CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > Reports > Differences between Version 2.2 and Version 2.3  
ID

Differences between Version 2.2 and Version 2.3

Summary
Summary
Total (Version 2.3) 909
Total (Version 2.2) 909
Total new 0
Total deprecated 0
Total shared 909
Total important changes 4
Total major changes 394
Total minor changes 2
Total minor changes (no major) 1
Total unchanged 514

Summary of Entry Types

Type Version 2.2 Version 2.3
Category 177 177
Chain 3 3
Composite 6 6
Deprecated 12 12
View 29 29
Weakness 682 682

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 3 0
Description 1 1
Applicable_Platforms 0 0
Time_of_Introduction 0 0
Demonstrative_Examples 42 0
Detection_Factors 0 0
Likelihood_of_Exploit 0 0
Common_Consequences 0 0
Relationships 0 0
References 9 0
Potential_Mitigations 373 1
Observed_Examples 4 0
Terminology_Notes 1 0
Alternate_Terms 0 0
Related_Attack_Patterns 0 0
Relationship_Notes 0 0
Taxonomy_Mappings 0 0
Maintenance_Notes 0 0
Modes_of_Introduction 0 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 0 0
Background_Details 0 0
Theoretical_Notes 0 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 0 0
Other_Notes 0 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 0 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 909

Status Changes

From To Total
Unchanged 909

Relationship Changes

The "Version 2.3 Total" lists the total number of relationships in Version 2.3. The "Shared" value is the total number of relationships in entries that were in both Version 2.3 and Version 2.2. The "New" value is the total number of relationships involving entries that did not exist in Version 2.2. Thus, the total number of relationships in Version 2.3 would combine stats from Shared entries and New entries.

Relationship Version 2.3 Total Version 2.2 Total Version 2.3 Shared Unchanged Added to Version 2.3 Removed from Version 2.2 Version 2.3 New
ALL 7357 7357 7357 7357
ChildOf 3113 3113 3113 3113
ParentOf 3113 3113 3113 3113
MemberOf 334 334 334 334
HasMember 334 334 334 334
CanPrecede 113 113 113 113
CanFollow 113 113 113 113
StartsWith 3 3 3 3
Requires 19 19 19 19
RequiredBy 19 19 19 19
CanAlsoBe 34 34 34 34
PeerOf 162 162 162 162

Nodes Removed from Version 2.2

CWE-ID CWE Name
None.

Nodes Added to Version 2.3

CWE-ID CWE Name
None.

Nodes Deprecated in Version 2.3

CWE-ID CWE Name
None.
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

N 210 Information Exposure Through Self-generated Error Message
N 211 Information Exposure Through Externally-generated Error Message
D 500 Public Static Field Not Marked Final
N 622 Improper Validation of Function Hook Arguments
Detailed Difference Report
Detailed Difference Report
5 J2EE Misconfiguration: Data Transmission Without Encryption
Major Potential_Mitigations
Minor None
6 J2EE Misconfiguration: Insufficient Session-ID Length
Major Potential_Mitigations
Minor None
7 J2EE Misconfiguration: Missing Custom Error Page
Major Potential_Mitigations
Minor None
8 J2EE Misconfiguration: Entity Bean Declared Remote
Major Potential_Mitigations
Minor None
9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Major Potential_Mitigations
Minor None
12 ASP.NET Misconfiguration: Missing Custom Error Page
Major Potential_Mitigations
Minor None
13 ASP.NET Misconfiguration: Password in Configuration File
Major Demonstrative_Examples
Minor None
15 External Control of System or Configuration Setting
Major Potential_Mitigations
Minor None
20 Improper Input Validation
Major Potential_Mitigations
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Potential_Mitigations
Minor None
36 Absolute Path Traversal
Major Potential_Mitigations
Minor None
41 Improper Resolution of Path Equivalence
Major Potential_Mitigations
Minor None
42 Path Equivalence: 'filename.' (Trailing Dot)
Major Potential_Mitigations
Minor None
43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
Major Potential_Mitigations
Minor None
44 Path Equivalence: 'file.name' (Internal Dot)
Major Potential_Mitigations
Minor None
45 Path Equivalence: 'file...name' (Multiple Internal Dot)
Major Potential_Mitigations
Minor None
46 Path Equivalence: 'filename ' (Trailing Space)
Major Potential_Mitigations
Minor None
47 Path Equivalence: ' filename' (Leading Space)
Major Potential_Mitigations
Minor None
48 Path Equivalence: 'file name' (Internal Whitespace)
Major Potential_Mitigations
Minor None
49 Path Equivalence: 'filename/' (Trailing Slash)
Major Potential_Mitigations
Minor None
50 Path Equivalence: '//multiple/leading/slash'
Major Potential_Mitigations
Minor None
51 Path Equivalence: '/multiple//internal/slash'
Major Potential_Mitigations
Minor None
52 Path Equivalence: '/multiple/trailing/slash//'
Major Potential_Mitigations
Minor None
53 Path Equivalence: '\multiple\\internal\backslash'
Major Potential_Mitigations
Minor None
54 Path Equivalence: 'filedir\' (Trailing Backslash)
Major Potential_Mitigations
Minor None
55 Path Equivalence: '/./' (Single Dot Directory)
Major Potential_Mitigations
Minor None
56 Path Equivalence: 'filedir*' (Wildcard)
Major Potential_Mitigations
Minor None
57 Path Equivalence: 'fakedir/../realdir/filename'
Major Potential_Mitigations
Minor None
58 Path Equivalence: Windows 8.3 Filename
Major Potential_Mitigations
Minor None
59 Improper Link Resolution Before File Access ('Link Following')
Major Potential_Mitigations
Minor None
61 UNIX Symbolic Link (Symlink) Following
Major Potential_Mitigations
Minor None
62 UNIX Hard Link
Major Potential_Mitigations
Minor None
64 Windows Shortcut Following (.LNK)
Major Potential_Mitigations
Minor None
65 Windows Hard Link
Major Potential_Mitigations
Minor None
67 Improper Handling of Windows Device Names
Major Potential_Mitigations
Minor None
69 Improper Handling of Windows ::DATA Alternate Data Stream
Major Potential_Mitigations
Minor None
73 External Control of File Name or Path
Major Potential_Mitigations
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Potential_Mitigations
Minor None
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major Potential_Mitigations
Minor None
76 Improper Neutralization of Equivalent Special Elements
Major Potential_Mitigations
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Potential_Mitigations
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Observed_Examples, Potential_Mitigations
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Potential_Mitigations
Minor None
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Potential_Mitigations
Minor None
81 Improper Neutralization of Script in an Error Message Web Page
Major Potential_Mitigations
Minor None
82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Major Potential_Mitigations
Minor None
83 Improper Neutralization of Script in Attributes in a Web Page
Major Potential_Mitigations
Minor None
84 Improper Neutralization of Encoded URI Schemes in a Web Page
Major Potential_Mitigations
Minor None
85 Doubled Character XSS Manipulations
Major Potential_Mitigations
Minor None
86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Major Potential_Mitigations
Minor None
87 Improper Neutralization of Alternate XSS Syntax
Major Potential_Mitigations
Minor None
88 Argument Injection or Modification
Major Potential_Mitigations
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Potential_Mitigations
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Demonstrative_Examples, Potential_Mitigations
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Potential_Mitigations
Minor None
93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Major Potential_Mitigations
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Potential_Mitigations
Minor None
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Potential_Mitigations
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Potential_Mitigations
Minor None
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Major Potential_Mitigations, References
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Potential_Mitigations
Minor None
103 Struts: Incomplete validate() Method Definition
Major Potential_Mitigations
Minor None
104 Struts: Form Bean Does Not Extend Validation Class
Major Potential_Mitigations
Minor None
105 Struts: Form Field Without Validator
Major Potential_Mitigations
Minor None
107 Struts: Unused Validation Form
Major Potential_Mitigations
Minor None
108 Struts: Unvalidated Action Form
Major Potential_Mitigations
Minor None
109 Struts: Validator Turned Off
Major Potential_Mitigations
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Potential_Mitigations
Minor None
116 Improper Encoding or Escaping of Output
Major Potential_Mitigations
Minor None
117 Improper Output Neutralization for Logs
Major Potential_Mitigations
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Potential_Mitigations
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Potential_Mitigations
Minor None
121 Stack-based Buffer Overflow
Major Demonstrative_Examples, Potential_Mitigations
Minor None
122 Heap-based Buffer Overflow
Major Demonstrative_Examples
Minor None
123 Write-what-where Condition
Major Demonstrative_Examples
Minor None
129 Improper Validation of Array Index
Major Potential_Mitigations
Minor None
130 Improper Handling of Length Parameter Inconsistency
Major Potential_Mitigations
Minor None
131 Incorrect Calculation of Buffer Size
Major Potential_Mitigations
Minor None
135 Incorrect Calculation of Multi-Byte String Length
Major Potential_Mitigations
Minor None
140 Improper Neutralization of Delimiters
Major Potential_Mitigations
Minor None
141 Improper Neutralization of Parameter/Argument Delimiters
Major Potential_Mitigations
Minor None
142 Improper Neutralization of Value Delimiters
Major Potential_Mitigations
Minor None
143 Improper Neutralization of Record Delimiters
Major Potential_Mitigations
Minor None
144 Improper Neutralization of Line Delimiters
Major Potential_Mitigations
Minor None
145 Improper Neutralization of Section Delimiters
Major Potential_Mitigations
Minor None
146 Improper Neutralization of Expression/Command Delimiters
Major Potential_Mitigations
Minor None
147 Improper Neutralization of Input Terminators
Major Potential_Mitigations
Minor None
148 Improper Neutralization of Input Leaders
Major Potential_Mitigations
Minor None
149 Improper Neutralization of Quoting Syntax
Major Potential_Mitigations
Minor None
150 Improper Neutralization of Escape, Meta, or Control Sequences
Major Potential_Mitigations
Minor None
151 Improper Neutralization of Comment Delimiters
Major Potential_Mitigations
Minor None
152 Improper Neutralization of Macro Symbols
Major Potential_Mitigations
Minor None
153 Improper Neutralization of Substitution Characters
Major Potential_Mitigations
Minor None
154 Improper Neutralization of Variable Name Delimiters
Major Potential_Mitigations
Minor None
155 Improper Neutralization of Wildcards or Matching Symbols
Major Potential_Mitigations
Minor None
156 Improper Neutralization of Whitespace
Major Potential_Mitigations
Minor None
157 Failure to Sanitize Paired Delimiters
Major Potential_Mitigations
Minor None
158 Improper Neutralization of Null Byte or NUL Character
Major Potential_Mitigations
Minor None
159 Failure to Sanitize Special Element
Major Potential_Mitigations
Minor None
160 Improper Neutralization of Leading Special Elements
Major Potential_Mitigations
Minor None
161 Improper Neutralization of Multiple Leading Special Elements
Major Potential_Mitigations
Minor None
162 Improper Neutralization of Trailing Special Elements
Major Potential_Mitigations
Minor None
163 Improper Neutralization of Multiple Trailing Special Elements
Major Potential_Mitigations
Minor None
164 Improper Neutralization of Internal Special Elements
Major Potential_Mitigations
Minor None
165 Improper Neutralization of Multiple Internal Special Elements
Major Potential_Mitigations
Minor None
166 Improper Handling of Missing Special Element
Major Potential_Mitigations
Minor None
167 Improper Handling of Additional Special Element
Major Potential_Mitigations
Minor None
168 Improper Handling of Inconsistent Special Elements
Major Potential_Mitigations
