CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > Reports > Differences between Version 1.9 and Version 1.10  
ID

Differences between Version 1.9 and Version 1.10

Summary
Summary
Total (Version 1.10) 828
Total (Version 1.9) 821
Total new 7
Total deprecated 0
Total shared 821
Total important changes 57
Total major changes 91
Total minor changes 6
Total minor changes (no major) 3
Total unchanged 727

Summary of Entry Types

Type Version 1.9 Version 1.10
Category 119 119
Chain 3 3
Composite 6 6
Deprecated 11 11
View 24 24
Weakness 658 665

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 9 1
Description 15 2
Applicable_Platforms 1 0
Time_of_Introduction 0 0
Demonstrative_Examples 3 2
Detection_Factors 0 0
Likelihood_of_Exploit 0 0
Common_Consequences 2 0
Relationships 43 0
References 4 0
Potential_Mitigations 34 0
Observed_Examples 13 0
Terminology_Notes 1 0
Alternate_Terms 1 0
Related_Attack_Patterns 0 0
Relationship_Notes 3 0
Taxonomy_Mappings 2 0
Maintenance_Notes 1 0
Modes_of_Introduction 0 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 0 0
Background_Details 1 1
Theoretical_Notes 0 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 0 0
Other_Notes 5 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 0 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 821

Status Changes

From To Total
Unchanged 821

Relationship Changes

The "Version 1.10 Total" lists the total number of relationships in Version 1.10. The "Shared" value is the total number of relationships in entries that were in both Version 1.10 and Version 1.9. The "New" value is the total number of relationships involving entries that did not exist in Version 1.9. Thus, the total number of relationships in Version 1.10 would combine stats from Shared entries and New entries.

Relationship Version 1.10 Total Version 1.9 Total Version 1.10 Shared Unchanged Added to Version 1.10 Removed from Version 1.9 Version 1.10 New
ALL 4956 4874 4878 4846 32 28 78
ChildOf 2124 2096 2097 2083 14 13 27
ParentOf 2124 2096 2097 2083 14 13 27
MemberOf 119 119 119 119
HasMember 119 119 119 119
CanPrecede 103 90 91 90 1 12
CanFollow 103 90 91 90 1 12
StartsWith 3 3 3 3
Requires 19 19 19 19
RequiredBy 19 19 19 19
CanAlsoBe 35 37 35 35 2
PeerOf 188 186 188 186 2

Nodes Removed from Version 1.9

CWE-ID CWE Name
None.

Nodes Added to Version 1.10

CWE-ID CWE Name
820 Missing Synchronization
821 Incorrect Synchronization
822 Untrusted Pointer Dereference
823 Use of Out-of-range Pointer Offset
824 Access of Uninitialized Pointer
825 Expired Pointer Dereference
826 Premature Release of Resource During Expected Lifetime

Nodes Deprecated in Version 1.10

CWE-ID CWE Name
None.
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 20 Improper Input Validation
D 67 Improper Handling of Windows Device Names
R 88 Argument Injection or Modification
R 119 Failure to Constrain Operations within the Bounds of a Memory Buffer
R 125 Out-of-bounds Read
R 129 Improper Validation of Array Index
DN 201 Information Exposure Through Sent Data
DN 204 Response Discrepancy Information Exposure
R 208 Timing Discrepancy Information Leak
R 209 Information Exposure Through an Error Message
DN 215 Information Exposure Through Debug Information
R 226 Sensitive Information Uncleared Before Release
R 259 Use of Hard-coded Password
D 285 Improper Access Control (Authorization)
R 321 Use of Hard-coded Cryptographic Key
R 327 Use of a Broken or Risky Cryptographic Algorithm
R 362 Race Condition
R 365 Race Condition in Switch
R 366 Race Condition within a Thread
D R 367 Time-of-check Time-of-use (TOCTOU) Race Condition
N 375 Returning a Mutable Object to an Untrusted Caller
D 385 Covert Timing Channel
DN 413 Improper Resource Locking
R 415 Double Free
R 416 Use After Free
D R 426 Untrusted Search Path
D R 427 Uncontrolled Search Path Element
D 433 Unparsed Raw Web Content Delivery
R 465 Pointer Issues
R 476 NULL Pointer Dereference
R 479 Unsafe Function Call from a Signal Handler
R 538 File and Directory Information Exposure
D 539 Information Leak Through Persistent Cookies
N 543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
R 552 Files or Directories Accessible to External Parties
R 562 Return of Stack Variable Address
R 572 Call to Thread run() instead of start()
R 574 EJB Bad Practices: Use of Synchronization Primitives
R 622 Unvalidated Function Hook Arguments
DN 651 Information Exposure through WSDL File
NR 662 Improper Synchronization
NR 663 Use of a Non-reentrant Function in a Multithreaded Context
R 666 Operation on Resource in Wrong Phase of Lifetime
R 667 Insufficient Locking
R 668 Exposure of Resource to Wrong Sphere
R 671 Lack of Administrator Control over Security
R 672 Operation on a Resource after Expiration or Release
R 689 Permission Race Condition During Resource Copy
R 691 Insufficient Control Flow Management
R 732 Incorrect Permission Assignment for Critical Resource
D 756 Missing Custom Error Page
R 761 Free of Pointer not at Start of Buffer
R 763 Release of Invalid Pointer or Reference
D 768 Incorrect Short Circuit Evaluation
R 781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
R 787 Out-of-bounds Write
R 815 OWASP Top Ten 2010 Category A6 - Security Misconfiguration
Detailed Difference Report
Detailed Difference Report
20 Improper Input Validation
Major Potential_Mitigations, Relationships
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Potential_Mitigations
Minor None
29 Path Traversal: '\..\filename'
Major None
Minor Description
47 Path Equivalence: ' filename' (Leading Space)
Major None
Minor Name
67 Improper Handling of Windows Device Names
Major Description
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Potential_Mitigations
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Potential_Mitigations
Minor Background_Details
88 Argument Injection or Modification
Major Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Potential_Mitigations
Minor None
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Major Potential_Mitigations
Minor None
119 Failure to Constrain Operations within the Bounds of a Memory Buffer
Major Potential_Mitigations, Relationships
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Potential_Mitigations
Minor None
125 Out-of-bounds Read
Major Relationships
Minor None
129 Improper Validation of Array Index
Major Potential_Mitigations, Relationship_Notes, Relationships
Minor None
131 Incorrect Calculation of Buffer Size
Major Potential_Mitigations
Minor None
190 Integer Overflow or Wraparound
Major Observed_Examples, Potential_Mitigations
Minor None
201 Information Exposure Through Sent Data
Major Common_Consequences, Description, Name
Minor None
204 Response Discrepancy Information Exposure
Major Description, Name, Observed_Examples
Minor None
208 Timing Discrepancy Information Leak
Major Relationships
Minor None
209 Information Exposure Through an Error Message
Major Potential_Mitigations, Relationships
Minor None
212 Improper Cross-boundary Removal of Sensitive Data
Major Potential_Mitigations
Minor None
215 Information Exposure Through Debug Information
Major Description, Name, Observed_Examples
Minor None
226 Sensitive Information Uncleared Before Release
Major Relationships
Minor None
247 Reliance on DNS Lookups in a Security Decision
Major Potential_Mitigations
Minor None
252 Unchecked Return Value
Major Observed_Examples
Minor None
259 Use of Hard-coded Password
Major Relationships
Minor None
285 Improper Access Control (Authorization)
Major Description
Minor None
292 Trusting Self-reported DNS Name
Major Potential_Mitigations
Minor None
311 Missing Encryption of Sensitive Data
Major Potential_Mitigations
Minor None
321 Use of Hard-coded Cryptographic Key
Major Relationships
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Potential_Mitigations, Relationships
Minor None
350 Improperly Trusted Reverse DNS
Major Potential_Mitigations
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Potential_Mitigations
Minor None
362 Race Condition
Major Observed_Examples, Potential_Mitigations, Relationships
Minor Description
364 Signal Handler Race Condition
Major Observed_Examples, References
Minor None
365 Race Condition in Switch
Major Relationships
Minor None
366 Race Condition within a Thread
Major Potential_Mitigations, Relationships
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Description, Relationships
Minor None
375 Returning a Mutable Object to an Untrusted Caller
Major Name, Taxonomy_Mappings
Minor Demonstrative_Examples
385 Covert Timing Channel
Major Common_Consequences, Description
Minor None
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major Demonstrative_Examples
Minor None
413 Improper Resource Locking
Major Description, Name
Minor None
415 Double Free
Major Relationships
Minor None
416 Use After Free
Major Observed_Examples, Relationships
Minor None
426 Untrusted Search Path
Major Description, Relationships
Minor None
427 Uncontrolled Search Path Element
Major Alternate_Terms, Applicable_Platforms, Description, Maintenance_Notes, Observed_Examples, References, Relationship_Notes, Relationships
Minor None
433 Unparsed Raw Web Content Delivery
Major Description, Potential_Mitigations
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Potential_Mitigations
Minor None
465 Pointer Issues
Major Relationships
Minor None
476 NULL Pointer Dereference
Major Demonstrative_Examples, Observed_Examples, Relationships
Minor None
479 Unsafe Function Call from a Signal Handler
Major Relationships
Minor None
488 Data Leak Between Sessions
Major Potential_Mitigations
Minor None
494 Download of Code Without Integrity Check
Major Potential_Mitigations, References
Minor None
506 Embedded Malicious Code
Major Other_Notes, Terminology_Notes
Minor None
538 File and Directory Information Exposure
Major Relationships
Minor None
539 Information Leak Through Persistent Cookies
Major Description, Other_Notes
Minor None
543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
Major Name
Minor None
552 Files or Directories Accessible to External Parties
Major Relationships
Minor None
559 Often Misused: Arguments and Parameters
Major Other_Notes, Relationship_Notes
Minor None
562 Return of Stack Variable Address
Major Relationships
Minor None
567 Unsynchronized Access to Shared Data
Major Other_Notes
Minor None
572 Call to Thread run() instead of start()
Major Relationships
Minor None
574 EJB Bad Practices: Use of Synchronization Primitives
Major Relationships
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Potential_Mitigations
Minor None
611 Information Leak Through XML External Entity File Disclosure
Major Background_Details, Other_Notes
Minor None
613 Insufficient Session Expiration
Major Taxonomy_Mappings
Minor None
622 Unvalidated Function Hook Arguments
Major Relationships
Minor None
651 Information Exposure through WSDL File
Major Description, Name
Minor None
662 Improper Synchronization
Major Name, Relationships
Minor None
663 Use of a Non-reentrant Function in a Multithreaded Context
Major Name, Observed_Examples, Potential_Mitigations, References, Relationships
Minor None
665 Improper Initialization
Major Observed_Examples
Minor None
666 Operation on Resource in Wrong Phase of Lifetime
Major Relationships
Minor None
667 Insufficient Locking
Major Relationships
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
671 Lack of Administrator Control over Security
Major Relationships
Minor None
672 Operation on a Resource after Expiration or Release
Major Observed_Examples, Relationships
Minor None
682 Incorrect Calculation
Major Potential_Mitigations
Minor None
689 Permission Race Condition During Resource Copy
Major Relationships
Minor None
690 Unchecked Return Value to NULL Pointer Dereference
Major Observed_Examples
Minor None
691 Insufficient Control Flow Management
Major Relationships
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Potential_Mitigations, Relationships
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Potential_Mitigations
Minor None
756 Missing Custom Error Page
Major Description
Minor None
761 Free of Pointer not at Start of Buffer
Major Relationships
Minor None
763 Release of Invalid Pointer or Reference
Major Relationships
Minor None
768 Incorrect Short Circuit Evaluation
Major Description
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Demonstrative_Examples, Potential_Mitigations
Minor None
772 Missing Release of Resource after Effective Lifetime
Major None
Minor Demonstrative_Examples
781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
Major Relationships
Minor None
787 Out-of-bounds Write
Major Relationships
Minor None
798 Use of Hard-coded Credentials
Major Potential_Mitigations
Minor None
805 Buffer Access with Incorrect Length Value
Major Potential_Mitigations
Minor None
807 Reliance on Untrusted Inputs in a Security Decision
Major Potential_Mitigations
Minor None
815 OWASP Top Ten 2010 Category A6 - Security Misconfiguration
Major Relationships
Minor None

More information is available — Please select a different filter.
Page Last Updated: January 05, 2017