CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Chains and Composites  
ID

Chains and Composites

Introduction
Introduction

This report lists several chains and composites, as represented by various relationships within CWE. They help to illustrate how weaknesses can be combined to create software vulnerabilities, and they help to expose existing problems with classification and terminology.

A Chain is a sequence of two or more separate weaknesses that can be closely linked together within software. One weakness, X, can directly create the conditions that are necessary to cause another weakness, Y, to enter a vulnerable condition. When this happens, CWE refers to X as "primary" to Y, and Y is "resultant" from X. For example, if an integer overflow (CWE-190) occurs when calculating the amount of memory to allocate, an undersized buffer will be created, which can lead to a buffer overflow (CWE-120). In this case, the integer overflow would be primary to the buffer overflow. Chains can involve more than two weaknesses, and in some cases, they might have a tree-like structure.

While CWE primarily contains "implicit" chaining relationships, there are several chains that are so common that they were assigned their own CWE identifiers. These are called Named Chains. For example, CWE-690 covers the integer-overflow-to-buffer-overflow chain in the previous paragraph.

In the schema for CWE 1.0 and later, the CanPrecede relationship is used to identify when the weakness is primary to others, and CanFollow is used to identify when a weakness is resultant from others. These relationships are mostly found within the Research Concepts view (CWE-1000).

A Composite is a combination of two or more separate weaknesses that can create a vulnerability, but only if they all occur all the same time. One weakness, X, can be "broken down" into component weaknesses Y and Z. For example, Symlink Following (CWE-61) is only possible through a combination of several component weaknesses, including predictability (CWE-340), inadequate permissions (CWE-275), and race conditions (CWE-362). By eliminating any single component, a developer can prevent the composite from becoming exploitable. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability; for example, NUL byte interaction errors (CWE-626) can widen the scope of path traversal weaknesses (CWE-22), which often limit which files could be accessed due to idiosyncracies in filename generation.

In the schema for CWE 1.0 and later, the Requires relationship is used by a composite to identify its component weaknesses, and the RequiredBy relationship is used by the components of that composite. In Draft 9, the component relationship was called IsRequiredBy.

Both chains and composites might explain some of the existing differences in security code scanners. For example, one scanner might report the primary part of a chain, and a different scanner might report the resultant part. Both scanners would be correct, but they would be reporting different CWE identifiers in different portions of the code. It is suspected that chains have a correspondence to some aspects of artifact labels as used in vulnerability theory (primarily in crossover and trigger points), but this has not been actively explored.

In general, both chains and composites pose challenges for vulnerability classification and terminology. Sometimes a researcher is only focusing on one weakness in the chain, or one component of the composite. Attempts to create a hierarchical organization of "vulnerabilities" can be complicated, because vulnerabilities can contain multiple weaknesses. The CWE team is actively researching these concepts. Some early discussion is found in the CWE Research List archives.

Chains
Chains
CWE-20 Improper Input Validation
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
--> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
--> CWE-41 Improper Resolution of Path Equivalence
--> CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
--> CWE-770 Allocation of Resources Without Limits or Throttling
CWE-46 Path Equivalence: 'filename ' (Trailing Space)
--> CWE-289 Authentication Bypass by Alternate Name
CWE-52 Path Equivalence: '/multiple/trailing/slash//'
--> CWE-289 Authentication Bypass by Alternate Name
CWE-73 External Control of File Name or Path
--> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
--> CWE-41 Improper Resolution of Path Equivalence
--> CWE-434 Unrestricted Upload of File with Dangerous Type
--> CWE-59 Improper Link Resolution Before File Access ('Link Following')
--> CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
--> CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
--> CWE-117 Improper Output Neutralization for Logs
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
--> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
--> CWE-494 Download of Code Without Integrity Check
CWE-116 Improper Encoding or Escaping of Output
--> CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-128 Wrap-around Error
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-129 Improper Validation of Array Index
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
--> CWE-789 Memory Allocation with Excessive Size Value
--> CWE-476 NULL Pointer Dereference
--> CWE-823 Use of Out-of-range Pointer Offset
--> CWE-125 Out-of-bounds Read
--> CWE-787 Out-of-bounds Write
CWE-130 Improper Handling of Length Parameter Inconsistency
--> CWE-805 Buffer Access with Incorrect Length Value
CWE-131 Incorrect Calculation of Buffer Size
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-134 Use of Externally-Controlled Format String
--> CWE-123 Write-what-where Condition
CWE-172 Encoding Error
--> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
--> CWE-41 Improper Resolution of Path Equivalence
CWE-173 Improper Handling of Alternate Encoding
--> CWE-289 Authentication Bypass by Alternate Name
CWE-178 Improper Handling of Case Sensitivity
--> CWE-289 Authentication Bypass by Alternate Name
--> CWE-433 Unparsed Raw Web Content Delivery
CWE-183 Permissive List of Allowed Inputs
--> CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-184 Incomplete List of Disallowed Inputs
--> CWE-434 Unrestricted Upload of File with Dangerous Type
--> CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
--> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
--> CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-185 Incorrect Regular Expression
--> CWE-182 Collapse of Data into Unsafe Value
--> CWE-33 Path Traversal: '....' (Multiple Dot)
--> CWE-34 Path Traversal: '....//'
--> CWE-35 Path Traversal: '.../...//'
--> CWE-187 Partial String Comparison
CWE-190 Integer Overflow or Wraparound
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-193 Off-by-one Error
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
--> CWE-170 Improper Null Termination
--> CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
--> CWE-123 Write-what-where Condition
--> CWE-126 Buffer Over-read
--> CWE-617 Reachable Assertion
CWE-205 Observable Behavioral Discrepancy
--> CWE-514 Covert Channel
CWE-208 Observable Timing Discrepancy
--> CWE-327 Use of a Broken or Risky Cryptographic Algorithm
--> CWE-385 Covert Timing Channel
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer
--> CWE-201 Insertion of Sensitive Information Into Sent Data
CWE-226 Sensitive Information in Resource Not Removed Before Reuse
--> CWE-201 Insertion of Sensitive Information Into Sent Data
CWE-231 Improper Handling of Extra Values
--> CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
--> CWE-669 Incorrect Resource Transfer Between Spheres
CWE-252 Unchecked Return Value
--> CWE-476 NULL Pointer Dereference
CWE-322 Key Exchange without Entity Authentication
--> CWE-923 Improper Restriction of Communication Channel to Intended Endpoints
CWE-330 Use of Insufficiently Random Values
--> CWE-804 Guessable CAPTCHA
CWE-340 Generation of Predictable Numbers or Identifiers (also a composite component)
--> CWE-384 Session Fixation (also a composite)
CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action
--> CWE-923 Improper Restriction of Communication Channel to Intended Endpoints
CWE-363 Race Condition Enabling Link Following
--> CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-364 Signal Handler Race Condition
--> CWE-123 Write-what-where Condition
--> CWE-415 Double Free
--> CWE-416 Use After Free
--> CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
--> CWE-123 Write-what-where Condition
CWE-390 Detection of Error Condition Without Action
--> CWE-401 Missing Release of Memory after Effective Lifetime
CWE-404 Improper Resource Shutdown or Release
--> CWE-619 Dangling Database Cursor ('Cursor Injection')
CWE-410 Insufficient Resource Pool
--> CWE-400 Uncontrolled Resource Consumption
CWE-425 Direct Request ('Forced Browsing')
--> CWE-471 Modification of Assumed-Immutable Data (MAID)
--> CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-430 Deployment of Wrong Handler
--> CWE-433 Unparsed Raw Web Content Delivery
CWE-431 Missing Handler
--> CWE-433 Unparsed Raw Web Content Delivery
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy') (also a composite component)
--> CWE-668 Exposure of Resource to Wrong Sphere
CWE-456 Missing Initialization of a Variable
--> CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
--> CWE-457 Use of Uninitialized Variable
--> CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
--> CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-473 PHP External Variable Modification
--> CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-479 Signal Handler Use of a Non-reentrant Function
--> CWE-123 Write-what-where Condition
CWE-481 Assigning instead of Comparing
--> CWE-697 Incorrect Comparison
CWE-489 Active Debug Code
--> CWE-215 Insertion of Sensitive Information Into Debugging Code
CWE-498 Cloneable Class Containing Sensitive Information
--> CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-499 Serializable Class Containing Sensitive Data
--> CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-562 Return of Stack Variable Address
--> CWE-672 Operation on a Resource after Expiration or Release
--> CWE-825 Expired Pointer Dereference
--> CWE-125 Out-of-bounds Read
--> CWE-787 Out-of-bounds Write
CWE-567 Unsynchronized Access to Shared Data in a Multithreaded Context
--> CWE-488 Exposure of Data Element to Wrong Session
CWE-570 Expression is Always False
--> CWE-561 Dead Code
CWE-571 Expression is Always True
--> CWE-561 Dead Code
CWE-590 Free of Memory not on the Heap
--> CWE-123 Write-what-where Condition
CWE-600 Uncaught Exception in Servlet
--> CWE-209 Generation of Error Message Containing Sensitive Information
CWE-602 Client-Side Enforcement of Server-Side Security
--> CWE-471 Modification of Assumed-Immutable Data (MAID)
CWE-606 Unchecked Input for Loop Condition
--> CWE-834 Excessive Iteration
CWE-609 Double-Checked Locking
--> CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-613 Insufficient Session Expiration (also a composite component)
--> CWE-287 Improper Authentication
CWE-621 Variable Extraction Error
--> CWE-471 Modification of Assumed-Immutable Data (MAID)
CWE-656 Reliance on Security Through Obscurity
--> CWE-259 Use of Hard-coded Password
--> CWE-321 Use of Hard-coded Cryptographic Key
--> CWE-472 External Control of Assumed-Immutable Web Parameter (also a composite component)
CWE-662 Improper Synchronization
--> CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (also a composite component)
--> CWE-416 Use After Free
--> CWE-476 NULL Pointer Dereference
CWE-681 Incorrect Conversion between Numeric Types
--> CWE-682 Incorrect Calculation
--> CWE-170 Improper Null Termination
CWE-754 Improper Check for Unusual or Exceptional Conditions
--> CWE-416 Use After Free
CWE-756 Missing Custom Error Page
--> CWE-209 Generation of Error Message Containing Sensitive Information
CWE-782 Exposed IOCTL with Insufficient Access Control
--> CWE-781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
--> CWE-822 Untrusted Pointer Dereference
--> CWE-125 Out-of-bounds Read
--> CWE-787 Out-of-bounds Write
CWE-824 Access of Uninitialized Pointer
--> CWE-125 Out-of-bounds Read
--> CWE-787 Out-of-bounds Write
CWE-826 Premature Release of Resource During Expected Lifetime
--> CWE-672 Operation on a Resource after Expiration or Release
CWE-827 Improper Control of Document Type Definition
--> CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-839 Numeric Range Comparison Without Minimum Check
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
--> CWE-124 Buffer Underwrite ('Buffer Underflow')
--> CWE-195 Signed to Unsigned Conversion Error
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
--> CWE-682 Incorrect Calculation
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-909 Missing Initialization of Resource
--> CWE-908 Use of Uninitialized Resource
CWE-911 Improper Update of Reference Count
--> CWE-672 Operation on a Resource after Expiration or Release
--> CWE-772 Missing Release of Resource after Effective Lifetime
CWE-941 Incorrectly Specified Destination in a Communication Channel
--> CWE-406 Insufficient Control of Network Message Volume (Network Amplification)
CWE-942 Permissive Cross-domain Policy with Untrusted Domains
--> CWE-668 Exposure of Resource to Wrong Sphere
CWE-1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-1260 Improper Handling of Overlap Between Protected Memory Ranges
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-1265 Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
--> CWE-416 Use After Free
CWE-1272 Sensitive Information Uncleared Before Debug/Power State Transition
--> CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-1275 Sensitive Cookie with Improper SameSite Attribute
--> CWE-352 Cross-Site Request Forgery (CSRF) (also a composite)
CWE-1282 Assumed-Immutable Data is Stored in Writable Memory
--> CWE-471 Modification of Assumed-Immutable Data (MAID)
CWE-1284 Improper Validation of Specified Quantity in Input
--> CWE-789 Memory Allocation with Excessive Size Value
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
--> CWE-471 Modification of Assumed-Immutable Data (MAID)
CWE-1322 Use of Blocking Code in Single-threaded, Non-blocking Context
--> CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-1325 Improperly Controlled Sequential Memory Allocation
--> CWE-476 NULL Pointer Dereference
CWE-1339 Insufficient Precision or Accuracy of a Real Number
--> CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
--> CWE-834 Excessive Iteration
CWE-1341 Multiple Releases of Same Resource or Handle
--> CWE-672 Operation on a Resource after Expiration or Release
Named Chains
Named Chains
CWE-680Integer Overflow to Buffer Overflow
CWE-690Unchecked Return Value to NULL Pointer Dereference
CWE-692Incomplete Denylist to Cross-Site Scripting
Composites
Composites
CWE-61 UNIX Symbolic Link (Symlink) Following
  • CWE-340 Generation of Predictable Numbers or Identifiers (also a chain link)
  • CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (also a chain link)
  • CWE-386 Symbolic Name not Mapping to Correct Object
  • CWE-732 Incorrect Permission Assignment for Critical Resource
CWE-352 Cross-Site Request Forgery (CSRF) (also a chain link)
  • CWE-346 Origin Validation Error
  • CWE-441 Unintended Proxy or Intermediary ('Confused Deputy') (also a chain link)
  • CWE-613 Insufficient Session Expiration (also a chain link)
  • CWE-642 External Control of Critical State Data
CWE-384 Session Fixation (also a chain link)
  • CWE-346 Origin Validation Error
  • CWE-441 Unintended Proxy or Intermediary ('Confused Deputy') (also a chain link)
  • CWE-472 External Control of Assumed-Immutable Web Parameter (also a chain link)
CWE-689 Permission Race Condition During Resource Copy
  • CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (also a chain link)
  • CWE-732 Incorrect Permission Assignment for Critical Resource
Page Last Updated: July 07, 2024