Minor None
171 Cleansing, Canonicalization, and Comparison Errors
Major Potential_Mitigations
Minor None
172 Encoding Error
Major Potential_Mitigations
Minor None
173 Improper Handling of Alternate Encoding
Major Potential_Mitigations
Minor None
174 Double Decoding of the Same Data
Major Potential_Mitigations
Minor None
175 Improper Handling of Mixed Encoding
Major Potential_Mitigations
Minor None
176 Improper Handling of Unicode Encoding
Major Potential_Mitigations
Minor None
177 Improper Handling of URL Encoding (Hex Encoding)
Major Potential_Mitigations
Minor None
178 Improper Handling of Case Sensitivity
Major Demonstrative_Examples, Potential_Mitigations
Minor None
181 Incorrect Behavior Order: Validate Before Filter
Major Potential_Mitigations
Minor None
182 Collapse of Data into Unsafe Value
Major Potential_Mitigations
Minor None
185 Incorrect Regular Expression
Major Potential_Mitigations
Minor None
187 Partial Comparison
Major Potential_Mitigations
Minor None
188 Reliance on Data/Memory Layout
Major Potential_Mitigations
Minor None
190 Integer Overflow or Wraparound
Major Potential_Mitigations
Minor None
192 Integer Coercion Error
Major Potential_Mitigations
Minor None
196 Unsigned to Signed Conversion Error
Major Potential_Mitigations
Minor None
200 Information Exposure
Major Potential_Mitigations
Minor None
201 Information Exposure Through Sent Data
Major Potential_Mitigations
Minor None
203 Information Exposure Through Discrepancy
Major Potential_Mitigations
Minor None
204 Response Discrepancy Information Exposure
Major Potential_Mitigations
Minor None
205 Information Exposure Through Behavioral Discrepancy
Major Potential_Mitigations
Minor None
206 Information Exposure of Internal State Through Behavioral Inconsistency
Major Potential_Mitigations
Minor None
207 Information Exposure Through an External Behavioral Inconsistency
Major Potential_Mitigations
Minor None
210 Information Exposure Through Self-generated Error Message
Major Name, Potential_Mitigations
Minor None
211 Information Exposure Through Externally-generated Error Message
Major Name
Minor None
212 Improper Cross-boundary Removal of Sensitive Data
Major Potential_Mitigations
Minor None
213 Intentional Information Exposure
Major Potential_Mitigations
Minor None
214 Information Exposure Through Process Environment
Major Potential_Mitigations
Minor None
215 Information Exposure Through Debug Information
Major Potential_Mitigations
Minor None
216 Containment Errors (Container Errors)
Major Potential_Mitigations
Minor None
219 Sensitive Data Under Web Root
Major Potential_Mitigations
Minor None
220 Sensitive Data Under FTP Root
Major Potential_Mitigations
Minor None
224 Obscured Security-relevant Information by Alternate Name
Major Potential_Mitigations
Minor None
227 Improper Fulfillment of API Contract ('API Abuse')
Major Observed_Examples, Potential_Mitigations
Minor None
241 Improper Handling of Unexpected Data Type
Major Potential_Mitigations
Minor None
242 Use of Inherently Dangerous Function
Major Potential_Mitigations
Minor None
246 J2EE Bad Practices: Direct Use of Sockets
Major Potential_Mitigations
Minor None
250 Execution with Unnecessary Privileges
Major Potential_Mitigations
Minor None
253 Incorrect Check of Function Return Value
Major Potential_Mitigations
Minor None
256 Plaintext Storage of a Password
Major Demonstrative_Examples, Potential_Mitigations
Minor None
257 Storing Passwords in a Recoverable Format
Major Demonstrative_Examples
Minor None
259 Use of Hard-coded Password
Major Demonstrative_Examples
Minor None
260 Password in Configuration File
Major Demonstrative_Examples, Potential_Mitigations
Minor None
264 Permissions, Privileges, and Access Controls
Major Potential_Mitigations
Minor None
265 Privilege / Sandbox Issues
Major Potential_Mitigations
Minor None
266 Incorrect Privilege Assignment
Major Potential_Mitigations, References
Minor None
267 Privilege Defined With Unsafe Actions
Major Potential_Mitigations, References
Minor None
268 Privilege Chaining
Major Potential_Mitigations, References
Minor None
269 Improper Privilege Management
Major Potential_Mitigations
Minor None
270 Privilege Context Switching Error
Major Potential_Mitigations, References
Minor None
271 Privilege Dropping / Lowering Errors
Major Potential_Mitigations
Minor None
272 Least Privilege Violation
Major Potential_Mitigations
Minor None
273 Improper Check for Dropped Privileges
Major Demonstrative_Examples, Potential_Mitigations
Minor None
276 Incorrect Default Permissions
Major Potential_Mitigations
Minor None
277 Insecure Inherited Permissions
Major Potential_Mitigations
Minor None
278 Insecure Preserved Inherited Permissions
Major Potential_Mitigations
Minor None
279 Incorrect Execution-Assigned Permissions
Major Potential_Mitigations
Minor None
280 Improper Handling of Insufficient Permissions or Privileges
Major Potential_Mitigations
Minor None
283 Unverified Ownership
Major Potential_Mitigations
Minor None
284 Improper Access Control
Major Potential_Mitigations
Minor None
285 Improper Authorization
Major Potential_Mitigations
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Potential_Mitigations
Minor None
289 Authentication Bypass by Alternate Name
Major Potential_Mitigations
Minor None
293 Using Referer Field for Authentication
Major Demonstrative_Examples
Minor None
300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Major Potential_Mitigations
Minor None
306 Missing Authentication for Critical Function
Major Potential_Mitigations
Minor None
308 Use of Single-factor Authentication
Major Demonstrative_Examples
Minor None
309 Use of Password System for Primary Authentication
Major Demonstrative_Examples
Minor None
311 Missing Encryption of Sensitive Data
Major Potential_Mitigations, References
Minor None
323 Reusing a Nonce, Key Pair in Encryption
Major Demonstrative_Examples, Potential_Mitigations
Minor None
324 Use of a Key Past its Expiration Date
Major Potential_Mitigations
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Potential_Mitigations
Minor None
328 Reversible One-Way Hash
Major Demonstrative_Examples, Potential_Mitigations, References
Minor None
329 Not Using a Random IV with CBC Mode
Major Demonstrative_Examples, Potential_Mitigations
Minor None
331 Insufficient Entropy
Major Potential_Mitigations
Minor None
333 Improper Handling of Insufficient Entropy in TRNG
Major Demonstrative_Examples
Minor None
334 Small Space of Random Values
Major Potential_Mitigations
Minor None
337 Predictable Seed in PRNG
Major Demonstrative_Examples, Potential_Mitigations
Minor None
338 Use of Cryptographically Weak PRNG
Major Demonstrative_Examples, Potential_Mitigations
Minor None
339 Small Seed Space in PRNG
Major Potential_Mitigations
Minor None
341 Predictable from Observable State
Major Potential_Mitigations
Minor None
342 Predictable Exact Value from Previous Values
Major Potential_Mitigations
Minor None
343 Predictable Value Range from Previous Values
Major Potential_Mitigations
Minor None
344 Use of Invariant Value in Dynamically Changing Context
Major Potential_Mitigations
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Potential_Mitigations
Minor None
353 Missing Support for Integrity Check
Major Demonstrative_Examples
Minor None
360 Trust of System Event Data
Major Demonstrative_Examples
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Potential_Mitigations
Minor None
375 Returning a Mutable Object to an Untrusted Caller
Major Demonstrative_Examples
Minor None
378 Creation of Temporary File With Insecure Permissions
Major Demonstrative_Examples, Potential_Mitigations
Minor None
379 Creation of Temporary File in Directory with Incorrect Permissions
Major Demonstrative_Examples
Minor None
383 J2EE Bad Practices: Direct Use of Threads
Major Potential_Mitigations
Minor None
384 Session Fixation
Major Potential_Mitigations
Minor Description
391 Unchecked Error Condition
Major Potential_Mitigations
Minor None
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major Potential_Mitigations
Minor None
401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
Major Potential_Mitigations
Minor None
405 Asymmetric Resource Consumption (Amplification)
Major Potential_Mitigations
Minor None
406 Insufficient Control of Network Message Volume (Network Amplification)
Major Potential_Mitigations
Minor None
410 Insufficient Resource Pool
Major Potential_Mitigations
Minor None
413 Improper Resource Locking
Major Potential_Mitigations
Minor None
414 Missing Lock Check
Major Potential_Mitigations
Minor None
419 Unprotected Primary Channel
Major Potential_Mitigations
Minor None
420 Unprotected Alternate Channel
Major Potential_Mitigations
Minor None
421 Race Condition During Access to Alternate Channel
Major Potential_Mitigations
Minor None
422 Unprotected Windows Messaging Channel ('Shatter')
Major Potential_Mitigations
Minor None
424 Improper Protection of Alternate Path
Major Potential_Mitigations
Minor None
425 Direct Request ('Forced Browsing')
Major Potential_Mitigations
Minor None
428 Unquoted Search Path or Element
Major Potential_Mitigations
Minor None
430 Deployment of Wrong Handler
Major Potential_Mitigations
Minor None
433 Unparsed Raw Web Content Delivery
Major Demonstrative_Examples, Potential_Mitigations
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Potential_Mitigations
Minor None
441 Unintended Proxy/Intermediary
Major Potential_Mitigations
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Major Demonstrative_Examples, Potential_Mitigations
Minor None
447 Unimplemented or Unsupported Feature in UI
Major Potential_Mitigations
Minor None
448 Obsolete Feature in UI
Major Potential_Mitigations
Minor None
449 The UI Performs the Wrong Action
Major Potential_Mitigations
Minor None
451 UI Misrepresentation of Critical Information
Major Potential_Mitigations
Minor None
453 Insecure Default Variable Initialization
Major Potential_Mitigations
Minor None
454 External Initialization of Trusted Variables or Data Stores
Major Potential_Mitigations
Minor None
455 Non-exit on Failed Initialization
Major Potential_Mitigations
Minor None
456 Missing Initialization
Major Potential_Mitigations
Minor None
457 Use of Uninitialized Variable
Major Demonstrative_Examples
Minor None
459 Incomplete Cleanup
Major Potential_Mitigations
Minor None
463 Deletion of Data Structure Sentinel
Major Potential_Mitigations
Minor None
464 Addition of Data Structure Sentinel
Major Potential_Mitigations
Minor None
466 Return of Pointer Value Outside of Expected Range
Major Potential_Mitigations
Minor None
468 Incorrect Pointer Scaling
Major Potential_Mitigations
Minor None
469 Use of Pointer Subtraction to Determine Size
Major Demonstrative_Examples, Potential_Mitigations
Minor None
473 PHP External Variable Modification
Major Potential_Mitigations
Minor None
474 Use of Function with Inconsistent Implementations
Major Potential_Mitigations
Minor None
477 Use of Obsolete Functions
Major Potential_Mitigations
Minor None
479 Signal Handler Use of a Non-reentrant Function
Major Demonstrative_Examples
Minor None
480 Use of Incorrect Operator
Major Demonstrative_Examples, Potential_Mitigations
Minor None
481 Assigning instead of Comparing
Major Demonstrative_Examples, Potential_Mitigations
Minor None
482 Comparing instead of Assigning
Major Demonstrative_Examples, Potential_Mitigations
Minor None
484 Omitted Break Statement in Switch
Major Demonstrative_Examples
Minor None
485 Insufficient Encapsulation
Major Potential_Mitigations, Terminology_Notes
Minor None
487 Reliance on Package-level Scope
Major Potential_Mitigations
Minor None
488 Exposure of Data Element to Wrong Session
Major Potential_Mitigations
Minor None
489 Leftover Debug Code
Major Potential_Mitigations
Minor None
491 Public cloneable() Method Without Final ('Object Hijack')
Major Potential_Mitigations
Minor None
494 Download of Code Without Integrity Check
Major Potential_Mitigations
Minor None
495 Private Array-Typed Field Returned From A Public Method
Major Potential_Mitigations
Minor None
496 Public Data Assigned to Private Array-Typed Field
Major Potential_Mitigations
Minor None
497 Exposure of System Data to an Unauthorized Control Sphere
Major Potential_Mitigations
Minor None
499 Serializable Class Containing Sensitive Data
Major Demonstrative_Examples
Minor None
500 Public Static Field Not Marked Final
Major Demonstrative_Examples, Description, Potential_Mitigations
Minor None
502 Deserialization of Untrusted Data
Major Demonstrative_Examples
Minor None
506 Embedded Malicious Code
Major Potential_Mitigations
Minor None
507 Trojan Horse
Major Potential_Mitigations
Minor None
508 Non-Replicating Malicious Code
Major Potential_Mitigations
Minor None
509 Replicating Malicious Code (Virus or Worm)
Major Potential_Mitigations
Minor None
510 Trapdoor
Major Potential_Mitigations
Minor None
511 Logic/Time Bomb
Major Potential_Mitigations
Minor None
512 Spyware
Major Potential_Mitigations
Minor None
520 .NET Misconfiguration: Use of Impersonation
Major Potential_Mitigations
Minor None
522 Insufficiently Protected Credentials
Major Demonstrative_Examples, Potential_Mitigations
Minor None
523 Unprotected Transport of Credentials
Major Potential_Mitigations
Minor None
524 Information Exposure Through Caching
Major Potential_Mitigations
Minor None
525 Information Exposure Through Browser Caching
Major Potential_Mitigations
Minor None
526 Information Exposure Through Environmental Variables
Major Potential_Mitigations
Minor None
527 Exposure of CVS Repository to an Unauthorized Control Sphere
Major Potential_Mitigations
Minor None
528 Exposure of Core Dump File to an Unauthorized Control Sphere
Major Potential_Mitigations
Minor None
529 Exposure of Access Control List Files to an Unauthorized Control Sphere
Major Potential_Mitigations
Minor None
530 Exposure of Backup File to an Unauthorized Control Sphere
Major Potential_Mitigations
Minor None
531 Information Exposure Through Test Code
Major Potential_Mitigations
Minor None
533 Information Exposure Through Server Log Files
Major Potential_Mitigations
Minor None
534 Information Exposure Through Debug Log Files
Major Potential_Mitigations
Minor None
535 Information Exposure Through Shell Error Message
Major Potential_Mitigations
Minor None
536 Information Exposure Through Servlet Runtime Error Message
Major Potential_Mitigations
Minor None
538 File and Directory Information Exposure
Major Potential_Mitigations
Minor None
539 Information Exposure Through Persistent Cookies
Major Potential_Mitigations
Minor None
540 Information Exposure Through Source Code
Major Potential_Mitigations
Minor None
541 Information Exposure Through Include Source Code
Major Demonstrative_Examples, Potential_Mitigations
Minor None
542 Information Exposure Through Cleanup Log Files
Major Potential_Mitigations
Minor None
545 Use of Dynamic Class Loading
Major Potential_Mitigations
Minor None
546 Suspicious Comment
Major Potential_Mitigations
Minor None
547 Use of Hard-coded, Security-relevant Constants
Major Potential_Mitigations
Minor None
548 Information Exposure Through Directory Listing
Major Potential_Mitigations
Minor None
549 Missing Password Field Masking
Major Potential_Mitigations
Minor None
550 Information Exposure Through Server Error Message
Major Potential_Mitigations
Minor None
551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Major Potential_Mitigations
Minor None
553 Command Shell in Externally Accessible Directory
Major Potential_Mitigations
Minor None
554 ASP.NET Misconfiguration: Not Using Input Validation Framework
Major Potential_Mitigations
Minor None
555 J2EE Misconfiguration: Plaintext Password in Configuration File
Major Potential_Mitigations
Minor None
556 ASP.NET Misconfiguration: Use of Identity Impersonation
Major Potential_Mitigations
Minor None
558 Use of getlogin() in Multithreaded Application
Major Potential_Mitigations
Minor None
560 Use of umask() with chmod-style Argument
Major Potential_Mitigations
Minor None
561 Dead Code
Major Potential_Mitigations
Minor None
562 Return of Stack Variable Address
Major Potential_Mitigations
Minor None
563 Unused Variable
Major Potential_Mitigations
Minor None
564 SQL Injection: Hibernate
Major Potential_Mitigations
Minor None
567 Unsynchronized Access to Shared Data in a Multithreaded Context
Major Potential_Mitigations
Minor None
568 finalize() Method Without super.finalize()
Major Potential_Mitigations
Minor None
572 Call to Thread run() instead of start()
Major Potential_Mitigations
Minor None
574 EJB Bad Practices: Use of Synchronization Primitives
Major Potential_Mitigations
Minor None
576 EJB Bad Practices: Use of Java I/O
Major Potential_Mitigations
Minor None
579 J2EE Bad Practices: Non-serializable Object Stored in Session
Major Potential_Mitigations
Minor None
581 Object Model Violation: Just One of Equals and Hashcode Defined
Major Potential_Mitigations
Minor None
582 Array Declared Public, Final, and Static
Major Potential_Mitigations
Minor None
583 finalize() Method Declared Public
Major Potential_Mitigations
Minor None
584 Return Inside Finally Block
Major Potential_Mitigations
Minor None
586 Explicit Call to Finalize()
Major Potential_Mitigations
Minor None
588 Attempt to Access Child of a Non-structure Pointer
Major Potential_Mitigations
Minor None
589 Call to Non-ubiquitous API
Major Potential_Mitigations
Minor None
590 Free of Memory not on the Heap
Major Potential_Mitigations
Minor None
594 J2EE Framework: Saving Unserializable Objects to Disk
Major Potential_Mitigations
Minor None
595 Comparison of Object References Instead of Object Contents
Major Potential_Mitigations
Minor None
598 Information Exposure Through Query Strings in GET Request
Major Potential_Mitigations
Minor None
600 Uncaught Exception in Servlet
Major Potential_Mitigations
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Potential_Mitigations
Minor None
603 Use of Client-Side Authentication
Major Potential_Mitigations
Minor None
605 Multiple Binds to the Same Port
Major Potential_Mitigations
Minor None
606 Unchecked Input for Loop Condition
Major Potential_Mitigations
Minor None
607 Public Static Final Field References Mutable Object
Major Potential_Mitigations
Minor None
608 Struts: Non-private Field in ActionForm Class
Major Potential_Mitigations
Minor None
609 Double-Checked Locking
Major Potential_Mitigations
Minor None
613 Insufficient Session Expiration
Major Potential_Mitigations
Minor None
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major Potential_Mitigations
Minor None
615 Information Exposure Through Comments
Major Potential_Mitigations
Minor None
616 Incomplete Identification of Uploaded File Variables (PHP)
Major Potential_Mitigations
Minor None
617 Reachable Assertion
Major Potential_Mitigations
Minor None
618 Exposed Unsafe ActiveX Method
Major Potential_Mitigations
Minor None
619 Dangling Database Cursor ('Cursor Injection')
Major Potential_Mitigations
Minor None
620 Unverified Password Change
Major Potential_Mitigations
Minor None
621 Variable Extraction Error
Major Potential_Mitigations
Minor None
622 Improper Validation of Function Hook Arguments
Major Name, Potential_Mitigations
Minor None
623 Unsafe ActiveX Control Marked Safe For Scripting
Major Potential_Mitigations
Minor None
624 Executable Regular Expression Error
Major Potential_Mitigations
Minor None
625 Permissive Regular Expression
Major Potential_Mitigations
Minor None
626 Null Byte Interaction Error (Poison Null Byte)
Major Potential_Mitigations
Minor None
627 Dynamic Variable Evaluation
Major Potential_Mitigations
Minor None
628 Function Call with Incorrectly Specified Arguments
Major Potential_Mitigations
Minor None
636 Not Failing Securely ('Failing Open')
Major Potential_Mitigations
Minor None
637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
Major Potential_Mitigations
Minor None
638 Not Using Complete Mediation
Major Potential_Mitigations
Minor None
640 Weak Password Recovery Mechanism for Forgotten Password
Major Potential_Mitigations
Minor None
641 Improper Restriction of Names for Files and Other Resources
Major Potential_Mitigations
Minor None
642 External Control of Critical State Data
Major Potential_Mitigations
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major Potential_Mitigations
Minor None
644 Improper Neutralization of HTTP Headers for Scripting Syntax
Major Potential_Mitigations
Minor None
645 Overly Restrictive Account Lockout Mechanism
Major Potential_Mitigations
Minor None
646 Reliance on File Name or Extension of Externally-Supplied File
Major Potential_Mitigations
Minor None
648 Incorrect Use of Privileged APIs
Major Potential_Mitigations
Minor None
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major Potential_Mitigations
Minor None
650 Trusting HTTP Permission Methods on the Server Side
Major Potential_Mitigations
Minor None
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major Potential_Mitigations
Minor None
653 Insufficient Compartmentalization
Major Potential_Mitigations
Minor None
654 Reliance on a Single Factor in a Security Decision
Major Potential_Mitigations
Minor None
655 Insufficient Psychological Acceptability
Major Potential_Mitigations
Minor None
656 Reliance on Security Through Obscurity
Major Potential_Mitigations
Minor None
662 Improper Synchronization
Major Potential_Mitigations
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Potential_Mitigations
Minor None
666 Operation on Resource in Wrong Phase of Lifetime
Major Potential_Mitigations
Minor None
667 Improper Locking
Major Potential_Mitigations
Minor None
674 Uncontrolled Recursion
Major Potential_Mitigations
Minor None
683 Function Call With Incorrect Order of Arguments
Major Potential_Mitigations
Minor None
685 Function Call With Incorrect Number of Arguments
Major Potential_Mitigations
Minor None
686 Function Call With Incorrect Argument Type
Major Potential_Mitigations
Minor None
687 Function Call With Incorrectly Specified Argument Value
Major Potential_Mitigations
Minor None
688 Function Call With Incorrect Variable or Reference as Argument
Major Potential_Mitigations
Minor None
694 Use of Multiple Resources with Duplicate Identifier
Major Potential_Mitigations
Minor None
695 Use of Low-Level Functionality
Major Potential_Mitigations
Minor None
698 Redirect Without Exit
Major Demonstrative_Examples
Minor None
708 Incorrect Ownership Assignment
Major Observed_Examples, Potential_Mitigations
Minor None
710 Coding Standards Violation
Major Potential_Mitigations
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Potential_Mitigations
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Potential_Mitigations
Minor None
759 Use of a One-Way Hash without a Salt
Major Demonstrative_Examples, Potential_Mitigations, References
Minor None
760 Use of a One-Way Hash with a Predictable Salt
Major Potential_Mitigations, References
Minor None
761 Free of Pointer not at Start of Buffer
Major Potential_Mitigations
Minor None
762 Mismatched Memory Management Routines
Major Potential_Mitigations
Minor None
763 Release of Invalid Pointer or Reference
Major Potential_Mitigations
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Potential_Mitigations
Minor None
771 Missing Reference to Active Allocated Resource
Major Potential_Mitigations
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Potential_Mitigations
Minor None
773 Missing Reference to Active File Descriptor or Handle
Major Potential_Mitigations
Minor None
774 Allocation of File Descriptors or Handles Without Limits or Throttling
Major Potential_Mitigations
Minor None
775 Missing Release of File Descriptor or Handle after Effective Lifetime
Major Potential_Mitigations
Minor None
798 Use of Hard-coded Credentials
Major Demonstrative_Examples, Potential_Mitigations
Minor None
805 Buffer Access with Incorrect Length Value
Major Potential_Mitigations
Minor None
806 Buffer Access Using Size of Source Buffer
Major None
Minor Potential_Mitigations
807 Reliance on Untrusted Inputs in a Security Decision
Major Potential_Mitigations
Minor None
829 Inclusion of Functionality from Untrusted Control Sphere
Major Potential_Mitigations
Minor None
836 Use of Password Hash Instead of Password for Authentication
Major Observed_Examples
Minor None
862 Missing Authorization
Major Potential_Mitigations
Minor None
863 Incorrect Authorization
Major Potential_Mitigations
Minor None

More information is available — Please select a different filter.
Page Last Updated: January 05, 2017