CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > Reports > Differences between Version 1.8.1 and Version 1.9  
ID

Differences between Version 1.8.1 and Version 1.9

Summary
Summary
Total (Version 1.9) 821
Total (Version 1.8.1) 810
Total new 11
Total deprecated 0
Total shared 810
Total important changes 70
Total major changes 155
Total minor changes 6
Total minor changes (no major)
Total unchanged 655

Summary of Entry Types

Type Version 1.8.1 Version 1.9
Category 109 119
Chain 3 3
Composite 6 6
Deprecated 11 11
View 23 24
Weakness 658 658

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 22 2
Description 55 0
Applicable_Platforms 1 0
Time_of_Introduction 0 0
Demonstrative_Examples 23 3
Detection_Factors 19 0
Likelihood_of_Exploit 0 0
Common_Consequences 25 0
Relationships 18 0
References 26 0
Potential_Mitigations 89 1
Observed_Examples 6 0
Terminology_Notes 1 0
Alternate_Terms 0 0
Related_Attack_Patterns 0 0
Relationship_Notes 5 0
Taxonomy_Mappings 1 0
Maintenance_Notes 3 0
Modes_of_Introduction 0 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 2 0
Background_Details 0 0
Theoretical_Notes 0 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 1 0
Other_Notes 9 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 2 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 808
Weakness/Base Weakness/Variant 1
Weakness/Variant Weakness/Base 1

Status Changes

From To Total
Unchanged 810

Relationship Changes

The "Version 1.9 Total" lists the total number of relationships in Version 1.9. The "Shared" value is the total number of relationships in entries that were in both Version 1.9 and Version 1.8.1. The "New" value is the total number of relationships involving entries that did not exist in Version 1.8.1. Thus, the total number of relationships in Version 1.9 would combine stats from Shared entries and New entries.

Relationship Version 1.9 Total Version 1.8.1 Total Version 1.9 Shared Unchanged Added to Version 1.9 Removed from Version 1.8.1 Version 1.9 New
ALL 4874 4818 4818 4818 56
ChildOf 2096 2078 2078 2078 18
ParentOf 2096 2078 2078 2078 18
MemberOf 119 109 109 109 10
HasMember 119 109 109 109 10
CanPrecede 90 90 90 90
CanFollow 90 90 90 90
StartsWith 3 3 3 3
Requires 19 19 19 19
RequiredBy 19 19 19 19
CanAlsoBe 37 37 37 37
PeerOf 186 186 186 186

Nodes Removed from Version 1.8.1

CWE-ID CWE Name
None.

Nodes Added to Version 1.9

CWE-ID CWE Name
809 Weaknesses in OWASP Top Ten (2010)
810 OWASP Top Ten 2010 Category A1 - Injection
811 OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
812 OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management
813 OWASP Top Ten 2010 Category A4 - Insecure Direct Object References
814 OWASP Top Ten 2010 Category A5 - Cross-Site Request Forgery(CSRF)
815 OWASP Top Ten 2010 Category A6 - Security Misconfiguration
816 OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage
817 OWASP Top Ten 2010 Category A8 - Failure to Restrict URL Access
818 OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection
819 OWASP Top Ten 2010 Category A10 - Unvalidated Redirects and Forwards

