Common Weakness Enumeration

A Community-Developed List of Software Weakness Types


Differences between Version 2.9 and Version 2.10

Summary
Total (Version 2.10) 1005
Total (Version 2.9) 1004
Total new 1
Total deprecated 1
Total shared 1004
Total important changes 127
Total major changes 142
Total minor changes 5
Total minor changes (no major) 4
Total unchanged 858

Summary of Entry Types

Type Version 2.9 Version 2.10
Category 243 242
Chain 3 3
Composite 5 5
Deprecated 14 15
View 33 33
Weakness 706 707

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 1 0
Description 2 0
Applicable_Platforms 4 4
Time_of_Introduction 0 0
Demonstrative_Examples 0 1
Detection_Factors 0 0
Likelihood_of_Exploit 0 0
Common_Consequences 0 0
Relationships 126 0
References 0 0
Potential_Mitigations 0 0
Observed_Examples 0 0
Terminology_Notes 0 0
Alternate_Terms 0 0
Related_Attack_Patterns 16 0
Relationship_Notes 0 0
Taxonomy_Mappings 1 0
Maintenance_Notes 11 0
Modes_of_Introduction 0 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 1 0
Background_Details 0 0
Theoretical_Notes 0 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 0 0
Other_Notes 0 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 3 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 1001
Category Deprecated 1
Weakness/Base Weakness/Class 1
Weakness/Variant Weakness/Base 1

Status Changes

From To Total
Unchanged 1003
Draft Deprecated 1

Relationship Changes

The "Version 2.10 Total" lists the total number of relationships in Version 2.10. The "Shared" value is the total number of relationships in entries that were in both Version 2.10 and Version 2.9. The "New" value is the total number of relationships involving entries that did not exist in Version 2.9. Thus, the total number of relationships in Version 2.10 would combine stats from Shared entries and New entries.

A dash marks a cell that is empty in the report.

Relationship   v2.10 Total  v2.9 Total  v2.10 Shared  Unchanged  Added to v2.10  Removed from v2.9  v2.10 New
ALL                   7953        7915          7947       7791             156                124          6
ChildOf               3384        3383          3381       3327              54                 56          3
ParentOf              3384        3383          3381       3327              54                 56          3
MemberOf               365         347           365        341              24                  6          -
HasMember              365         347           365        341              24                  6          -
CanPrecede             121         121           121        121               -                  -          -
CanFollow              121         121           121        121               -                  -          -
StartsWith               3           3             3          3               -                  -          -
Requires                17          17            17         17               -                  -          -
RequiredBy              17          17            17         17               -                  -          -
CanAlsoBe               34          34            34         34               -                  -          -
PeerOf                 142         142           142        142               -                  -          -

Nodes Removed from Version 2.9

CWE-ID CWE Name
None.

