Common Weakness Enumeration
Differences between Version 2.10 and Version 2.11

Summary
Total (Version 2.11) 1006
Total (Version 2.10) 1005
Total new 1
Total deprecated 2
Total shared 1005
Total important changes 30
Total major changes 116
Total minor changes 2
Total minor changes (no major) 2
Total unchanged 887

Summary of Entry Types

Type Version 2.10 Version 2.11
Category 242 243
Chain 3 3
Composite 5 5
Deprecated 15 17
View 33 33
Weakness 707 705

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 4 0
Description 4 0
Applicable_Platforms 2 0
Time_of_Introduction 2 0
Demonstrative_Examples 5 2
Detection_Factors 0 0
Likelihood_of_Exploit 0 0
Common_Consequences 2 0
Relationships 28 0
References 2 0
Potential_Mitigations 47 0
Observed_Examples 2 0
Terminology_Notes 0 0
Alternate_Terms 0 0
Related_Attack_Patterns 52 0
Relationship_Notes 0 0
Taxonomy_Mappings 2 0
Maintenance_Notes 1 0
Modes_of_Introduction 0 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 0 0
Background_Details 0 0
Theoretical_Notes 0 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 0 0
Other_Notes 1 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 2 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 1003
Weakness/Class Deprecated 1
Weakness/Variant Deprecated 1

Status Changes

From To Total
Unchanged 1003
Incomplete Deprecated 2

Relationship Changes

The "Version 2.11 Total" lists the total number of relationships in Version 2.11. The "Shared" value is the total number of relationships in entries that were in both Version 2.11 and Version 2.10. The "New" value is the total number of relationships involving entries that did not exist in Version 2.10. Thus, the total number of relationships in Version 2.11 would combine stats from Shared entries and New entries.

Relationship  2.11 Total  2.10 Total  2.11 Shared  Unchanged  Added to 2.11  Removed from 2.10  2.11 New
ALL                 7935        7953         7923       7889             34                 64        12
ChildOf             3375        3384         3370       3355             15                 29         5
ParentOf            3375        3384         3370       3355             15                 29         5
MemberOf             365         365          364        363              1                  2         1
HasMember            365         365          364        363              1                  2         1
CanPrecede           122         121          122        121              1                  0         0
CanFollow            122         121          122        121              1                  0         0
StartsWith             3           3            3          3              0                  0         0
Requires              17          17           17         17              0                  0         0
RequiredBy            17          17           17         17              0                  0         0
CanAlsoBe             34          34           34         34              0                  0         0
PeerOf               140         142          140        140              0                  2         0

Nodes Removed from Version 2.10

CWE-ID CWE Name
None.

Nodes Added to Version 2.11

CWE-ID CWE Name
1005 Input Validation and Representation

Nodes Deprecated in Version 2.11

CWE-ID CWE Name
545 DEPRECATED: Use of Dynamic Class Loading
592 DEPRECATED: Authentication Bypass Issues

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

NR 19 Data Processing Errors
R 20 Improper Input Validation
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 99 Improper Control of Resource Identifiers ('Resource Injection')
NR 118 Incorrect Access of Indexable Resource ('Range Error')
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 287 Improper Authentication
R 288 Authentication Bypass Using an Alternate Path or Channel
R 289 Authentication Bypass by Alternate Name
R 290 Authentication Bypass by Spoofing
R 294 Authentication Bypass by Capture-replay
R 302 Authentication Bypass by Assumed-Immutable Data
R 305 Authentication Bypass by Primary Weakness
R 398 Indicator of Poor Code Quality
R 485 Insufficient Encapsulation
D 502 Deserialization of Untrusted Data
DNR 545 DEPRECATED: Use of Dynamic Class Loading
R 569 Expression Issues
DNR 592 DEPRECATED: Authentication Bypass Issues
R 593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
R 603 Use of Client-Side Authentication
R 699 Development Concepts
R 700 Seven Pernicious Kingdoms
R 724 OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
D 788 Access of Memory Location After End of Buffer
R 884 CWE Cross-section
R 947 SFP Secondary Cluster: Authentication Bypass
R 991 SFP Secondary Cluster: Tainted Input to Environment

Detailed Difference Report
19 Data Processing Errors
Major Name, Relationships
Minor None
20 Improper Input Validation
Major Related_Attack_Patterns, Relationships
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Demonstrative_Examples
Minor None
71 Apple '.DS_Store'
Major Related_Attack_Patterns
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Potential_Mitigations, Related_Attack_Patterns
Minor None
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major Potential_Mitigations, Related_Attack_Patterns
Minor None
76 Improper Neutralization of Equivalent Special Elements
Major Potential_Mitigations
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Potential_Mitigations, Related_Attack_Patterns, Relationships
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Related_Attack_Patterns, Relationships
Minor None
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Potential_Mitigations, Related_Attack_Patterns
Minor None
81 Improper Neutralization of Script in an Error Message Web Page
Major Potential_Mitigations
Minor None
82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Major Related_Attack_Patterns
Minor None
83 Improper Neutralization of Script in Attributes in a Web Page
Major Potential_Mitigations, Related_Attack_Patterns
Minor None
84 Improper Neutralization of Encoded URI Schemes in a Web Page
Major Potential_Mitigations, Related_Attack_Patterns
Minor None
85 Doubled Character XSS Manipulations
Major Potential_Mitigations, Related_Attack_Patterns
Minor None
86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Major Related_Attack_Patterns
Minor None
87 Improper Neutralization of Alternate XSS Syntax
Major Potential_Mitigations
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Relationships
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Related_Attack_Patterns
Minor None
97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Major Potential_Mitigations
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Related_Attack_Patterns, Relationships
Minor None
109 Struts: Validator Turned Off
Major None
Minor Demonstrative_Examples
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Related_Attack_Patterns
Minor None
116 Improper Encoding or Escaping of Output
Major Related_Attack_Patterns
Minor None
117 Improper Output Neutralization for Logs
Major Related_Attack_Patterns
Minor None
118 Incorrect Access of Indexable Resource ('Range Error')
Major Name, Relationships
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Relationships
Minor None
138 Improper Neutralization of Special Elements
Major Potential_Mitigations
Minor None
140 Improper Neutralization of Delimiters
Major Potential_Mitigations
Minor None
141 Improper Neutralization of Parameter/Argument Delimiters
Major Potential_Mitigations
Minor None
142 Improper Neutralization of Value Delimiters
Major Potential_Mitigations
Minor None
143 Improper Neutralization of Record Delimiters
Major Potential_Mitigations
Minor None
144 Improper Neutralization of Line Delimiters
Major Potential_Mitigations
Minor None
145 Improper Neutralization of Section Delimiters
Major Potential_Mitigations
Minor None
147 Improper Neutralization of Input Terminators
Major Potential_Mitigations
Minor None
148 Improper Neutralization of Input Leaders
Major Potential_Mitigations
Minor None
149 Improper Neutralization of Quoting Syntax
Major Potential_Mitigations
Minor None
150 Improper Neutralization of Escape, Meta, or Control Sequences
Major Potential_Mitigations
Minor None
151 Improper Neutralization of Comment Delimiters
Major Potential_Mitigations
Minor None
152 Improper Neutralization of Macro Symbols
Major Potential_Mitigations
Minor None
153 Improper Neutralization of Substitution Characters
Major Potential_Mitigations
Minor None
154 Improper Neutralization of Variable Name Delimiters
Major Potential_Mitigations
Minor None
155 Improper Neutralization of Wildcards or Matching Symbols
Major Potential_Mitigations
Minor None
156 Improper Neutralization of Whitespace
Major Potential_Mitigations
Minor None
157 Failure to Sanitize Paired Delimiters
Major Potential_Mitigations
Minor None
158 Improper Neutralization of Null Byte or NUL Character
Major Potential_Mitigations
Minor None
159 Failure to Sanitize Special Element
Major Potential_Mitigations
Minor None
160 Improper Neutralization of Leading Special Elements
Major Potential_Mitigations
Minor None
161 Improper Neutralization of Multiple Leading Special Elements
Major Potential_Mitigations
Minor None
162 Improper Neutralization of Trailing Special Elements
Major Potential_Mitigations
Minor None
163 Improper Neutralization of Multiple Trailing Special Elements
Major Potential_Mitigations
Minor None
164 Improper Neutralization of Internal Special Elements
Major Potential_Mitigations
Minor None
165 Improper Neutralization of Multiple Internal Special Elements
Major Potential_Mitigations
Minor None
166 Improper Handling of Missing Special Element
Major Potential_Mitigations
Minor None
167 Improper Handling of Additional Special Element
Major Potential_Mitigations
Minor None
168 Improper Handling of Inconsistent Special Elements
Major Potential_Mitigations
Minor None
184 Incomplete Blacklist
Major Potential_Mitigations, Related_Attack_Patterns
Minor None
193 Off-by-one Error
Major Demonstrative_Examples
Minor None
200 Information Exposure
Major Related_Attack_Patterns
Minor None
202 Exposure of Sensitive Data Through Data Queries
Major Related_Attack_Patterns
Minor None
208 Information Exposure Through Timing Discrepancy
Major Related_Attack_Patterns
Minor None
227 Improper Fulfillment of API Contract ('API Abuse')
Major Observed_Examples, Related_Attack_Patterns
Minor None
232 Improper Handling of Undefined Values
Major Demonstrative_Examples
Minor None
259 Use of Hard-coded Password
Major Related_Attack_Patterns
Minor None
276 Incorrect Default Permissions
Major Related_Attack_Patterns
Minor None
279 Incorrect Execution-Assigned Permissions
Major Related_Attack_Patterns
Minor None
287 Improper Authentication
Major Related_Attack_Patterns, Relationships
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Related_Attack_Patterns, Relationships
Minor None
289 Authentication Bypass by Alternate Name
Major Relationships
Minor None
290 Authentication Bypass by Spoofing
Major Relationships
Minor None
294 Authentication Bypass by Capture-replay
Major Relationships
Minor None
302 Authentication Bypass by Assumed-Immutable Data
Major Relationships
Minor None
305 Authentication Bypass by Primary Weakness
Major Relationships
Minor None
311 Missing Encryption of Sensitive Data
Major Related_Attack_Patterns
Minor None
312 Cleartext Storage of Sensitive Information
Major Related_Attack_Patterns
Minor None
319 Cleartext Transmission of Sensitive Information
Major Related_Attack_Patterns
Minor None
345 Insufficient Verification of Data Authenticity
Major Related_Attack_Patterns
Minor None
348 Use of Less Trusted Source
Major Related_Attack_Patterns
Minor None
350 Reliance on Reverse DNS Resolution for a Security-Critical Action
Major Related_Attack_Patterns
Minor None
372 Incomplete Internal State Distinction
Major Related_Attack_Patterns
Minor None
398 Indicator of Poor Code Quality
Major Relationships
Minor None
404 Improper Resource Shutdown or Release
Major Related_Attack_Patterns
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Related_Attack_Patterns
Minor None
485 Insufficient Encapsulation
Major Relationships
Minor None
497 Exposure of System Data to an Unauthorized Control Sphere
Major Related_Attack_Patterns
Minor None
502 Deserialization of Untrusted Data
Major Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References
Minor None
505 Intentionally Introduced Weakness
Major Maintenance_Notes
Minor None
510 Trapdoor
Major Related_Attack_Patterns
Minor None
522 Insufficiently Protected Credentials
Major Related_Attack_Patterns
Minor None
538 File and Directory Information Exposure
Major Related_Attack_Patterns
Minor None
545 DEPRECATED: Use of Dynamic Class Loading
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
564 SQL Injection: Hibernate
Major Potential_Mitigations
Minor None
569 Expression Issues
Major Relationships
Minor None
592 DEPRECATED: Authentication Bypass Issues
Major Common_Consequences, Description, Name, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Major Potential_Mitigations, Relationships
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Related_Attack_Patterns
Minor None
603 Use of Client-Side Authentication
Major Relationships
Minor None
641 Improper Restriction of Names for Files and Other Resources
Major Potential_Mitigations
Minor None
667 Improper Locking
Major Related_Attack_Patterns
Minor None
676 Use of Potentially Dangerous Function
Major Related_Attack_Patterns
Minor None
692 Incomplete Blacklist to Cross-Site Scripting
Major Related_Attack_Patterns
Minor None
693 Protection Mechanism Failure
Major Related_Attack_Patterns
Minor None
696 Incorrect Behavior Order
Major Observed_Examples
Minor None
697 Insufficient Comparison
Major Related_Attack_Patterns
Minor None
699 Development Concepts
Major Relationships
Minor None
700 Seven Pernicious Kingdoms
Major Relationships
Minor None
713 OWASP Top Ten 2007 Category A2 - Injection Flaws
Major Related_Attack_Patterns
Minor None
721 OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
Major Related_Attack_Patterns
Minor None
724 OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Major Relationships
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Related_Attack_Patterns
Minor None
788 Access of Memory Location After End of Buffer
Major Description
Minor None
829 Inclusion of Functionality from Untrusted Control Sphere
Major Related_Attack_Patterns
Minor None
833 Deadlock
Major Related_Attack_Patterns
Minor None
839 Numeric Range Comparison Without Minimum Check
Major None
Minor Demonstrative_Examples
884 CWE Cross-section
Major Relationships
Minor None
915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Major Potential_Mitigations
Minor None
947 SFP Secondary Cluster: Authentication Bypass
Major Relationships
Minor None
991 SFP Secondary Cluster: Tainted Input to Environment
Major Relationships
Minor None

Page Last Updated: May 05, 2017