Common Weakness Enumeration (CWE)

Differences between Version 2.12 and Version 3.0

Summary
Total entries (Version 3.0): 1023
Total entries (Version 2.12): 1023
Total new: 0
Total deprecated: 0
Total shared: 1023
Total important changes: 1
Total major changes: 193
Total minor changes: 241
Total minor-only changes (minor, no major): 158
Total unchanged: 672

(The 193 entries with major changes, the 158 with minor-only changes and the 672 unchanged entries together account for all 1023 shared entries.)

Summary of Entry Types

Type Version 2.12 Version 3.0
Category 237 237
Chain 3 3
Composite 5 5
Deprecated 41 41
View 31 31
Weakness 706 706

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 0 0
Description 1 2
Applicable_Platforms 63 9
Time_of_Introduction 21 0
Demonstrative_Examples 10 15
Detection_Factors 31 16
Likelihood_of_Exploit 0 0
Common_Consequences 0 0
Relationships 0 0
References 41 208
Potential_Mitigations 19 50
Observed_Examples 9 0
Terminology_Notes 0 0
Alternate_Terms 0 0
Related_Attack_Patterns 0 0
Relationship_Notes 0 0
Taxonomy_Mappings 0 0
Maintenance_Notes 0 0
Modes_of_Introduction 19 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 0 0
Background_Details 4 0
Theoretical_Notes 0 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 0 0
Other_Notes 2 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 3 0
View_Filter 14 0
View_Audience 16 0
Common_Methods_of_Exploitation 0 0
Type 0 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

No entry changed its form or abstraction level between the two versions (Unchanged: 1023).

Status Changes

No entry changed status between the two versions (Unchanged: 1023).

Relationship Changes

The "Version 3.0 Total" column lists the total number of relationships in Version 3.0. The "Shared" value is the number of relationships in entries that exist in both Version 3.0 and Version 2.12. The "New" value is the number of relationships involving entries that did not exist in Version 2.12, so the Version 3.0 total is the sum of the Shared and New values. For this pair of versions no entries were added or removed, so the "Added to Version 3.0", "Removed from Version 2.12" and "Version 3.0 New" columns are empty for every row and only the first four values are shown.

Relationship: Version 3.0 Total / Version 2.12 Total / Version 3.0 Shared / Unchanged
ALL: 8132 / 8132 / 8132 / 8132
ChildOf: 3490 / 3490 / 3490 / 3490
ParentOf: 3490 / 3490 / 3490 / 3490
MemberOf: 349 / 349 / 349 / 349
HasMember: 349 / 349 / 349 / 349
CanPrecede: 130 / 130 / 130 / 130
CanFollow: 130 / 130 / 130 / 130
StartsWith: 3 / 3 / 3 / 3
Requires: 17 / 17 / 17 / 17
RequiredBy: 17 / 17 / 17 / 17
CanAlsoBe: 29 / 29 / 29 / 29
PeerOf: 128 / 128 / 128 / 128

Nodes Removed from Version 2.12

CWE-ID CWE Name
None.

Nodes Added to Version 3.0

CWE-ID CWE Name
None.

Nodes Deprecated in Version 3.0

CWE-ID CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

D 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
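The classification rules stated in the Field Change Summary (whitespace differences ignored; capitalization and punctuation differences are Minor; everything else is Major; a mutual relationship change is noted on both nodes) and the Important Changes rule above (a Major change to name, description or relationships) are small enough to implement directly. The following Python is an added example written for this page, not CWE's own report generator. It assumes each version is a dict of entry ID to field values, with the Relationships field held as a set of (relationship type, target ID) pairs; the INVERSE map, the link() helper, the entry IDs A/B/C and their text are constructed for the demonstration, and treating PeerOf as its own inverse is an assumption.

```python
import copy
import re
import string
from collections import Counter, defaultdict

# Major changes to these fields make a node change "important"; the letter is
# the key used in the Important Changes table (D, N, R).
IMPORTANT_FIELDS = {"Description": "D", "Name": "N", "Relationships": "R"}

# Mutual relationship pairs as listed side by side in the Relationship Changes
# table; PeerOf being its own inverse is an assumption, not stated on the page.
INVERSE = {
    "ChildOf": "ParentOf", "ParentOf": "ChildOf",
    "MemberOf": "HasMember", "HasMember": "MemberOf",
    "CanPrecede": "CanFollow", "CanFollow": "CanPrecede",
    "Requires": "RequiredBy", "RequiredBy": "Requires",
    "PeerOf": "PeerOf",
}

_DROP_PUNCT = str.maketrans("", "", string.punctuation)


def _no_whitespace(text):
    """Whitespace differences are ignored entirely."""
    return re.sub(r"\s+", "", text)


def _folded(text):
    """Additionally ignore capitalization and punctuation (the Minor criteria)."""
    return _no_whitespace(text).translate(_DROP_PUNCT).casefold()


def classify_field_change(old, new):
    """Return 'unchanged', 'minor' or 'major' for one field of one entry.

    Relationship fields are sets of (type, target): any difference is Major.
    Text fields: whitespace-only difference -> unchanged, case/punctuation-only
    difference -> minor, anything else -> major.
    """
    if isinstance(old, (set, frozenset)) or isinstance(new, (set, frozenset)):
        return "unchanged" if set(old) == set(new) else "major"
    if _no_whitespace(old) == _no_whitespace(new):
        return "unchanged"
    if _folded(old) == _folded(new):
        return "minor"
    return "major"


def link(entries, a, rel, b):
    """Add rel from a to b and its inverse from b to a, so the relationship
    change is noted for both A and B, as the report does."""
    entries[a]["Relationships"].add((rel, b))
    entries[b]["Relationships"].add((INVERSE[rel], a))


def diff_versions(old_entries, new_entries):
    """Diff two {id: {field: value}} snapshots and build the report numbers."""
    field_counts = defaultdict(Counter)   # field -> Counter(Major=, Minor=)
    nodes = {}                            # id -> {"Major": [...], "Minor": [...]}
    important = {}                        # id -> set of D/N/R letters
    shared = set(old_entries) & set(new_entries)
    for cwe_id in sorted(shared):
        old, new = old_entries[cwe_id], new_entries[cwe_id]
        result = {"Major": [], "Minor": []}
        for field in sorted(set(old) | set(new)):
            kind = classify_field_change(old.get(field, ""), new.get(field, ""))
            if kind == "major":
                result["Major"].append(field)
                field_counts[field]["Major"] += 1
                if field in IMPORTANT_FIELDS:
                    important.setdefault(cwe_id, set()).add(IMPORTANT_FIELDS[field])
            elif kind == "minor":
                result["Minor"].append(field)
                field_counts[field]["Minor"] += 1
        nodes[cwe_id] = result
    totals = {
        "new": sorted(set(new_entries) - shared),
        "removed": sorted(set(old_entries) - shared),
        "shared": len(shared),
        "major": sum(1 for r in nodes.values() if r["Major"]),
        "minor": sum(1 for r in nodes.values() if r["Minor"]),
        "minor_no_major": sum(1 for r in nodes.values() if r["Minor"] and not r["Major"]),
        "unchanged": sum(1 for r in nodes.values() if not r["Major"] and not r["Minor"]),
    }
    return {"fields": dict(field_counts), "nodes": nodes,
            "important": important, "totals": totals}


def sample_report():
    """Constructed two-version snapshot; IDs and text are made up for the demo."""
    old = {
        "A": {"Name": "Example Weakness One",
              "Description": "Software does not validate input.",
              "Relationships": set()},
        "B": {"Name": "Example Weakness Two",
              "Description": "Uses a weak algorithm",
              "Relationships": set()},
        "C": {"Name": "Example Category",
              "Description": "Grouping of example weaknesses.",
              "Relationships": set()},
    }
    new = copy.deepcopy(old)
    new["A"]["Description"] = "The software does not validate input before use."  # Major, important (D)
    new["B"]["Description"] = "Uses a weak algorithm."   # punctuation only: Minor
    link(new, "A", "ChildOf", "C")                        # Major on both A and C (R)
    return diff_versions(old, new)


if __name__ == "__main__":
    report = sample_report()
    print(report["totals"])
    print(report["important"])
```

With the constructed input, A gets Major changes to Description and Relationships (important: D, R), C gets a Major Relationships change from the mirrored ParentOf (important: R), and B has a minor-only change, which is how the summary counts "major", "minor" and "minor (no major)" separately.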

Detailed Difference Report
11 ASP.NET Misconfiguration: Creating Debug Binary
Major Applicable_Platforms, Background_Details
Minor None
12 ASP.NET Misconfiguration: Missing Custom Error Page
Major Applicable_Platforms, Background_Details
Minor None
14 Compiler Removal of Code to Clear Buffers
Major None
Minor References
15 External Control of System or Configuration Setting
Major Modes_of_Introduction
Minor None
20 Improper Input Validation
Major Detection_Factors, Modes_of_Introduction, Potential_Mitigations
Minor References
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Detection_Factors
Minor Potential_Mitigations, References
23 Relative Path Traversal
Major None
Minor References
31 Path Traversal: 'dir\..\..\filename'
Major None
Minor References
34 Path Traversal: '....//'
Major None
Minor Detection_Factors
36 Absolute Path Traversal
Major None
Minor References
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major None
Minor References
41 Improper Resolution of Path Equivalence
Major Detection_Factors
Minor None
58 Path Equivalence: Windows 8.3 Filename
Major None
Minor References
59 Improper Link Resolution Before File Access ('Link Following')
Major Detection_Factors
Minor Applicable_Platforms, References
61 UNIX Symbolic Link (Symlink) Following
Major None
Minor References
62 UNIX Hard Link
Major None
Minor Applicable_Platforms, References
65 Windows Hard Link
Major None
Minor References
66 Improper Handling of File Names that Identify Virtual Resources
Major Detection_Factors
Minor None
67 Improper Handling of Windows Device Names
Major None
Minor References
69 Improper Handling of Windows ::DATA Alternate Data Stream
Major None
Minor References
72 Improper Handling of Apple HFS+ Alternate Data Stream Path
Major None
Minor Applicable_Platforms
73 External Control of File Name or Path
Major None
Minor Applicable_Platforms, References
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major None
Minor References
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Potential_Mitigations
Minor Detection_Factors, References
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Applicable_Platforms, Background_Details, Description, References
Minor Detection_Factors, Potential_Mitigations
81 Improper Neutralization of Script in an Error Message Web Page
Major None
Minor References
88 Argument Injection or Modification
Major None
Minor References
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Modes_of_Introduction, References
Minor Detection_Factors, Potential_Mitigations
91 XML Injection (aka Blind XPath Injection)
Major None
Minor References
94 Improper Control of Generation of Code ('Code Injection')
Major Applicable_Platforms, Potential_Mitigations
Minor References
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Applicable_Platforms, Modes_of_Introduction
Minor References
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Major None
Minor Potential_Mitigations, References
106 Struts: Plug-in Framework not in Use
Major Potential_Mitigations
Minor None
109 Struts: Validator Turned Off
Major Other_Notes
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Demonstrative_Examples
Minor References
116 Improper Encoding or Escaping of Output
Major None
Minor Potential_Mitigations, References
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Detection_Factors
Minor Potential_Mitigations, References
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Detection_Factors
Minor Potential_Mitigations, References
121 Stack-based Buffer Overflow
Major None
Minor References
122 Heap-based Buffer Overflow
Major None
Minor References
123 Write-what-where Condition
Major None
Minor References
124 Buffer Underwrite ('Buffer Underflow')
Major Observed_Examples
Minor References
125 Out-of-bounds Read
Major None
Minor References
128 Wrap-around Error
Major None
Minor References
129 Improper Validation of Array Index
Major Potential_Mitigations
Minor References
131 Incorrect Calculation of Buffer Size
Major Detection_Factors, Potential_Mitigations
Minor References
134 Use of Externally-Controlled Format String
Major Detection_Factors, Modes_of_Introduction
Minor Potential_Mitigations, References
135 Incorrect Calculation of Multi-Byte String Length
Major None
Minor References
141 Improper Neutralization of Parameter/Argument Delimiters
Major None
Minor References
142 Improper Neutralization of Value Delimiters
Major None
Minor References
143 Improper Neutralization of Record Delimiters
Major None
Minor References
144 Improper Neutralization of Line Delimiters
Major None
Minor References
145 Improper Neutralization of Section Delimiters
Major None
Minor References
146 Improper Neutralization of Expression/Command Delimiters
Major None
Minor References
158 Improper Neutralization of Null Byte or NUL Character
Major None
Minor References
171 Cleansing, Canonicalization, and Comparison Errors
Major None
Minor References
176 Improper Handling of Unicode Encoding
Major None
Minor References
179 Incorrect Behavior Order: Early Validation
Major None
Minor References
182 Collapse of Data into Unsafe Value
Major None
Minor References
183 Permissive Whitelist
Major None
Minor References
184 Incomplete Blacklist
Major Observed_Examples
Minor References
185 Incorrect Regular Expression
Major None
Minor References
188 Reliance on Data/Memory Layout
Major None
Minor References
190 Integer Overflow or Wraparound
Major References
Minor Detection_Factors, Potential_Mitigations
191 Integer Underflow (Wrap or Wraparound)
Major Applicable_Platforms
Minor References
192 Integer Coercion Error
Major Applicable_Platforms
Minor References
193 Off-by-one Error
Major None
Minor References
195 Signed to Unsigned Conversion Error
Major None
Minor References
196 Unsigned to Signed Conversion Error
Major None
Minor References
197 Numeric Truncation Error
Major Applicable_Platforms
Minor References
200 Information Exposure
Major Applicable_Platforms
Minor Detection_Factors, References
204 Response Discrepancy Information Exposure
Major None
Minor References
209 Information Exposure Through an Error Message
Major Potential_Mitigations
Minor References
210 Information Exposure Through Self-generated Error Message
Major Potential_Mitigations
Minor References
211 Information Exposure Through Externally-Generated Error Message
Major Modes_of_Introduction, Potential_Mitigations
Minor None
219 Sensitive Data Under Web Root
Major Modes_of_Introduction
Minor None
223 Omission of Security-relevant Information
Major None
Minor References
224 Obscured Security-relevant Information by Alternate Name
Major None
Minor References
242 Use of Inherently Dangerous Function
Major None
Minor References
243 Creation of chroot Jail Without Changing Working Directory
Major None
Minor Applicable_Platforms
248 Uncaught Exception
Major Applicable_Platforms
Minor None
250 Execution with Unnecessary Privileges
Major Applicable_Platforms, Detection_Factors, Modes_of_Introduction, Potential_Mitigations, References, Time_of_Introduction
Minor None
252 Unchecked Return Value
Major None
Minor References
253 Incorrect Check of Function Return Value
Major None
Minor References
256 Plaintext Storage of a Password
Major Modes_of_Introduction
Minor References
258 Empty Password in Configuration File
Major None
Minor References
259 Use of Hard-coded Password
Major None
Minor References
260 Password in Configuration File
Major None
Minor References
261 Weak Cryptography for Passwords
Major None
Minor References
262 Not Using Password Aging
Major None
Minor References
263 Password Aging with Long Expiration
Major None
Minor References
264 Permissions, Privileges, and Access Controls
Major None
Minor References
266 Incorrect Privilege Assignment
Major None
Minor Potential_Mitigations, References
267 Privilege Defined With Unsafe Actions
Major None
Minor Potential_Mitigations, References
268 Privilege Chaining
Major None
Minor Potential_Mitigations, References
269 Improper Privilege Management
Major None
Minor References
270 Privilege Context Switching Error
Major None
Minor Potential_Mitigations, References
271 Privilege Dropping / Lowering Errors
Major None
Minor References
272 Least Privilege Violation
Major None
Minor Detection_Factors
273 Improper Check for Dropped Privileges
Major Modes_of_Introduction
Minor None
275 Permission Issues
Major None
Minor References
276 Incorrect Default Permissions
Major Detection_Factors
Minor References
279 Incorrect Execution-Assigned Permissions
Major Time_of_Introduction
Minor None
284 Improper Access Control
Major None
Minor References
285 Improper Authorization
Major Detection_Factors, Modes_of_Introduction, Time_of_Introduction
Minor Potential_Mitigations, References
287 Improper Authentication
Major Demonstrative_Examples, Detection_Factors, References
Minor None
290 Authentication Bypass by Spoofing
Major None
Minor References
293 Using Referer Field for Authentication
Major None
Minor References
295 Improper Certificate Validation
Major Applicable_Platforms, Detection_Factors
Minor None
296 Improper Following of a Certificate's Chain of Trust
Major None
Minor References
297 Improper Validation of Certificate with Host Mismatch
Major Applicable_Platforms
Minor References
298 Improper Validation of Certificate Expiration
Major None
Minor References
299 Improper Check for Certificate Revocation
Major None
Minor References
301 Reflection Attack in an Authentication Protocol
Major None
Minor References
306 Missing Authentication for Critical Function
Major Detection_Factors
Minor Potential_Mitigations, References
307 Improper Restriction of Excessive Authentication Attempts
Major Demonstrative_Examples, References
Minor Detection_Factors, Potential_Mitigations
310 Cryptographic Issues
Major None
Minor References
311 Missing Encryption of Sensitive Data
Major Detection_Factors
Minor Potential_Mitigations, References
312 Cleartext Storage of Sensitive Information
Major Applicable_Platforms
Minor References
319 Cleartext Transmission of Sensitive Information
Major Applicable_Platforms
Minor References
322 Key Exchange without Entity Authentication
Major None
Minor References
324 Use of a Key Past its Expiration Date
Major None
Minor References
325 Missing Required Cryptographic Step
Major Observed_Examples, Time_of_Introduction
Minor None
326 Inadequate Encryption Strength
Major None
Minor References
327 Use of a Broken or Risky Cryptographic Algorithm
Major Detection_Factors, References
Minor Potential_Mitigations
328 Reversible One-Way Hash
Major None
Minor Potential_Mitigations, References
329 Not Using a Random IV with CBC Mode
Major None
Minor References
330 Use of Insufficiently Random Values
Major Detection_Factors, References
Minor Potential_Mitigations
331 Insufficient Entropy
Major None
Minor References
332 Insufficient Entropy in PRNG
Major None
Minor Potential_Mitigations, References
334 Small Space of Random Values
Major None
Minor Potential_Mitigations, References
335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Major None
Minor References
336 Same Seed in Pseudo-Random Number Generator (PRNG)
Major None
Minor Potential_Mitigations, References
337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
Major None
Minor Potential_Mitigations, References
338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Major None
Minor References
339 Small Seed Space in PRNG
Major None
Minor Potential_Mitigations, References
340 Predictability Problems
Major None
Minor References
341 Predictable from Observable State
Major None
Minor Potential_Mitigations, References
342 Predictable Exact Value from Previous Values
Major None
Minor Potential_Mitigations, References
343 Predictable Value Range from Previous Values
Major None
Minor Potential_Mitigations, References
344 Use of Invariant Value in Dynamically Changing Context
Major None
Minor References
345 Insufficient Verification of Data Authenticity
Major None
Minor References
346 Origin Validation Error
Major None
Minor Demonstrative_Examples
350 Reliance on Reverse DNS Resolution for a Security-Critical Action
Major None
Minor References
352 Cross-Site Request Forgery (CSRF)
Major Detection_Factors
Minor Potential_Mitigations, References
353 Missing Support for Integrity Check
Major None
Minor References
359 Exposure of Private Information ('Privacy Violation')
Major Applicable_Platforms, References
Minor Demonstrative_Examples, Description
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Demonstrative_Examples, References
Minor Detection_Factors, Potential_Mitigations
363 Race Condition Enabling Link Following
Major None
Minor References
364 Signal Handler Race Condition
Major None
Minor Demonstrative_Examples, References
365 Race Condition in Switch
Major Applicable_Platforms
Minor References
366 Race Condition within a Thread
Major Applicable_Platforms
Minor References
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major None
Minor References
368 Context Switching Race Condition
Major None
Minor References
369 Divide By Zero
Major Demonstrative_Examples, References
Minor None
370 Missing Check for Certificate Revocation after Initial Check
Major None
Minor References
374 Passing Mutable Objects to an Untrusted Method
Major Applicable_Platforms
Minor Demonstrative_Examples
375 Returning a Mutable Object to an Untrusted Caller
Major Applicable_Platforms
Minor None
377 Insecure Temporary File
Major References
Minor None
379 Creation of Temporary File in Directory with Incorrect Permissions
Major None
Minor References
384 Session Fixation
Major Modes_of_Introduction
Minor None
388 7PK - Errors
Major References
Minor None
389 Error Conditions, Return Values, Status Codes
Major None
Minor References
390 Detection of Error Condition Without Action
Major None
Minor References
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major None
Minor Detection_Factors
396 Declaration of Catch for Generic Exception
Major Applicable_Platforms
Minor References
397 Declaration of Throws for Generic Exception
Major Applicable_Platforms
Minor None
398 7PK - Code Quality
Major References
Minor None
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major References
Minor None
401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
Major None
Minor Potential_Mitigations, References
403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
Major None
Minor Applicable_Platforms
404 Improper Resource Shutdown or Release
Major None
Minor References
410 Insufficient Resource Pool
Major None
Minor References
415 Double Free
Major None
Minor References
416 Use After Free
Major None
Minor References
421 Race Condition During Access to Alternate Channel
Major References
Minor None
422 Unprotected Windows Messaging Channel ('Shatter')
Major References
Minor None
426 Untrusted Search Path
Major Modes_of_Introduction, References
Minor Applicable_Platforms
427 Uncontrolled Search Path Element
Major None
Minor Applicable_Platforms
428 Unquoted Search Path or Element
Major Applicable_Platforms
Minor References
430 Deployment of Wrong Handler
Major None
Minor References
431 Missing Handler
Major None
Minor References
433 Unparsed Raw Web Content Delivery
Major None
Minor References
434 Unrestricted Upload of File with Dangerous Type
Major Applicable_Platforms, Observed_Examples
Minor Detection_Factors, Potential_Mitigations, References
436 Interpretation Conflict
Major References
Minor Demonstrative_Examples
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Major None
Minor Potential_Mitigations
456 Missing Initialization of a Variable
Major None
Minor References
457 Use of Uninitialized Variable
Major References
Minor None
460 Improper Cleanup on Thrown Exception
Major Applicable_Platforms
Minor None
462 Duplicate Key in Associative List (Alist)
Major Applicable_Platforms
Minor None
463 Deletion of Data Structure Sentinel
Major None
Minor References
466 Return of Pointer Value Outside of Expected Range
Major None
Minor References
468 Incorrect Pointer Scaling
Major None
Minor References
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major Applicable_Platforms
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major None
Minor References
476 NULL Pointer Dereference
Major Applicable_Platforms
Minor None
477 Use of Obsolete Function
Major Detection_Factors
Minor None
478 Missing Default Case in Switch Statement
Major Applicable_Platforms
Minor References
479 Signal Handler Use of a Non-reentrant Function
Major Demonstrative_Examples
Minor References
480 Use of Incorrect Operator
Major None
Minor References
481 Assigning instead of Comparing
Major Applicable_Platforms
Minor References
482 Comparing instead of Assigning
Major None
Minor References
484 Omitted Break Statement in Switch
Major Applicable_Platforms
Minor References
494 Download of Code Without Integrity Check
Major None
Minor Potential_Mitigations, References
495 Private Array-Typed Field Returned From A Public Method
Major Applicable_Platforms
Minor None
496 Public Data Assigned to Private Array-Typed Field
Major Applicable_Platforms
Minor None
498 Cloneable Class Containing Sensitive Information
Major Applicable_Platforms
Minor None
502 Deserialization of Untrusted Data
Major None
Minor Applicable_Platforms
506 Embedded Malicious Code
Major Detection_Factors
Minor None
507 Trojan Horse
Major None
Minor References
510 Trapdoor
Major Detection_Factors
Minor None
511 Logic/Time Bomb
Major Applicable_Platforms
Minor References
521 Weak Password Requirements
Major None
Minor References
522 Insufficiently Protected Credentials
Major None
Minor References
538 File and Directory Information Exposure
Major Modes_of_Introduction
Minor References
549 Missing Password Field Masking
Major None
Minor References
552 Files or Directories Accessible to External Parties
Major Modes_of_Introduction
Minor None
554 ASP.NET Misconfiguration: Not Using Input Validation Framework
Major Applicable_Platforms
Minor None
560 Use of umask() with chmod-style Argument
Major Other_Notes
Minor None
561 Dead Code
Major None
Minor Detection_Factors
597 Use of Wrong Operator in String Comparison
Major None
Minor References
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Applicable_Platforms, Observed_Examples, References
Minor Detection_Factors, Potential_Mitigations
602 Client-Side Enforcement of Server-Side Security
Major Applicable_Platforms, Observed_Examples
Minor References
603 Use of Client-Side Authentication
Major Observed_Examples
Minor References
604 Deprecated Entries
Major View_Filter
Minor None
606 Unchecked Input for Loop Condition
Major None
Minor References
609 Double-Checked Locking
Major None
Minor References
611 Improper Restriction of XML External Entity Reference ('XXE')
Major Applicable_Platforms, References
Minor None
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major Observed_Examples
Minor None
618 Exposed Unsafe ActiveX Method
Major None
Minor References
620 Unverified Password Change
Major None
Minor References
623 Unsafe ActiveX Control Marked Safe For Scripting
Major None
Minor References
625 Permissive Regular Expression
Major None
Minor References
629 Weaknesses in OWASP Top Ten (2007)
Major View_Audience
Minor None
630 DEPRECATED: Weaknesses Examined by SAMATE
Major View_Structure
Minor None
635 Weaknesses Originally Used by NVD from 2008 to 2016
Major View_Structure
Minor None
636 Not Failing Securely ('Failing Open')
Major References
Minor None
637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
Major References
Minor None
638 Not Using Complete Mediation
Major References
Minor None
640 Weak Password Recovery Mechanism for Forgotten Password
Major None
Minor References
642 External Control of Critical State Data
Major None
Minor Potential_Mitigations, References
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major None
Minor References
647 Use of Non-Canonical URL Paths for Authorization Decisions
Major Applicable_Platforms
Minor None
653 Insufficient Compartmentalization
Major References
Minor Detection_Factors
654 Reliance on a Single Factor in a Security Decision
Major References
Minor None
655 Insufficient Psychological Acceptability
Major References
Minor Demonstrative_Examples
656 Reliance on Security Through Obscurity
Major Demonstrative_Examples, References
Minor None
657 Violation of Secure Design Principles
Major References
Minor None
658 Weaknesses in Software Written in C
Major View_Filter
Minor None
659 Weaknesses in Software Written in C++
Major View_Filter
Minor None
660 Weaknesses in Software Written in Java
Major View_Filter
Minor None
661 Weaknesses in Software Written in PHP
Major View_Filter
Minor None
665 Improper Initialization
Major References
Minor None
672 Operation on a Resource after Expiration or Release
Major Applicable_Platforms
Minor None
676 Use of Potentially Dangerous Function
Major Detection_Factors
Minor Potential_Mitigations, References
677 Weakness Base Elements
Major View_Filter
Minor None
678 Composites
Major View_Filter
Minor None
679 DEPRECATED: Chain Elements
Major View_Filter
Minor None
681 Incorrect Conversion between Numeric Types
Major None
Minor References
682 Incorrect Calculation
Major Potential_Mitigations
Minor References
689 Permission Race Condition During Resource Copy
Major None
Minor References
692 Incomplete Blacklist to Cross-Site Scripting
Major References
Minor Description
699 Development Concepts
Major View_Audience
Minor None
700 Seven Pernicious Kingdoms
Major View_Audience
Minor None
701 Weaknesses Introduced During Design
Major View_Filter
Minor None
702 Weaknesses Introduced During Implementation
Major View_Filter
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major None
Minor Detection_Factors, References
709 Named Chains
Major View_Filter
Minor None
711 Weaknesses in OWASP Top Ten (2004)
Major View_Audience
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Detection_Factors, Modes_of_Introduction
Minor Potential_Mitigations, References
733 Compiler Optimization Removal or Modification of Security-critical Code
Major Applicable_Platforms
Minor References
734 Weaknesses Addressed by the CERT C Secure Coding Standard (2008 Version)
Major View_Audience
Minor None
749 Exposed Dangerous Method or Function
Major None
Minor Demonstrative_Examples
750 Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
Major View_Audience
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Demonstrative_Examples
Minor References
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Major Time_of_Introduction
Minor None
759 Use of a One-Way Hash without a Salt
Major Detection_Factors, Time_of_Introduction
Minor Potential_Mitigations, References
760 Use of a One-Way Hash with a Predictable Salt
Major Time_of_Introduction
Minor Potential_Mitigations, References
762 Mismatched Memory Management Routines
Major None
Minor Potential_Mitigations, References
770 Allocation of Resources Without Limits or Throttling
Major Demonstrative_Examples, Potential_Mitigations, References
Minor None
771 Missing Reference to Active Allocated Resource
Major Potential_Mitigations
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Applicable_Platforms, Potential_Mitigations
Minor None
773 Missing Reference to Active File Descriptor or Handle
Major Potential_Mitigations
Minor None
774 Allocation of File Descriptors or Handles Without Limits or Throttling
Major Potential_Mitigations
Minor References
775 Missing Release of File Descriptor or Handle after Effective Lifetime
Major Potential_Mitigations
Minor References
776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Major Applicable_Platforms, References
Minor None
778 Insufficient Logging
Major None
Minor References
781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
Major Applicable_Platforms, References
Minor None
782 Exposed IOCTL with Insufficient Access Control
Major Applicable_Platforms
Minor None
783 Operator Precedence Logic Error
Major Applicable_Platforms
Minor References
784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
Major Applicable_Platforms
Minor References
789 Uncontrolled Memory Allocation
Major None
Minor References
790 Improper Filtering of Special Elements
Major Time_of_Introduction
Minor None
791 Incomplete Filtering of Special Elements
Major Time_of_Introduction
Minor None
792 Incomplete Filtering of One or More Instances of Special Elements
Major Time_of_Introduction
Minor None
793 Only Filtering One Instance of a Special Element
Major Time_of_Introduction
Minor None
794 Incomplete Filtering of Multiple Instances of Special Elements
Major Time_of_Introduction
Minor None
795 Only Filtering Special Elements at a Specified Location
Major Time_of_Introduction
Minor None
796 Only Filtering Special Elements Relative to a Marker
Major Time_of_Introduction
Minor None
797 Only Filtering Special Elements at an Absolute Position
Major Time_of_Introduction
Minor None
798 Use of Hard-coded Credentials
Major Applicable_Platforms, Detection_Factors
Minor Potential_Mitigations, References
800 Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors
Major View_Audience
Minor None
805 Buffer Access with Incorrect Length Value
Major None
Minor Potential_Mitigations, References
806 Buffer Access Using Size of Source Buffer
Major None
Minor Potential_Mitigations, References
807 Reliance on Untrusted Inputs in a Security Decision
Major Detection_Factors
Minor Potential_Mitigations, References
809 Weaknesses in OWASP Top Ten (2010)
Major View_Audience
Minor None
823 Use of Out-of-range Pointer Offset
Major None
Minor References
824 Access of Uninitialized Pointer
Major None
Minor References
827 Improper Control of Document Type Definition
Major Applicable_Platforms, Time_of_Introduction
Minor None
828 Signal Handler with Functionality that is not Asynchronous-Safe
Major None
Minor Demonstrative_Examples, References
829 Inclusion of Functionality from Untrusted Control Sphere
Major Detection_Factors, Time_of_Introduction
Minor Demonstrative_Examples, Potential_Mitigations, References
830 Inclusion of Web Functionality from an Untrusted Source
Major Time_of_Introduction
Minor Demonstrative_Examples
831 Signal Handler Function Associated with Multiple Signals
Major None
Minor Demonstrative_Examples, References
833 Deadlock
Major None
Minor References
834 Excessive Iteration
Major None
Minor Detection_Factors, References
835 Loop with Unreachable Exit Condition ('Infinite Loop')
Major None
Minor References
836 Use of Password Hash Instead of Password for Authentication
Major Time_of_Introduction
Minor None
838 Inappropriate Encoding for Output Context
Major None
Minor Potential_Mitigations, References
839 Numeric Range Comparison Without Minimum Check
Major None
Minor References
840 Business Logic Errors
Major References
Minor None
841 Improper Enforcement of Behavioral Workflow
Major References, Time_of_Introduction
Minor None
843 Access of Resource Using Incompatible Type ('Type Confusion')
Major None
Minor References
844 Weaknesses Addressed by the CERT Java Secure Coding Standard
Major View_Audience
Minor None
862 Missing Authorization
Major Detection_Factors, Modes_of_Introduction
Minor Potential_Mitigations, References
863 Incorrect Authorization
Major Detection_Factors, Modes_of_Introduction
Minor Potential_Mitigations, References
868 Weaknesses Addressed by the CERT C++ Secure Coding Standard
Major View_Audience
Minor None
884 CWE Cross-section
Major View_Structure
Minor None
888 Software Fault Pattern (SFP) Clusters
Major View_Audience
Minor None
900 Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors
Major View_Audience
Minor None
908 Use of Uninitialized Resource
Major References
Minor None
911 Improper Update of Reference Count
Major References
Minor None
916 Use of Password Hash With Insufficient Computational Effort
Major Detection_Factors, References
Minor Potential_Mitigations
918 Server-Side Request Forgery (SSRF)
Major Applicable_Platforms, References
Minor None
919 Weaknesses in Mobile Applications
Major View_Filter
Minor None
920 Improper Restriction of Power Consumption
Major Applicable_Platforms
Minor None
921 Storage of Sensitive Data in a Mechanism without Access Control
Major Applicable_Platforms
Minor None
925 Improper Verification of Intent by Broadcast Receiver
Major Applicable_Platforms
Minor References
926 Improper Export of Android Application Components
Major Applicable_Platforms, Background_Details, Potential_Mitigations
Minor References
927 Use of Implicit Intent for Sensitive Communication
Major Applicable_Platforms
Minor References
928 Weaknesses in OWASP Top Ten (2013)
Major View_Audience
Minor None
939 Improper Authorization in Handler for Custom URL Scheme
Major Applicable_Platforms, Time_of_Introduction
Minor Demonstrative_Examples
940 Improper Verification of Source of a Communication Channel
Major Applicable_Platforms
Minor Demonstrative_Examples
941 Incorrectly Specified Destination in a Communication Channel
Major Applicable_Platforms
Minor None
942 Overly Permissive Cross-domain Whitelist
Major Applicable_Platforms, Potential_Mitigations
Minor None
999 Weaknesses without Software Fault Patterns
Major View_Audience, View_Filter
Minor None
1000 Research Concepts
Major View_Audience
Minor None
1004 Sensitive Cookie Without 'HttpOnly' Flag
Major Applicable_Platforms, Observed_Examples
Minor Demonstrative_Examples
1007 Insufficient Visual Distinction of Homoglyphs Presented to User
Major Applicable_Platforms, Demonstrative_Examples
Minor References
1008 Architectural Concepts
Major View_Audience
Minor None
1022 Improper Restriction of Cross-Origin Permission to window.opener.location
Major Applicable_Platforms, Modes_of_Introduction
Minor Demonstrative_Examples
2000 Comprehensive CWE Dictionary
Major View_Filter
Minor None

Page Last Updated: November 09, 2017