Nodes Added to Version 2.10

CWE-ID CWE Name
1004 Sensitive Cookie Without 'HttpOnly' Flag

Nodes Deprecated in Version 2.10

CWE-ID CWE Name
445 DEPRECATED: User Interface Errors

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 1 Location
R 2 Environment
R 3 Technology-specific Environment Issues
R 4 J2EE Environment Issues
R 14 Compiler Removal of Code to Clear Buffers
R 15 External Control of System or Configuration Setting
R 16 Configuration
R 17 Code
R 18 Source Code
R 19 Data Handling
R 20 Improper Input Validation
R 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
R 98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
R 99 Improper Control of Resource Identifiers ('Resource Injection')
R 100 Technology-Specific Input Validation Problems
R 112 Missing XML Validation
R 116 Improper Encoding or Escaping of Output
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 128 Wrap-around Error
R 136 Type Errors
R 138 Improper Neutralization of Special Elements
R 171 Cleansing, Canonicalization, and Comparison Errors
R 179 Incorrect Behavior Order: Early Validation
R 180 Incorrect Behavior Order: Validate Before Canonicalize
R 181 Incorrect Behavior Order: Validate Before Filter
R 189 Numeric Errors
R 190 Integer Overflow or Wraparound
R 195 Signed to Unsigned Conversion Error
R 227 Improper Fulfillment of API Contract ('API Abuse')
R 228 Improper Handling of Syntactically Invalid Structure
R 254 Security Features
R 287 Improper Authentication
R 295 Improper Certificate Validation
R 310 Cryptographic Issues
R 317 Cleartext Storage of Sensitive Information in GUI
R 347 Improper Verification of Cryptographic Signature
R 355 User Interface Security Issues
R 361 Time and State
R 388 Error Handling
R 398 Indicator of Poor Code Quality
R 399 Resource Management Errors
R 400 Uncontrolled Resource Consumption ('Resource Exhaustion')
R 404 Improper Resource Shutdown or Release
R 417 Channel and Path Errors
R 429 Handler Errors
R 435 Interaction Error
R 436 Interpretation Conflict
R 438 Behavioral Problems
R 441 Unintended Proxy or Intermediary ('Confused Deputy')
R 442 Web Problems
DNR 445 DEPRECATED: User Interface Errors
R 446 UI Discrepancy for Security Feature
R 450 Multiple Interpretations of UI Input
R 451 User Interface (UI) Misrepresentation of Critical Information
R 452 Initialization and Cleanup Errors
R 465 Pointer Issues
R 476 NULL Pointer Dereference
R 481 Assigning instead of Comparing
R 482 Comparing instead of Assigning
R 485 Insufficient Encapsulation
R 490 Mobile Code Issues
R 503 Byte/Object Code
R 504 Motivation/Intent
R 505 Intentionally Introduced Weakness
R 518 Inadvertently Introduced Weakness
R 519 .NET Environment Issues
R 533 Information Exposure Through Server Log Files
R 534 Information Exposure Through Debug Log Files
R 542 Information Exposure Through Cleanup Log Files
R 552 Files or Directories Accessible to External Parties
R 554 ASP.NET Misconfiguration: Not Using Input Validation Framework
R 569 Expression Issues
R 573 Improper Following of Specification by Caller
R 610 Externally Controlled Reference to a Resource in Another Sphere
R 614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
R 617 Reachable Assertion
R 629 Weaknesses in OWASP Top Ten (2007)
R 631 Resource-specific Weaknesses
D 635 Weaknesses Used by NVD
R 642 External Control of Critical State Data
R 650 Trusting HTTP Permission Methods on the Server Side
R 657 Violation of Secure Design Principles
R 664 Improper Control of a Resource Through its Lifetime
R 668 Exposure of Resource to Wrong Sphere
R 670 Always-Incorrect Control Flow Implementation
R 675 Duplicate Operations on Resource
R 680 Integer Overflow to Buffer Overflow
R 690 Unchecked Return Value to NULL Pointer Dereference
R 691 Insufficient Control Flow Management
R 692 Incomplete Blacklist to Cross-Site Scripting
R 693 Protection Mechanism Failure
R 699 Development Concepts
R 701 Weaknesses Introduced During Design
R 702 Weaknesses Introduced During Implementation
R 703 Improper Check or Handling of Exceptional Conditions
R 704 Incorrect Type Conversion or Cast
R 705 Incorrect Control Flow Scoping
R 706 Use of Incorrectly-Resolved Name or Reference
R 707 Improper Enforcement of Message or Data Structure
R 710 Coding Standards Violation
R 732 Incorrect Permission Assignment for Critical Resource
R 733 Compiler Optimization Removal or Modification of Security-critical Code
R 754 Improper Check for Unusual or Exceptional Conditions
R 755 Improper Handling of Exceptional Conditions
R 757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
R 758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
R 759 Use of a One-Way Hash without a Salt
R 760 Use of a One-Way Hash with a Predictable Salt
R 771 Missing Reference to Active Allocated Resource
R 772 Missing Release of Resource after Effective Lifetime
R 784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
R 790 Improper Filtering of Special Elements
R 791 Incomplete Filtering of Special Elements
R 792 Incomplete Filtering of One or More Instances of Special Elements
R 793 Only Filtering One Instance of a Special Element
R 794 Incomplete Filtering of Multiple Instances of Special Elements
R 795 Only Filtering Special Elements at a Specified Location
R 796 Only Filtering Special Elements Relative to a Marker
R 797 Only Filtering Special Elements at an Absolute Position
R 829 Inclusion of Functionality from Untrusted Control Sphere
R 840 Business Logic Errors
R 862 Missing Authorization
R 913 Improper Control of Dynamically-Managed Code Resources
R 914 Improper Control of Dynamically-Identified Variables
R 916 Use of Password Hash With Insufficient Computational Effort
R 918 Server-Side Request Forgery (SSRF)
R 939 Improper Authorization in Handler for Custom URL Scheme

Detailed Difference Report
1 Location
Major Maintenance_Notes, Relationships
Minor None
2 Environment
Major Maintenance_Notes, Relationships
Minor None
3 Technology-specific Environment Issues
Major Maintenance_Notes, Relationships
Minor None
4 J2EE Environment Issues
Major Relationships
Minor None
14 Compiler Removal of Code to Clear Buffers
Major Relationships
Minor None
15 External Control of System or Configuration Setting
Major Relationships
Minor None
16 Configuration
Major Maintenance_Notes, Relationships
Minor None
17 Code
Major Maintenance_Notes, Relationships
Minor None
18 Source Code
Major Maintenance_Notes, Relationships
Minor None
19 Data Handling
Major Relationships
Minor None
20 Improper Input Validation
Major Related_Attack_Patterns, Relationships
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Related_Attack_Patterns
Minor None
23 Relative Path Traversal
Major Related_Attack_Patterns
Minor None
36 Absolute Path Traversal
Major Related_Attack_Patterns
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Relationships
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Related_Attack_Patterns
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major None
Minor Demonstrative_Examples
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Major Relationships
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Relationships
Minor None
100 Technology-Specific Input Validation Problems
Major Relationships
Minor None
112 Missing XML Validation
Major Relationships
Minor None
116 Improper Encoding or Escaping of Output
Major Relationships
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Relationships
Minor None
128 Wrap-around Error
Major Relationships
Minor None
130 Improper Handling of Length Parameter Inconsistency
Major Type
Minor None
136 Type Errors
Major Relationships
Minor None
138 Improper Neutralization of Special Elements
Major Relationships
Minor None
171 Cleansing, Canonicalization, and Comparison Errors
Major Relationships
Minor None
179 Incorrect Behavior Order: Early Validation
Major Relationships
Minor None
180 Incorrect Behavior Order: Validate Before Canonicalize
Major Relationships
Minor None
181 Incorrect Behavior Order: Validate Before Filter
Major Relationships
Minor None
189 Numeric Errors
Major Applicable_Platforms, Relationships
Minor None
190 Integer Overflow or Wraparound
Major Relationships
Minor None
195 Signed to Unsigned Conversion Error
Major Relationships
Minor None
201 Information Exposure Through Sent Data
Major Related_Attack_Patterns
Minor None
227 Improper Fulfillment of API Contract ('API Abuse')
Major Relationships
Minor None
228 Improper Handling of Syntactically Invalid Structure
Major Relationships
Minor None
254 Security Features
Major Relationships
Minor None
259 Use of Hard-coded Password
Major Related_Attack_Patterns
Minor None
287 Improper Authentication
Major Relationships
Minor None
295 Improper Certificate Validation
Major Relationships
Minor None
310 Cryptographic Issues
Major Relationships
Minor None
311 Missing Encryption of Sensitive Data
Major Related_Attack_Patterns
Minor None
317 Cleartext Storage of Sensitive Information in GUI
Major Relationships
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Related_Attack_Patterns
Minor None
347 Improper Verification of Cryptographic Signature
Major Relationships
Minor None
355 User Interface Security Issues
Major Applicable_Platforms, Relationships
Minor None
361 Time and State
Major Relationships
Minor None
388 Error Handling
Major Relationships
Minor None
398 Indicator of Poor Code Quality
Major Relationships
Minor None
399 Resource Management Errors
Major Relationships
Minor None
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major Relationships
Minor None
404 Improper Resource Shutdown or Release
Major Relationships
Minor None
417 Channel and Path Errors
Major Relationships
Minor None
429 Handler Errors
Major Relationships
Minor None
435 Interaction Error
Major Relationships
Minor None
436 Interpretation Conflict
Major Relationships
Minor None
438 Behavioral Problems
Major Relationships
Minor None
441 Unintended Proxy or Intermediary ('Confused Deputy')
Major Relationships
Minor None
442 Web Problems
Major Relationships
Minor None
445 DEPRECATED: User Interface Errors
Major Applicable_Platforms, Description, Name, Relationships, Research_Gaps, Taxonomy_Mappings, Type
Minor None
446 UI Discrepancy for Security Feature
Major Relationships
Minor None
450 Multiple Interpretations of UI Input
Major Relationships
Minor None
451 User Interface (UI) Misrepresentation of Critical Information
Major Relationships
Minor None
452 Initialization and Cleanup Errors
Major Relationships
Minor None
465 Pointer Issues
Major Relationships
Minor None
476 NULL Pointer Dereference
Major Relationships
Minor None
481 Assigning instead of Comparing
Major Relationships
Minor None
482 Comparing instead of Assigning
Major Relationships
Minor None
485 Insufficient Encapsulation
Major Relationships
Minor None
490 Mobile Code Issues
Major Relationships
Minor None
503 Byte/Object Code
Major Maintenance_Notes, Relationships
Minor None
504 Motivation/Intent
Major Maintenance_Notes, Relationships
Minor None
505 Intentionally Introduced Weakness
Major Relationships
Minor None
518 Inadvertently Introduced Weakness
Major Maintenance_Notes, Relationships
Minor None
519 .NET Environment Issues
Major Relationships
Minor None
524 Information Exposure Through Caching
Major Related_Attack_Patterns
Minor None
533 Information Exposure Through Server Log Files
Major Relationships
Minor None
534 Information Exposure Through Debug Log Files
Major Relationships
Minor None
542 Information Exposure Through Cleanup Log Files
Major Relationships
Minor None
552 Files or Directories Accessible to External Parties
Major Relationships
Minor None
554 ASP.NET Misconfiguration: Not Using Input Validation Framework
Major Relationships
Minor None
569 Expression Issues
Major Relationships
Minor None
573 Improper Following of Specification by Caller
Major Relationships
Minor None
610 Externally Controlled Reference to a Resource in Another Sphere
Major Relationships
Minor None
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major Relationships
Minor None
617 Reachable Assertion
Major Relationships
Minor None
629 Weaknesses in OWASP Top Ten (2007)
Major Relationships
Minor None
631 Resource-specific Weaknesses
Major Relationships
Minor None
635 Weaknesses Used by NVD
Major Description, Maintenance_Notes
Minor None
642 External Control of Critical State Data
Major Related_Attack_Patterns, Relationships
Minor None
650 Trusting HTTP Permission Methods on the Server Side
Major Relationships
Minor None
657 Violation of Secure Design Principles
Major Relationships
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Relationships
Minor None
665 Improper Initialization
Major Type
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
670 Always-Incorrect Control Flow Implementation
Major Relationships
Minor None
675 Duplicate Operations on Resource
Major Relationships
Minor None
680 Integer Overflow to Buffer Overflow
Major Relationships
Minor None
681 Incorrect Conversion between Numeric Types
Major None
Minor Applicable_Platforms
682 Incorrect Calculation
Major Applicable_Platforms
Minor None
690 Unchecked Return Value to NULL Pointer Dereference
Major Relationships
Minor None
691 Insufficient Control Flow Management
Major Relationships
Minor None
692 Incomplete Blacklist to Cross-Site Scripting
Major Relationships
Minor None
693 Protection Mechanism Failure
Major Relationships
Minor None
699 Development Concepts
Major Maintenance_Notes, Relationships
Minor None
701 Weaknesses Introduced During Design
Major Relationships
Minor None
702 Weaknesses Introduced During Implementation
Major Relationships
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Relationships
Minor None
704 Incorrect Type Conversion or Cast
Major Relationships
Minor None
705 Incorrect Control Flow Scoping
Major Relationships
Minor None
706 Use of Incorrectly-Resolved Name or Reference
Major Relationships
Minor None
707 Improper Enforcement of Message or Data Structure
Major Relationships
Minor None
710 Coding Standards Violation
Major Relationships
Minor None
728 OWASP Top Ten 2004 Category A7 - Improper Error Handling
Major Related_Attack_Patterns
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Related_Attack_Patterns, Relationships
Minor None
733 Compiler Optimization Removal or Modification of Security-critical Code
Major Relationships
Minor None
749 Exposed Dangerous Method or Function
Major None
Minor Applicable_Platforms
754 Improper Check for Unusual or Exceptional Conditions
Major Relationships
Minor None
755 Improper Handling of Exceptional Conditions
Major Relationships
Minor Applicable_Platforms
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Major Related_Attack_Patterns, Relationships
Minor None
758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Major Relationships
Minor None
759 Use of a One-Way Hash without a Salt
Major Relationships
Minor None
760 Use of a One-Way Hash with a Predictable Salt
Major Relationships
Minor None
770 Allocation of Resources Without Limits or Throttling
Major None
Minor Applicable_Platforms
771 Missing Reference to Active Allocated Resource
Major Relationships
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Relationships
Minor None
784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
Major Relationships
Minor None
790 Improper Filtering of Special Elements
Major Relationships
Minor None
791 Incomplete Filtering of Special Elements
Major Relationships
Minor None
792 Incomplete Filtering of One or More Instances of Special Elements
Major Relationships
Minor None
793 Only Filtering One Instance of a Special Element
Major Relationships
Minor None
794 Incomplete Filtering of Multiple Instances of Special Elements
Major Relationships
Minor None
795 Only Filtering Special Elements at a Specified Location
Major Relationships
Minor None
796 Only Filtering Special Elements Relative to a Marker
Major Relationships
Minor None
797 Only Filtering Special Elements at an Absolute Position
Major Relationships
Minor None
798 Use of Hard-coded Credentials
Major Related_Attack_Patterns
Minor None
807 Reliance on Untrusted Inputs in a Security Decision
Major Related_Attack_Patterns
Minor None
829 Inclusion of Functionality from Untrusted Control Sphere
Major Relationships
Minor None
840 Business Logic Errors
Major Relationships
Minor None
862 Missing Authorization
Major Relationships
Minor None
913 Improper Control of Dynamically-Managed Code Resources
Major Relationships
Minor None
914 Improper Control of Dynamically-Identified Variables
Major Relationships
Minor None
916 Use of Password Hash With Insufficient Computational Effort
Major Relationships
Minor None
918 Server-Side Request Forgery (SSRF)
Major Relationships
Minor None
939 Improper Authorization in Handler for Custom URL Scheme
Major Relationships
Minor None

Page Last Updated: January 19, 2017