Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

2021 CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE- Individual Dictionary Definition (4.10)  

CWE CATEGORY: Configuration

Category ID: 16
+ Summary
Weaknesses in this category are typically introduced during the configuration of the software.
+ Membership
MemberOfViewView - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).635Weaknesses Originally Used by NVD from 2008 to 2016
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.933OWASP Top Ten 2013 Category A5 - Security Misconfiguration
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.1032OWASP Top Ten 2017 Category A6 - Security Misconfiguration
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.1349OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
+ Notes


Use for Mapping: Prohibited (this CWE ID must not be used to map to real-world vulnerabilities).

Rationale: this entry is a Category. Using categories for mapping has been an actively discouraged practice since at least 2019. Categories are informal organizational groupings of weaknesses that help navigation and browsing by CWE users, but they are not weaknesses in themselves [REF-1287]. This CWE entry may have become widely-used because of NIST's usage in NVD from 2008 to 2016 (see CWE-635 view, updated to the CWE-1003 view in 2016). Mapping is also Prohibited because this entry's status is Obsolete.

Comments: As of CWE 4.9, "Configuration" is beginning to be treated as an aspect of the SDLC in which a product is directed (by a human or automated process) to perform an insecure behavior. CWE mapping should be conducted by analyzing the weakness in the behavior that has been set by the configuration, such as those related to access control (descendants of CWE-284) or resource management (CWE-400), etc.


Further discussion about this category was held over the CWE Research mailing list in early 2020. No definitive action has been decided.


This entry is a Category, but various sources map to it anyway, despite CWE guidance that Categories should not be mapped. In this case, there are no clear CWE Weaknesses that can be utilized. "Inappropriate Configuration" sounds more like a Weakness in CWE's style, but it still does not indicate actual behavior of the product. Further research is still required, however, as a "configuration weakness" might be Primary to many other CWEs, i.e., it might be better described in terms of chaining relationships.
+ References
[REF-1287] MITRE. "Supplemental Details - 2022 CWE Top 25". Details of Problematic Mappings. 2022-06-28. <>.
+ Content History
+ Submissions
Submission DateSubmitterOrganization
2006-07-19CWE Community
Submitted by members of the CWE community to extend early CWE versions
+ Modifications
Modification DateModifierOrganization
2008-09-08CWE Content TeamMITRE
updated Relationships
2010-02-16CWE Content TeamMITRE
updated Taxonomy_Mappings
2013-07-17CWE Content TeamMITRE
updated Relationships
2014-07-30CWE Content TeamMITRE
updated Detection_Factors
2015-12-07CWE Content TeamMITRE
updated Relationships
2017-01-19CWE Content TeamMITRE
updated Maintenance_Notes, Relationships
2017-11-08CWE Content TeamMITRE
updated Detection_Factors
2018-03-27CWE Content TeamMITRE
updated Relationships
2019-06-20CWE Content TeamMITRE
updated Relationships
2020-02-24CWE Content TeamMITRE
updated Maintenance_Notes, Relationships
2021-10-28CWE Content TeamMITRE
updated Relationships
2022-10-13CWE Content TeamMITRE
updated Maintenance_Notes, References
More information is available — Please select a different filter.
Page Last Updated: January 31, 2023