Differences between 2.8 and 2.9

Summary
Total (2.9) 1004
Total (2.8) 1003
Total new 1
Total deprecated 0
Total shared 1003
Total important changes 115
Total major changes 119
Total minor changes 0
Total minor changes (no major)
Total unchanged 884

Summary of Entry Types

Type 2.8 2.9
Category 243 243
Chain 3 3
Composite 5 5
Deprecated 14 14
View 32 33
Weakness 706 706

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 1 0
Description 2 0
Applicable_Platforms 1 0
Time_of_Introduction 0 0
Demonstrative_Examples 4 0
Detection_Factors 0 0
Likelihood_of_Exploit 0 0
Common_Consequences 0 0
Relationships 114 0
References 1 0
Potential_Mitigations 0 0
Observed_Examples 1 0
Terminology_Notes 0 0
Alternate_Terms 0 0
Related_Attack_Patterns 3 0
Relationship_Notes 0 0
Taxonomy_Mappings 0 0
Maintenance_Notes 0 0
Modes_of_Introduction 1 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 0 0
Background_Details 0 0
Theoretical_Notes 0 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 0 0
Other_Notes 0 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 0 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 1003

Status Changes

From To Total
Unchanged 1003

Relationship Changes

The "2.9 Total" lists the total number of relationships in 2.9. The "Shared" value is the total number of relationships in entries that were in both 2.9 and 2.8. The "New" value is the total number of relationships involving entries that did not exist in 2.8. Thus, the total number of relationships in 2.9 would combine stats from Shared entries and New entries.

Relationship  2.9 Total  2.8 Total  2.9 Shared  Unchanged  Added to 2.9  Removed from 2.8  2.9 New
ALL                7915       7687        7909       7687           222                 0        6
ChildOf            3383       3272        3383       3272           111                 0        0
ParentOf           3383       3272        3383       3272           111                 0        0
MemberOf            347        344         344        344             0                 0        3
HasMember           347        344         344        344             0                 0        3
CanPrecede          121        121         121        121             0                 0        0
CanFollow           121        121         121        121             0                 0        0
StartsWith            3          3           3          3             0                 0        0
Requires             17         17          17         17             0                 0        0
RequiredBy           17         17          17         17             0                 0        0
CanAlsoBe            34         34          34         34             0                 0        0
PeerOf              142        142         142        142             0                 0        0

Nodes Removed from 2.8

CWE-ID CWE Name
None.

Nodes Added to 2.9

CWE-ID CWE Name
1003 Weaknesses for Simplified Mapping of Published Vulnerabilities

Nodes Deprecated in 2.9

CWE-ID CWE Name
None.
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 2 Environment
R 16 Configuration
R 17 Code
R 18 Source Code
R 19 Data Handling
R 20 Improper Input Validation
R 21 Pathname Traversal and Equivalence Errors
R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
R 59 Improper Link Resolution Before File Access ('Link Following')
R 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
R 88 Argument Injection or Modification
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
R 91 XML Injection (aka Blind XPath Injection)
R 93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
R 94 Improper Control of Generation of Code ('Code Injection')
R 99 Improper Control of Resource Identifiers ('Resource Injection')
R 113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
R 116 Improper Encoding or Escaping of Output
R 118 Improper Access of Indexable Resource ('Range Error')
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 123 Write-what-where Condition
R 125 Out-of-bounds Read
R 129 Improper Validation of Array Index
DNR 134 Use of Externally-Controlled Format String
R 137 Representation Errors
R 171 Cleansing, Canonicalization, and Comparison Errors
R 172 Encoding Error
R 184 Incomplete Blacklist
R 185 Incorrect Regular Expression
R 189 Numeric Errors
R 190 Integer Overflow or Wraparound
R 191 Integer Underflow (Wrap or Wraparound)
R 200 Information Exposure
R 220 Sensitive Data Under FTP Root
R 254 Security Features
R 255 Credentials Management
R 264 Permissions, Privileges, and Access Controls
R 284 Improper Access Control
R 285 Improper Authorization
R 287 Improper Authentication
R 295 Improper Certificate Validation
R 297 Improper Validation of Certificate with Host Mismatch
R 306 Missing Authentication for Critical Function
R 310 Cryptographic Issues
R 320 Key Management Errors
R 326 Inadequate Encryption Strength
R 327 Use of a Broken or Risky Cryptographic Algorithm
R 330 Use of Insufficiently Random Values
R 331 Insufficient Entropy
R 332 Insufficient Entropy in PRNG
R 338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
R 345 Insufficient Verification of Data Authenticity
R 347 Improper Verification of Cryptographic Signature
R 352 Cross-Site Request Forgery (CSRF)
R 358 Improperly Implemented Security Check for Standard
R 361 Time and State
R 362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
R 369 Divide By Zero
R 371 State Issues
R 384 Session Fixation
R 388 Error Handling
R 398 Indicator of Poor Code Quality
R 399 Resource Management Errors
R 400 Uncontrolled Resource Consumption ('Resource Exhaustion')
R 404 Improper Resource Shutdown or Release
R 405 Asymmetric Resource Consumption (Amplification)
R 407 Algorithmic Complexity
R 415 Double Free
R 416 Use After Free
R 417 Channel and Path Errors
R 426 Untrusted Search Path
R 427 Uncontrolled Search Path Element
R 428 Unquoted Search Path or Element
R 434 Unrestricted Upload of File with Dangerous Type
R 435 Interaction Error
R 436 Interpretation Conflict
R 441 Unintended Proxy or Intermediary ('Confused Deputy')
R 444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
R 472 External Control of Assumed-Immutable Web Parameter
R 476 NULL Pointer Dereference
R 485 Insufficient Encapsulation
R 502 Deserialization of Untrusted Data
R 532 Information Exposure Through Log Files
R 534 Information Exposure Through Debug Log Files
R 538 File and Directory Information Exposure
R 552 Files or Directories Accessible to External Parties
R 601 URL Redirection to Untrusted Site ('Open Redirect')
R 610 Externally Controlled Reference to a Resource in Another Sphere
R 611 Improper Restriction of XML External Entity Reference ('XXE')
R 640 Weak Password Recovery Mechanism for Forgotten Password
R 664 Improper Control of a Resource Through its Lifetime
R 665 Improper Initialization
R 668 Exposure of Resource to Wrong Sphere
R 669 Incorrect Resource Transfer Between Spheres
R 682 Incorrect Calculation
R 693 Protection Mechanism Failure
R 694 Use of Multiple Resources with Duplicate Identifier
R 704 Incorrect Type Conversion or Cast
R 707 Improper Enforcement of Message or Data Structure
R 749 Exposed Dangerous Method or Function
R 754 Improper Check for Unusual or Exceptional Conditions
R 769 File Descriptor Exhaustion
R 774 Allocation of File Descriptors or Handles Without Limits or Throttling
R 775 Missing Release of File Descriptor or Handle after Effective Lifetime
R 787 Out-of-bounds Write
D 788 Access of Memory Location After End of Buffer
R 798 Use of Hard-coded Credentials
R 824 Access of Uninitialized Pointer
R 913 Improper Control of Dynamically-Managed Code Resources
R 918 Server-Side Request Forgery (SSRF)
R 943 Improper Neutralization of Special Elements in Data Query Logic
Detailed Difference Report
2 Environment
Major Relationships
Minor None
16 Configuration
Major Relationships
Minor None
17 Code
Major Relationships
Minor None
18 Source Code
Major Relationships
Minor None
19 Data Handling
Major Relationships
Minor None
20 Improper Input Validation
Major Relationships
Minor None
21 Pathname Traversal and Equivalence Errors
Major Relationships
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Relationships
Minor None
59 Improper Link Resolution Before File Access ('Link Following')
Major Relationships
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Relationships
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Demonstrative_Examples, Relationships
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Relationships
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Relationships
Minor None
88 Argument Injection or Modification
Major Demonstrative_Examples, Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Relationships
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Relationships
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Relationships
Minor None
93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Major Relationships
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Relationships
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Relationships
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Relationships
Minor None
116 Improper Encoding or Escaping of Output
Major Relationships
Minor None
118 Improper Access of Indexable Resource ('Range Error')
Major Relationships
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Relationships
Minor None
123 Write-what-where Condition
Major Relationships
Minor None
125 Out-of-bounds Read
Major Relationships
Minor None
129 Improper Validation of Array Index
Major Relationships
Minor None
134 Use of Externally-Controlled Format String
Major Description, Modes_of_Introduction, Name, Relationships
Minor None
137 Representation Errors
Major Relationships
Minor None
171 Cleansing, Canonicalization, and Comparison Errors
Major Relationships
Minor None
172 Encoding Error
Major Relationships
Minor None
184 Incomplete Blacklist
Major Relationships
Minor None
185 Incorrect Regular Expression
Major Relationships
Minor None
189 Numeric Errors
Major Relationships
Minor None
190 Integer Overflow or Wraparound
Major Relationships
Minor None
191 Integer Underflow (Wrap or Wraparound)
Major Relationships
Minor None
200 Information Exposure
Major Relationships
Minor None
220 Sensitive Data Under FTP Root
Major Relationships
Minor None
254 Security Features
Major Relationships
Minor None
255 Credentials Management
Major Relationships
Minor None
259 Use of Hard-coded Password
Major Demonstrative_Examples
Minor None
261 Weak Cryptography for Passwords
Major Demonstrative_Examples
Minor None
264 Permissions, Privileges, and Access Controls
Major Relationships
Minor None
284 Improper Access Control
Major Relationships
Minor None
285 Improper Authorization
Major Relationships
Minor None
287 Improper Authentication
Major Relationships
Minor None
295 Improper Certificate Validation
Major Relationships
Minor None
297 Improper Validation of Certificate with Host Mismatch
Major Relationships
Minor None
306 Missing Authentication for Critical Function
Major Relationships
Minor None
310 Cryptographic Issues
Major Relationships
Minor None
311 Missing Encryption of Sensitive Data
Major Related_Attack_Patterns
Minor None
320 Key Management Errors
Major Relationships
Minor None
326 Inadequate Encryption Strength
Major Relationships
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Relationships
Minor None
330 Use of Insufficiently Random Values
Major Relationships
Minor None
331 Insufficient Entropy
Major Relationships
Minor None
332 Insufficient Entropy in PRNG
Major Relationships
Minor None
338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Major Relationships
Minor None
345 Insufficient Verification of Data Authenticity
Major Relationships
Minor None
347 Improper Verification of Cryptographic Signature
Major Relationships
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Relationships
Minor None
358 Improperly Implemented Security Check for Standard
Major Relationships
Minor None
361 Time and State
Major Relationships
Minor None
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Relationships
Minor None
369 Divide By Zero
Major Relationships
Minor None
371 State Issues
Major Relationships
Minor None
384 Session Fixation
Major Relationships
Minor None
388 Error Handling
Major Relationships
Minor None
398 Indicator of Poor Code Quality
Major Relationships
Minor None
399 Resource Management Errors
Major Relationships
Minor None
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major Related_Attack_Patterns, Relationships
Minor None
404 Improper Resource Shutdown or Release
Major Relationships
Minor None
405 Asymmetric Resource Consumption (Amplification)
Major Relationships
Minor None
407 Algorithmic Complexity
Major Relationships
Minor None
415 Double Free
Major Relationships
Minor None
416 Use After Free
Major Relationships
Minor None
417 Channel and Path Errors
Major Relationships
Minor None
426 Untrusted Search Path
Major Relationships
Minor None
427 Uncontrolled Search Path Element
Major Relationships
Minor None
428 Unquoted Search Path or Element
Major Relationships
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Relationships
Minor None
435 Interaction Error
Major Relationships
Minor None
436 Interpretation Conflict
Major Relationships
Minor None
441 Unintended Proxy or Intermediary ('Confused Deputy')
Major Relationships
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Major Relationships
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major Relationships
Minor None
476 NULL Pointer Dereference
Major Relationships
Minor None
485 Insufficient Encapsulation
Major Relationships
Minor None
502 Deserialization of Untrusted Data
Major Observed_Examples, References, Relationships
Minor None
532 Information Exposure Through Log Files
Major Relationships
Minor None
534 Information Exposure Through Debug Log Files
Major Relationships
Minor None
538 File and Directory Information Exposure
Major Relationships
Minor None
552 Files or Directories Accessible to External Parties
Major Relationships
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Relationships
Minor None
610 Externally Controlled Reference to a Resource in Another Sphere
Major Relationships
Minor None
611 Improper Restriction of XML External Entity Reference ('XXE')
Major Relationships
Minor None
640 Weak Password Recovery Mechanism for Forgotten Password
Major Relationships
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Relationships
Minor None
665 Improper Initialization
Major Relationships
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
669 Incorrect Resource Transfer Between Spheres
Major Relationships
Minor None
682 Incorrect Calculation
Major Relationships
Minor None
693 Protection Mechanism Failure
Major Relationships
Minor None
694 Use of Multiple Resources with Duplicate Identifier
Major Relationships
Minor None
704 Incorrect Type Conversion or Cast
Major Relationships
Minor None
707 Improper Enforcement of Message or Data Structure
Major Applicable_Platforms, Relationships
Minor None
749 Exposed Dangerous Method or Function
Major Relationships
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Relationships
Minor None
769 File Descriptor Exhaustion
Major Relationships
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Related_Attack_Patterns
Minor None
774 Allocation of File Descriptors or Handles Without Limits or Throttling
Major Relationships
Minor None
775 Missing Release of File Descriptor or Handle after Effective Lifetime
Major Relationships
Minor None
787 Out-of-bounds Write
Major Relationships
Minor None
788 Access of Memory Location After End of Buffer
Major Description
Minor None
798 Use of Hard-coded Credentials
Major Relationships
Minor None
824 Access of Uninitialized Pointer
Major Relationships
Minor None
913 Improper Control of Dynamically-Managed Code Resources
Major Relationships
Minor None
918 Server-Side Request Forgery (SSRF)
Major Relationships
Minor None
943 Improper Neutralization of Special Elements in Data Query Logic
Major Relationships
Minor None

Page Last Updated: January 05, 2017