Nodes Deprecated in Version 1.9

CWE-ID CWE Name
None.
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

D R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
D 23 Relative Path Traversal
D 24 Path Traversal: '../filedir'
D 25 Path Traversal: '/../filedir'
D 26 Path Traversal: '/dir/../filename'
D 27 Path Traversal: 'dir/../../filename'
D 28 Path Traversal: '..\filedir'
D 29 Path Traversal: '\..\filename'
D 30 Path Traversal: '\dir\..\filename'
D 31 Path Traversal: 'dir\..\..\filename'
D 32 Path Traversal: '...' (Triple Dot)
D 33 Path Traversal: '....' (Multiple Dot)
D 34 Path Traversal: '....//'
D 35 Path Traversal: '.../...//'
D 36 Absolute Path Traversal
DN 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
DN 76 Improper Neutralization of Equivalent Special Elements
DN 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
DNR 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
DNR 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
DN 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
DN 81 Improper Neutralization of Script in an Error Message Web Page
DN 82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
DN 84 Improper Neutralization of Encoded URI Schemes in a Web Page
DN 87 Improper Neutralization of Alternate XSS Syntax
R 88 Argument Injection or Modification
DNR 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
DNR 90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
D R 91 XML Injection (aka Blind XPath Injection)
D 92 DEPRECATED: Improper Sanitization of Custom Special Characters
DN 93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
D 94 Failure to Control Generation of Code ('Code Injection')
DN 95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
DN 97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
DN 113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
DN 117 Improper Output Neutralization for Logs
D 139 DEPRECATED: General Special Element Problems
DN 140 Improper Neutralization of Delimiters
D 145 Improper Neutralization of Section Delimiters
D 146 Improper Neutralization of Expression/Command Delimiters
N 148 Improper Neutralization of Input Leaders
N 149 Improper Neutralization of Quoting Syntax
D 181 Incorrect Behavior Order: Validate Before Filter
D 182 Collapse of Data into Unsafe Value
R 219 Sensitive Data Under Web Root
R 285 Improper Access Control (Authorization)
R 287 Improper Authentication
R 312 Cleartext Storage of Sensitive Information
R 319 Cleartext Transmission of Sensitive Information
R 326 Inadequate Encryption Strength
R 327 Use of a Broken or Risky Cryptographic Algorithm
R 352 Cross-Site Request Forgery (CSRF)
N 374 Passing Mutable Objects to an Untrusted Method
D 400 Uncontrolled Resource Consumption ('Resource Exhaustion')
D 476 NULL Pointer Dereference
D 483 Incorrect Block Delimitation
D 566 Access Control Bypass Through User-Controlled SQL Primary Key
R 601 URL Redirection to Untrusted Site ('Open Redirect')
D 628 Function Call with Incorrectly Specified Arguments
R 639 Access Control Bypass Through User-Controlled Key
DN 641 Improper Restriction of Names for Files and Other Resources
D 644 Improper Neutralization of HTTP Headers for Scripting Syntax
R 732 Incorrect Permission Assignment for Critical Resource
D 762 Mismatched Memory Management Routines
D 763 Release of Invalid Pointer or Reference
D 769 File Descriptor Exhaustion
D 777 Regular Expression without Anchors
D 792 Incomplete Filtering of One or More Instances of Special Elements
D 794 Incomplete Filtering of Multiple Instances of Special Elements
D 795 Only Filtering Special Elements at a Specified Location
Detailed Difference Report
Detailed Difference Report
6 J2EE Misconfiguration: Insufficient Session-ID Length
Major Demonstrative_Examples
Minor None
20 Improper Input Validation
Major Potential_Mitigations, Research_Gaps, Terminology_Notes
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Potential_Mitigations, References, Relationships
Minor None
23 Relative Path Traversal
Major Description, Potential_Mitigations
Minor None
24 Path Traversal: '../filedir'
Major Description, Potential_Mitigations
Minor None
25 Path Traversal: '/../filedir'
Major Description, Potential_Mitigations
Minor None
26 Path Traversal: '/dir/../filename'
Major Description, Potential_Mitigations
Minor None
27 Path Traversal: 'dir/../../filename'
Major Description, Potential_Mitigations
Minor None
28 Path Traversal: '..\filedir'
Major Description, Potential_Mitigations
Minor None
