CWE - Differences between Version 3.0 and Version 3.1

Home > CWE List > Reports > Differences between Version 3.0 and Version 3.1

Differences between Version 3.0 and Version 3.1

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total entries (Version 3.1)	1040
Total weaknesses/chains/composites (Version 3.1)	716
Total entries (Version 3.0)	1023
Total weaknesses/chains/composites (Version 3.0)	714
Total new	17
Total deprecated	4
Total shared	1023
Total important changes	94
Total major changes	145
Total minor changes	96
Total minor changes (no major)	78
Total unchanged	800

Summary of Entry Types

Type	Version 3.0	Version 3.1
Category	237	247
Chain	3	3
Composite	5	4
Deprecated	41	45
View	31	32
Weakness	706	709

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	9	0
Description	18	3
Applicable_Platforms	1	1
Time_of_Introduction	8	0
Demonstrative_Examples	10	0
Detection_Factors	2	0
Likelihood_of_Exploit	0	0
Common_Consequences	8	0
Relationships	85	0
References	63	89
Potential_Mitigations	11	3
Observed_Examples	6	0
Terminology_Notes	0	0
Alternate_Terms	3	0
Related_Attack_Patterns	0	0
Relationship_Notes	3	0
Taxonomy_Mappings	3	0
Maintenance_Notes	2	0
Modes_of_Introduction	6	0
Affected_Resources	1	0
Functional_Areas	0	0
Research_Gaps	1	0
Background_Details	1	0
Theoretical_Notes	0	0
Weakness_Ordinalities	0	0
White_Box_Definitions	0	0
Enabling_Factors_for_Exploitation	0	0
Other_Notes	3	0
Relevant_Properties	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	3	0
Common_Methods_of_Exploitation	0	0
Type	11	0
Causal_Nature	0	0
Source_Taxonomy	0	0
Context_Notes	0	0
Black_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total	CWE IDs
Unchanged		1012
Composite	Weakness/Base	1	426
Weakness/Base	Deprecated	1	596
Weakness/Base	Weakness/Class	1	400
Weakness/Base	Weakness/Variant	5	14, 187, 312, 319, 595
Weakness/Variant	Deprecated	3	533, 534, 542

Status Changes

From	To	Total
Unchanged		1018
Draft	Deprecated	1
Draft	Incomplete	1
Incomplete	Deprecated	3

Relationship Changes

The "Version 3.1 Total" lists the total number of relationships in Version 3.1. The "Shared" value is the total number of relationships in entries that were in both Version 3.1 and Version 3.0. The "New" value is the total number of relationships involving entries that did not exist in Version 3.0. Thus, the total number of relationships in Version 3.1 would combine stats from Shared entries and New entries.

Relationship	Version 3.1 Total	Version 3.0 Total	Version 3.1 Shared	Unchanged	Added to Version 3.1	Removed from Version 3.0	Version 3.1 New
ALL	8227	8132	8079	8062	17	70	148
ChildOf	3528	3490	3464	3458	6	32	64
ParentOf	3528	3490	3464	3458	6	32	64
MemberOf	359	349	349	349			10
HasMember	359	349	349	349			10
CanPrecede	130	130	130	130
CanFollow	130	130	130	130
StartsWith	3	3	3	3
Requires	14	17	14	14		3
RequiredBy	14	17	14	14		3
CanAlsoBe	32	29	32	29	3
PeerOf	130	128	130	128	2

Nodes Removed from Version 3.0

CWE-ID	CWE Name
None.

