CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types
CWE Top 25 Most Dangerous Weaknesses
Home > CWRAF > Enumeration of Technical Impacts  
ID

Enumeration of Technical Impacts

Each weakness, if successfully exploited, can lead to one or more potential Technical Impacts:

  • Modify data
  • Read data
  • DoS: unreliable execution
  • DoS: resource consumption
  • Execute unauthorized code or commands
  • Gain privileges / assume identity
  • Bypass protection mechanism
  • Hide activities

Note that some of these items are abstractions of the technical impact enumeration used in CWE 2.0, which includes values such as Modify memory, Read application data, memory consumption, etc. Such values are overly specific with limited flexibility, which was addressed by using layers.

Within CWRAF and CWSS, the successful exploitation of a weakness could have varying impacts at four different "layers":

  • System - The entity has access to, or control of, a system or physical host.
  • Application - The entity has access to an affected application.
  • Network - The entity has access to/from the network.
  • Enterprise - The entity has access to a critical piece of enterprise infrastructure, such as a router, DNS, etc.

The user then evaluates all possible combinations of Technical Impact and Impact Layer (32 possibilities as of CWSS 0.8) and captures the analysis within the Technical Impact Scorecard, which contains the following information:

Impact The kind of Technical Impact under consideration.
Layer The layer at which the Technical Impact could reside. Four impact layers are defined: System, Application, Network, and Enterprise. These layers are used by the Required Privilege Layer and the Acquired Privilege Layer factors in CWSS.
Importance A value between 0 and 10 that quantifies the impact of any weakness that can be exploited to have the given Impact at the specified Layer. Also referred to as a "Subscore."
Notes Explanations and rationales for the score, describing the associated business impact if the given weakness could be successfully exploited.
Back to top
More information is available — Please select a different filter.
Page Last Updated: January 18, 2017
 

Use of the Common Weakness Enumeration (CWE) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006-2021, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.