29 Path Traversal: '\..\filename'
Major Description, Potential_Mitigations
Minor None
30 Path Traversal: '\dir\..\filename'
Major Description, Potential_Mitigations
Minor None
31 Path Traversal: 'dir\..\..\filename'
Major Description, Potential_Mitigations
Minor None
32 Path Traversal: '...' (Triple Dot)
Major Description, Maintenance_Notes, Potential_Mitigations
Minor None
33 Path Traversal: '....' (Multiple Dot)
Major Description, Potential_Mitigations
Minor None
34 Path Traversal: '....//'
Major Description, Potential_Mitigations
Minor None
35 Path Traversal: '.../...//'
Major Description, Potential_Mitigations
Minor None
36 Absolute Path Traversal
Major Demonstrative_Examples, Description
Minor None
38 Path Traversal: '\absolute\pathname\here'
Major Potential_Mitigations
Minor None
39 Path Traversal: 'C:dirname'
Major Potential_Mitigations
Minor None
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major Potential_Mitigations
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Description, Name
Minor None
76 Improper Neutralization of Equivalent Special Elements
Major Description, Name
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Description, Name
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Common_Consequences, Description, Detection_Factors, Name, Observed_Examples, Potential_Mitigations, References, Relationships
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Common_Consequences, Description, Name, Potential_Mitigations, References, Relationships
Minor None
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Demonstrative_Examples, Description, Name, Potential_Mitigations
Minor None
81 Improper Neutralization of Script in an Error Message Web Page
Major Description, Name, Potential_Mitigations
Minor None
82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Major Description, Name, Potential_Mitigations
Minor None
83 Improper Neutralization of Script in Attributes in a Web Page
Major Potential_Mitigations
Minor None
84 Improper Neutralization of Encoded URI Schemes in a Web Page
Major Description, Name, Potential_Mitigations
Minor None
85 Doubled Character XSS Manipulations
Major Potential_Mitigations
Minor None
86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Major Potential_Mitigations
Minor None
87 Improper Neutralization of Alternate XSS Syntax
Major Demonstrative_Examples, Description, Name, Potential_Mitigations
Minor None
88 Argument Injection or Modification
Major Observed_Examples, Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Potential_Mitigations, References, Relationships
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Description, Relationships
Minor None
92 DEPRECATED: Improper Sanitization of Custom Special Characters
Major Description, Maintenance_Notes
Minor None
93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Major Description, Name
Minor None
94 Failure to Control Generation of Code ('Code Injection')
Major Description, Potential_Mitigations
Minor None
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Description, Name
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Potential_Mitigations
Minor None
97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Major Description, Name, Type
Minor None
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Major Potential_Mitigations, References
Minor None
103 Struts: Incomplete validate() Method Definition
Major Demonstrative_Examples
Minor None
104 Struts: Form Bean Does Not Extend Validation Class
Major Demonstrative_Examples
Minor None
105 Struts: Form Field Without Validator
Major Demonstrative_Examples
Minor None
106 Struts: Plug-in Framework not in Use
Major Demonstrative_Examples
Minor None
107 Struts: Unused Validation Form
Major Demonstrative_Examples
Minor None
109 Struts: Validator Turned Off
Major Other_Notes
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Description, Name
Minor None
116 Improper Encoding or Escaping of Output
Major Potential_Mitigations
Minor None
117 Improper Output Neutralization for Logs
Major Description, Name
Minor None
119 Failure to Constrain Operations within the Bounds of a Memory Buffer
Major Potential_Mitigations
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Common_Consequences, Potential_Mitigations, References
Minor Demonstrative_Examples
129 Improper Validation of Array Index
Major Common_Consequences, Potential_Mitigations, References
Minor None
131 Incorrect Calculation of Buffer Size
Major Common_Consequences, Detection_Factors, Potential_Mitigations, References
