CWE - Differences between Version 4.7 and Version 4.8

Home > CWE List > Reports > Differences between Version 4.7 and Version 4.8

Differences between Version 4.7 and Version 4.8

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total weaknesses/chains/composites (Version 4.8)	927
Total weaknesses/chains/composites (Version 4.7)	926
Total new	3
Total deprecated	0
Total with major changes	82
Total with only minor changes	2
Total unchanged	1302

Summary of Entry Types

Type	Version 4.7	Version 4.8
Weakness	926	927
Category	351	352
View	47	48
Deprecated	62	62
Total	1386	1389

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	3	0
Description	4	2
Relationships	44	0
Applicable_Platforms	27	0
Modes_of_Introduction	1	1
Detection_Factors	0	0
Potential_Mitigations	3	1
Demonstrative_Examples	2	2
Observed_Examples	32	0
Related_Attack_Patterns	0	0
Weakness_Ordinalities	0	0
Time_of_Introduction	0	0
Likelihood_of_Exploit	0	0
References	3	1
Common_Consequences	2	1
Terminology_Notes	0	0
Alternate_Terms	2	0
Relationship_Notes	0	0
Taxonomy_Mappings	1	0
Maintenance_Notes	2	0
Research_Gaps	0	0
Background_Details	0	0
Theoretical_Notes	1	0
Other_Notes	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Type	1	0
Source_Taxonomy	0	0

Form and Abstraction Changes

From	To	Total	CWE IDs
Unchanged		1385
Weakness/Base	Weakness/Class	1	1384

Status Changes

From	To	Total
Unchanged		1386

Relationship Changes

The "Version 4.8 Total" lists the total number of relationships in Version 4.8. The "Shared" value is the total number of relationships in entries that were in both Version 4.8 and Version 4.7. The "New" value is the total number of relationships involving entries that did not exist in Version 4.7. Thus, the total number of relationships in Version 4.8 would combine stats from Shared entries and New entries.

Relationship	Version 4.8 Total	Version 4.7 Total	Version 4.8 Shared	Unchanged	Added to Version 4.8	Removed from Version 4.7	Version 4.8 New
ALL	10310	10232	10236	10230	6	2	74
ChildOf	4262	4250	4251	4249	2	1	11
ParentOf	4262	4250	4251	4249	2	1	11
MemberOf	642	616	616	616			26
HasMember	642	616	616	616			26
CanPrecede	135	135	135	135
CanFollow	135	135	135	135
StartsWith	3	3	3	3
Requires	13	13	13	13
RequiredBy	13	13	13	13
CanAlsoBe	27	27	27	27
PeerOf	176	174	176	174	2

Nodes Removed from Version 4.7

CWE-ID	CWE Name
None.

Nodes Added to Version 4.8

CWE-ID	CWE Name
1386	Insecure Operation on Windows Junction / Mount Point
1387	Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses
1388	Physical Access Issues and Concerns

Nodes Deprecated in Version 4.8

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

		R	20	Improper Input Validation
		R	22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
		R	59	Improper Link Resolution Before File Access ('Link Following')
		R	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
		R	78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
		R	79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
		R	89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
		R	94	Improper Control of Generation of Code ('Code Injection')
D	N	R	113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
		R	119	Improper Restriction of Operations within the Bounds of a Memory Buffer
		R	125	Out-of-bounds Read
		R	190	Integer Overflow or Wraparound
		R	276	Incorrect Default Permissions
		R	287	Improper Authentication
		R	306	Missing Authentication for Critical Function
		R	311	Missing Encryption of Sensitive Data
		R	319	Cleartext Transmission of Sensitive Information
		R	352	Cross-Site Request Forgery (CSRF)
		R	362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
		R	400	Uncontrolled Resource Consumption
		R	416	Use After Free
		R	434	Unrestricted Upload of File with Dangerous Type
		R	436	Interpretation Conflict
D	N		444	Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
		R	476	NULL Pointer Dereference
		R	502	Deserialization of Untrusted Data
		R	611	Improper Restriction of XML External Entity Reference
		R	614	Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
		R	787	Out-of-bounds Write
		R	798	Use of Hard-coded Credentials
		R	862	Missing Authorization
D		R	917	Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
		R	918	Server-Side Request Forgery (SSRF)
		R	1194	Hardware Design
		R	1247	Improper Protection Against Voltage and Clock Glitches
		R	1248	Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
		R	1255	Comparison Logic is Vulnerable to Power Side-Channel Attacks
		R	1261	Improper Handling of Single Event Upsets
		R	1278	Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
		R	1300	Improper Protection of Physical Side Channels
		R	1319	Improper Protection against Electromagnetic Fault Injection (EM-FI)
		R	1332	Improper Handling of Faults that Lead to Instruction Skips
		R	1336	Improper Neutralization of Special Elements Used in a Template Engine
		R	1351	Improper Handling of Hardware Behavior in Exceptionally Cold Environments
D	N	R	1384	Improper Handling of Physical or Environmental Conditions

