CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > Reports > Differences between Version 2.5 and Version 2.6  
ID

Differences between Version 2.5 and Version 2.6

Summary
Summary
Total (Version 2.6) 943
Total (Version 2.5) 940
Total new 3
Total deprecated 0
Total shared 940
Total important changes 19
Total major changes 73
Total minor changes 1
Total minor changes (no major)
Total unchanged 867

Summary of Entry Types

Type Version 2.5 Version 2.6
Category 186 186
Chain 3 3
Composite 5 5
Deprecated 14 14
View 31 31
Weakness 701 704

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 4 0
Description 8 0
Applicable_Platforms 7 0
Time_of_Introduction 0 0
Demonstrative_Examples 22 0
Detection_Factors 1 0
Likelihood_of_Exploit 0 0
Common_Consequences 2 0
Relationships 14 0
References 18 0
Potential_Mitigations 22 1
Observed_Examples 3 0
Terminology_Notes 3 0
Alternate_Terms 2 0
Related_Attack_Patterns 22 0
Relationship_Notes 1 0
Taxonomy_Mappings 0 0
Maintenance_Notes 3 0
Modes_of_Introduction 0 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 1 0
Background_Details 1 0
Theoretical_Notes 0 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 0 0
Other_Notes 3 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 0 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 940

Status Changes

From To Total
Unchanged 939
Draft Incomplete 1

Relationship Changes

The "Version 2.6 Total" lists the total number of relationships in Version 2.6. The "Shared" value is the total number of relationships in entries that were in both Version 2.6 and Version 2.5. The "New" value is the total number of relationships involving entries that did not exist in Version 2.5. Thus, the total number of relationships in Version 2.6 would combine stats from Shared entries and New entries.

Relationship Version 2.6 Total Version 2.5 Total Version 2.6 Shared Unchanged Added to Version 2.6 Removed from Version 2.5 Version 2.6 New
ALL 7509 7491 7497 7479 18 12 12
ChildOf 3183 3174 3178 3169 9 5 5
ParentOf 3183 3174 3178 3169 9 5 5
MemberOf 344 344 344 344
HasMember 344 344 344 344
CanPrecede 121 121 120 120 1 1
CanFollow 121 121 120 120 1 1
StartsWith 3 3 3 3
Requires 17 17 17 17
RequiredBy 17 17 17 17
CanAlsoBe 34 34 34 34
PeerOf 142 142 142 142

Nodes Removed from Version 2.5

CWE-ID CWE Name
None.

Nodes Added to Version 2.6

CWE-ID CWE Name
939 Improper Authorization in Handler for Custom URL Scheme
940 Improper Verification of Source of a Communication Channel
941 Incorrectly Specified Destination in a Communication Channel

Nodes Deprecated in Version 2.6

CWE-ID CWE Name
None.
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

D 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 284 Improper Access Control
R 287 Improper Authentication
R 291 Reliance on IP Address for Authentication
R 300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
R 304 Missing Critical Step in Authentication
R 346 Origin Validation Error
D R 350 Reliance on Reverse DNS Resolution for a Security-Critical Action
DN 359 Exposure of Private Information ('Privacy Violation')
R 406 Insufficient Control of Network Message Volume (Network Amplification)
DNR 451 User Interface (UI) Misrepresentation of Critical Information
R 682 Incorrect Calculation
R 684 Incorrect Provision of Specified Functionality
R 839 Numeric Range Comparison Without Minimum Check
R 862 Missing Authorization
DNR 923 Improper Restriction of Communication Channel to Intended Endpoints
D 925 Improper Verification of Intent by Broadcast Receiver
DN 926 Improper Export of Android Application Components
D 927 Use of Implicit Intent for Sensitive Communication
Detailed Difference Report
Detailed Difference Report
19 Data Handling
Major Related_Attack_Patterns
Minor None
20 Improper Input Validation
Major Demonstrative_Examples, Related_Attack_Patterns
Minor None
21 Pathname Traversal and Equivalence Errors
Major Potential_Mitigations
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Related_Attack_Patterns
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes, Terminology_Notes
Minor Potential_Mitigations
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Applicable_Platforms, Demonstrative_Examples, Terminology_Notes
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Related_Attack_Patterns
Minor None
112 Missing XML Validation
Major Related_Attack_Patterns
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Potential_Mitigations, References
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Potential_Mitigations, References
Minor None
129 Improper Validation of Array Index
Major Potential_Mitigations, References
Minor None
131 Incorrect Calculation of Buffer Size
Major Potential_Mitigations, References
Minor None
201 Information Exposure Through Sent Data
Major Related_Attack_Patterns
Minor None
216 Containment Errors (Container Errors)
Major Related_Attack_Patterns
Minor None
228 Improper Handling of Syntactically Invalid Structure
Major Demonstrative_Examples
Minor None
230 Improper Handling of Missing Values
Major Demonstrative_Examples
Minor None
233 Improper Handling of Parameters
Major Demonstrative_Examples
Minor None
250 Execution with Unnecessary Privileges
Major Demonstrative_Examples
Minor None
266 Incorrect Privilege Assignment
Major Applicable_Platforms, Demonstrative_Examples
Minor None
270 Privilege Context Switching Error
Major Related_Attack_Patterns
Minor None
284 Improper Access Control
Major Related_Attack_Patterns, Relationships
Minor None
287 Improper Authentication
Major Relationships
Minor None
290 Authentication Bypass by Spoofing
Major Related_Attack_Patterns
Minor None
291 Reliance on IP Address for Authentication
Major Relationships
Minor None
300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Major Relationships
Minor None
304 Missing Critical Step in Authentication
Major Relationships
Minor None
310 Cryptographic Issues
Major Related_Attack_Patterns
Minor None
311 Missing Encryption of Sensitive Data
Major Related_Attack_Patterns
Minor None
319 Cleartext Transmission of Sensitive Information
Major Related_Attack_Patterns
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Related_Attack_Patterns
Minor None
328 Reversible One-Way Hash
Major Potential_Mitigations, References
Minor None
330 Use of Insufficiently Random Values
Major Related_Attack_Patterns
Minor None
346 Origin Validation Error
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Maintenance_Notes, References, Relationship_Notes, Relationships, Terminology_Notes
Minor None
350 Reliance on Reverse DNS Resolution for a Security-Critical Action
Major Description, Relationships
Minor None
359 Exposure of Private Information ('Privacy Violation')
Major Alternate_Terms, Demonstrative_Examples, Description, Name, Other_Notes, References
Minor None
390 Detection of Error Condition Without Action
Major Related_Attack_Patterns
Minor None
401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
Major Potential_Mitigations, References
Minor None
404 Improper Resource Shutdown or Release
Major Demonstrative_Examples
Minor None
406 Insufficient Control of Network Message Volume (Network Amplification)
Major Demonstrative_Examples, Observed_Examples, Relationships
Minor None
426 Untrusted Search Path
Major Demonstrative_Examples, Detection_Factors, Potential_Mitigations
Minor None
427 Uncontrolled Search Path Element
Major Demonstrative_Examples, Observed_Examples, Potential_Mitigations
Minor None
451 User Interface (UI) Misrepresentation of Critical Information
Major Applicable_Platforms, Description, Maintenance_Notes, Name, Observed_Examples, Other_Notes, References, Relationships, Research_Gaps
Minor None
469 Use of Pointer Subtraction to Determine Size
Major Potential_Mitigations
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Related_Attack_Patterns
Minor None
476 NULL Pointer Dereference
Major Demonstrative_Examples
Minor None
532 Information Exposure Through Log Files
Major Demonstrative_Examples
Minor None
590 Free of Memory not on the Heap
Major Potential_Mitigations
Minor None
642 External Control of Critical State Data
Major Potential_Mitigations
Minor None
672 Operation on a Resource after Expiration or Release
Major Applicable_Platforms
Minor None
674 Uncontrolled Recursion
Major Related_Attack_Patterns
Minor None
682 Incorrect Calculation
Major Relationships
Minor None
684 Incorrect Provision of Specified Functionality
Major Relationships
Minor None
693 Protection Mechanism Failure
Major Related_Attack_Patterns
Minor None
707 Improper Enforcement of Message or Data Structure
Major Related_Attack_Patterns
Minor None
713 OWASP Top Ten 2007 Category A2 - Injection Flaws
Major Related_Attack_Patterns
Minor None
749 Exposed Dangerous Method or Function
Major Demonstrative_Examples
Minor None
759 Use of a One-Way Hash without a Salt
Major Potential_Mitigations, References
Minor None
760 Use of a One-Way Hash with a Predictable Salt
Major Potential_Mitigations, References
Minor None
761 Free of Pointer not at Start of Buffer
Major Potential_Mitigations
Minor None
762 Mismatched Memory Management Routines
Major Demonstrative_Examples, Potential_Mitigations, References
Minor None
763 Release of Invalid Pointer or Reference
Major Potential_Mitigations
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Related_Attack_Patterns
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Applicable_Platforms, Demonstrative_Examples
Minor None
805 Buffer Access with Incorrect Length Value
Major Potential_Mitigations, References
Minor None
806 Buffer Access Using Size of Source Buffer
Major Potential_Mitigations, References
Minor None
807 Reliance on Untrusted Inputs in a Security Decision
Major Potential_Mitigations
Minor None
839 Numeric Range Comparison Without Minimum Check
Major Relationships
Minor None
862 Missing Authorization
Major Relationships
Minor None
916 Use of Password Hash With Insufficient Computational Effort
Major Potential_Mitigations, References
Minor None
923 Improper Restriction of Communication Channel to Intended Endpoints
Major Description, Name, Relationships
Minor None
925 Improper Verification of Intent by Broadcast Receiver
Major Alternate_Terms, Demonstrative_Examples, Description, References
Minor None
926 Improper Export of Android Application Components
Major Background_Details, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Potential_Mitigations, References
Minor None
927 Use of Implicit Intent for Sensitive Communication
Major Demonstrative_Examples, Description, References
Minor None

More information is available — Please select a different filter.
Page Last Updated: January 05, 2017