Common Weakness Enumeration

Differences between Version 1.8 and Version 1.8.1

Summary

| Statistic | Value |
|---|---|
| Total (Version 1.8.1) | 810 |
| Total (Version 1.8) | 810 |
| Total new | 0 |
| Total deprecated | 0 |
| Total shared | 810 |
| Total important changes | 31 |
| Total major changes | 105 |
| Total minor changes | 10 |
| Total minor changes (no major) | 8 |
| Total unchanged | 697 |

Summary of Entry Types

| Type | Version 1.8 | Version 1.8.1 |
|---|---|---|
| Category | 109 | 109 |
| Chain | 3 | 3 |
| Composite | 6 | 6 |
| Deprecated | 11 | 11 |
| View | 23 | 23 |
| Weakness | 658 | 658 |

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

| Field | Major | Minor |
|---|---|---|
| Name | 28 | 0 |
| Description | 30 | 0 |
| Applicable_Platforms | 8 | 1 |
| Time_of_Introduction | 1 | 0 |
| Demonstrative_Examples | 17 | 7 |
| Detection_Factors | 3 | 0 |
| Likelihood_of_Exploit | 0 | 0 |
| Common_Consequences | 2 | 0 |
| Relationships | 1 | 0 |
| References | 3 | 0 |
| Potential_Mitigations | 16 | 1 |
| Observed_Examples | 0 | 0 |
| Terminology_Notes | 0 | 0 |
| Alternate_Terms | 0 | 0 |
| Related_Attack_Patterns | 50 | 0 |
| Relationship_Notes | 0 | 0 |
| Taxonomy_Mappings | 0 | 0 |
| Maintenance_Notes | 0 | 0 |
| Modes_of_Introduction | 0 | 0 |
| Affected_Resources | 0 | 0 |
| Functional_Areas | 0 | 0 |
| Research_Gaps | 0 | 0 |
| Background_Details | 0 | 1 |
| Theoretical_Notes | 0 | 0 |
| Weakness_Ordinalities | 0 | 0 |
| White_Box_Definitions | 0 | 0 |
| Enabling_Factors_for_Exploitation | 0 | 0 |
| Other_Notes | 0 | 0 |
| Relevant_Properties | 0 | 0 |
| View_Type | 0 | 0 |
| View_Structure | 0 | 0 |
| View_Filter | 0 | 0 |
| View_Audience | 0 | 0 |
| Common_Methods_of_Exploitation | 0 | 0 |
| Type | 0 | 0 |
| Causal_Nature | 0 | 0 |
| Source_Taxonomy | 0 | 0 |
| Context_Notes | 0 | 0 |
| Black_Box_Definitions | 0 | 0 |

Form and Abstraction Changes

From To Total
Unchanged 810

Status Changes

From To Total
Unchanged 810

Relationship Changes

The "Version 1.8.1 Total" lists the total number of relationships in Version 1.8.1. The "Shared" value is the total number of relationships in entries that were in both Version 1.8.1 and Version 1.8. The "New" value is the total number of relationships involving entries that did not exist in Version 1.8. Thus, the total number of relationships in Version 1.8.1 would combine stats from Shared entries and New entries.

| Relationship | Version 1.8.1 Total | Version 1.8 Total | Version 1.8.1 Shared | Unchanged | Added to Version 1.8.1 | Removed from Version 1.8 | Version 1.8.1 New |
|---|---|---|---|---|---|---|---|
| ALL | 4818 | 4819 | 4818 | 4818 | | 1 | |
| ChildOf | 2078 | 2078 | 2078 | 2078 | | | |
| ParentOf | 2078 | 2078 | 2078 | 2078 | | | |
| MemberOf | 109 | 109 | 109 | 109 | | | |
| HasMember | 109 | 109 | 109 | 109 | | | |
| CanPrecede | 90 | 90 | 90 | 90 | | | |
| CanFollow | 90 | 91 | 90 | 90 | | 1 | |
| StartsWith | 3 | 3 | 3 | 3 | | | |
| Requires | 19 | 19 | 19 | 19 | | | |
| RequiredBy | 19 | 19 | 19 | 19 | | | |
| CanAlsoBe | 37 | 37 | 37 | 37 | | | |
| PeerOf | 186 | 186 | 186 | 186 | | | |

Nodes Removed from Version 1.8

CWE-ID CWE Name
None.

Nodes Added to Version 1.8.1

CWE-ID CWE Name
None.

Nodes Deprecated in Version 1.8.1

CWE-ID CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

D 79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
DN 83 Improper Neutralization of Script in Attributes in a Web Page
DN 86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
DN 96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
DN 138 Improper Neutralization of Special Elements
DN 141 Improper Neutralization of Parameter/Argument Delimiters
DN 142 Improper Neutralization of Value Delimiters
DN 143 Improper Neutralization of Record Delimiters
DN 144 Improper Neutralization of Line Delimiters
DN 145 Improper Neutralization of Section Delimiters
DN 146 Improper Neutralization of Expression/Command Delimiters
DN 147 Improper Neutralization of Input Terminators
DN 150 Improper Neutralization of Escape, Meta, or Control Sequences
DN 151 Improper Neutralization of Comment Delimiters
DN 152 Improper Neutralization of Macro Symbols
DN 153 Improper Neutralization of Substitution Characters
DN 154 Improper Neutralization of Variable Name Delimiters
DN 155 Improper Neutralization of Wildcards or Matching Symbols
DN 156 Improper Neutralization of Whitespace
DN 158 Improper Neutralization of Null Byte or NUL Character
DN 160 Improper Neutralization of Leading Special Elements
DN 161 Improper Neutralization of Multiple Leading Special Elements
DN 162 Improper Neutralization of Trailing Special Elements
DN 163 Improper Neutralization of Multiple Trailing Special Elements
DN 164 Improper Neutralization of Internal Special Elements
DN 165 Improper Neutralization of Multiple Internal Special Elements
D 185 Incorrect Regular Expression
R 242 Use of Inherently Dangerous Function
DN 643 Improper Neutralization of Data within XPath Expressions ('XPath injection')
DN 644 Improper Neutralization of HTTP Headers for Scripting Syntax
DN 652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