Detailed Difference Report

20	Improper Input Validation
	Major	Observed_Examples, Relationships
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Observed_Examples, Relationships
	Minor	None
23	Relative Path Traversal
	Major	Observed_Examples
	Minor	None
59	Improper Link Resolution Before File Access ('Link Following')
	Major	Relationships
	Minor	None
64	Windows Shortcut Following (.LNK)
	Major	Observed_Examples
	Minor	None
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
	Major	Observed_Examples
	Minor	None
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Observed_Examples, Relationships
	Minor	None
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
	Major	Observed_Examples, Relationships
	Minor	None
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	Major	Observed_Examples, Relationships
	Minor	None
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Observed_Examples, Relationships
	Minor	None
94	Improper Control of Generation of Code ('Code Injection')
	Major	Observed_Examples, Relationships
	Minor	None
95	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
	Major	Observed_Examples
	Minor	None
113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
	Major	Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Theoretical_Notes
	Minor	None
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	Observed_Examples, Relationships
	Minor	None
121	Stack-based Buffer Overflow
	Major	Observed_Examples
	Minor	None
125	Out-of-bounds Read
	Major	Observed_Examples, Relationships
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	Observed_Examples
	Minor	None
190	Integer Overflow or Wraparound
	Major	Observed_Examples, Relationships
	Minor	None
197	Numeric Truncation Error
	Major	Observed_Examples
	Minor	None
276	Incorrect Default Permissions
	Major	Relationships
	Minor	None
284	Improper Access Control
	Major	Observed_Examples
	Minor	None
287	Improper Authentication
	Major	Observed_Examples, Relationships
	Minor	None
306	Missing Authentication for Critical Function
	Major	Observed_Examples, Relationships
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	Relationships
	Minor	None
319	Cleartext Transmission of Sensitive Information
	Major	Relationships
	Minor	None
352	Cross-Site Request Forgery (CSRF)
	Major	Relationships
	Minor	None
362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
	Major	Observed_Examples, Relationships
	Minor	None
367	Time-of-check Time-of-use (TOCTOU) Race Condition
	Major	Observed_Examples
	Minor	None
400	Uncontrolled Resource Consumption
	Major	Observed_Examples, Relationships
	Minor	None
416	Use After Free
	Major	Observed_Examples, Relationships
	Minor	None
434	Unrestricted Upload of File with Dangerous Type
	Major	Relationships
	Minor	None
436	Interpretation Conflict
	Major	Relationships
	Minor	None
444	Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
	Major	Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, References, Taxonomy_Mappings
	Minor	None
476	NULL Pointer Dereference
	Major	Relationships
	Minor	None
502	Deserialization of Untrusted Data
	Major	Relationships
	Minor	None
611	Improper Restriction of XML External Entity Reference
	Major	Relationships
	Minor	None
614	Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
	Major	Relationships
	Minor	None
625	Permissive Regular Expression
	Major	Observed_Examples
	Minor	None
667	Improper Locking
	Major	Observed_Examples
	Minor	None
697	Incorrect Comparison
	Major	Observed_Examples
	Minor	None
787	Out-of-bounds Write
	Major	Observed_Examples, Relationships
	Minor	None
798	Use of Hard-coded Credentials
	Major	Relationships
	Minor	None
862	Missing Authorization
	Major	Relationships
	Minor	None
917	Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
	Major	Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships
	Minor	None
918	Server-Side Request Forgery (SSRF)
	Major	Observed_Examples, Relationships
	Minor	None
1059	Insufficient Technical Documentation
	Major	None
	Minor	References
1194	Hardware Design
	Major	Relationships
	Minor	None
