CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > Reports > Differences between Version 2.3 and Version 2.4  
ID

Differences between Version 2.3 and Version 2.4

Summary
Summary
Total (Version 2.4) 920
Total (Version 2.3) 909
Total new 11
Total deprecated 0
Total shared 909
Total important changes 49
Total major changes 96
Total minor changes 1
Total minor changes (no major)
Total unchanged 813

Summary of Entry Types

Type Version 2.3 Version 2.4
Category 177 176
Chain 3 3
Composite 6 6
Deprecated 12 12
View 29 29
Weakness 682 694

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 11 0
Description 15 1
Applicable_Platforms 19 0
Time_of_Introduction 2 0
Demonstrative_Examples 13 0
Detection_Factors 0 0
Likelihood_of_Exploit 0 0
Common_Consequences 5 0
Relationships 44 0
References 17 0
Potential_Mitigations 36 0
Observed_Examples 16 0
Terminology_Notes 0 0
Alternate_Terms 11 0
Related_Attack_Patterns 0 0
Relationship_Notes 3 0
Taxonomy_Mappings 1 0
Maintenance_Notes 5 0
Modes_of_Introduction 0 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 0 0
Background_Details 2 0
Theoretical_Notes 2 0
Weakness_Ordinalities 1 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 0 0
Other_Notes 5 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 7 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 902
Category Weakness/Base 1
Weakness/Base Weakness/Class 1
Weakness/Base Weakness/Variant 3
Weakness/Class Weakness/Base 2

Status Changes

From To Total
Unchanged 909

Relationship Changes

The "Version 2.4 Total" lists the total number of relationships in Version 2.4. The "Shared" value is the total number of relationships in entries that were in both Version 2.4 and Version 2.3. The "New" value is the total number of relationships involving entries that did not exist in Version 2.3. Thus, the total number of relationships in Version 2.4 would combine stats from Shared entries and New entries.

Relationship Version 2.4 Total Version 2.3 Total Version 2.4 Shared Unchanged Added to Version 2.4 Removed from Version 2.3 Version 2.4 New
ALL 7419 7357 7341 7297 44 60 78
ChildOf 3141 3113 3106 3090 16 23 35
ParentOf 3141 3113 3106 3090 16 23 35
MemberOf 334 334 334 334
HasMember 334 334 334 334
CanPrecede 120 113 117 113 4 3
CanFollow 120 113 117 113 4 3
StartsWith 3 3 3 3
Requires 19 19 19 19
RequiredBy 19 19 19 19
CanAlsoBe 34 34 34 34
PeerOf 154 162 152 148 4 14 2

Nodes Removed from Version 2.3

CWE-ID CWE Name
None.

Nodes Added to Version 2.4

CWE-ID CWE Name
908 Use of Uninitialized Resource
909 Missing Initialization of Resource
910 Use of Expired File Descriptor
911 Improper Update of Reference Count
912 Hidden Functionality
913 Improper Control of Dynamically-Managed Code Resources
914 Improper Control of Dynamically-Identified Variables
915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
916 Use of Password Hash With Insufficient Computational Effort
917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
918 Server-Side Request Forgery (SSRF)

Nodes Deprecated in Version 2.4

CWE-ID CWE Name
None.
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 20 Improper Input Validation
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 94 Improper Control of Generation of Code ('Code Injection')
N 98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
R 99 Improper Control of Resource Identifiers ('Resource Injection')
DNR 295 Improper Certificate Validation
DNR 296 Improper Following of a Certificate's Chain of Trust
DNR 297 Improper Validation of Certificate with Host Mismatch
R 298 Improper Validation of Certificate Expiration
D R 299 Improper Check for Certificate Revocation
R 322 Key Exchange without Entity Authentication
D 324 Use of a Key Past its Expiration Date
R 327 Use of a Broken or Risky Cryptographic Algorithm
R 352 Cross-Site Request Forgery (CSRF)
DN 403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
R 418 Channel Errors
DNR 441 Unintended Proxy or Intermediary ('Confused Deputy')
R 442 Web Problems
R 452 Initialization and Cleanup Errors
NR 456 Missing Initialization of a Variable
D R 457 Use of Uninitialized Variable
R 470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
R 471 Modification of Assumed-Immutable Data (MAID)
R 485 Insufficient Encapsulation
R 502 Deserialization of Untrusted Data
R 505 Intentionally Introduced Weakness
R 506 Embedded Malicious Code
D R 514 Covert Channel
R 538 File and Directory Information Exposure
DNR 599 Missing Validation of OpenSSL Certificate
DNR 611 Improper Restriction of XML External Entity Reference ('XXE')
R 621 Variable Extraction Error
R 627 Dynamic Variable Evaluation
R 664 Improper Control of a Resource Through its Lifetime
R 665 Improper Initialization
R 668 Exposure of Resource to Wrong Sphere
R 672 Operation on a Resource after Expiration or Release
R 673 External Influence of Sphere Definition
R 674 Uncontrolled Recursion
R 693 Protection Mechanism Failure
N 698 Execution After Redirect (EAR)
R 710 Coding Standards Violation
R 754 Improper Check for Unusual or Exceptional Conditions
D R 759 Use of a One-Way Hash without a Salt
D R 760 Use of a One-Way Hash with a Predictable Salt
R 772 Missing Release of Resource after Effective Lifetime
DNR 776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
R 813 OWASP Top Ten 2010 Category A4 - Insecure Direct Object References
D 863 Incorrect Authorization
Detailed Difference Report
Detailed Difference Report
11 ASP.NET Misconfiguration: Creating Debug Binary
Major Potential_Mitigations
Minor None
12 ASP.NET Misconfiguration: Missing Custom Error Page
Major Potential_Mitigations
Minor None
13 ASP.NET Misconfiguration: Password in Configuration File
Major Potential_Mitigations
Minor None
15 External Control of System or Configuration Setting
Major Potential_Mitigations
Minor None
20 Improper Input Validation
Major Relationships
Minor None
21 Pathname Traversal and Equivalence Errors
Major Potential_Mitigations
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Observed_Examples
Minor None
37 Path Traversal: '/absolute/pathname/here'
Major Potential_Mitigations
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Relationships
Minor None
81 Improper Neutralization of Script in an Error Message Web Page
Major Potential_Mitigations
Minor None
84 Improper Neutralization of Encoded URI Schemes in a Web Page
Major Potential_Mitigations
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Relationships
Minor None
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Observed_Examples
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Observed_Examples
Minor None
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Major Alternate_Terms, Name, Observed_Examples
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Alternate_Terms, Maintenance_Notes, Other_Notes, Relationships
Minor None
106 Struts: Plug-in Framework not in Use
Major Potential_Mitigations
Minor None
110 Struts: Validator Without Form Field
Major Potential_Mitigations
Minor None
111 Direct Use of Unsafe JNI
Major Potential_Mitigations
Minor None
112 Missing XML Validation
Major Potential_Mitigations
Minor None
114 Process Control
Major Potential_Mitigations
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Demonstrative_Examples
Minor None
122 Heap-based Buffer Overflow
Major Demonstrative_Examples, Potential_Mitigations
Minor None
123 Write-what-where Condition
Major Potential_Mitigations
Minor None
131 Incorrect Calculation of Buffer Size
Major Demonstrative_Examples
Minor None
140 Improper Neutralization of Delimiters
Major Potential_Mitigations
Minor None
171 Cleansing, Canonicalization, and Comparison Errors
Major Potential_Mitigations
Minor None
172 Encoding Error
Major Potential_Mitigations
Minor None
183 Permissive Whitelist
Major Potential_Mitigations
Minor None
184 Incomplete Blacklist
Major Potential_Mitigations
Minor None
200 Information Exposure
Major Alternate_Terms, Applicable_Platforms, References
Minor None
201 Information Exposure Through Sent Data
Major Potential_Mitigations
Minor None
202 Exposure of Sensitive Data Through Data Queries
Major Potential_Mitigations
Minor None
258 Empty Password in Configuration File
Major Potential_Mitigations
Minor None
269 Improper Privilege Management
Major Potential_Mitigations
Minor None
295 Improper Certificate Validation
Major Applicable_Platforms, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Time_of_Introduction, Type
Minor None
296 Improper Following of a Certificate's Chain of Trust
Major Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, References, Relationships
Minor None
297 Improper Validation of Certificate with Host Mismatch
Major Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, References, Relationships, Type
Minor None
298 Improper Validation of Certificate Expiration
Major Applicable_Platforms, Demonstrative_Examples, Relationships, Type
Minor Description
299 Improper Check for Certificate Revocation
Major Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Relationships, Type
Minor None
312 Cleartext Storage of Sensitive Information
Major Applicable_Platforms, References
Minor None
319 Cleartext Transmission of Sensitive Information
Major Applicable_Platforms, References
Minor None
322 Key Exchange without Entity Authentication
Major Relationships
Minor None
324 Use of a Key Past its Expiration Date
Major Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Relationships
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Relationships
Minor None
359 Privacy Violation
Major Applicable_Platforms, References
Minor None
360 Trust of System Event Data
Major Potential_Mitigations
Minor None
370 Missing Check for Certificate Revocation after Initial Check
Major Applicable_Platforms, Demonstrative_Examples
Minor None
401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
Major Observed_Examples
Minor None
403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
Major Alternate_Terms, Description, Name, Observed_Examples, References
Minor None
418 Channel Errors
Major Relationships
Minor None
431 Missing Handler
Major Potential_Mitigations
Minor None
441 Unintended Proxy or Intermediary ('Confused Deputy')
Major Alternate_Terms, Applicable_Platforms, Description, Maintenance_Notes, Name, Observed_Examples, References, Relationship_Notes, Relationships, Theoretical_Notes, Type
Minor None
442 Web Problems
Major Relationships
Minor None
452 Initialization and Cleanup Errors
Major Relationships
Minor None
456 Missing Initialization of a Variable
Major Name, Relationships
Minor None
457 Use of Uninitialized Variable
Major Applicable_Platforms, Description, Other_Notes, Potential_Mitigations, Relationships
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major Relationships
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Relationships
Minor None
485 Insufficient Encapsulation
Major Relationships
Minor None
502 Deserialization of Untrusted Data
Major Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships
Minor None
505 Intentionally Introduced Weakness
Major Relationships
Minor None
506 Embedded Malicious Code
Major Relationships
Minor None
511 Logic/Time Bomb
Major Applicable_Platforms, Potential_Mitigations, References, Time_of_Introduction
Minor None
514 Covert Channel
Major Description, Relationships, Theoretical_Notes
Minor None
538 File and Directory Information Exposure
Major Relationships
Minor None
599 Missing Validation of OpenSSL Certificate
Major Demonstrative_Examples, Description, Name, Relationship_Notes, Relationships
Minor None
610 Externally Controlled Reference to a Resource in Another Sphere
Major Maintenance_Notes
Minor None
611 Improper Restriction of XML External Entity Reference ('XXE')
Major Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
621 Variable Extraction Error
Major Demonstrative_Examples, Relationships
Minor None
627 Dynamic Variable Evaluation
Major Common_Consequences, Observed_Examples, Potential_Mitigations, Relationships, Weakness_Ordinalities
Minor None
639 Authorization Bypass Through User-Controlled Key
Major Alternate_Terms, Common_Consequences
Minor None
651 Information Exposure Through WSDL File
Major Potential_Mitigations
Minor None
654 Reliance on a Single Factor in a Security Decision
Major Potential_Mitigations
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Relationships
Minor None
665 Improper Initialization
Major Demonstrative_Examples, Relationships
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
672 Operation on a Resource after Expiration or Release
Major Relationships
Minor None
673 External Influence of Sphere Definition
Major Relationships
Minor None
674 Uncontrolled Recursion
Major Relationships
Minor None
693 Protection Mechanism Failure
Major Relationships
Minor None
698 Execution After Redirect (EAR)
Major Alternate_Terms, Name, Observed_Examples, References
Minor None
710 Coding Standards Violation
Major Relationships
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Relationships
Minor None
759 Use of a One-Way Hash without a Salt
Major Description, Potential_Mitigations, References, Relationships, Type
Minor None
760 Use of a One-Way Hash with a Predictable Salt
Major Description, Potential_Mitigations, References, Relationships, Type
Minor None
769 File Descriptor Exhaustion
Major Maintenance_Notes
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Relationships
Minor None
776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Major Alternate_Terms, Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships
Minor None
788 Access of Memory Location After End of Buffer
Major Demonstrative_Examples
Minor None
798 Use of Hard-coded Credentials
Major Applicable_Platforms, References
Minor None
813 OWASP Top Ten 2010 Category A4 - Insecure Direct Object References
Major Relationships
Minor None
825 Expired Pointer Dereference
Major Alternate_Terms
Minor None
827 Improper Control of Document Type Definition
Major Applicable_Platforms
Minor None
863 Incorrect Authorization
Major Description
Minor None

More information is available — Please select a different filter.
Page Last Updated: January 05, 2017