CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types


Differences between Version 4.1 and Version 4.2

Summary
Total weaknesses/chains/composites (Version 4.2) 891
Total weaknesses/chains/composites (Version 4.1) 875
Total new 22
Total deprecated 0
Total with major changes 259
Total with only minor changes
Total unchanged 1028

Summary of Entry Types

Type Version 4.1 Version 4.2
Weakness 875 891
Category 312 316
View 39 41
Deprecated 61 61
Total 1287 1309

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 19 0
Description 44 0
Applicable_Platforms 10 0
Time_of_Introduction 0 0
Demonstrative_Examples 37 0
Detection_Factors 0 0
Likelihood_of_Exploit 0 0
Common_Consequences 14 0
Relationships 189 0
References 4 0
Potential_Mitigations 30 0
Observed_Examples 5 0
Terminology_Notes 0 0
Alternate_Terms 5 0
Related_Attack_Patterns 70 0
Relationship_Notes 0 0
Taxonomy_Mappings 0 0
Maintenance_Notes 6 0
Modes_of_Introduction 20 0
Research_Gaps 5 0
Background_Details 1 0
Theoretical_Notes 1 0
Weakness_Ordinalities 0 0
Other_Notes 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Type 0 0
Source_Taxonomy 0 0

Form and Abstraction Changes

From To Total CWE IDs
Unchanged 1287

Status Changes

From To Total
Unchanged 1287

Relationship Changes

The "Version 4.2 Total" lists the total number of relationships in Version 4.2. The "Shared" value is the total number of relationships in entries that were in both Version 4.2 and Version 4.1. The "New" value is the total number of relationships involving entries that did not exist in Version 4.1. Thus, the total number of relationships in Version 4.2 would combine stats from Shared entries and New entries.

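| Relationship | Version 4.2 Total | Version 4.1 Total | Version 4.2 Shared | Unchanged | Added to Version 4.2 | Removed from Version 4.1 | Version 4.2 New |
| --- | --- | --- | --- | --- | --- | --- | --- |
| ALL | 9241 | 8767 | 8875 | 8747 | 128 | 20 | 366 |
| ChildOf | 3857 | 3656 | 3708 | 3648 | 60 | 8 | 149 |
| ParentOf | 3857 | 3656 | 3708 | 3648 | 60 | 8 | 149 |
| MemberOf | 528 | 496 | 499 | 496 | 3 | | 29 |
| HasMember | 528 | 496 | 499 | 496 | 3 | | 29 |
| CanPrecede | 129 | 128 | 129 | 128 | 1 | | |
| CanFollow | 129 | 128 | 129 | 128 | 1 | | |
| StartsWith | 3 | 3 | 3 | 3 | | | |
| Requires | 13 | 13 | 13 | 13 | | | |
| RequiredBy | 13 | 13 | 13 | 13 | | | |
| CanAlsoBe | 28 | 28 | 28 | 28 | | | |
| PeerOf | 156 | 150 | 146 | 146 | | 4 | 10 |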

Nodes Removed from Version 4.1

CWE-ID CWE Name
None.

Software Nodes Added to Version 4.2

CWE-ID CWE Name
1293 Missing Source Correlation of Multiple Independent Data
1305 CISQ Quality Measures (2020)
1306 CISQ Quality Measures - Reliability
1307 CISQ Quality Measures - Maintainability
1308 CISQ Quality Measures - Security
1309 CISQ Quality Measures - Efficiency
1350 Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses

Hardware Nodes Added to Version 4.2

CWE-ID CWE Name
1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks
1290 Incorrect Decoding of Security Identifiers
1291 Public Key Re-Use for Signing both Debug and Production Code
1292 Incorrect Conversion of Security Identifiers
1294 Insecure Security Identifier Mechanism
1295 Debug Messages Revealing Unnecessary Information
1296 Incorrect Chaining or Granularity of Debug Components
1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors
1298 Hardware Logic Contains Race Conditions
1299 Missing Protection Mechanism for Alternate Hardware Interface
1300 Improper Protection Against Physical Side Channels
1301 Insufficient or Incomplete Data Removal within Hardware Component
1302 Missing Security Identifier
1303 Non-Transparent Sharing of Microarchitectural Resources
1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation

Nodes Deprecated in Version 4.2

CWE-ID CWE Name
None.
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 20 Improper Input Validation
R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
R 23 Relative Path Traversal
R 36 Absolute Path Traversal
R 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
R 88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
R 91 XML Injection (aka Blind XPath Injection)
R 94 Improper Control of Generation of Code ('Code Injection')
R 99 Improper Control of Resource Identifiers ('Resource Injection')
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
R 123 Write-what-where Condition
R 125 Out-of-bounds Read
R 129 Improper Validation of Array Index
R 130 Improper Handling of Length Parameter Inconsistency
R 131 Incorrect Calculation of Buffer Size
R 134 Use of Externally-Controlled Format String
R 170 Improper Null Termination
R 190 Integer Overflow or Wraparound
R 194 Unexpected Sign Extension
R 195 Signed to Unsigned Conversion Error
R 196 Unsigned to Signed Conversion Error
R 197 Numeric Truncation Error
D R 200 Exposure of Sensitive Information to an Unauthorized Actor
DN 201 Insertion of Sensitive Information Into Sent Data
DNR 203 Observable Differences in Behavior to Error Inputs
R 205 Observable Behavioral Discrepancy
DNR 226 Sensitive Information in Resource Not Removed Before Reuse
R 248 Uncaught Exception
R 252 Unchecked Return Value
R 259 Use of Hard-coded Password
R 260 Password in Configuration File
R 269 Improper Privilege Management
D 276 Incorrect Default Permissions
R 284 Improper Access Control
R 285 Improper Authorization
R 287 Improper Authentication
R 288 Authentication Bypass Using an Alternate Path or Channel
R 306 Missing Authentication for Critical Function
R 320 Key Management Errors
R 321 Use of Hard-coded Cryptographic Key
DN 325 Missing Cryptographic Step
R 345 Insufficient Verification of Data Authenticity
R 352 Cross-Site Request Forgery (CSRF)
R 362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
R 366 Race Condition within a Thread
R 369 Divide By Zero
R 390 Detection of Error Condition Without Action
R 391 Unchecked Error Condition
R 392 Missing Report of Error Condition
R 394 Unexpected Status Code or Return Value
R 400 Uncontrolled Resource Consumption
R 401 Missing Release of Memory after Effective Lifetime
R 404 Improper Resource Shutdown or Release
R 407 Inefficient Algorithmic Complexity
R 415 Double Free
R 416 Use After Free
R 420 Unprotected Alternate Channel
R 424 Improper Protection of Alternate Path
R 434 Unrestricted Upload of File with Dangerous Type
D 440 Expected Behavior Violation
D R 441 Unintended Proxy or Intermediary ('Confused Deputy')
R 456 Missing Initialization of a Variable
R 457 Use of Uninitialized Variable
R 459 Incomplete Cleanup
R 476 NULL Pointer Dereference
R 477 Use of Obsolete Function
R 478 Missing Default Case in Switch Statement
R 480 Use of Incorrect Operator
R 484 Omitted Break Statement in Switch
R 494 Download of Code Without Integrity Check
R 502 Deserialization of Untrusted Data
R 522 Insufficiently Protected Credentials
R 543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
R 555 J2EE Misconfiguration: Plaintext Password in Configuration File
R 561 Dead Code
R 562 Return of Stack Variable Address
R 564 SQL Injection: Hibernate
R 567 Unsynchronized Access to Shared Data in a Multithreaded Context
R 570 Expression is Always False
R 571 Expression is Always True
R 595 Comparison of Object References Instead of Object Contents
R 597 Use of Wrong Operator in String Comparison
R 606 Unchecked Input for Loop Condition
R 611 Improper Restriction of XML External Entity Reference
R 624 Executable Regular Expression Error
R 643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
R 652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
R 662 Improper Synchronization
R 664 Improper Control of a Resource Through its Lifetime
R 665 Improper Initialization
R 667 Improper Locking
R 672 Operation on a Resource after Expiration or Release
R 681 Incorrect Conversion between Numeric Types
R 682 Incorrect Calculation
R 689 Permission Race Condition During Resource Copy
R 693 Protection Mechanism Failure
R 699 Software Development
R 703 Improper Check or Handling of Exceptional Conditions
R 704 Incorrect Type Conversion or Cast
R 732 Incorrect Permission Assignment for Critical Resource
R 758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
R 764 Multiple Locks of a Critical Resource
R 772 Missing Release of Resource after Effective Lifetime
R 775 Missing Release of File Descriptor or Handle after Effective Lifetime
R 778 Insufficient Logging
R 783 Operator Precedence Logic Error
R 786 Access of Memory Location Before Start of Buffer
R 787 Out-of-bounds Write
R 788 Access of Memory Location After End of Buffer
R 789 Uncontrolled Memory Allocation
R 798 Use of Hard-coded Credentials
R 805 Buffer Access with Incorrect Length Value
R 820 Missing Synchronization
R 821 Incorrect Synchronization
R 822 Untrusted Pointer Dereference
R 823 Use of Out-of-range Pointer Offset
R 824 Access of Uninitialized Pointer
R 825 Expired Pointer Dereference
R 833 Deadlock
R 835 Loop with Unreachable Exit Condition ('Infinite Loop')
R 862 Missing Authorization
R 863 Incorrect Authorization
R 888 Software Fault Pattern (SFP) Clusters
R 908 Use of Uninitialized Resource
R 917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
R 1041 Use of Redundant Code
R 1042 Static Member Data Element outside of a Singleton Class Element
R 1043 Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
R 1045 Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
R 1046 Creation of Immutable Text Using String Concatenation
R 1047 Modules with Circular Dependencies
R 1048 Invokable Control Element with Large Number of Outward Calls
R 1049 Excessive Data Query Operations in a Large Data Table
R 1050 Excessive Platform Resource Consumption within a Loop
R 1051 Initialization with Hard-Coded Network Resource Configuration Data
R 1052 Excessive Use of Hard-Coded Literals in Initialization
R 1054 Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
R 1055 Multiple Inheritance from Concrete Classes
R 1057 Data Access Operations Outside of Expected Data Manager Component
R 1058 Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
R 1060 Excessive Number of Inefficient Server-Side Data Accesses
R 1062 Parent Class with References to Child Class
R 1064 Invokable Control Element with Signature Containing an Excessive Number of Parameters
R 1066 Missing Serialization Control Element
R 1067 Excessive Execution of Sequential Searches of Data Resource
R 1070 Serializable Data Element Containing non-Serializable Item Elements
R 1072 Data Resource Access without Use of Connection Pooling
R 1073 Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
R 1074 Class with Excessively Deep Inheritance
R 1075 Unconditional Control Flow Transfer outside of Switch Block
R 1077 Floating Point Comparison with Incorrect Operator
R 1079 Parent Class without Virtual Destructor Method
R 1080 Source Code File with Excessive Number of Lines of Code
R 1082 Class Instance Self Destruction Control Element
R 1083 Data Access from Outside Expected Data Manager Component
R 1084 Invokable Control Element with Excessive File or Data Access Operations
R 1085 Invokable Control Element with Excessive Volume of Commented-out Code
R 1086 Class with Excessive Number of Child Classes
R 1087 Class with Virtual Method without a Virtual Destructor
R 1088 Synchronous Access of Remote Resource without Timeout
R 1089 Large Data Table with Excessive Number of Indices
R 1090 Method Containing Access of a Member Element from Another Class
R 1091 Use of Object without Invoking Destructor Method
R 1094 Excessive Index Range Scan for a Data Resource
R 1095 Loop Condition Value Update within the Loop
R 1096 Singleton Class Instance Creation without Proper Locking or Synchronization
R 1097 Persistent Storable Data Element without Associated Comparison Control Element
R 1098 Data Element containing Pointer Item without Proper Copy Control Element
DNR 1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
DNR 1191 Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization
D 1192 System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers
R 1195 Manufacturing and Life Cycle Management Concerns
D 1197 Integration Issues
R 1198 Privilege Separation and Access Control Issues
R 1199 General Circuit and Logic Design Concerns
R 1201 Core and Compute Issues
R 1206 Power, Clock, and Reset Concerns
R 1207 Debug and Test Problems
R 1208 Cross-Cutting Problems
D 1232 Improper Lock Behavior After Power State Transition
D 1234 Hardware Internal or Debug Modes Allow Override of Locks
R 1236 Improper Neutralization of Formula Elements in a CSV File
R 1237 SFP Primary Cluster: Faulty Resource Release
R 1238 SFP Primary Cluster: Failure to Release Memory
D 1240 Use of a Risky Cryptographic Primitive
D 1241 Use of Predictable Algorithm in Random Number Generator
D 1242 Inclusion of Undocumented Features or Chicken Bits
DN 1243 Sensitive Non-Volatile Information Not Protected During Debug
N 1244 Improper Access to Sensitive Information Using Debug and Test Interfaces
D 1246 Improper Write Handling in Limited-write Non-Volatile Memories
DN 1247 Missing or Improperly Implemented Protection Against Voltage and Clock Glitches
D 1251 Mirrored Regions with Different Values
D 1253 Incorrect Selection of Fuse Values
R 1254 Incorrect Comparison Logic Granularity
D 1256 Hardware Features Enable Physical Attacks from Software
D 1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions
DNR 1258 Exposure of Sensitive System Information Due to Uncleared Debug Information
DNR 1259 Improper Restriction of Security Token Assignment
D 1260 Improper Handling of Overlap Between Protected Memory Ranges
D 1262 Register Interface Allows Software Access to Sensitive Data or Security Settings
DNR 1263 Improper Physical Access Control
D 1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels
D 1267 Policy Uses Obsolete Encoding
DN 1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents
D 1269 Product Released in Non-Release Configuration
DNR 1270 Generation of Incorrect Security Tokens
DNR 1271 Unitialized Value on Reset for Registers Holding Security Settings
DNR 1272 Sensitive Information Uncleared Before Debug/Power State Transition
D 1273 Device Unlock Credential Sharing
D 1274 Insufficient Protections on the Volatile Memory Containing Boot Code
DN 1276 Hardware Child Block Incorrectly Connected to Parent System
D 1277 Firmware Not Updateable
D 1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
DN 1279 Cryptographic Operations are run Before Supporting Units are Ready
D 1280 Access Control Check Implemented After Asset is Accessed
DN 1282 Assumed-Immutable Data is Stored in Writable Memory
Detailed Difference Report
20 Improper Input Validation
Major Potential_Mitigations, Related_Attack_Patterns, Relationships
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Relationships
Minor None
23 Relative Path Traversal
Major Relationships
Minor None
36 Absolute Path Traversal
Major Relationships
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Related_Attack_Patterns, Relationships
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Relationships
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Relationships
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Relationships
Minor None
88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Major Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Relationships
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Relationships
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Relationships
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Relationships
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Relationships
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Alternate_Terms, Relationships
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Alternate_Terms, Relationships
Minor None
123 Write-what-where Condition
Major Relationships
Minor None
125 Out-of-bounds Read
Major Observed_Examples, Potential_Mitigations, Relationships
Minor None
129 Improper Validation of Array Index
Major Potential_Mitigations, Relationships
Minor None
130 Improper Handling of Length Parameter Inconsistency
Major Relationships
Minor None
131 Incorrect Calculation of Buffer Size
Major Relationships
Minor None
134 Use of Externally-Controlled Format String
Major Relationships
Minor None
170 Improper Null Termination
Major Relationships
Minor None
190 Integer Overflow or Wraparound
Major Relationships
Minor None
194 Unexpected Sign Extension
Major Relationships
Minor None
195 Signed to Unsigned Conversion Error
Major Relationships
Minor None
196 Unsigned to Signed Conversion Error
Major Relationships
Minor None
197 Numeric Truncation Error
Major Relationships
Minor None
200 Exposure of Sensitive Information to an Unauthorized Actor
Major Alternate_Terms, Description, Maintenance_Notes, Related_Attack_Patterns, Relationships
Minor None
201 Insertion of Sensitive Information Into Sent Data
Major Description, Name
Minor None
203 Observable Differences in Behavior to Error Inputs
Major Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships, Research_Gaps
Minor None
205 Observable Behavioral Discrepancy
Major Relationships
Minor None
226 Sensitive Information in Resource Not Removed Before Reuse
Major Description, Name, Related_Attack_Patterns, Relationships
Minor None
248 Uncaught Exception
Major Relationships
Minor None
252 Unchecked Return Value
Major Relationships
Minor None
259 Use of Hard-coded Password
Major Relationships
Minor None
260 Password in Configuration File
Major Relationships
Minor None
262 Not Using Password Aging
Major Related_Attack_Patterns
Minor None
263 Password Aging with Long Expiration
Major Related_Attack_Patterns
Minor None
267 Privilege Defined With Unsafe Actions
Major Demonstrative_Examples
Minor None
269 Improper Privilege Management
Major Relationships
Minor None
276 Incorrect Default Permissions
Major Description, Modes_of_Introduction, Potential_Mitigations
Minor None
284 Improper Access Control
Major Relationships
Minor None
285 Improper Authorization
Major Relationships
Minor None
287 Improper Authentication
Major Relationships
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Relationships
Minor None
294 Authentication Bypass by Capture-replay
Major Related_Attack_Patterns
Minor None
295 Improper Certificate Validation
Major Related_Attack_Patterns
Minor None
306 Missing Authentication for Critical Function
Major Relationships
Minor None
307 Improper Restriction of Excessive Authentication Attempts
Major Related_Attack_Patterns
Minor None
308 Use of Single-factor Authentication
Major Related_Attack_Patterns
Minor None
309 Use of Password System for Primary Authentication
Major Related_Attack_Patterns
Minor None
320 Key Management Errors
Major Relationships
Minor None
321 Use of Hard-coded Cryptographic Key
Major Relationships
Minor None
325 Missing Cryptographic Step
Major Common_Consequences, Description, Modes_of_Introduction, Name
Minor None
345 Insufficient Verification of Data Authenticity
Major Relationships
Minor None
347 Improper Verification of Cryptographic Signature
Major Related_Attack_Patterns
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Relationships
Minor None
359 Exposure of Private Personal Information to an Unauthorized Actor
Major Related_Attack_Patterns
Minor None
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Relationships
Minor None
366 Race Condition within a Thread
Major Relationships
Minor None
369 Divide By Zero
Major Relationships
Minor None
390 Detection of Error Condition Without Action
Major Relationships
Minor None
391 Unchecked Error Condition
Major Relationships
Minor None
392 Missing Report of Error Condition
Major Relationships
Minor None
394 Unexpected Status Code or Return Value
Major Relationships
Minor None
400 Uncontrolled Resource Consumption
Major Relationships
Minor None
401 Missing Release of Memory after Effective Lifetime
Major Relationships
Minor None
404 Improper Resource Shutdown or Release
Major Relationships
Minor None
407 Inefficient Algorithmic Complexity
Major Relationships
Minor None
415 Double Free
Major Relationships
Minor None
416 Use After Free
Major Relationships
Minor None
420 Unprotected Alternate Channel
Major Relationships
Minor None
424 Improper Protection of Alternate Path
Major Relationships
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Relationships
Minor None
436 Interpretation Conflict
Major Related_Attack_Patterns
Minor None
440 Expected Behavior Violation
Major Description, Observed_Examples, Theoretical_Notes
Minor None
441 Unintended Proxy or Intermediary ('Confused Deputy')
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations, References, Relationships
Minor None
456 Missing Initialization of a Variable
Major Relationships
Minor None
457 Use of Uninitialized Variable
Major Relationships
Minor None
459 Incomplete Cleanup
Major Relationships
Minor None
476 NULL Pointer Dereference
Major Relationships
Minor None
477 Use of Obsolete Function
Major Relationships
Minor None
478 Missing Default Case in Switch Statement
Major Relationships
Minor None
480 Use of Incorrect Operator
Major Relationships
Minor None
484 Omitted Break Statement in Switch
Major Relationships
Minor None
494 Download of Code Without Integrity Check
Major Relationships
Minor None
502 Deserialization of Untrusted Data
Major Relationships
Minor None
521 Weak Password Requirements
Major Related_Attack_Patterns
Minor None
522 Insufficiently Protected Credentials
Major Related_Attack_Patterns, Relationships
Minor None
543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
Major Relationships
Minor None
552 Files or Directories Accessible to External Parties
Major Related_Attack_Patterns
Minor None
555 J2EE Misconfiguration: Plaintext Password in Configuration File
Major Relationships
Minor None
561 Dead Code
Major Relationships
Minor None
562 Return of Stack Variable Address
Major Relationships
Minor None
564 SQL Injection: Hibernate
Major Relationships
Minor None
567 Unsynchronized Access to Shared Data in a Multithreaded Context
Major Relationships
Minor None
570 Expression is Always False
Major Relationships
Minor None
571 Expression is Always True
Major Relationships
Minor None
595 Comparison of Object References Instead of Object Contents
Major Relationships
Minor None
597 Use of Wrong Operator in String Comparison
Major Relationships
Minor None
606 Unchecked Input for Loop Condition
Major Relationships
Minor None
611 Improper Restriction of XML External Entity Reference
Major Relationships
Minor None
624 Executable Regular Expression Error
Major Relationships
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major Relationships
Minor None
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major Relationships
Minor None
654 Reliance on a Single Factor in a Security Decision
Major Related_Attack_Patterns
Minor None
662 Improper Synchronization
Major Relationships
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Relationships
Minor None
665 Improper Initialization
Major Relationships
Minor None
667 Improper Locking
Major Relationships
Minor None
672 Operation on a Resource after Expiration or Release
Major Relationships
Minor None
681 Incorrect Conversion between Numeric Types
Major Relationships
Minor None
682 Incorrect Calculation
Major Relationships
Minor None
689 Permission Race Condition During Resource Copy
Major Relationships
Minor None
693 Protection Mechanism Failure
Major Related_Attack_Patterns, Relationships
Minor None
697 Incorrect Comparison
Major Related_Attack_Patterns
Minor None
699 Software Development
Major Relationships
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Relationships
Minor None
704 Incorrect Type Conversion or Cast
Major Relationships
Minor None
707 Improper Neutralization
Major Related_Attack_Patterns
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Relationships
Minor None
758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Major Relationships
Minor None
764 Multiple Locks of a Critical Resource
Major Relationships
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Relationships
Minor None
775 Missing Release of File Descriptor or Handle after Effective Lifetime
Major Relationships
Minor None
778 Insufficient Logging
Major Relationships
Minor None
783 Operator Precedence Logic Error
Major Relationships
Minor None
786 Access of Memory Location Before Start of Buffer
Major Relationships
Minor None
787 Out-of-bounds Write
Major Alternate_Terms, Demonstrative_Examples, Observed_Examples, Relationships
Minor None
788 Access of Memory Location After End of Buffer
Major Relationships
Minor None
789 Uncontrolled Memory Allocation
Major Relationships
Minor None
798 Use of Hard-coded Credentials
Major Relationships
Minor None
805 Buffer Access with Incorrect Length Value
Major Relationships
Minor None
820 Missing Synchronization
Major Relationships
Minor None
821 Incorrect Synchronization
Major Relationships
Minor None
822 Untrusted Pointer Dereference
Major Relationships
Minor None
823 Use of Out-of-range Pointer Offset
Major Relationships
Minor None
824 Access of Uninitialized Pointer
Major Relationships
Minor None
825 Expired Pointer Dereference
Major Relationships
Minor None
833 Deadlock
Major Relationships
Minor None
835 Loop with Unreachable Exit Condition ('Infinite Loop')
Major Relationships
Minor None
836 Use of Password Hash Instead of Password for Authentication
Major Related_Attack_Patterns
Minor None
862 Missing Authorization
Major Relationships
Minor None
863 Incorrect Authorization
Major Relationships
Minor None
888 Software Fault Pattern (SFP) Clusters
Major Relationships
Minor None
908 Use of Uninitialized Resource
Major Relationships
Minor None
917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Major Relationships
Minor None
1021 Improper Restriction of Rendered UI Layers or Frames
Major Related_Attack_Patterns
Minor None
1041 Use of Redundant Code
Major Relationships
Minor None
1042 Static Member Data Element outside of a Singleton Class Element
Major Relationships
Minor None
1043 Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
Major Relationships
Minor None
1045 Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
Major Relationships
Minor None
1046 Creation of Immutable Text Using String Concatenation
Major Relationships
Minor None
1047 Modules with Circular Dependencies
Major Relationships
Minor None
1048 Invokable Control Element with Large Number of Outward Calls
Major Relationships
Minor None
1049 Excessive Data Query Operations in a Large Data Table
Major Relationships
Minor None
1050 Excessive Platform Resource Consumption within a Loop
Major Relationships
Minor None
1051 Initialization with Hard-Coded Network Resource Configuration Data
Major Relationships
Minor None
1052 Excessive Use of Hard-Coded Literals in Initialization
Major Relationships
Minor None
1054 Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
Major Relationships
Minor None
1055 Multiple Inheritance from Concrete Classes
Major Relationships
Minor None
1057 Data Access Operations Outside of Expected Data Manager Component
Major Relationships
Minor None
1058 Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
Major Relationships
Minor None
1060 Excessive Number of Inefficient Server-Side Data Accesses
Major Relationships
Minor None
1062 Parent Class with References to Child Class
Major Relationships
Minor None
1064 Invokable Control Element with Signature Containing an Excessive Number of Parameters
Major Relationships
Minor None
1066 Missing Serialization Control Element
Major Relationships
Minor None
1067 Excessive Execution of Sequential Searches of Data Resource
Major Relationships
Minor None
1070 Serializable Data Element Containing non-Serializable Item Elements
Major Relationships
Minor None
1072 Data Resource Access without Use of Connection Pooling
Major Relationships
Minor None
1073 Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
Major Relationships
Minor None
1074 Class with Excessively Deep Inheritance
Major Relationships
Minor None
1075 Unconditional Control Flow Transfer outside of Switch Block
Major Relationships
Minor None
1077 Floating Point Comparison with Incorrect Operator
Major Relationships
Minor None
1079 Parent Class without Virtual Destructor Method
Major Relationships
Minor None
1080 Source Code File with Excessive Number of Lines of Code
Major Relationships
Minor None
1082 Class Instance Self Destruction Control Element
Major Relationships
Minor None
1083 Data Access from Outside Expected Data Manager Component
Major Relationships
Minor None
1084 Invokable Control Element with Excessive File or Data Access Operations
Major Relationships
Minor None
1085 Invokable Control Element with Excessive Volume of Commented-out Code
Major Relationships
Minor None
1086 Class with Excessive Number of Child Classes
Major Relationships
Minor None
1087 Class with Virtual Method without a Virtual Destructor
Major Relationships
Minor None
1088 Synchronous Access of Remote Resource without Timeout
Major Relationships
Minor None
1089 Large Data Table with Excessive Number of Indices
Major Relationships
Minor None
1090 Method Containing Access of a Member Element from Another Class
Major Relationships
Minor None
1091 Use of Object without Invoking Destructor Method
Major Relationships
Minor None
1094 Excessive Index Range Scan for a Data Resource
Major Relationships
Minor None
1095 Loop Condition Value Update within the Loop
Major Relationships
Minor None
1096 Singleton Class Instance Creation without Proper Locking or Synchronization
Major Relationships
Minor None
1097 Persistent Storable Data Element without Associated Comparison Control Element
Major Relationships
Minor None
1098 Data Element containing Pointer Item without Proper Copy Control Element
Major Relationships
Minor None
1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
Major Common_Consequences, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
Minor None
1190 DMA Device Enabled Too Early in Boot Phase
Major Related_Attack_Patterns
Minor None
1191 Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization
Major Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
Minor None
1192 System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers
Major Description
Minor None
1193 Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
Major References, Related_Attack_Patterns
Minor None
1195 Manufacturing and Life Cycle Management Concerns
Major Relationships
Minor None
1197 Integration Issues
Major Description
Minor None
1198 Privilege Separation and Access Control Issues
Major Relationships
Minor None
1199 General Circuit and Logic Design Concerns
Major Relationships
Minor None
1201 Core and Compute Issues
Major Relationships
Minor None
1206 Power, Clock, and Reset Concerns
Major Relationships
Minor None
1207 Debug and Test Problems
Major Relationships
Minor None
1208 Cross-Cutting Problems
Major Relationships
Minor None
1209 Failure to Disable Reserved Bits
Major Related_Attack_Patterns
Minor None
1220 Insufficient Granularity of Access Control
Major Related_Attack_Patterns
Minor None
1222 Insufficient Granularity of Address Regions Protected by Register Locks
Major Related_Attack_Patterns
Minor None
1223 Race Condition for Write-Once Attributes
Major Related_Attack_Patterns
Minor None
1224 Improper Restriction of Write-Once Bit Fields
Major Related_Attack_Patterns
Minor None
1231 Improper Implementation of Lock Protection Registers
Major Related_Attack_Patterns
Minor None
1232 Improper Lock Behavior After Power State Transition
Major Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns
Minor None
1233 Improper Hardware Lock Protection for Security Sensitive Controls
Major Related_Attack_Patterns
Minor None
1234 Hardware Internal or Debug Modes Allow Override of Locks
Major Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns
Minor None
1236 Improper Neutralization of Formula Elements in a CSV File
Major Relationships
Minor None
1237 SFP Primary Cluster: Faulty Resource Release
Major Relationships
Minor None
1238 SFP Primary Cluster: Failure to Release Memory
Major Relationships
Minor None
1239 Improper Zeroization of Hardware Register
Major Related_Attack_Patterns
Minor None
1240 Use of a Risky Cryptographic Primitive
Major Background_Details, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns, Research_Gaps
Minor None
1241 Use of Predictable Algorithm in Random Number Generator
Major Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns, Research_Gaps
Minor None
1242 Inclusion of Undocumented Features or Chicken Bits
Major Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, Related_Attack_Patterns
Minor None
1243 Sensitive Non-Volatile Information Not Protected During Debug
Major Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns
Minor None
1244 Improper Access to Sensitive Information Using Debug and Test Interfaces
Major Demonstrative_Examples, Name, Observed_Examples, Related_Attack_Patterns
Minor None
1245 Improper Finite State Machines (FSMs) in Hardware Logic
Major Related_Attack_Patterns
Minor None
1246 Improper Write Handling in Limited-write Non-Volatile Memories
Major Demonstrative_Examples, Description, Potential_Mitigations, Research_Gaps
Minor None
1247 Missing or Improperly Implemented Protection Against Voltage and Clock Glitches
Major Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns
Minor None
1248 Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
Major Modes_of_Introduction, Related_Attack_Patterns
Minor None
1251 Mirrored Regions with Different Values
Major Applicable_Platforms, Demonstrative_Examples, Description, Research_Gaps
Minor None
1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
Major Related_Attack_Patterns
Minor None
1253 Incorrect Selection of Fuse Values
Major Applicable_Platforms, Demonstrative_Examples, Description
Minor None
1254 Incorrect Comparison Logic Granularity
Major Relationships
Minor None
1256 Hardware Features Enable Physical Attacks from Software
Major Demonstrative_Examples, Description, Maintenance_Notes, Related_Attack_Patterns
Minor None
1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions
Major Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns
Minor None
1258 Exposure of Sensitive System Information Due to Uncleared Debug Information
Major Demonstrative_Examples, Description, Name, Related_Attack_Patterns, Relationships
Minor None
1259 Improper Restriction of Security Token Assignment
Major Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
Minor None
1260 Improper Handling of Overlap Between Protected Memory Ranges
Major Demonstrative_Examples, Description, Modes_of_Introduction, Related_Attack_Patterns
Minor None
1262 Register Interface Allows Software Access to Sensitive Data or Security Settings
Major Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns
Minor None
1263 Improper Physical Access Control
Major Common_Consequences, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
Minor None
1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels
Major Description, Related_Attack_Patterns
Minor None
1265 Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
Major Demonstrative_Examples, Related_Attack_Patterns
Minor None
1266 Improper Scrubbing of Sensitive Data from Decommissioned Device
Major Potential_Mitigations, Related_Attack_Patterns
Minor None
1267 Policy Uses Obsolete Encoding
Major Applicable_Platforms, Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations
Minor None
1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents
Major Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns
Minor None
1269 Product Released in Non-Release Configuration
Major Description, Related_Attack_Patterns
Minor None
1270 Generation of Incorrect Security Tokens
Major Applicable_Platforms, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Relationships
Minor None
1271 Unitialized Value on Reset for Registers Holding Security Settings
Major Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
Minor None
1272 Sensitive Information Uncleared Before Debug/Power State Transition
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
Minor None
1273 Device Unlock Credential Sharing
Major Demonstrative_Examples, Description, Related_Attack_Patterns
Minor None
1274 Insufficient Protections on the Volatile Memory Containing Boot Code
Major Demonstrative_Examples, Description, Related_Attack_Patterns
Minor None
1275 Sensitive Cookie with Improper SameSite Attribute
Major Demonstrative_Examples, Related_Attack_Patterns
Minor None
1276 Hardware Child Block Incorrectly Connected to Parent System
Major Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations
Minor None
1277 Firmware Not Updateable
Major Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations
Minor None
1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
Major Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, References, Related_Attack_Patterns
Minor None
1279 Cryptographic Operations are run Before Supporting Units are Ready
Major Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns
Minor None
1280 Access Control Check Implemented After Asset is Accessed
Major Applicable_Platforms, Demonstrative_Examples, Description, Related_Attack_Patterns
Minor None
1281 Sequence of Processor Instructions Leads to Unexpected Behavior (Halt and Catch Fire)
Major Related_Attack_Patterns
Minor None
1282 Assumed-Immutable Data is Stored in Writable Memory
Major Demonstrative_Examples, Description, Modes_of_Introduction, Name
Minor None
1283 Mutable Attestation or Measurement Reporting Data
Major References, Related_Attack_Patterns
Minor None
1286 Improper Validation of Syntactic Correctness of Input
Major Related_Attack_Patterns
Minor None
Page Last Updated: August 20, 2020