Common Weakness Enumeration

Enumeration of Technical Impacts

Each weakness, if successfully exploited, can lead to one or more potential Technical Impacts:

  • Modify data
  • Read data
  • DoS: unreliable execution
  • DoS: resource consumption
  • Execute unauthorized code or commands
  • Gain privileges / assume identity
  • Bypass protection mechanism
  • Hide activities

Note that some of these items are abstractions of the technical impact enumeration used in CWE 2.0, which includes more specific values such as Modify memory, Read application data, and memory consumption. Such values are overly specific and offer limited flexibility; this was addressed by keeping the impacts general and combining them with layers.

Within CWRAF and CWSS, the successful exploitation of a weakness could have varying impacts at four different "layers":

  • System - The entity has access to, or control of, a system or physical host.
  • Application - The entity has access to an affected application.
  • Network - The entity has access to/from the network.
  • Enterprise - The entity has access to a critical piece of enterprise infrastructure, such as a router, DNS, etc.

The user then evaluates all possible combinations of Technical Impact and Impact Layer (32 possibilities as of CWSS 0.8) and captures the analysis within the Technical Impact Scorecard, which contains the following information:

  • Impact - The kind of Technical Impact under consideration.
  • Layer - The layer at which the Technical Impact could reside. Four impact layers are defined: System, Application, Network, and Enterprise. These layers are used by the Required Privilege Layer and the Acquired Privilege Layer factors in CWSS.
  • Importance - A value between 0 and 10 that quantifies the impact of any weakness that can be exploited to have the given Impact at the specified Layer. Also referred to as a "Subscore."
  • Notes - Explanations and rationales for the score, describing the associated business impact if the given weakness could be successfully exploited.
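The scorecard described above is small enough to model directly. The following Python is an added example, not CWRAF's or CWSS's own tooling: it enumerates all 32 Impact/Layer combinations, validates that each Importance value stays within 0 to 10, and reports which combinations an analyst has not yet scored. The sample values in build_example_scorecard are constructed for a hypothetical web application and are not taken from any CWRAF vignette.

```python
from dataclasses import dataclass, field
from itertools import product

# The eight Technical Impacts and four Impact Layers as listed on the page.
TECHNICAL_IMPACTS = (
    "Modify data",
    "Read data",
    "DoS: unreliable execution",
    "DoS: resource consumption",
    "Execute unauthorized code or commands",
    "Gain privileges / assume identity",
    "Bypass protection mechanism",
    "Hide activities",
)
IMPACT_LAYERS = ("System", "Application", "Network", "Enterprise")

# Every (Impact, Layer) pair the scorecard must cover: 8 x 4 = 32.
ALL_COMBINATIONS = tuple(product(TECHNICAL_IMPACTS, IMPACT_LAYERS))


@dataclass
class ScorecardEntry:
    """One row of the Technical Impact Scorecard."""
    impact: str
    layer: str
    importance: float  # the "Subscore": 0 (irrelevant) .. 10 (critical)
    notes: str = ""

    def __post_init__(self):
        # Reject values the scorecard definition does not allow.
        if self.impact not in TECHNICAL_IMPACTS:
            raise ValueError(f"unknown Technical Impact: {self.impact!r}")
        if self.layer not in IMPACT_LAYERS:
            raise ValueError(f"unknown Impact Layer: {self.layer!r}")
        if not 0 <= self.importance <= 10:
            raise ValueError(f"Importance must be 0..10, got {self.importance}")


@dataclass
class TechnicalImpactScorecard:
    entries: dict = field(default_factory=dict)

    def score(self, impact, layer, importance, notes=""):
        """Record (or overwrite) the Importance for one Impact/Layer pair."""
        entry = ScorecardEntry(impact, layer, importance, notes)
        self.entries[(impact, layer)] = entry
        return entry

    def subscore(self, impact, layer):
        """Importance recorded for the pair, or None if not yet evaluated."""
        entry = self.entries.get((impact, layer))
        return None if entry is None else entry.importance

    def missing(self):
        """Combinations the analyst has not yet scored."""
        return [combo for combo in ALL_COMBINATIONS if combo not in self.entries]

    def is_complete(self):
        return not self.missing()


def build_example_scorecard():
    """Constructed sample for a hypothetical internet-facing web application.

    The Importance values and notes are illustrative assumptions only.
    """
    card = TechnicalImpactScorecard()
    card.score("Read data", "Application", 9,
               "Customer records live in the application database.")
    card.score("Execute unauthorized code or commands", "System", 10,
               "Host compromise gives full control of the server.")
    card.score("DoS: resource consumption", "Network", 4,
               "Redundant links limit the business effect of link saturation.")
    card.score("Hide activities", "Enterprise", 7,
               "Audit logs feed compliance reporting; tampering is costly.")
    return card


if __name__ == "__main__":
    card = build_example_scorecard()
    print(f"{len(ALL_COMBINATIONS)} combinations, "
          f"{len(card.missing())} still unscored")
    for impact, layer in card.missing()[:3]:
        print(f"  unscored: {impact} @ {layer}")
```

Running the script shows that four of the 32 combinations are scored and lists the first few that remain, which is the check an analyst wants before feeding Importance values into the rest of a CWSS calculation.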
Page Last Updated: January 18, 2017