Detailed Difference Report

15 External Control of System or Configuration Setting
Major Related_Attack_Patterns
Minor None
20 Improper Input Validation
Major Related_Attack_Patterns
Minor None
59 Improper Link Resolution Before File Access ('Link Following')
Major Related_Attack_Patterns
Minor Background_Details
69 Failure to Handle Windows ::DATA Alternate Data Stream
Major Related_Attack_Patterns
Minor None
74 Failure to Sanitize Data into a Different Plane ('Injection')
Major Related_Attack_Patterns
Minor None
78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
Major Potential_Mitigations
Minor None
79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
Major Description, Potential_Mitigations, Related_Attack_Patterns
Minor None
81 Improper Sanitization of Script in an Error Message Web Page
Major Related_Attack_Patterns
Minor None
83 Improper Neutralization of Script in Attributes in a Web Page
Major Description, Name, Related_Attack_Patterns
Minor None
84 Failure to Resolve Encoded URI Schemes in a Web Page
Major Related_Attack_Patterns
Minor None
85 Doubled Character XSS Manipulations
Major Related_Attack_Patterns
Minor None
86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Major Description, Name, Related_Attack_Patterns
Minor None
88 Argument Injection or Modification
Major Related_Attack_Patterns
Minor None
89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
Major Demonstrative_Examples, Potential_Mitigations
Minor None
93 Failure to Sanitize CRLF Sequences ('CRLF Injection')
Major Related_Attack_Patterns
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Description, Name
Minor None
100 Technology-Specific Input Validation Problems
Major Related_Attack_Patterns
Minor None
116 Improper Encoding or Escaping of Output
Major Potential_Mitigations
Minor None
119 Failure to Constrain Operations within the Bounds of a Memory Buffer
Major None
Minor Demonstrative_Examples
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Demonstrative_Examples, Related_Attack_Patterns
Minor None
129 Improper Validation of Array Index
Major Related_Attack_Patterns
Minor None
131 Incorrect Calculation of Buffer Size
Major Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns
Minor None
138 Improper Neutralization of Special Elements
Major Description, Name
Minor None
141 Improper Neutralization of Parameter/Argument Delimiters
Major Description, Name
Minor None
142 Improper Neutralization of Value Delimiters
Major Description, Name
Minor None
143 Improper Neutralization of Record Delimiters
Major Description, Name
Minor None
144 Improper Neutralization of Line Delimiters
Major Description, Name
Minor None
145 Improper Neutralization of Section Delimiters
Major Description, Name
Minor None
146 Improper Neutralization of Expression/Command Delimiters
Major Description, Name
Minor None
147 Improper Neutralization of Input Terminators
Major Description, Name
Minor None
150 Improper Neutralization of Escape, Meta, or Control Sequences
Major Description, Name
Minor None
151 Improper Neutralization of Comment Delimiters
Major Description, Name
Minor None
152 Improper Neutralization of Macro Symbols
Major Description, Name
Minor None
153 Improper Neutralization of Substitution Characters
Major Description, Name
Minor None
154 Improper Neutralization of Variable Name Delimiters
Major Description, Name
Minor None
155 Improper Neutralization of Wildcards or Matching Symbols
Major Description, Name
Minor None
156 Improper Neutralization of Whitespace
Major Description, Name
Minor None
158 Improper Neutralization of Null Byte or NUL Character
Major Description, Name
Minor None
160 Improper Neutralization of Leading Special Elements
Major Description, Name
Minor None
161 Improper Neutralization of Multiple Leading Special Elements
Major Description, Name
Minor None
162 Improper Neutralization of Trailing Special Elements
Major Description, Name
Minor None
163 Improper Neutralization of Multiple Trailing Special Elements
Major Description, Name
Minor None
164 Improper Neutralization of Internal Special Elements
Major Description, Name
Minor None
165 Improper Neutralization of Multiple Internal Special Elements
Major Description, Name
Minor None
170 Improper Null Termination
Major None
Minor Potential_Mitigations
184 Incomplete Blacklist
Major Related_Attack_Patterns
Minor None
185 Incorrect Regular Expression
Major Description
Minor None
190 Integer Overflow or Wraparound
Major Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns
Minor None
192 Integer Coercion Error
Major Demonstrative_Examples
Minor None
194 Unexpected Sign Extension
Major Demonstrative_Examples
Minor None
195 Signed to Unsigned Conversion Error
Major Demonstrative_Examples
Minor None
200 Information Exposure
Major Related_Attack_Patterns
Minor None
209 Information Exposure Through an Error Message
Major Related_Attack_Patterns
Minor None
212 Improper Cross-boundary Removal of Sensitive Data
Major Related_Attack_Patterns
Minor None
242 Use of Inherently Dangerous Function
Major Relationships
Minor None
245 J2EE Bad Practices: Direct Management of Connections
Major Demonstrative_Examples
Minor None
247 Reliance on DNS Lookups in a Security Decision
Major Related_Attack_Patterns
Minor None
252 Unchecked Return Value
Major Demonstrative_Examples
Minor None
259 Use of Hard-coded Password
Major Applicable_Platforms
Minor None
285 Improper Access Control (Authorization)
Major Potential_Mitigations
Minor None
302 Authentication Bypass by Assumed-Immutable Data
Major Related_Attack_Patterns
Minor None
307 Improper Restriction of Excessive Authentication Attempts
Major Demonstrative_Examples
Minor None
311 Missing Encryption of Sensitive Data
Major Related_Attack_Patterns
Minor None
319 Cleartext Transmission of Sensitive Information
Major Applicable_Platforms, Common_Consequences, Time_of_Introduction
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Applicable_Platforms, Potential_Mitigations, Related_Attack_Patterns
Minor None
330 Use of Insufficiently Random Values
Major Related_Attack_Patterns
Minor None
345 Insufficient Verification of Data Authenticity
Major Related_Attack_Patterns
Minor None
352 Cross-Site Request Forgery (CSRF)
Major None
Minor Demonstrative_Examples
357 Insufficient UI Warning of Dangerous Operations
Major Related_Attack_Patterns
Minor None
388 Error Handling
Major Related_Attack_Patterns
Minor None
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major Related_Attack_Patterns
Minor None
407 Algorithmic Complexity
Major None
Minor Applicable_Platforms
426 Untrusted Search Path
Major Applicable_Platforms
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Related_Attack_Patterns
Minor None
436 Interpretation Conflict
Major Related_Attack_Patterns
Minor None
441 Unintended Proxy/Intermediary
Major Related_Attack_Patterns
Minor None
454 External Initialization of Trusted Variables or Data Stores
Major Applicable_Platforms, Demonstrative_Examples
Minor None
456 Missing Initialization
Major Applicable_Platforms, Demonstrative_Examples
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Related_Attack_Patterns
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major Related_Attack_Patterns
Minor None
476 NULL Pointer Dereference
Major None
Minor Demonstrative_Examples
494 Download of Code Without Integrity Check
Major Applicable_Platforms
Minor None
514 Covert Channel
Major Related_Attack_Patterns
Minor None
559 Often Misused: Arguments and Parameters
Major Related_Attack_Patterns
Minor None
574 EJB Bad Practices: Use of Synchronization Primitives
Major Demonstrative_Examples
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Demonstrative_Examples
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Related_Attack_Patterns
Minor None
610 Externally Controlled Reference to a Resource in Another Sphere
Major Related_Attack_Patterns
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath injection')
Major Description, Name
Minor None
644 Improper Neutralization of HTTP Headers for Scripting Syntax
Major Description, Name
Minor None
648 Incorrect Use of Privileged APIs
Major Related_Attack_Patterns
Minor None
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major Description, Name
Minor None
654 Reliance on a Single Factor in a Security Decision
Major Related_Attack_Patterns
Minor None
656 Reliance on Security through Obscurity
Major Related_Attack_Patterns
Minor None
665 Improper Initialization
Major Applicable_Platforms
Minor None
672 Operation on a Resource after Expiration or Release
Major None
Minor Demonstrative_Examples
681 Incorrect Conversion between Numeric Types
Major None
Minor Demonstrative_Examples
682 Incorrect Calculation
Major Detection_Factors, Potential_Mitigations, References
Minor None
690 Unchecked Return Value to NULL Pointer Dereference
Major None
Minor Demonstrative_Examples
732 Incorrect Permission Assignment for Critical Resource
Major Potential_Mitigations, Related_Attack_Patterns
Minor None
749 Exposed Dangerous Method or Function
Major Demonstrative_Examples, Related_Attack_Patterns
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Demonstrative_Examples, Related_Attack_Patterns
Minor None
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Major Related_Attack_Patterns
Minor None
769 File Descriptor Exhaustion
Major Potential_Mitigations
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Common_Consequences, Demonstrative_Examples, Related_Attack_Patterns
Minor None
771 Missing Reference to Active Allocated Resource
Major Potential_Mitigations
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Potential_Mitigations
Minor None
773 Missing Reference to Active File Descriptor or Handle
Major Potential_Mitigations
Minor None
774 Allocation of File Descriptors or Handles Without Limits or Throttling
Major Potential_Mitigations
Minor None
775 Missing Release of File Descriptor or Handle after Effective Lifetime
Major Potential_Mitigations
Minor None
798 Use of Hard-coded Credentials
Major Related_Attack_Patterns
Minor None
799 Improper Control of Interaction Frequency
Major Demonstrative_Examples
Minor None
805 Buffer Access with Incorrect Length Value
Major Related_Attack_Patterns
Minor Demonstrative_Examples

Page Last Updated: January 05, 2017