1246	Improper Write Handling in Limited-write Non-Volatile Memories
	Major	Applicable_Platforms
	Minor	None
1247	Improper Protection Against Voltage and Clock Glitches
	Major	Applicable_Platforms, Relationships
	Minor	None
1248	Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
	Major	Relationships
	Minor	None
1250	Improper Preservation of Consistency Between Independent Representations of Shared State
	Major	Applicable_Platforms
	Minor	None
1252	CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
	Major	Applicable_Platforms
	Minor	None
1255	Comparison Logic is Vulnerable to Power Side-Channel Attacks
	Major	Relationships
	Minor	None
1256	Improper Restriction of Software Interfaces to Hardware Features
	Major	Applicable_Platforms
	Minor	None
1257	Improper Access Control Applied to Mirrored or Aliased Memory Regions
	Major	Applicable_Platforms
	Minor	None
1259	Improper Restriction of Security Token Assignment
	Major	Applicable_Platforms
	Minor	None
1260	Improper Handling of Overlap Between Protected Memory Ranges
	Major	Applicable_Platforms
	Minor	None
1261	Improper Handling of Single Event Upsets
	Major	Relationships
	Minor	None
1278	Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
	Major	Relationships
	Minor	None
1279	Cryptographic Operations are run Before Supporting Units are Ready
	Major	Applicable_Platforms
	Minor	None
1280	Access Control Check Implemented After Asset is Accessed
	Major	None
	Minor	Demonstrative_Examples
1290	Incorrect Decoding of Security Identifiers
	Major	Applicable_Platforms
	Minor	None
1292	Incorrect Conversion of Security Identifiers
	Major	Applicable_Platforms
	Minor	None
1294	Insecure Security Identifier Mechanism
	Major	Applicable_Platforms
	Minor	None
1296	Incorrect Chaining or Granularity of Debug Components
	Major	Applicable_Platforms
	Minor	None
1297	Unprotected Confidential Information on Device is Accessible by OSAT Vendors
	Major	Applicable_Platforms
	Minor	None
1299	Missing Protection Mechanism for Alternate Hardware Interface
	Major	Applicable_Platforms
	Minor	None
1300	Improper Protection of Physical Side Channels
	Major	Relationships
	Minor	None
1314	Missing Write Protection for Parametric Data Values
	Major	Applicable_Platforms
	Minor	None
1316	Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
	Major	Applicable_Platforms
	Minor	None
1317	Missing Security Checks in Fabric Bridge
	Major	Applicable_Platforms
	Minor	None
1318	Missing Support for Security Features in On-chip Fabrics or Buses
	Major	Applicable_Platforms
	Minor	None
1319	Improper Protection against Electromagnetic Fault Injection (EM-FI)
	Major	Applicable_Platforms, Relationships
	Minor	None
1320	Improper Protection for Out of Bounds Signal Level Alerts
	Major	Applicable_Platforms
	Minor	None
1324	Sensitive Information Accessible by Physical Probing of JTAG Interface
	Major	Applicable_Platforms
	Minor	None
1326	Missing Immutable Root of Trust in Hardware
	Major	Applicable_Platforms, Modes_of_Introduction
	Minor	Demonstrative_Examples, Description
1328	Security Version Number Mutable to Older Versions
	Major	Applicable_Platforms
	Minor	None
1330	Remanent Data Readable after Memory Erase
	Major	Applicable_Platforms
	Minor	None
1331	Improper Isolation of Shared Resources in Network On Chip (NoC)
	Major	Applicable_Platforms
	Minor	Common_Consequences
1332	Improper Handling of Faults that Lead to Instruction Skips
	Major	Relationships
	Minor	Potential_Mitigations
1336	Improper Neutralization of Special Elements Used in a Template Engine
	Major	Maintenance_Notes, Relationships
	Minor	None
1338	Improper Protections Against Hardware Overheating
	Major	Applicable_Platforms
	Minor	Description
1351	Improper Handling of Hardware Behavior in Exceptionally Cold Environments
	Major	Relationships
	Minor	None
1384	Improper Handling of Physical or Environmental Conditions
	Major	Description, Name, Potential_Mitigations, Relationships, Type
	Minor	Modes_of_Introduction

Page Last Updated: June 28, 2022


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration