequences
590 Free of Memory not on the Heap
Major None
Minor Common_Consequences
591 Sensitive Data Storage in Improperly Locked Memory
Major None
Minor Common_Consequences
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Major None
Minor Common_Consequences
594 J2EE Framework: Saving Unserializable Objects to Disk
Major None
Minor Common_Consequences
599 Trust of OpenSSL Certificate Without Validation
Major None
Minor Common_Consequences
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Potential_Mitigations
Minor None
602 Client-Side Enforcement of Server-Side Security
Major None
Minor Applicable_Platforms, Common_Consequences
605 Multiple Binds to the Same Port
Major None
Minor Common_Consequences
620 Unverified Password Change
Major Other_Notes, Weakness_Ordinalities
Minor None
622 Unvalidated Function Hook Arguments
Major Other_Notes, Weakness_Ordinalities
Minor None
636 Not Failing Securely ('Failing Open')
Major None
Minor Common_Consequences
638 Failure to Use Complete Mediation
Major None
Minor Common_Consequences
639 Access Control Bypass Through User-Controlled Key
Major None
Minor Common_Consequences
640 Weak Password Recovery Mechanism for Forgotten Password
Major None
Minor Common_Consequences
641 Insufficient Filtering of File and Other Resource Names for Executable Content
Major None
Minor Common_Consequences
642 External Control of Critical State Data
Major None
Minor Applicable_Platforms, Common_Consequences
643 Failure to Sanitize Data within XPath Expressions ('XPath injection')
Major None
Minor Common_Consequences
644 Improper Sanitization of HTTP Headers for Scripting Syntax
Major None
Minor Common_Consequences
645 Overly Restrictive Account Lockout Mechanism
Major None
Minor Common_Consequences
646 Reliance on File Name or Extension of Externally-Supplied File
Major None
Minor Common_Consequences
647 Use of Non-Canonical URL Paths for Authorization Decisions
Major None
Minor Common_Consequences
648 Incorrect Use of Privileged APIs
Major None
Minor Common_Consequences
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major None
Minor Common_Consequences
650 Trusting HTTP Permission Methods on the Server Side
Major None
Minor Common_Consequences
651 Information Leak through WSDL File
Major None
Minor Applicable_Platforms, Common_Consequences
652 Failure to Sanitize Data within XQuery Expressions ('XQuery Injection')
Major None
Minor Common_Consequences
653 Insufficient Compartmentalization
Major None
Minor Common_Consequences
654 Reliance on a Single Factor in a Security Decision
Major None
Minor Common_Consequences
655 Insufficient Psychological Acceptability
Major None
Minor Common_Consequences
656 Reliance on Security through Obscurity
Major None
Minor Common_Consequences
665 Improper Initialization
Major None
Minor Common_Consequences
667 Insufficient Locking
Major None
Minor Common_Consequences
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
674 Uncontrolled Recursion
Major None
Minor Common_Consequences
681 Incorrect Conversion between Numeric Types
Major Applicable_Platforms, Likelihood_of_Exploit, Potential_Mitigations
Minor None
682 Incorrect Calculation
Major None
Minor Common_Consequences
690 Unchecked Return Value to NULL Pointer Dereference
Major Demonstrative_Examples
Minor None
704 Incorrect Type Conversion or Cast
Major None
Minor Applicable_Platforms
712 OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS)
Major Related_Attack_Patterns
Minor None
713 OWASP Top Ten 2007 Category A2 - Injection Flaws
Major Related_Attack_Patterns
Minor None
714 OWASP Top Ten 2007 Category A3 - Malicious File Execution
Major Related_Attack_Patterns
Minor None
716 OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF)
Major Related_Attack_Patterns
Minor None
717 OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
Major Related_Attack_Patterns
Minor None
718 OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management
Major Related_Attack_Patterns
Minor None
719 OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
Major Related_Attack_Patterns
Minor None
721 OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
Major Related_Attack_Patterns
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, References
Minor None
733 Compiler Optimization Removal or Modification of Security-critical Code
Major None
Minor Applicable_Platforms
749 Exposed Dangerous Method or Function
Major Applicable_Platforms, Likelihood_of_Exploit
Minor None
754 Improper Check for Exceptional Conditions
Major Applicable_Platforms, Likelihood_of_Exploit, Time_of_Introduction
Minor None
755 Improper Handling of Exceptional Conditions
Major Applicable_Platforms, Likelihood_of_Exploit, Time_of_Introduction
Minor None
762 Mismatched Memory Management Routines
Major Applicable_Platforms, Likelihood_of_Exploit
Minor None
766 Critical Variable Declared Public
Major Demonstrative_Examples
Minor Common_Consequences
768 Incorrect Short Circuit Evaluation
Major None
Minor Common_Consequences
770 Allocation of Resources Without Limits or Throttling
Major Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Observed_Examples, References, Time_of_Introduction
Minor Common_Consequences
771 Missing Reference to Active Allocated Resource
Major None
Minor Common_Consequences
772 Missing Release of Resource after Effective Lifetime
Major None
Minor Common_Consequences
773 Missing Reference to Active File Descriptor or Handle
Major None
Minor Common_Consequences
774 Allocation of File Descriptors or Handles Without Limits or Throttling
Major None
Minor Common_Consequences
775 Missing Release of File Descriptor or Handle after Effective Lifetime
Major Observed_Examples
Minor Common_Consequences
776 Unrestricted Recursive Entity References in DTDs ('XML Bomb')
Major None
Minor Common_Consequences
777 Regular Expression without Anchors
Major None
Minor Common_Consequences
778 Insufficient Logging
Major None
Minor Common_Consequences
779 Logging of Excessive Data
Major None
Minor Common_Consequences
780 Use of RSA Algorithm without OAEP
Major None
Minor Common_Consequences
781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
Major Common_Consequences, Potential_Mitigations, References, Time_of_Introduction
Minor Applicable_Platforms
782 Exposed IOCTL with Insufficient Access Control
Major Time_of_Introduction
Minor Applicable_Platforms, Common_Consequences, Observed_Examples
783 Operator Precedence Logic Error
Major Observed_Examples
Minor Applicable_Platforms, Common_Consequences
784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
Major None
Minor Applicable_Platforms, Common_Consequences
789 Uncontrolled Memory Allocation
Major None
Minor Common_Consequences

More information is available — Please select a different filter.
Page Last Updated: January 05, 2017