Nodes Added to Version 3.1

CWE-ID	CWE Name
1023	Incomplete Comparison with Missing Factors
1024	Comparison of Incompatible Types
1025	Comparison Using Wrong Factors
1026	Weaknesses in OWASP Top Ten (2017)
1027	OWASP Top Ten 2017 Category A1 - Injection
1028	OWASP Top Ten 2017 Category A2 - Broken Authentication
1029	OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure
1030	OWASP Top Ten 2017 Category A4 - XML External Entities (XXE)
1031	OWASP Top Ten 2017 Category A5 - Broken Access Control
1032	OWASP Top Ten 2017 Category A6 - Security Misconfiguration
1033	OWASP Top Ten 2017 Category A7 - Cross-Site Scripting (XSS)
1034	OWASP Top Ten 2017 Category A8 - Insecure Deserialization
1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
1036	OWASP Top Ten 2017 Category A10 - Insufficient Logging & Monitoring
1037	Processor Optimization Removal or Modification of Security-critical Code
1038	Insecure Automated Optimizations
1039	Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations

Nodes Deprecated in Version 3.1

CWE-ID	CWE Name
533	DEPRECATED: Information Exposure Through Server Log Files
534	DEPRECATED: Information Exposure Through Debug Log Files
542	DEPRECATED: Information Exposure Through Cleanup Log Files
596	DEPRECATED: Incorrect Semantic Object Comparison

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

		R	16	Configuration
		R	19	Data Processing Errors
		R	22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
		R	74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
		R	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
		R	78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
D		R	79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
		R	88	Argument Injection or Modification
		R	89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
		R	90	Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
		R	91	XML Injection (aka Blind XPath Injection)
D			125	Out-of-bounds Read
		R	171	Cleansing, Canonicalization, and Comparison Errors
		R	184	Incomplete Blacklist
	N	R	187	Partial String Comparison
		R	209	Information Exposure Through an Error Message
		R	216	Containment Errors (Container Errors)
		R	220	Sensitive Data Under FTP Root
		R	223	Omission of Security-relevant Information
	N	R	256	Unprotected Storage of Credentials
		R	275	Permission Issues
		R	284	Improper Access Control
		R	285	Improper Authorization
		R	287	Improper Authentication
		R	295	Improper Certificate Validation
D			297	Improper Validation of Certificate with Host Mismatch
		R	308	Use of Single-factor Authentication
		R	310	Cryptographic Issues
		R	311	Missing Encryption of Sensitive Data
		R	312	Cleartext Storage of Sensitive Information
		R	319	Cleartext Transmission of Sensitive Information
		R	320	Key Management Errors
		R	325	Missing Required Cryptographic Step
		R	326	Inadequate Encryption Strength
		R	327	Use of a Broken or Risky Cryptographic Algorithm
		R	328	Reversible One-Way Hash
		R	359	Exposure of Private Information ('Privacy Violation')
		R	372	Incomplete Internal State Distinction
		R	384	Session Fixation
		R	425	Direct Request ('Forced Browsing')
		R	426	Untrusted Search Path
		R	428	Unquoted Search Path or Element
D	N	R	435	Improper Interaction Between Multiple Correctly-Behaving Entities
		R	438	Behavioral Problems
		R	471	Modification of Assumed-Immutable Data (MAID)
		R	478	Missing Default Case in Switch Statement
		R	486	Comparison of Classes by Name
		R	502	Deserialization of Untrusted Data
		R	522	Insufficiently Protected Credentials
		R	523	Unprotected Transport of Credentials
D		R	532	Information Exposure Through Log Files
D	N	R	533	DEPRECATED: Information Exposure Through Server Log Files
D	N	R	534	DEPRECATED: Information Exposure Through Debug Log Files
D	N	R	542	DEPRECATED: Information Exposure Through Cleanup Log Files
		R	548	Information Exposure Through Directory Listing
		R	564	SQL Injection: Hibernate
		R	569	Expression Issues
		R	581	Object Model Violation: Just One of Equals and Hashcode Defined
D		R	595	Comparison of Object References Instead of Object Contents
D	N	R	596	DEPRECATED: Incorrect Semantic Object Comparison
		R	611	Improper Restriction of XML External Entity Reference ('XXE')
		R	613	Insufficient Session Expiration
		R	620	Unverified Password Change
		R	639	Authorization Bypass Through User-Controlled Key
		R	640	Weak Password Recovery Mechanism for Forgotten Password
		R	643	Improper Neutralization of Data within XPath Expressions ('XPath Injection')
		R	652	Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
		R	664	Improper Control of a Resource Through its Lifetime
		R	693	Protection Mechanism Failure
D	N	R	697	Incorrect Comparison
D			699	Development Concepts
		R	706	Use of Incorrectly-Resolved Name or Reference
		R	731	OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
		R	733	Compiler Optimization Removal or Modification of Security-critical Code
		R	758	Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
		R	776	Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
		R	778	Insufficient Logging
D			787	Out-of-bounds Write
D			839	Numeric Range Comparison Without Minimum Check
		R	840	Business Logic Errors
		R	857	CERT Java Secure Coding Section 12 - Input Output (FIO)
		R	917	Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
		R	929	OWASP Top Ten 2013 Category A1 - Injection
		R	930	OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
		R	932	OWASP Top Ten 2013 Category A4 - Insecure Direct Object References
		R	934	OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
		R	935	OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control
		R	943	Improper Neutralization of Special Elements in Data Query Logic
		R	963	SFP Secondary Cluster: Exposed Data
		R	977	SFP Secondary Cluster: Design
D			1000	Research Concepts
D			1007	Insufficient Visual Distinction of Homoglyphs Presented to User
D			1008	Architectural Concepts
D	N		1022	Use of Web Link to Untrusted Target with window.opener Access

