Common Weakness Enumeration

Differences between Version 2.6 and Version 2.7

Summary
Total (Version 2.7) 945
Total (Version 2.6) 943
Total new 2
Total deprecated 0
Total shared 943
Total important changes 75
Total major changes 141
Total minor changes 3
Total minor changes (no major) 1
Total unchanged 801

Summary of Entry Types

Type Version 2.6 Version 2.7
Category 186 186
Chain 3 3
Composite 5 5
Deprecated 14 14
View 31 31
Weakness 704 706

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 2 0
Description 42 0
Applicable_Platforms 11 0
Time_of_Introduction 2 0
Demonstrative_Examples 14 1
Detection_Factors 1 0
Likelihood_of_Exploit 0 0
Common_Consequences 10 0
Relationships 35 0
References 7 0
Potential_Mitigations 20 0
Observed_Examples 12 2
Terminology_Notes 1 0
Alternate_Terms 1 0
Related_Attack_Patterns 8 0
Relationship_Notes 10 0
Taxonomy_Mappings 0 0
Maintenance_Notes 0 0
Modes_of_Introduction 11 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 3 0
Background_Details 1 0
Theoretical_Notes 3 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 3 0
Other_Notes 76 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 0 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged (all 943 shared entries keep their form and abstraction) 943

Status Changes

From To Total
Unchanged (all 943 shared entries keep their status) 943

Relationship Changes

The "Version 2.7 Total" lists the total number of relationships in Version 2.7. The "Shared" value is the total number of relationships in entries that were in both Version 2.7 and Version 2.6. The "New" value is the total number of relationships involving entries that did not exist in Version 2.6. Thus, the total number of relationships in Version 2.7 would combine stats from Shared entries and New entries.

Relationship  Version 2.7  Version 2.6  Version 2.7  Unchanged  Added to     Removed from  Version 2.7
              Total        Total        Shared                  Version 2.7  Version 2.6   New
ALL           7573         7509         7545         7501       44           8             28
ChildOf       3215         3183         3201         3179       22           4             14
ParentOf      3215         3183         3201         3179       22           4             14
MemberOf      344          344          344          344        0            0             0
HasMember     344          344          344          344        0            0             0
CanPrecede    121          121          121          121        0            0             0
CanFollow     121          121          121          121        0            0             0
StartsWith    3            3            3            3          0            0             0
Requires      17           17           17           17         0            0             0
RequiredBy    17           17           17           17         0            0             0
CanAlsoBe     34           34           34           34         0            0             0
PeerOf        142          142          142          142        0            0             0

Nodes Removed from Version 2.6

CWE-ID CWE Name
None.

Nodes Added to Version 2.7

CWE-ID CWE Name
942 Overly Permissive Cross-domain Whitelist
943 Improper Neutralization of Special Elements in Data Query Logic

Nodes Deprecated in Version 2.7

CWE-ID CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.
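The accounting rules this report relies on (whitespace-insensitive comparison with a minor/major split in Field Change Summary, the Shared/New/Added/Removed bookkeeping in Relationship Changes with every mutual relationship counted once per endpoint, and the D/N/R "important" rule above) are compact enough to implement and check. The following is an added example written for this page, not code from MITRE or the CWE project; the node graph it runs on is constructed and is not real CWE content, and it assumes StartsWith is recorded in one direction only since the table lists no inverse for it.

```python
"""Added example (not part of the CWE report): the report's change-accounting
rules, run on a constructed graph that is NOT real CWE content."""
import re
from collections import Counter

# Mutual relationship pairs. The report records one relationship between A
# and B once for A and once for B, so ParentOf/ChildOf totals always agree.
INVERSE = {
    "ParentOf": "ChildOf", "ChildOf": "ParentOf",
    "HasMember": "MemberOf", "MemberOf": "HasMember",
    "CanPrecede": "CanFollow", "CanFollow": "CanPrecede",
    "Requires": "RequiredBy", "RequiredBy": "Requires",
    "PeerOf": "PeerOf", "CanAlsoBe": "CanAlsoBe",
    # StartsWith has no inverse in the table; assumed one-directional.
}


def _collapse(s: str) -> str:
    return re.sub(r"\s+", " ", s).strip()


def classify_text_change(old: str, new: str) -> str:
    """Return 'unchanged', 'minor' or 'major' using the report's rules:
    whitespace is ignored; a change that affects only capitalization and
    punctuation is minor; anything else is major."""
    if _collapse(old) == _collapse(new):
        return "unchanged"
    # Replace punctuation with spaces and fold case; if the remaining word
    # stream agrees, only capitalization/punctuation changed.
    def words(s):
        return _collapse(re.sub(r"[^\w\s]", " ", s)).casefold()
    return "minor" if words(old) == words(new) else "major"


def important_key(field_changes: dict) -> str:
    """Key letters of the Important Changes table: a major change to
    Description, Name or Relationships makes the entry important."""
    letters = {"Description": "D", "Name": "N", "Relationships": "R"}
    return "".join(k for f, k in letters.items() if field_changes.get(f) == "major")


def expand(edges):
    """Record each mutual relationship for both endpoints."""
    out = set()
    for a, rel, b in edges:
        out.add((a, rel, b))
        if rel in INVERSE:
            out.add((b, INVERSE[rel], a))
    return out


def relationship_stats(old_nodes, old_edges, new_nodes, new_edges):
    """Reproduce the columns of the Relationship Changes table. 'Shared'
    counts relationships whose endpoints both existed in the old version;
    a relationship touching a node absent from the old version is 'New'."""
    old, new = expand(old_edges), expand(new_edges)
    both = set(old_nodes) & set(new_nodes)

    def shared(e):
        return e[0] in both and e[2] in both
    old_shared = {e for e in old if shared(e)}
    new_shared = {e for e in new if shared(e)}
    stats = {
        "new_total": len(new),
        "old_total": len(old),
        "shared": len(new_shared),
        "unchanged": len(new_shared & old_shared),
        "added": len(new_shared - old_shared),
        "removed": len(old_shared - new_shared),
        "new_entries": len(new - new_shared),
        "by_type": dict(Counter(rel for _, rel, _ in new)),
    }
    # Identities the report states: Total = Shared + New; Shared = Unchanged + Added.
    assert stats["new_total"] == stats["shared"] + stats["new_entries"]
    assert stats["shared"] == stats["unchanged"] + stats["added"]
    return stats


# Constructed sample (hypothetical IDs and edges): node 943 is new in the
# later version, one edge from 74 was rerouted through it, one was added.
OLD_NODES = {74, 77, 89, 929}
OLD_EDGES = [(74, "ParentOf", 77), (74, "ParentOf", 89), (929, "HasMember", 89)]
NEW_NODES = {74, 77, 89, 929, 943}
NEW_EDGES = [(74, "ParentOf", 77), (74, "ParentOf", 943), (943, "ParentOf", 89),
             (929, "HasMember", 89), (929, "HasMember", 943), (77, "CanAlsoBe", 89)]


def demo():
    stats = relationship_stats(OLD_NODES, OLD_EDGES, NEW_NODES, NEW_EDGES)
    fields = {
        "Name": classify_text_change("Use of cryptographically weak PRNG",
                                     "Use of Cryptographically Weak PRNG"),
        "Description": classify_text_change(
            "The product uses a weak PRNG.",
            "The product uses a PRNG that is not cryptographically strong."),
        "Relationships": "major",
    }
    return stats, fields, important_key(fields)


if __name__ == "__main__":
    print(demo())
```

Running the sample gives 12 relationships in the new version, 6 shared (4 unchanged, 2 added), 2 removed and 6 involving the new node, and the entry keys as "DR": the capitalization-only Name change is minor and so does not count as important, which is exactly why the Name column above is small while Other_Notes dominates the major-change counts.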

Key
D Description
N Name
R Relationships

D 7 J2EE Misconfiguration: Missing Custom Error Page
D 9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
R 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
R 88 Argument Injection or Modification
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
R 91 XML Injection (aka Blind XPath Injection)
D R 99 Improper Control of Resource Identifiers ('Resource Injection')
D 105 Struts: Form Field Without Validator
D 106 Struts: Plug-in Framework not in Use
D 110 Struts: Validator Without Form Field
D 157 Failure to Sanitize Paired Delimiters
R 183 Permissive Whitelist
D 188 Reliance on Data/Memory Layout
D 195 Signed to Unsigned Conversion Error
D 196 Unsigned to Signed Conversion Error
R 209 Information Exposure Through an Error Message
R 215 Information Exposure Through Debug Information
D 245 J2EE Bad Practices: Direct Management of Connections
D 246 J2EE Bad Practices: Direct Use of Sockets
D 253 Incorrect Check of Function Return Value
D R 256 Plaintext Storage of a Password
D 257 Storing Passwords in a Recoverable Format
R 284 Improper Access Control
R 287 Improper Authentication
R 311 Missing Encryption of Sensitive Data
R 319 Cleartext Transmission of Sensitive Information
R 320 Key Management Errors
R 325 Missing Required Cryptographic Step
R 327 Use of a Broken or Risky Cryptographic Algorithm
R 328 Reversible One-Way Hash
DN 338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
D 365 Race Condition in Switch
D 374 Passing Mutable Objects to an Untrusted Method
D 375 Returning a Mutable Object to an Untrusted Caller
D 382 J2EE Bad Practices: Use of System.exit()
D 395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
D 436 Interpretation Conflict
D 460 Improper Cleanup on Thrown Exception
D 467 Use of sizeof() on a Pointer Type
D 471 Modification of Assumed-Immutable Data (MAID)
D 474 Use of Function with Inconsistent Implementations
D 477 Use of Obsolete Functions
D 478 Missing Default Case in Switch Statement
D 480 Use of Incorrect Operator
D 487 Reliance on Package-level Scope
D 489 Leftover Debug Code
D 492 Use of Inner Class Containing Sensitive Data
D 501 Trust Boundary Violation
D 520 .NET Misconfiguration: Use of Impersonation
R 522 Insufficiently Protected Credentials
R 523 Unprotected Transport of Credentials
R 548 Information Exposure Through Directory Listing
D 562 Return of Stack Variable Address
DN 563 Assignment to Variable without Use ('Unused Variable')
D 579 J2EE Bad Practices: Non-serializable Object Stored in Session
D 594 J2EE Framework: Saving Unserializable Objects to Disk
R 613 Insufficient Session Expiration
D 617 Reachable Assertion
R 620 Unverified Password Change
D 621 Variable Extraction Error
D 626 Null Byte Interaction Error (Poison Null Byte)
R 640 Weak Password Recovery Mechanism for Forgotten Password
R 643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
R 652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
R 668 Exposure of Resource to Wrong Sphere
D 692 Incomplete Blacklist to Cross-Site Scripting
R 929 OWASP Top Ten 2013 Category A1 - Injection
R 930 OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
R 932 OWASP Top Ten 2013 Category A4 - Insecure Direct Object References
R 933 OWASP Top Ten 2013 Category A5 - Security Misconfiguration
R 934 OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
R 935 OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control

Detailed Difference Report
7 J2EE Misconfiguration: Missing Custom Error Page
Major Common_Consequences, Description, Other_Notes, Potential_Mitigations
Minor None
9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Major Description, Other_Notes
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Other_Notes, Research_Gaps
Minor Observed_Examples
44 Path Equivalence: 'file.name' (Internal Dot)
Major Other_Notes, Relationship_Notes
Minor None
45 Path Equivalence: 'file...name' (Multiple Internal Dot)
Major Other_Notes, Relationship_Notes
Minor None
48 Path Equivalence: 'file name' (Internal Whitespace)
Major Applicable_Platforms, Other_Notes, Relationship_Notes
Minor None
59 Improper Link Resolution Before File Access ('Link Following')
Major Common_Consequences, Other_Notes
Minor None
61 UNIX Symbolic Link (Symlink) Following
Major Modes_of_Introduction, Other_Notes
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Relationships
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Relationships
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Relationships
Minor None
88 Argument Injection or Modification
Major Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Relationships
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Relationships
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Relationships
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Enabling_Factors_for_Exploitation, Other_Notes, Relationship_Notes
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Alternate_Terms, Description, Relationship_Notes, Relationships
Minor None
105 Struts: Form Field Without Validator
Major Common_Consequences, Description, Modes_of_Introduction, Other_Notes
Minor None
106 Struts: Plug-in Framework not in Use
Major Description, Other_Notes, Potential_Mitigations
Minor None
108 Struts: Unvalidated Action Form
Major Other_Notes, Potential_Mitigations
Minor None
110 Struts: Validator Without Form Field
Major Description, Other_Notes
Minor None
112 Missing XML Validation
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Demonstrative_Examples
Minor None
116 Improper Encoding or Escaping of Output
Major References
Minor None
122 Heap-based Buffer Overflow
Major Observed_Examples
Minor None
125 Out-of-bounds Read
Major Related_Attack_Patterns
Minor None
126 Buffer Over-read
Major Observed_Examples
Minor None
129 Improper Validation of Array Index
Major None
Minor Demonstrative_Examples
130 Improper Handling of Length Parameter Inconsistency
Major Observed_Examples
Minor None
135 Incorrect Calculation of Multi-Byte String Length
Major Enabling_Factors_for_Exploitation, Other_Notes
Minor None
157 Failure to Sanitize Paired Delimiters
Major Applicable_Platforms, Demonstrative_Examples, Description
Minor None
159 Failure to Sanitize Special Element
Major Other_Notes
Minor None
169 Technology-Specific Special Elements
Major Applicable_Platforms, Modes_of_Introduction, Other_Notes, Potential_Mitigations
Minor None
170 Improper Null Termination
Major Observed_Examples
Minor None
183 Permissive Whitelist
Major Relationships
Minor None
185 Incorrect Regular Expression
Major Applicable_Platforms, Common_Consequences, Other_Notes, Relationship_Notes
Minor None
188 Reliance on Data/Memory Layout
Major Description, Other_Notes
Minor None
193 Off-by-one Error
Major References
Minor None
195 Signed to Unsigned Conversion Error
Major Demonstrative_Examples, Description
Minor None
196 Unsigned to Signed Conversion Error
Major Demonstrative_Examples, Description, Other_Notes
Minor None
200 Information Exposure
Major Related_Attack_Patterns
Minor None
208 Information Exposure Through Timing Discrepancy
Major Other_Notes, Related_Attack_Patterns
Minor None
209 Information Exposure Through an Error Message
Major Relationships
Minor None
210 Information Exposure Through Self-generated Error Message
Major Other_Notes
Minor None
213 Intentional Information Exposure
Major Other_Notes, Relationship_Notes, Theoretical_Notes
Minor None
215 Information Exposure Through Debug Information
Major Relationships
Minor None
245 J2EE Bad Practices: Direct Management of Connections
Major Description, Other_Notes
Minor None
246 J2EE Bad Practices: Direct Use of Sockets
Major Description, Other_Notes
Minor None
252 Unchecked Return Value
Major Demonstrative_Examples, Potential_Mitigations
Minor None
253 Incorrect Check of Function Return Value
Major Description, Other_Notes
Minor None
256 Plaintext Storage of a Password
Major Description, Modes_of_Introduction, Other_Notes, Potential_Mitigations, Relationships
Minor None
257 Storing Passwords in a Recoverable Format
Major Description, Other_Notes
Minor None
262 Not Using Password Aging
Major Other_Notes, Potential_Mitigations
Minor None
273 Improper Check for Dropped Privileges
Major Background_Details, Other_Notes, Potential_Mitigations
Minor None
284 Improper Access Control
Major Relationships
Minor None
287 Improper Authentication
Major Relationships
Minor None
295 Improper Certificate Validation
Major Observed_Examples
Minor None
300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Major Observed_Examples
Minor None
311 Missing Encryption of Sensitive Data
Major Relationships
Minor None
319 Cleartext Transmission of Sensitive Information
Major Relationships
Minor None
320 Key Management Errors
Major Relationships
Minor None
325 Missing Required Cryptographic Step
Major Relationships
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Relationships
Minor None
328 Reversible One-Way Hash
Major Relationships
Minor None
330 Use of Insufficiently Random Values
Major Related_Attack_Patterns
Minor None
338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Major Applicable_Platforms, Description, Name, Other_Notes
Minor None
344 Use of Invariant Value in Dynamically Changing Context
Major Other_Notes
Minor None
346 Origin Validation Error
Major Related_Attack_Patterns
Minor None
364 Signal Handler Race Condition
Major Demonstrative_Examples, References
Minor None
365 Race Condition in Switch
Major Common_Consequences, Description, Other_Notes, Potential_Mitigations
Minor None
374 Passing Mutable Objects to an Untrusted Method
Major Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, References
Minor None
375 Returning a Mutable Object to an Untrusted Caller
Major Description, Other_Notes, Potential_Mitigations
Minor None
378 Creation of Temporary File With Insecure Permissions
Major Potential_Mitigations
Minor None
382 J2EE Bad Practices: Use of System.exit()
Major Description, Modes_of_Introduction, Other_Notes, Potential_Mitigations
Minor None
391 Unchecked Error Condition
Major Other_Notes
Minor None
393 Return of Wrong Status Code
Major Observed_Examples
Minor None
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major Description, Other_Notes
Minor None
399 Resource Management Errors
Major Other_Notes
Minor None
404 Improper Resource Shutdown or Release
Major Related_Attack_Patterns
Minor None
410 Insufficient Resource Pool
Major Other_Notes, Potential_Mitigations
Minor None
421 Race Condition During Access to Alternate Channel
Major Other_Notes
Minor None
436 Interpretation Conflict
Major Applicable_Platforms, Description, Observed_Examples, Other_Notes, References
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Major Other_Notes, Potential_Mitigations, Theoretical_Notes
Minor None
452 Initialization and Cleanup Errors
Major Other_Notes, Research_Gaps
Minor None
457 Use of Uninitialized Variable
Major Modes_of_Introduction, Other_Notes
Minor None
459 Incomplete Cleanup
Major Common_Consequences, Other_Notes, Relationship_Notes
Minor None
460 Improper Cleanup on Thrown Exception
Major Description, Other_Notes
Minor None
467 Use of sizeof() on a Pointer Type
Major Description, Other_Notes
Minor None
468 Incorrect Pointer Scaling
Major Modes_of_Introduction, Other_Notes
Minor None
469 Use of Pointer Subtraction to Determine Size
Major Other_Notes
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Applicable_Platforms, Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationship_Notes, Theoretical_Notes, Time_of_Introduction
Minor None
474 Use of Function with Inconsistent Implementations
Major Applicable_Platforms, Description, Other_Notes
Minor None
477 Use of Obsolete Functions
Major Description, Other_Notes, Potential_Mitigations
Minor None
478 Missing Default Case in Switch Statement
Major Description, Other_Notes, Potential_Mitigations
Minor None
480 Use of Incorrect Operator
Major Applicable_Platforms, Description, Detection_Factors, Other_Notes
Minor None
483 Incorrect Block Delimitation
Major Observed_Examples
Minor None
487 Reliance on Package-level Scope
Major Description, Other_Notes, Potential_Mitigations
Minor None
489 Leftover Debug Code
Major Description, Modes_of_Introduction, Other_Notes, Time_of_Introduction
Minor None
492 Use of Inner Class Containing Sensitive Data
Major Description, Other_Notes
Minor None
501 Trust Boundary Violation
Major Description, Other_Notes
Minor None
514 Covert Channel
Major Related_Attack_Patterns
Minor None
520 .NET Misconfiguration: Use of Impersonation
Major Description, Other_Notes
Minor None
522 Insufficiently Protected Credentials
Major Other_Notes, Relationships
Minor None
523 Unprotected Transport of Credentials
Major Other_Notes, Relationships
Minor None
548 Information Exposure Through Directory Listing
Major Relationships
Minor None
549 Missing Password Field Masking
Major Other_Notes
Minor None
561 Dead Code
Major Observed_Examples
Minor None
562 Return of Stack Variable Address
Major Description, Other_Notes
Minor None
563 Assignment to Variable without Use ('Unused Variable')
Major Common_Consequences, Description, Name, Other_Notes
Minor None
579 J2EE Bad Practices: Non-serializable Object Stored in Session
Major Description, Other_Notes
Minor None
594 J2EE Framework: Saving Unserializable Objects to Disk
Major Description, Other_Notes
Minor None
595 Comparison of Object References Instead of Object Contents
Major Applicable_Platforms, Common_Consequences
Minor None
605 Multiple Binds to the Same Port
Major Enabling_Factors_for_Exploitation, Other_Notes
Minor None
613 Insufficient Session Expiration
Major Relationships
Minor None
617 Reachable Assertion
Major Common_Consequences, Description, Other_Notes
Minor None
620 Unverified Password Change
Major Relationships
Minor None
621 Variable Extraction Error
Major Description, Other_Notes
Minor None
624 Executable Regular Expression Error
Major Observed_Examples
Minor None
625 Permissive Regular Expression
Major Modes_of_Introduction, Other_Notes
Minor None
626 Null Byte Interaction Error (Poison Null Byte)
Major Description, Other_Notes, Research_Gaps, Terminology_Notes
Minor None
640 Weak Password Recovery Mechanism for Forgotten Password
Major Relationships
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major Relationships
Minor None
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major Relationships
Minor None
655 Insufficient Psychological Acceptability
Major Demonstrative_Examples
Minor None
656 Reliance on Security Through Obscurity
Major Other_Notes, Relationship_Notes
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
689 Permission Race Condition During Resource Copy
Major Modes_of_Introduction, Other_Notes
Minor Observed_Examples
690 Unchecked Return Value to NULL Pointer Dereference
Major Modes_of_Introduction, Other_Notes
Minor None
692 Incomplete Blacklist to Cross-Site Scripting
Major Applicable_Platforms, Description, Other_Notes
Minor None
705 Incorrect Control Flow Scoping
Major Observed_Examples
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Related_Attack_Patterns
Minor None
787 Out-of-bounds Write
Major Demonstrative_Examples
Minor None
788 Access of Memory Location After End of Buffer
Major Demonstrative_Examples
Minor None
805 Buffer Access with Incorrect Length Value
Major Demonstrative_Examples
Minor None
828 Signal Handler with Functionality that is not Asynchronous-Safe
Major Demonstrative_Examples, References
Minor None
831 Signal Handler Function Associated with Multiple Signals
Major Demonstrative_Examples, References
Minor None
929 OWASP Top Ten 2013 Category A1 - Injection
Major Relationships
Minor None
930 OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
Major Relationships
Minor None
932 OWASP Top Ten 2013 Category A4 - Insecure Direct Object References
Major Relationships
Minor None
933 OWASP Top Ten 2013 Category A5 - Security Misconfiguration
Major Relationships
Minor None
934 OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
Major Relationships
Minor None
935 OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control
Major Relationships
Minor None

Page Last Updated: January 05, 2017