Minor None
139 DEPRECATED: General Special Element Problems
Major Description
Minor None
140 Improper Neutralization of Delimiters
Major Description, Name
Minor None
145 Improper Neutralization of Section Delimiters
Major Description
Minor None
146 Improper Neutralization of Expression/Command Delimiters
Major Applicable_Platforms, Description, Relationship_Notes
Minor None
148 Improper Neutralization of Input Leaders
Major Name
Minor None
149 Improper Neutralization of Quoting Syntax
Major Name
Minor None
178 Failure to Resolve Case Sensitivity
Major Demonstrative_Examples
Minor None
179 Incorrect Behavior Order: Early Validation
Major Research_Gaps
Minor None
181 Incorrect Behavior Order: Validate Before Filter
Major Description, Observed_Examples
Minor Potential_Mitigations
182 Collapse of Data into Unsafe Value
Major Description, Observed_Examples
Minor Name
184 Incomplete Blacklist
Major Demonstrative_Examples
Minor None
190 Integer Overflow or Wraparound
Major Common_Consequences, Potential_Mitigations, References
Minor None
209 Information Exposure Through an Error Message
Major Common_Consequences, Detection_Factors, Potential_Mitigations, References
Minor None
210 Product-Generated Error Message Information Leak
Major Potential_Mitigations
Minor None
211 Product-External Error Message Information Leak
Major Potential_Mitigations
Minor None
212 Improper Cross-boundary Removal of Sensitive Data
Major Potential_Mitigations
Minor None
219 Sensitive Data Under Web Root
Major Relationships
Minor None
250 Execution with Unnecessary Privileges
Major Detection_Factors, Potential_Mitigations
Minor None
252 Unchecked Return Value
Major Demonstrative_Examples, References
Minor None
259 Use of Hard-coded Password
Major Detection_Factors, Potential_Mitigations
Minor None
265 Privilege / Sandbox Issues
Major Potential_Mitigations
Minor None
266 Incorrect Privilege Assignment
Major Potential_Mitigations
Minor None
267 Privilege Defined With Unsafe Actions
Major Potential_Mitigations
Minor None
268 Privilege Chaining
Major Potential_Mitigations
Minor None
269 Improper Privilege Management
Major Potential_Mitigations
Minor None
270 Privilege Context Switching Error
Major Potential_Mitigations
Minor None
271 Privilege Dropping / Lowering Errors
Major Potential_Mitigations
Minor None
272 Least Privilege Violation
Major Potential_Mitigations
Minor Demonstrative_Examples
282 Improper Ownership Management
Major Potential_Mitigations
Minor None
283 Unverified Ownership
Major Potential_Mitigations
Minor None
284 Access Control (Authorization) Issues
Major Potential_Mitigations
Minor None
285 Improper Access Control (Authorization)
Major Common_Consequences, References, Relationships
Minor None
287 Improper Authentication
Major Relationships
Minor None
306 Missing Authentication for Critical Function
Major Common_Consequences, Potential_Mitigations, References
Minor None
311 Missing Encryption of Sensitive Data
Major Common_Consequences, Potential_Mitigations, References
Minor None
312 Cleartext Storage of Sensitive Information
Major Relationships
Minor None
319 Cleartext Transmission of Sensitive Information
Major Detection_Factors, Relationships
Minor None
326 Inadequate Encryption Strength
Major Relationships
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Common_Consequences, Detection_Factors, Potential_Mitigations, References, Relationships
Minor None
330 Use of Insufficiently Random Values
Major Detection_Factors, Potential_Mitigations
Minor None
332 Insufficient Entropy in PRNG
Major Potential_Mitigations
Minor None
334 Small Space of Random Values
Major Potential_Mitigations
Minor None
336 Same Seed in PRNG
Major Potential_Mitigations
Minor None
337 Predictable Seed in PRNG
Major Potential_Mitigations
Minor None
339 Small Seed Space in PRNG
Major Observed_Examples, Potential_Mitigations
Minor None
341 Predictable from Observable State
Major Potential_Mitigations
Minor None
342 Predictable Exact Value from Previous Values
Major Potential_Mitigations
Minor None
343 Predictable Value Range from Previous Values
Major Potential_Mitigations
Minor None
344 Use of Invariant Value in Dynamically Changing Context
Major Potential_Mitigations
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Common_Consequences, Detection_Factors, Potential_Mitigations, References, Relationships
Minor None
362 Race Condition
Major Common_Consequences, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References
Minor None
374 Passing Mutable Objects to an Untrusted Method
Major Name, Taxonomy_Mappings
Minor Demonstrative_Examples
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major Description
Minor None
401 Failure to Release Memory Before Removing Last Reference ('Memory Leak')
Major Other_Notes, Potential_Mitigations
Minor None
404 Improper Resource Shutdown or Release
Major Detection_Factors, Potential_Mitigations
Minor None
406 Insufficient Control of Network Message Volume (Network Amplification)
Major Other_Notes, Relationship_Notes
Minor None
408 Incorrect Behavior Order: Early Amplification
Major Other_Notes, Relationship_Notes
Minor None
413 Insufficient Resource Locking
Major Demonstrative_Examples
Minor None
416 Use After Free
Major Potential_Mitigations
Minor None
426 Untrusted Search Path
Major Detection_Factors, Potential_Mitigations
Minor None
428 Unquoted Search Path or Element
Major Other_Notes
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major References, Relationship_Notes
Minor None
441 Unintended Proxy/Intermediary
Major Other_Notes
Minor None
453 Insecure Default Variable Initialization
Major Maintenance_Notes, Other_Notes
Minor None
456 Missing Initialization
Major Other_Notes, Relationship_Notes
Minor None
476 NULL Pointer Dereference
Major Demonstrative_Examples, Description, Detection_Factors, Potential_Mitigations
Minor None
478 Missing Default Case in Switch Statement
Major Demonstrative_Examples
Minor None
483 Incorrect Block Delimitation
Major Demonstrative_Examples, Description, Other_Notes
Minor None
494 Download of Code Without Integrity Check
Major Common_Consequences, Detection_Factors, Potential_Mitigations, References
Minor None
546 Suspicious Comment
Major Demonstrative_Examples
Minor None
564 SQL Injection: Hibernate
Major Potential_Mitigations
Minor None
566 Access Control Bypass Through User-Controlled SQL Primary Key
Major Description
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Common_Consequences, Potential_Mitigations, References, Relationships
Minor None
608 Struts: Non-private Field in ActionForm Class
Major Demonstrative_Examples
Minor None
628 Function Call with Incorrectly Specified Arguments
Major Description
Minor None
639 Access Control Bypass Through User-Controlled Key
Major Relationships
Minor None
641 Improper Restriction of Names for Files and Other Resources
Major Description, Name, Type
Minor None
642 External Control of Critical State Data
Major Potential_Mitigations
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major Enabling_Factors_for_Exploitation
Minor Name
644 Improper Neutralization of HTTP Headers for Scripting Syntax
Major Demonstrative_Examples, Description, Observed_Examples
Minor None
665 Improper Initialization
Major Detection_Factors, Potential_Mitigations
Minor None
682 Incorrect Calculation
Major Potential_Mitigations
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Common_Consequences, Detection_Factors, Potential_Mitigations, References, Relationships
Minor None
749 Exposed Dangerous Method or Function
Major Common_Consequences
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Common_Consequences, Detection_Factors, Potential_Mitigations, References
Minor None
762 Mismatched Memory Management Routines
Major Description, Potential_Mitigations
Minor None
763 Release of Invalid Pointer or Reference
Major Description
Minor None
769 File Descriptor Exhaustion
Major Description
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Common_Consequences, Potential_Mitigations, References
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Potential_Mitigations
Minor None
777 Regular Expression without Anchors
Major Description
Minor None
792 Incomplete Filtering of One or More Instances of Special Elements
Major Description
Minor None
794 Incomplete Filtering of Multiple Instances of Special Elements
Major Description
Minor None
795 Only Filtering Special Elements at a Specified Location
Major Description
Minor None
798 Use of Hard-coded Credentials
Major Common_Consequences, References
Minor None
804 Guessable CAPTCHA
Major Common_Consequences
Minor None
805 Buffer Access with Incorrect Length Value
Major Common_Consequences, Potential_Mitigations, References
Minor None
807 Reliance on Untrusted Inputs in a Security Decision
Major Common_Consequences, Potential_Mitigations, References
Minor None

More information is available — Please select a different filter.
Page Last Updated: January 05, 2017