Common Weakness Enumeration

CWE Glossary Definition

Chains and Composites

This report lists several chains and composites, as represented by various relationships within CWE. They help to illustrate how weaknesses can be combined to create software vulnerabilities, and they help to expose existing problems with classification and terminology.

A Chain is a sequence of two or more separate weaknesses that can be closely linked together within software. One weakness, X, can directly create the conditions that are necessary to cause another weakness, Y, to enter a vulnerable condition. When this happens, CWE refers to X as "primary" to Y, and Y is "resultant" from X. For example, if an integer overflow (CWE-190) occurs when calculating the amount of memory to allocate, an undersized buffer will be created, which can lead to a buffer overflow (CWE-120). In this case, the integer overflow would be primary to the buffer overflow. Chains can involve more than two weaknesses, and in some cases, they might have a tree-like structure.

While CWE primarily contains "implicit" chaining relationships, there are several chains that are so common that they were assigned their own CWE identifiers. These are called Named Chains. For example, CWE-690 covers the integer-overflow-to-buffer-overflow chain in the previous paragraph.

In the schema for CWE 1.0 and later, the CanPrecede relationship is used to identify when the weakness is primary to others, and CanFollow is used to identify when a weakness is resultant from others. These relationships are mostly found within the Research Concepts view (CWE-1000).

A Composite is a combination of two or more separate weaknesses that can create a vulnerability, but only if they all occur all the same time. One weakness, X, can be "broken down" into component weaknesses Y and Z. For example, Symlink Following (CWE-61) is only possible through a combination of several component weaknesses, including predictability (CWE-340), inadequate permissions (CWE-275), and race conditions (CWE-362). By eliminating any single component, a developer can prevent the composite from becoming exploitable. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability; for example, NUL byte interaction errors (CWE-626) can widen the scope of path traversal weaknesses (CWE-22), which often limit which files could be accessed due to idiosyncracies in filename generation.

In the schema for CWE 1.0 and later, the Requires relationship is used by a composite to identify its component weaknesses, and the RequiredBy relationship is used by the components of that composite. In Draft 9, the component relationship was called IsRequiredBy.

Both chains and composites might explain some of the existing differences in security code scanners. For example, one scanner might report the primary part of a chain, and a different scanner might report the resultant part. Both scanners would be correct, but they would be reporting different CWE identifiers in different portions of the code. It is suspected that chains have a correspondence to some aspects of artifact labels as used in vulnerability theory (primarily in crossover and trigger points), but this has not been actively explored.

In general, both chains and composites pose challenges for vulnerability classification and terminology. Sometimes a researcher is only focusing on one weakness in the chain, or one component of the composite. Attempts to create a hierarchical organization of "vulnerabilities" can be complicated, because vulnerabilities can contain multiple weaknesses. The CWE team is actively researching these concepts. Some early discussion is found in the CWE Research List archives.

CWE-20 Improper Input Validation
	CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
	CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	CWE-41 Improper Resolution of Path Equivalence
	CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
	CWE-770 Allocation of Resources Without Limits or Throttling
CWE-46 Path Equivalence: 'filename ' (Trailing Space)
	CWE-289 Authentication Bypass by Alternate Name
CWE-52 Path Equivalence: '/multiple/trailing/slash//'
	CWE-289 Authentication Bypass by Alternate Name
CWE-73 External Control of File Name or Path
	CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	CWE-41 Improper Resolution of Path Equivalence
	CWE-434 Unrestricted Upload of File with Dangerous Type
	CWE-59 Improper Link Resolution Before File Access ('Link Following')
	CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
		CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
	CWE-117 Improper Output Neutralization for Logs
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
	CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
		CWE-494 Download of Code Without Integrity Check
CWE-116 Improper Encoding or Escaping of Output
	CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-128 Wrap-around Error
	CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-129 Improper Validation of Array Index
	CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
	CWE-789 Memory Allocation with Excessive Size Value
		CWE-476 NULL Pointer Dereference
	CWE-823 Use of Out-of-range Pointer Offset
		CWE-125 Out-of-bounds Read
		CWE-787 Out-of-bounds Write
CWE-130 Improper Handling of Length Parameter Inconsistency
	CWE-805 Buffer Access with Incorrect Length Value
CWE-131 Incorrect Calculation of Buffer Size
	CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-134 Use of Externally-Controlled Format String
	CWE-123 Write-what-where Condition
CWE-172 Encoding Error
	CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	CWE-41 Improper Resolution of Path Equivalence
CWE-173 Improper Handling of Alternate Encoding
	CWE-289 Authentication Bypass by Alternate Name
CWE-178 Improper Handling of Case Sensitivity
	CWE-289 Authentication Bypass by Alternate Name
	CWE-433 Unparsed Raw Web Content Delivery
CWE-183 Permissive List of Allowed Inputs
	CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-184 Incomplete List of Disallowed Inputs
	CWE-434 Unrestricted Upload of File with Dangerous Type
	CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
	CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-185 Incorrect Regular Expression
	CWE-182 Collapse of Data into Unsafe Value
		CWE-33 Path Traversal: '....' (Multiple Dot)
		CWE-34 Path Traversal: '....//'
		CWE-35 Path Traversal: '.../...//'
	CWE-187 Partial String Comparison
CWE-190 Integer Overflow or Wraparound
	CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-193 Off-by-one Error
	CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
	CWE-170 Improper Null Termination
		CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
			CWE-123 Write-what-where Condition
		CWE-126 Buffer Over-read
	CWE-617 Reachable Assertion
CWE-205 Observable Behavioral Discrepancy
	CWE-514 Covert Channel
CWE-208 Observable Timing Discrepancy
	CWE-327 Use of a Broken or Risky Cryptographic Algorithm
	CWE-385 Covert Timing Channel
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer
	CWE-201 Insertion of Sensitive Information Into Sent Data
CWE-226 Sensitive Information in Resource Not Removed Before Reuse
	CWE-201 Insertion of Sensitive Information Into Sent Data
CWE-231 Improper Handling of Extra Values
	CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
	CWE-669 Incorrect Resource Transfer Between Spheres
CWE-252 Unchecked Return Value
	CWE-476 NULL Pointer Dereference
CWE-322 Key Exchange without Entity Authentication
	CWE-923 Improper Restriction of Communication Channel to Intended Endpoints
CWE-330 Use of Insufficiently Random Values
	CWE-804 Guessable CAPTCHA
CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action
	CWE-923 Improper Restriction of Communication Channel to Intended Endpoints
CWE-363 Race Condition Enabling Link Following
	CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-364 Signal Handler Race Condition
	CWE-123 Write-what-where Condition
	CWE-415 Double Free
	CWE-416 Use After Free
		CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
		CWE-123 Write-what-where Condition
CWE-390 Detection of Error Condition Without Action
	CWE-401 Missing Release of Memory after Effective Lifetime
CWE-404 Improper Resource Shutdown or Release
	CWE-619 Dangling Database Cursor ('Cursor Injection')
CWE-410 Insufficient Resource Pool
	CWE-400 Uncontrolled Resource Consumption
CWE-425 Direct Request ('Forced Browsing')
	CWE-471 Modification of Assumed-Immutable Data (MAID)
	CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-430 Deployment of Wrong Handler
	CWE-433 Unparsed Raw Web Content Delivery
CWE-431 Missing Handler
	CWE-433 Unparsed Raw Web Content Delivery
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy') (also a composite component)
	CWE-668 Exposure of Resource to Wrong Sphere
CWE-456 Missing Initialization of a Variable
	CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	CWE-457 Use of Uninitialized Variable
	CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-473 PHP External Variable Modification
	CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-479 Signal Handler Use of a Non-reentrant Function
	CWE-123 Write-what-where Condition
CWE-481 Assigning instead of Comparing
	CWE-697 Incorrect Comparison
CWE-489 Active Debug Code
	CWE-215 Insertion of Sensitive Information Into Debugging Code
CWE-498 Cloneable Class Containing Sensitive Information
	CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-499 Serializable Class Containing Sensitive Data
	CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-562 Return of Stack Variable Address
	CWE-672 Operation on a Resource after Expiration or Release
	CWE-825 Expired Pointer Dereference
		CWE-125 Out-of-bounds Read
		CWE-787 Out-of-bounds Write
CWE-567 Unsynchronized Access to Shared Data in a Multithreaded Context
	CWE-488 Exposure of Data Element to Wrong Session
CWE-570 Expression is Always False
	CWE-561 Dead Code
CWE-571 Expression is Always True
	CWE-561 Dead Code
CWE-590 Free of Memory not on the Heap
	CWE-123 Write-what-where Condition
CWE-600 Uncaught Exception in Servlet
	CWE-209 Generation of Error Message Containing Sensitive Information
CWE-602 Client-Side Enforcement of Server-Side Security
	CWE-471 Modification of Assumed-Immutable Data (MAID)
CWE-606 Unchecked Input for Loop Condition
	CWE-834 Excessive Iteration
CWE-609 Double-Checked Locking
	CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-613 Insufficient Session Expiration (also a composite component)
	CWE-287 Improper Authentication
CWE-621 Variable Extraction Error
	CWE-471 Modification of Assumed-Immutable Data (MAID)
CWE-656 Reliance on Security Through Obscurity
	CWE-259 Use of Hard-coded Password
	CWE-321 Use of Hard-coded Cryptographic Key
	CWE-472 External Control of Assumed-Immutable Web Parameter (also a composite component)
CWE-662 Improper Synchronization
	CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (also a composite component)
CWE-681 Incorrect Conversion between Numeric Types
	CWE-682 Incorrect Calculation
		CWE-170 Improper Null Termination
CWE-756 Missing Custom Error Page
	CWE-209 Generation of Error Message Containing Sensitive Information
CWE-782 Exposed IOCTL with Insufficient Access Control
	CWE-781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
		CWE-822 Untrusted Pointer Dereference
			CWE-125 Out-of-bounds Read
			CWE-787 Out-of-bounds Write
CWE-824 Access of Uninitialized Pointer
	CWE-125 Out-of-bounds Read
	CWE-787 Out-of-bounds Write
CWE-826 Premature Release of Resource During Expected Lifetime
	CWE-672 Operation on a Resource after Expiration or Release
CWE-827 Improper Control of Document Type Definition
	CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-839 Numeric Range Comparison Without Minimum Check
	CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
	CWE-124 Buffer Underwrite ('Buffer Underflow')
	CWE-195 Signed to Unsigned Conversion Error
		CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
	CWE-682 Incorrect Calculation
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')
	CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-909 Missing Initialization of Resource
	CWE-908 Use of Uninitialized Resource
CWE-911 Improper Update of Reference Count
	CWE-672 Operation on a Resource after Expiration or Release
	CWE-772 Missing Release of Resource after Effective Lifetime
CWE-941 Incorrectly Specified Destination in a Communication Channel
	CWE-406 Insufficient Control of Network Message Volume (Network Amplification)
CWE-942 Permissive Cross-domain Policy with Untrusted Domains
	CWE-668 Exposure of Resource to Wrong Sphere
CWE-1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions
	CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-1260 Improper Handling of Overlap Between Protected Memory Ranges
	CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-1265 Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
	CWE-416 Use After Free
CWE-1272 Sensitive Information Uncleared Before Debug/Power State Transition
	CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-1275 Sensitive Cookie with Improper SameSite Attribute
	CWE-352 Cross-Site Request Forgery (CSRF) (also a composite)
CWE-1282 Assumed-Immutable Data is Stored in Writable Memory
	CWE-471 Modification of Assumed-Immutable Data (MAID)
CWE-1284 Improper Validation of Specified Quantity in Input
	CWE-789 Memory Allocation with Excessive Size Value
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
	CWE-471 Modification of Assumed-Immutable Data (MAID)
CWE-1322 Use of Blocking Code in Single-threaded, Non-blocking Context
	CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-1325 Improperly Controlled Sequential Memory Allocation
	CWE-476 NULL Pointer Dereference
CWE-1339 Insufficient Precision or Accuracy of a Real Number
	CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
	CWE-834 Excessive Iteration
CWE-1341 Multiple Releases of Same Resource or Handle
	CWE-672 Operation on a Resource after Expiration or Release