CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

Differences between Version 4.2 and Version 4.3

Summary
Total weaknesses/chains/composites (Version 4.3) 916
Total weaknesses/chains/composites (Version 4.2) 891
Total new 26
Total deprecated 0
Total with major changes 142
Total with only minor changes
Total unchanged 1167

Summary of Entry Types

Type Version 4.2 Version 4.3
Weakness 891 916
Category 316 316
View 41 42
Deprecated 61 61
Total 1309 1335

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 2 0
Description 6 0
Applicable_Platforms 0 0
Time_of_Introduction 3 0
Demonstrative_Examples 7 0
Detection_Factors 0 0
Likelihood_of_Exploit 1 0
Common_Consequences 4 0
Relationships 113 0
References 0 0
Potential_Mitigations 24 0
Observed_Examples 5 0
Terminology_Notes 0 0
Alternate_Terms 2 0
Related_Attack_Patterns 3 0
Relationship_Notes 0 0
Taxonomy_Mappings 0 0
Maintenance_Notes 1 0
Modes_of_Introduction 1 0
Research_Gaps 1 0
Background_Details 0 0
Theoretical_Notes 0 0
Weakness_Ordinalities 0 0
Other_Notes 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Type 0 0
Source_Taxonomy 0 0

Form and Abstraction Changes

From To Total CWE IDs
Unchanged 1309

Status Changes

From To Total
Unchanged 1308
Incomplete Draft 1

Relationship Changes

The "Version 4.3 Total" lists the total number of relationships in Version 4.3. The "Shared" value is the total number of relationships in entries that were in both Version 4.3 and Version 4.2. The "New" value is the total number of relationships involving entries that did not exist in Version 4.2. Thus, the total number of relationships in Version 4.3 would combine stats from Shared entries and New entries.

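| Relationship | Version 4.3 Total | Version 4.2 Total | Version 4.3 Shared | Unchanged | Added to Version 4.3 | Removed from Version 4.2 | Version 4.3 New |
|---|---|---|---|---|---|---|---|
| ALL | 9533 | 9241 | 9347 | 9239 | 108 | 2 | 186 |
| ChildOf | 3956 | 3857 | 3909 | 3856 | 53 | 1 | 47 |
| ParentOf | 3956 | 3857 | 3909 | 3856 | 53 | 1 | 47 |
| MemberOf | 564 | 528 | 528 | 528 | | | 36 |
| HasMember | 564 | 528 | 528 | 528 | | | 36 |
| CanPrecede | 132 | 129 | 129 | 129 | | | 3 |
| CanFollow | 132 | 129 | 129 | 129 | | | 3 |
| StartsWith | 3 | 3 | 3 | 3 | | | |
| Requires | 13 | 13 | 13 | 13 | | | |
| RequiredBy | 13 | 13 | 13 | 13 | | | |
| CanAlsoBe | 28 | 28 | 28 | 28 | | | |
| PeerOf | 172 | 156 | 158 | 156 | 2 | | 14 |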

Nodes Removed from Version 4.2

CWE-ID CWE Name
None.

Software Nodes Added to Version 4.3

CWE-ID CWE Name
1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
1322 Use of Blocking Code in Single-threaded, Non-blocking Context
1325 Improperly Controlled Sequential Memory Allocation
1327 Binding to an Unrestricted IP Address
1329 Reliance on Component That is Not Updateable
1340 CISQ Data Protection Measures

Hardware Nodes Added to Version 4.3

CWE-ID CWE Name
1310 Missing Ability to Patch ROM Code
1311 Improper Translation of Security Attributes by Fabric Bridge
1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
1313 Hardware Allows Activation of Test or Debug Logic at Runtime
1314 Missing Write Protection for Parametric Data Values
1315 Improper Setting of Bus Controlling Capability in Fabric End-point
1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
1317 Missing Security Checks in Fabric Bridge
1318 Missing Support for Security Features in On-chip Fabrics or Buses
1319 Improper Protection against Electromagnetic Fault Injection (EM-FI)
1320 Improper Protection for Out of Bounds Signal Level Alerts
1323 Improper Management of Sensitive Trace Data
1324 Sensitive Information Accessible by Physical Probing of JTAG Interface
1326 Missing Immutable Root of Trust in Hardware
1328 Security Version Number Mutable to Older Versions
1330 Remanent Data Readable after Memory Erase
1331 Improper Isolation of Shared Resources in Network On Chip
1332 Insufficient Protection Against Instruction Skipping Via Fault Injection
1334 Unauthorized Error Injection Can Degrade Hardware Redundancy
1338 Improper Protections Against Hardware Overheating

Nodes Deprecated in Version 4.3

CWE-ID CWE Name
None.
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
R 23 Relative Path Traversal
R 36 Absolute Path Traversal
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
R 88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
R 91 XML Injection (aka Blind XPath Injection)
R 99 Improper Control of Resource Identifiers ('Resource Injection')
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
R 123 Write-what-where Condition
R 125 Out-of-bounds Read
R 129 Improper Validation of Array Index
R 130 Improper Handling of Length Parameter Inconsistency
R 131 Incorrect Calculation of Buffer Size
R 134 Use of Externally-Controlled Format String
R 170 Improper Null Termination
R 194 Unexpected Sign Extension
R 195 Signed to Unsigned Conversion Error
R 196 Unsigned to Signed Conversion Error
R 197 Numeric Truncation Error
DN 203 Observable Discrepancy
R 213 Exposure of Sensitive Information Due to Incompatible Policies
R 248 Uncaught Exception
R 259 Use of Hard-coded Password
R 284 Improper Access Control
R 285 Improper Authorization
R 287 Improper Authentication
R 288 Authentication Bypass Using an Alternate Path or Channel
R 300 Channel Accessible by Non-Endpoint
R 311 Missing Encryption of Sensitive Data
R 321 Use of Hard-coded Cryptographic Key
R 359 Exposure of Private Personal Information to an Unauthorized Actor
R 366 Race Condition within a Thread
R 369 Divide By Zero
R 391 Unchecked Error Condition
R 392 Missing Report of Error Condition
R 404 Improper Resource Shutdown or Release
R 415 Double Free
R 416 Use After Free
R 424 Improper Protection of Alternate Path
R 434 Unrestricted Upload of File with Dangerous Type
R 456 Missing Initialization of a Variable
R 457 Use of Uninitialized Variable
R 471 Modification of Assumed-Immutable Data (MAID)
R 476 NULL Pointer Dereference
R 502 Deserialization of Untrusted Data
R 543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
R 562 Return of Stack Variable Address
R 567 Unsynchronized Access to Shared Data in a Multithreaded Context
R 606 Unchecked Input for Loop Condition
R 611 Improper Restriction of XML External Entity Reference
R 624 Executable Regular Expression Error
R 639 Authorization Bypass Through User-Controlled Key
R 643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
D 649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
R 652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
R 653 Insufficient Compartmentalization
R 654 Reliance on a Single Factor in a Security Decision
R 662 Improper Synchronization
R 664 Improper Control of a Resource Through its Lifetime
R 665 Improper Initialization
R 667 Improper Locking
R 672 Operation on a Resource after Expiration or Release
D 674 Uncontrolled Recursion
R 681 Incorrect Conversion between Numeric Types
R 682 Incorrect Calculation
R 693 Protection Mechanism Failure
R 703 Improper Check or Handling of Exceptional Conditions
R 704 Incorrect Type Conversion or Cast
R 732 Incorrect Permission Assignment for Critical Resource
R 757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
R 761 Free of Pointer not at Start of Buffer
R 762 Mismatched Memory Management Routines
R 763 Release of Invalid Pointer or Reference
R 764 Multiple Locks of a Critical Resource
R 770 Allocation of Resources Without Limits or Throttling
R 772 Missing Release of Resource after Effective Lifetime
R 775 Missing Release of File Descriptor or Handle after Effective Lifetime
R 786 Access of Memory Location Before Start of Buffer
R 787 Out-of-bounds Write
R 788 Access of Memory Location After End of Buffer
DNR 789 Memory Allocation with Excessive Size Value
R 798 Use of Hard-coded Credentials
R 805 Buffer Access with Incorrect Length Value
R 820 Missing Synchronization
R 821 Incorrect Synchronization
R 822 Untrusted Pointer Dereference
R 823 Use of Out-of-range Pointer Offset
R 824 Access of Uninitialized Pointer
R 825 Expired Pointer Dereference
R 834 Excessive Iteration
R 835 Loop with Unreachable Exit Condition ('Infinite Loop')
R 862 Missing Authorization
R 863 Incorrect Authorization
R 908 Use of Uninitialized Resource
R 915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
R 917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
R 1051 Initialization with Hard-Coded Network Resource Configuration Data
R 1058 Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
R 1096 Singleton Class Instance Creation without Proper Locking or Synchronization
R 1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
R 1196 Security Flow Issues
R 1198 Privilege Separation and Access Control Issues
R 1203 Peripherals, On-chip Fabric, and Interface/IO Problems
R 1206 Power, Clock, and Reset Concerns
R 1207 Debug and Test Problems
R 1247 Missing or Improperly Implemented Protection Against Voltage and Clock Glitches
R 1251 Mirrored Regions with Different Values
D R 1277 Firmware Not Updateable
D R 1293 Missing Source Correlation of Multiple Independent Data
R 1299 Missing Protection Mechanism for Alternate Hardware Interface
R 1301 Insufficient or Incomplete Data Removal within Hardware Component
Detailed Difference Report
15 External Control of System or Configuration Setting
Major Potential_Mitigations
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Potential_Mitigations, Relationships
Minor None
23 Relative Path Traversal
Major Relationships
Minor None
36 Absolute Path Traversal
Major Relationships
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Relationships
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Potential_Mitigations, Relationships
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Relationships
Minor None
88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Major Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Potential_Mitigations, Relationships
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Relationships
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Relationships
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Relationships
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Alternate_Terms, Observed_Examples, Relationships
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Demonstrative_Examples, Relationships
Minor None
123 Write-what-where Condition
Major Relationships
Minor None
125 Out-of-bounds Read
Major Related_Attack_Patterns, Relationships
Minor None
129 Improper Validation of Array Index
Major Relationships
Minor None
130 Improper Handling of Length Parameter Inconsistency
Major Relationships
Minor None
131 Incorrect Calculation of Buffer Size
Major Relationships
Minor None
134 Use of Externally-Controlled Format String
Major Common_Consequences, Relationships
Minor None
170 Improper Null Termination
Major Relationships
Minor None
190 Integer Overflow or Wraparound
Major Observed_Examples
Minor None
194 Unexpected Sign Extension
Major Relationships
Minor None
195 Signed to Unsigned Conversion Error
Major Relationships
Minor None
196 Unsigned to Signed Conversion Error
Major Relationships
Minor None
197 Numeric Truncation Error
Major Relationships
Minor None
200 Exposure of Sensitive Information to an Unauthorized Actor
Major Potential_Mitigations
Minor None
201 Insertion of Sensitive Information Into Sent Data
Major Potential_Mitigations
Minor None
203 Observable Discrepancy
Major Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, Research_Gaps
Minor None
204 Observable Response Discrepancy
Major Potential_Mitigations
Minor None
209 Generation of Error Message Containing Sensitive Information
Major Potential_Mitigations, Related_Attack_Patterns
Minor None
212 Improper Removal of Sensitive Information Before Storage or Transfer
Major Potential_Mitigations
Minor None
213 Exposure of Sensitive Information Due to Incompatible Policies
Major Relationships
Minor None
215 Insertion of Sensitive Information Into Debugging Code
Major Potential_Mitigations
Minor None
242 Use of Inherently Dangerous Function
Major Demonstrative_Examples
Minor None
248 Uncaught Exception
Major Relationships
Minor None
259 Use of Hard-coded Password
Major Relationships
Minor None
271 Privilege Dropping / Lowering Errors
Major Potential_Mitigations
Minor None
272 Least Privilege Violation
Major Potential_Mitigations
Minor None
273 Improper Check for Dropped Privileges
Major Potential_Mitigations
Minor None
276 Incorrect Default Permissions
Major Potential_Mitigations
Minor None
277 Insecure Inherited Permissions
Major Potential_Mitigations
Minor None
278 Insecure Preserved Inherited Permissions
Major Potential_Mitigations
Minor None
279 Incorrect Execution-Assigned Permissions
Major Potential_Mitigations
Minor None
280 Improper Handling of Insufficient Permissions or Privileges
Major Potential_Mitigations
Minor None
284 Improper Access Control
Major Potential_Mitigations, Relationships
Minor None
285 Improper Authorization
Major Relationships
Minor None
287 Improper Authentication
Major Relationships
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Relationships
Minor None
300 Channel Accessible by Non-Endpoint
Major Relationships
Minor None
311 Missing Encryption of Sensitive Data
Major Potential_Mitigations, Relationships
Minor None
321 Use of Hard-coded Cryptographic Key
Major Relationships
Minor None
359 Exposure of Private Personal Information to an Unauthorized Actor
Major Relationships
Minor None
366 Race Condition within a Thread
Major Relationships
Minor None
369 Divide By Zero
Major Relationships
Minor None
391 Unchecked Error Condition
Major Relationships
Minor None
392 Missing Report of Error Condition
Major Relationships
Minor None
404 Improper Resource Shutdown or Release
Major Relationships
Minor None
415 Double Free
Major Relationships
Minor None
416 Use After Free
Major Relationships
Minor None
424 Improper Protection of Alternate Path
Major Relationships
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Relationships
Minor None
456 Missing Initialization of a Variable
Major Relationships
Minor None
457 Use of Uninitialized Variable
Major Relationships
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Relationships
Minor None
476 NULL Pointer Dereference
Major Relationships
Minor None
479 Signal Handler Use of a Non-reentrant Function
Major Common_Consequences
Minor None
494 Download of Code Without Integrity Check
Major Demonstrative_Examples
Minor None
502 Deserialization of Untrusted Data
Major Relationships
Minor None
506 Embedded Malicious Code
Major Time_of_Introduction
Minor None
543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
Major Relationships
Minor None
562 Return of Stack Variable Address
Major Relationships
Minor None
567 Unsynchronized Access to Shared Data in a Multithreaded Context
Major Relationships
Minor None
606 Unchecked Input for Loop Condition
Major Relationships
Minor None
611 Improper Restriction of XML External Entity Reference
Major Relationships
Minor None
624 Executable Regular Expression Error
Major Relationships
Minor None
639 Authorization Bypass Through User-Controlled Key
Major Relationships
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major Relationships
Minor None
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major Description
Minor None
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major Relationships
Minor None
653 Insufficient Compartmentalization
Major Relationships
Minor None
654 Reliance on a Single Factor in a Security Decision
Major Relationships
Minor None
662 Improper Synchronization
Major Relationships
Minor None
663 Use of a Non-reentrant Function in a Concurrent Context
Major Common_Consequences
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Relationships
Minor None
665 Improper Initialization
Major Relationships
Minor None
667 Improper Locking
Major Relationships
Minor None
672 Operation on a Resource after Expiration or Release
Major Relationships
Minor None
674 Uncontrolled Recursion
Major Demonstrative_Examples, Description, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, Time_of_Introduction
Minor None
676 Use of Potentially Dangerous Function
Major Demonstrative_Examples
Minor None
681 Incorrect Conversion between Numeric Types
Major Relationships
Minor None
682 Incorrect Calculation
Major Relationships
Minor None
693 Protection Mechanism Failure
Major Relationships
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Relationships
Minor None
704 Incorrect Type Conversion or Cast
Major Relationships
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Relationships
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Potential_Mitigations
Minor None
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Major Relationships
Minor None
761 Free of Pointer not at Start of Buffer
Major Relationships
Minor None
762 Mismatched Memory Management Routines
Major Relationships
Minor None
763 Release of Invalid Pointer or Reference
Major Relationships
Minor None
764 Multiple Locks of a Critical Resource
Major Relationships
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Relationships
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Relationships
Minor None
775 Missing Release of File Descriptor or Handle after Effective Lifetime
Major Relationships
Minor None
786 Access of Memory Location Before Start of Buffer
Major Relationships
Minor None
787 Out-of-bounds Write
Major Relationships
Minor None
788 Access of Memory Location After End of Buffer
Major Relationships
Minor None
789 Memory Allocation with Excessive Size Value
Major Alternate_Terms, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Relationships, Time_of_Introduction
Minor None
798 Use of Hard-coded Credentials
Major Relationships
Minor None
805 Buffer Access with Incorrect Length Value
Major Relationships
Minor None
820 Missing Synchronization
Major Relationships
Minor None
821 Incorrect Synchronization
Major Relationships
Minor None
822 Untrusted Pointer Dereference
Major Relationships
Minor None
823 Use of Out-of-range Pointer Offset
Major Relationships
Minor None
824 Access of Uninitialized Pointer
Major Relationships
Minor None
825 Expired Pointer Dereference
Major Relationships
Minor None
834 Excessive Iteration
Major Relationships
Minor None
835 Loop with Unreachable Exit Condition ('Infinite Loop')
Major Observed_Examples, Relationships
Minor None
862 Missing Authorization
Major Relationships
Minor None
863 Incorrect Authorization
Major Relationships
Minor None
908 Use of Uninitialized Resource
Major Relationships
Minor None
915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Major Relationships
Minor None
917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Major Relationships
Minor None
1051 Initialization with Hard-Coded Network Resource Configuration Data
Major Relationships
Minor None
1058 Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
Major Relationships
Minor None
1096 Singleton Class Instance Creation without Proper Locking or Synchronization
Major Relationships
Minor None
1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
Major Relationships
Minor None
1192 System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers
Major Related_Attack_Patterns
Minor None
1196 Security Flow Issues
Major Relationships
Minor None
1198 Privilege Separation and Access Control Issues
Major Relationships
Minor None
1203 Peripherals, On-chip Fabric, and Interface/IO Problems
Major Relationships
Minor None
1206 Power, Clock, and Reset Concerns
Major Relationships
Minor None
1207 Debug and Test Problems
Major Relationships
Minor None
1247 Missing or Improperly Implemented Protection Against Voltage and Clock Glitches
Major Relationships
Minor None
1251 Mirrored Regions with Different Values
Major Relationships
Minor None
1260 Improper Handling of Overlap Between Protected Memory Ranges
Major Maintenance_Notes
Minor None
1263 Improper Physical Access Control
Major Potential_Mitigations
Minor None
1277 Firmware Not Updateable
Major Description, Relationships
Minor None
1293 Missing Source Correlation of Multiple Independent Data
Major Description, Relationships
Minor None
1299 Missing Protection Mechanism for Alternate Hardware Interface
Major Relationships
Minor None
1301 Insufficient or Incomplete Data Removal within Hardware Component
Major Relationships
Minor None
Page Last Updated: December 10, 2020