Detailed Difference Report

13	ASP.NET Misconfiguration: Password in Configuration File
	Major	Demonstrative_Examples
	Minor	None
14	Compiler Removal of Code to Clear Buffers
	Major	References, Type
	Minor	None
16	Configuration
	Major	Relationships
	Minor	None
19	Data Processing Errors
	Major	Relationships
	Minor	None
20	Improper Input Validation
	Major	References
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	References, Relationships
	Minor	None
23	Relative Path Traversal
	Major	None
	Minor	References
36	Absolute Path Traversal
	Major	None
	Minor	References
40	Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
	Major	None
	Minor	References
58	Path Equivalence: Windows 8.3 Filename
	Major	References
	Minor	None
59	Improper Link Resolution Before File Access ('Link Following')
	Major	None
	Minor	References
61	UNIX Symbolic Link (Symlink) Following
	Major	None
	Minor	References
62	UNIX Hard Link
	Major	None
	Minor	References
65	Windows Hard Link
	Major	None
	Minor	References
67	Improper Handling of Windows Device Names
	Major	References
	Minor	None
69	Improper Handling of Windows ::DATA Alternate Data Stream
	Major	References
	Minor	None
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
	Major	Relationships
	Minor	None
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Relationships
	Minor	None
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
	Major	Relationships
	Minor	References
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	Major	Alternate_Terms, Demonstrative_Examples, Description, Observed_Examples, References, Relationship_Notes, Relationships
	Minor	Applicable_Platforms
88	Argument Injection or Modification
	Major	Relationships
	Minor	References
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	References, Relationships
	Minor	None
90	Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
	Major	Relationships
	Minor	None
91	XML Injection (aka Blind XPath Injection)
	Major	Relationships
	Minor	References
95	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
	Major	None
	Minor	References
116	Improper Encoding or Escaping of Output
	Major	References
	Minor	None
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	References
	Minor	None
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	References
	Minor	None
121	Stack-based Buffer Overflow
	Major	References
	Minor	None
122	Heap-based Buffer Overflow
	Major	References
	Minor	None
125	Out-of-bounds Read
	Major	Description
	Minor	None
126	Buffer Over-read
	Major	Demonstrative_Examples
	Minor	None
128	Wrap-around Error
	Major	None
	Minor	References
129	Improper Validation of Array Index
	Major	References
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	References
	Minor	Potential_Mitigations
134	Use of Externally-Controlled Format String
	Major	References
	Minor	None
135	Incorrect Calculation of Multi-Byte String Length
	Major	References
	Minor	None
141	Improper Neutralization of Parameter/Argument Delimiters
	Major	None
	Minor	References
142	Improper Neutralization of Value Delimiters
	Major	None
	Minor	References
143	Improper Neutralization of Record Delimiters
	Major	None
	Minor	References
144	Improper Neutralization of Line Delimiters
	Major	None
	Minor	References
145	Improper Neutralization of Section Delimiters
	Major	None
	Minor	References
146	Improper Neutralization of Expression/Command Delimiters
	Major	None
	Minor	References
158	Improper Neutralization of Null Byte or NUL Character
	Major	None
	Minor	References
170	Improper Null Termination
	Major	Demonstrative_Examples
	Minor	None
171	Cleansing, Canonicalization, and Comparison Errors
	Major	References, Relationships
	Minor	None
176	Improper Handling of Unicode Encoding
	Major	None
	Minor	References
179	Incorrect Behavior Order: Early Validation
	Major	None
	Minor	References
182	Collapse of Data into Unsafe Value
	Major	None
	Minor	References
183	Permissive Whitelist
	Major	None
	Minor	References
184	Incomplete Blacklist
	Major	Observed_Examples, Relationships
	Minor	References
185	Incorrect Regular Expression
	Major	References
	Minor	None
187	Partial String Comparison
	Major	Name, Observed_Examples, Relationships, Type
	Minor	None
188	Reliance on Data/Memory Layout
	Major	None
	Minor	References
190	Integer Overflow or Wraparound
	Major	References
	Minor	Potential_Mitigations
192	Integer Coercion Error
	Major	None
	Minor	References
193	Off-by-one Error
	Major	Demonstrative_Examples
	Minor	References
195	Signed to Unsigned Conversion Error
	Major	None
	Minor	References
196	Unsigned to Signed Conversion Error
	Major	None
	Minor	References
197	Numeric Truncation Error
	Major	None
	Minor	References
209	Information Exposure Through an Error Message
	Major	References, Relationships
	Minor	None
210	Information Exposure Through Self-generated Error Message
	Major	None
	Minor	References
216	Containment Errors (Container Errors)
	Major	Relationships
	Minor	None
220	Sensitive Data Under FTP Root
	Major	Relationships
	Minor	None
223	Omission of Security-relevant Information
	Major	Relationships
	Minor	References
224	Obscured Security-relevant Information by Alternate Name
	Major	References
	Minor	None
242	Use of Inherently Dangerous Function
	Major	References
	Minor	None
250	Execution with Unnecessary Privileges
	Major	References
	Minor	None
252	Unchecked Return Value
	Major	References
	Minor	None
253	Incorrect Check of Function Return Value
	Major	None
	Minor	References
256	Unprotected Storage of Credentials
	Major	Name, Relationships
	Minor	None
264	Permissions, Privileges, and Access Controls
	Major	References
	Minor	None
269	Improper Privilege Management
	Major	None
	Minor	References
270	Privilege Context Switching Error
	Major	References
	Minor	None
271	Privilege Dropping / Lowering Errors
	Major	None
	Minor	References
275	Permission Issues
	Major	Relationships
	Minor	None
276	Incorrect Default Permissions
	Major	None
	Minor	References
284	Improper Access Control
	Major	References, Relationships
	Minor	Description
285	Improper Authorization
	Major	References, Relationships
	Minor	None
287	Improper Authentication
	Major	References, Relationships
	Minor	None
290	Authentication Bypass by Spoofing
	Major	None
	Minor	References
293	Using Referer Field for Authentication
	Major	None
	Minor	References
295	Improper Certificate Validation
	Major	Background_Details, Modes_of_Introduction, Potential_Mitigations, Relationships
	Minor	None
296	Improper Following of a Certificate's Chain of Trust
	Major	Modes_of_Introduction, Observed_Examples, Potential_Mitigations, Time_of_Introduction
	Minor	None
297	Improper Validation of Certificate with Host Mismatch
	Major	Common_Consequences, Description, Detection_Factors, Modes_of_Introduction, Potential_Mitigations, References, Time_of_Introduction
	Minor	None
298	Improper Validation of Certificate Expiration
	Major	Common_Consequences, Modes_of_Introduction, Potential_Mitigations, Time_of_Introduction
	Minor	None
299	Improper Check for Certificate Revocation
	Major	Modes_of_Introduction, Potential_Mitigations, Time_of_Introduction
	Minor	None
301	Reflection Attack in an Authentication Protocol
	Major	None
	Minor	References
308	Use of Single-factor Authentication
	Major	Relationships
	Minor	None
310	Cryptographic Issues
	Major	References, Relationships
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	References, Relationships
	Minor	None
312	Cleartext Storage of Sensitive Information
	Major	References, Relationships, Type
	Minor	None
319	Cleartext Transmission of Sensitive Information
	Major	References, Relationships, Type
	Minor	None
320	Key Management Errors
	Major	Relationships
	Minor	None
322	Key Exchange without Entity Authentication
	Major	None
	Minor	References
325	Missing Required Cryptographic Step
	Major	Relationships
	Minor	None
326	Inadequate Encryption Strength
	Major	References, Relationships
	Minor	None
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	References, Relationships
	Minor	None
328	Reversible One-Way Hash
	Major	Relationships
	Minor	References
329	Not Using a Random IV with CBC Mode
	Major	None
	Minor	References
330	Use of Insufficiently Random Values
	Major	References
	Minor	None
350	Reliance on Reverse DNS Resolution for a Security-Critical Action
	Major	None
	Minor	References
352	Cross-Site Request Forgery (CSRF)
	Major	References, Relationship_Notes, Research_Gaps
	Minor	None
359	Exposure of Private Information ('Privacy Violation')
	Major	Relationships
	Minor	None
363	Race Condition Enabling Link Following
	Major	None
	Minor	References
364	Signal Handler Race Condition
	Major	None
	Minor	References
366	Race Condition within a Thread
	Major	None
	Minor	References
367	Time-of-check Time-of-use (TOCTOU) Race Condition
	Major	None
	Minor	References
372	Incomplete Internal State Distinction
	Major	Maintenance_Notes, Relationships
	Minor	None
377	Insecure Temporary File
	Major	References
	Minor	None
379	Creation of Temporary File in Directory with Incorrect Permissions
	Major	None
	Minor	References
384	Session Fixation
	Major	Relationships
	Minor	None
400	Uncontrolled Resource Consumption ('Resource Exhaustion')
	Major	References, Type
	Minor	None
410	Insufficient Resource Pool
	Major	References
	Minor	None
415	Double Free
	Major	None
	Minor	References
422	Unprotected Windows Messaging Channel ('Shatter')
	Major	None
	Minor	References
425	Direct Request ('Forced Browsing')
	Major	Relationships
	Minor	None
426	Untrusted Search Path
	Major	Demonstrative_Examples, References, Relationships, Type
	Minor	None
428	Unquoted Search Path or Element
	Major	Relationships
	Minor	References
430	Deployment of Wrong Handler
	Major	None
	Minor	References
431	Missing Handler
	Major	None
	Minor	References
433	Unparsed Raw Web Content Delivery
	Major	None
	Minor	References
434	Unrestricted Upload of File with Dangerous Type
	Major	None
	Minor	References
435	Improper Interaction Between Multiple Correctly-Behaving Entities
	Major	Alternate_Terms, Description, Name, References, Relationships
	Minor	None
436	Interpretation Conflict
	Major	References
	Minor	None
438	Behavioral Problems
	Major	Relationships
	Minor	None
456	Missing Initialization of a Variable
	Major	None
	Minor	References
457	Use of Uninitialized Variable
	Major	None
	Minor	References
463	Deletion of Data Structure Sentinel
	Major	None
	Minor	References
468	Incorrect Pointer Scaling
	Major	None
	Minor	References
471	Modification of Assumed-Immutable Data (MAID)
	Major	Relationships
	Minor	None
472	External Control of Assumed-Immutable Web Parameter
	Major	None
	Minor	References
478	Missing Default Case in Switch Statement
	Major	Relationships
	Minor	References
479	Signal Handler Use of a Non-reentrant Function
	Major	None
	Minor	References
480	Use of Incorrect Operator
	Major	None
	Minor	References
481	Assigning instead of Comparing
	Major	None
	Minor	References
482	Comparing instead of Assigning
	Major	None
	Minor	References
484	Omitted Break Statement in Switch
	Major	None
	Minor	References
486	Comparison of Classes by Name
	Major	Relationships
	Minor	None
502	Deserialization of Untrusted Data
	Major	Relationships
	Minor	None
507	Trojan Horse
	Major	References
	Minor	None
522	Insufficiently Protected Credentials
	Major	Relationships
	Minor	None
523	Unprotected Transport of Credentials
	Major	Relationships
	Minor	None
532	Information Exposure Through Log Files
	Major	Description, Potential_Mitigations, Relationships
	Minor	None
533	DEPRECATED: Information Exposure Through Server Log Files
	Major	Affected_Resources, Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
	Minor	None
534	DEPRECATED: Information Exposure Through Debug Log Files
	Major	Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
	Minor	None
542	DEPRECATED: Information Exposure Through Cleanup Log Files
	Major	Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
	Minor	None
548	Information Exposure Through Directory Listing
	Major	Relationships
	Minor	None
564	SQL Injection: Hibernate
	Major	Relationships
	Minor	None
569	Expression Issues
	Major	Relationships
	Minor	None
581	Object Model Violation: Just One of Equals and Hashcode Defined
	Major	Relationships
	Minor	None
595	Comparison of Object References Instead of Object Contents
	Major	Applicable_Platforms, Common_Consequences, Description, Other_Notes, Potential_Mitigations, References, Relationships, Type
	Minor	None
596	DEPRECATED: Incorrect Semantic Object Comparison
	Major	Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Relationships, Time_of_Introduction, Type
	Minor	None
597	Use of Wrong Operator in String Comparison
	Major	None
	Minor	References
602	Client-Side Enforcement of Server-Side Security
	Major	References
	Minor	None
603	Use of Client-Side Authentication
	Major	None
	Minor	References
606	Unchecked Input for Loop Condition
	Major	None
	Minor	References
609	Double-Checked Locking
	Major	None
	Minor	References
611	Improper Restriction of XML External Entity Reference ('XXE')
	Major	Relationships
	Minor	None
613	Insufficient Session Expiration
	Major	Relationships
	Minor	None
618	Exposed Unsafe ActiveX Method
	Major	None
	Minor	References
620	Unverified Password Change
	Major	Relationships
	Minor	None
623	Unsafe ActiveX Control Marked Safe For Scripting
	Major	References
	Minor	None
625	Permissive Regular Expression
	Major	None
	Minor	References
639	Authorization Bypass Through User-Controlled Key
	Major	Relationships
	Minor	None
640	Weak Password Recovery Mechanism for Forgotten Password
	Major	Relationships
	Minor	None
643	Improper Neutralization of Data within XPath Expressions ('XPath Injection')
	Major	Relationships
	Minor	References
648	Incorrect Use of Privileged APIs
	Major	Observed_Examples
	Minor	None
652	Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
	Major	Relationships
	Minor	None
664	Improper Control of a Resource Through its Lifetime
	Major	Relationships
	Minor	None
665	Improper Initialization
	Major	None
	Minor	References
676	Use of Potentially Dangerous Function
	Major	References
	Minor	None
681	Incorrect Conversion between Numeric Types
	Major	None
	Minor	References
682	Incorrect Calculation
	Major	None
	Minor	References
689	Permission Race Condition During Resource Copy
	Major	None
	Minor	References
693	Protection Mechanism Failure
	Major	Relationships
	Minor	None
697	Incorrect Comparison
	Major	Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Observed_Examples, Relationships
	Minor	None
699	Development Concepts
	Major	Description, View_Audience
	Minor	None
704	Incorrect Type Conversion or Cast
	Major	None
	Minor	Description
706	Use of Incorrectly-Resolved Name or Reference
	Major	Relationships
	Minor	None
731	OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
	Major	Relationships
	Minor	None
732	Incorrect Permission Assignment for Critical Resource
	Major	None
	Minor	References
733	Compiler Optimization Removal or Modification of Security-critical Code
	Major	References, Relationships
	Minor	Description
758	Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
	Major	Relationships
	Minor	None
759	Use of a One-Way Hash without a Salt
	Major	References
	Minor	None
760	Use of a One-Way Hash with a Predictable Salt
	Major	References
	Minor	None
770	Allocation of Resources Without Limits or Throttling
	Major	References
	Minor	None
774	Allocation of File Descriptors or Handles Without Limits or Throttling
	Major	None
	Minor	References
775	Missing Release of File Descriptor or Handle after Effective Lifetime
	Major	None
	Minor	References
776	Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
	Major	Relationships
	Minor	None
778	Insufficient Logging
	Major	Relationships
	Minor	References
783	Operator Precedence Logic Error
	Major	None
	Minor	References
784	Reliance on Cookies without Validation and Integrity Checking in a Security Decision
	Major	References
	Minor	None
787	Out-of-bounds Write
	Major	Description
	Minor	None
789	Uncontrolled Memory Allocation
	Major	None
	Minor	References
798	Use of Hard-coded Credentials
	Major	References
	Minor	Potential_Mitigations
805	Buffer Access with Incorrect Length Value
	Major	References
	Minor	None
823	Use of Out-of-range Pointer Offset
	Major	None
	Minor	References
824	Access of Uninitialized Pointer
	Major	None
	Minor	References
833	Deadlock
	Major	References
	Minor	None
834	Excessive Iteration
	Major	None
	Minor	References
835	Loop with Unreachable Exit Condition ('Infinite Loop')
	Major	None
	Minor	References
839	Numeric Range Comparison Without Minimum Check
	Major	Description
	Minor	References
840	Business Logic Errors
	Major	Relationships
	Minor	None
843	Access of Resource Using Incompatible Type ('Type Confusion')
	Major	None
	Minor	References
857	CERT Java Secure Coding Section 12 - Input Output (FIO)
	Major	Relationships
	Minor	None
862	Missing Authorization
	Major	References
	Minor	None
863	Incorrect Authorization
	Major	References
	Minor	None
917	Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
	Major	Relationships
	Minor	None
918	Server-Side Request Forgery (SSRF)
	Major	References
	Minor	None
928	Weaknesses in OWASP Top Ten (2013)
	Major	Relationship_Notes
	Minor	None
929	OWASP Top Ten 2013 Category A1 - Injection
	Major	Relationships
	Minor	None
930	OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
	Major	Relationships
	Minor	None
932	OWASP Top Ten 2013 Category A4 - Insecure Direct Object References
	Major	Relationships
	Minor	None
934	OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
	Major	Relationships
	Minor	None
935	OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control
	Major	Relationships
	Minor	None
943	Improper Neutralization of Special Elements in Data Query Logic
	Major	Relationships
	Minor	None
963	SFP Secondary Cluster: Exposed Data
	Major	Relationships
	Minor	None
977	SFP Secondary Cluster: Design
	Major	Relationships
	Minor	None
1000	Research Concepts
	Major	Description, Other_Notes, View_Audience
	Minor	None
1007	Insufficient Visual Distinction of Homoglyphs Presented to User
	Major	Demonstrative_Examples, Description, References
	Minor	None
1008	Architectural Concepts
	Major	Description, Other_Notes, View_Audience
	Minor	None
1022	Use of Web Link to Untrusted Target with window.opener Access
	Major	Alternate_Terms, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, References
	Minor	None

Page Last Updated: March 28, 2018


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration