CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Differences between Draft 8 and Draft 9  
ID

Differences between Draft 8 and Draft 9
Differences between Draft 8 and Draft 9

Summary
Summary
Total new 39
Total deprecated 1
Total shared 656
Total important changes 429
Total major changes 463
Total minor changes 399
Total minor changes (no major) 134
Total unchanged 59
Back to top
Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "CanResultIn" to "CanPrecede" in Draft 9. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Affected_Resource 1 0
Alternate_Terms 1 0
Applicable_Platforms 2 0
Black_Box_Definition 0 0
CVEs_Mentioned 3 0
Causal_Nature 0 0
Common_Consequences 3 0
Common_Methods_of_Exploitation 0 0
Context_Notes 22 2
Demonstrative_Example 3 2
Description 186 50
Detection_Factor 1 0
Enabling_Factors_for_Exploitation 0 0
Functional_Area 0 0
Likelihood_of_Exploit 0 0
Name 248 1
Node_Relationship 202 71
Observed_Example 11 1
Potential_Mitigations 10 0
References 3 0
Related_Attack_Patterns 0 0
Relevant_Properties 3 0
Research_Gaps 0 0
Source_Taxonomy 2 0
Time_of_Introduction 59 0
Type 24 377
Weakness_Ordinality 2 0
White_Box_Definition 0 0

Node Type Changes

From To Total
Unchanged 632
Category View 5
Category Weakness/Class 8
Weakness/Base Composite 5
Weakness/Base Deprecated 1
Weakness/Base Weakness/Class 1
Weakness/Variant Composite 3
Weakness/Variant Weakness/Base 1

Relationship Changes

Relationship Total Draft 8 Tot Draft 9 Tot Unchanged Added to Draft 9 Removed from Draft 9
ALL 2266 1991 2191 1916 275 75
CanAlsoBe 48 48 47 47 1
CanFollow 33 33 32 32 1
CanPrecede 36 33 35 32 3 1
ChildOf 990 826 958 794 164 32
IsRequiredBy 27 25 27 25 2
ParentOf 922 826 890 794 96 32
PeerOf 185 175 177 167 10 8
Requires 25 25 25 25

Nodes Removed from Draft 8

CWE-ID CWE Name
None.

Nodes Added to Draft 9

CWE-ID CWE Name
369 Divide By Zero
658 Weaknesses found in the C Language
659 Weaknesses found in the C++ Language
660 Weaknesses found in the Java Language
661 Weaknesses found in the PHP Language
662 Insufficient Synchronization
663 Use of a Non-reentrant Function in an Unsynchronized Context
664 Insufficient Control of a Resource Through its Lifetime
665 Incorrect or Incomplete Initialization
666 Operation on Resource in Wrong Phase of Lifetime
667 Insufficient Locking
668 Exposure of Resource to Wrong Sphere
669 Incorrect Resource Transfer Between Spheres
670 Always-Incorrect Control Flow Implementation
671 Design Principle Violation: Lack of Administrator Control over Security
672 Use of a Resource after Expiration or Release
673 External Influence of Sphere Definition
674 Uncontrolled Recursion
675 Duplicate Operations on Resource
676 Use of Potentially Dangerous Function
677 Weakness Base Elements
678 Composites
679 Chain Elements
680 Integer Overflow to Buffer Overflow
681 Incorrect Conversion between Numeric Types
682 Incorrect Calculation
683 Function Call With Incorrect Order of Arguments
684 Failure to Provide Specified Functionality
685 Function Call With Incorrect Number of Arguments
686 Function Call With Incorrect Argument Type
687 Function Call With Incorrectly Specified Argument Value
688 Function Call With Incorrect Variable or Reference as Argument
689 Permission Race Condition During Resource Copy
690 Unchecked Return Value to NULL Pointer Dereference
691 Insufficient Control Flow Management
692 Incomplete Blacklist to Cross-Site Scripting
693 Protection Mechanism Failure
1000 Natural Hierarchy
2000 Comprehensive CWE Dictionary

Nodes Deprecated in Draft 9

CWE-ID CWE Name
458 DEPRECATED: Incorrect Initialization
Back to top
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 1 Location
R 2 Environment
NR 5 J2EE Misconfiguration: Data Transmission Without Encryption
R 6 J2EE Misconfiguration: Insufficient Session-ID Length
R 8 J2EE Misconfiguration: Entity Bean Declared Remote
NR 9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
R 12 ASP.NET Misconfiguration: Missing Custom Error Handling
NR 14 Compiler Removal of Code to Clear Buffers
NR 15 External Control of System or Configuration Setting
R 18 Source Code
D R 20 Insufficient Input Validation
D R 22 Path Traversal
D 23 Relative Path Traversal
N 24 Path Traversal: '../filedir'
N 25 Path Traversal: '/../filedir'
N 26 Path Traversal: '/dir/../filename'
N 27 Path Traversal: 'dir/../../filename'
N 28 Path Traversal: '..\filename'
N 29 Path Traversal: '\..\filename'
N 30 Path Traversal: '\dir\..\filename'
N 31 Path Traversal: 'dir\..\filename'
N 32 Path Traversal: '...' (Triple Dot)
N 33 Path Traversal: '....' (Multiple Dot)
N 34 Path Traversal: '....//'
N 35 Path Traversal: '.../...//'
D 36 Absolute Path Traversal
N 37 Path Traversal: '/absolute/pathname/here'
N 38 Path Traversal: '\absolute\pathname\here'
N 39 Path Traversal: 'C:dirname'
N 40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
N 41 Failure to Resolve Path Equivalence
N 42 Path Equivalence: 'filename.' (Trailing Dot)
N 43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
N 44 Path Equivalence: 'file.name' (Internal Dot)
N 45 Path Equivalence: 'file...name' (Multiple Internal Dot)
N 46 Path Equivalence: 'filename ' (Trailing Space)
N 47 Path Equivalence: ' filename (Leading Space)
N 48 Path Equivalence: 'file name' (Internal Whitespace)
N 49 Path Equivalence: 'filename/' (Trailing Slash)
N 50 Path Equivalence: '//multiple/leading/slash'
N 51 Path Equivalence: '/multiple//internal/slash'
N 52 Path Equivalence: '/multiple/trailing/slash//'
N 53 Path Equivalence: '\multiple\\internal\backslash'
N 54 Path Equivalence: 'filedir\' (Trailing Backslash)
N 55 Path Equivalence: '/./' (Single Dot Directory)
N 56 Path Equivalence: 'filedir*' (Wildcard)
N 57 Path Equivalence: 'dirname/fakechild/../realchild/filename'
N 58 Path Equivalence: Windows 8.3 Filename
DN 59 Failure to Resolve Links Before File Access (aka 'Link Following')
R 62 UNIX Hard Link
DNR 66 Failure to Handle File Names that Identify Virtual Resources
N 67 Failure to Handle Windows Device Names
NR 69 Failure to Handle Windows ::DATA Alternate Data Stream
R 71 Apple '.DS_Store'
R 72 Apple HFS+ Alternate Data Stream
N 73 External Control of File Name or Path
N 74 Failure to Sanitize Data into a Different Plane (aka 'Injection')
N 75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
DN 76 Failure to Resolve Equivalent Special Elements into a Different Plane
N 77 Failure to Sanitize Data into a Control Plane (aka 'Command Injection')
N 78 Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')
DNR 79 Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))
N 80 Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS)
N 81 Failure to Sanitize Directives in an Error Message Web Page
N 82 Failure to Sanitize Script in Attributes of IMG Tags in a Web Page
N 83 Failure to Sanitize Script in Attributes in a Web Page
N 84 Failure to Resolve Encoded URI Schemes in a Web Page
D 88 Argument Injection or Modification
N 89 Failure to Sanitize Data into SQL Queries (aka 'SQL Injection')
DN 90 Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection')
DN 93 Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')
D R 94 Code Injection
N 95 Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection')
DN 96 Insufficient Control of Directives in Statically Saved Code (Static Code Injection)
N 97 Failure to Sanitize Server-Side Includes (SSI) Within a Web Page
N 98 Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion')
N 99 Insufficient Control of Resource Identifiers (aka 'Resource Injection')
R 102 Struts: Duplicate Validation Forms
N 111 Direct Use of Unsafe JNI
N 113 Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')
N 115 Misinterpretation of Input
DN 116 Incorrect Output Sanitization
DN 117 Incorrect Output Sanitization for Logs
DNR 119 Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer
R 120 Unbounded Transfer ('Classic Buffer Overflow')
D 122 Heap-based Buffer Overflow
D 131 Incorrect Calculation of Buffer Size
R 132 Miscalculated Null Termination
R 133 String Errors
D R 134 Uncontrolled Format String
DNR 135 Incorrect Calculation of Multi-Byte String Length
R 137 Representation Errors
DNR 138 Failure to Sanitize Special Elements
DN 140 Failure to Sanitize Delimiters
DN 141 Failure to Sanitize Parameter/Argument Delimiters
DN 142 Failure to Sanitize Value Delimiters
DN 143 Failure to Sanitize Record Delimiters
DN 144 Failure to Sanitize Line Delimiters
N 145 Failure to Sanitize Section Delimiters
N 146 Failure to Sanitize Expression/Command Delimiters
N 147 Failure to Sanitize Input Terminators
N 148 Failure to Sanitize Input Leaders
DN 149 Failure to Sanitize Quoting Syntax
N 150 Failure to Sanitize Escape, Meta, or Control Sequences
DN 151 Failure to Sanitize Comment Element
DN 152 Failure to Sanitize Macro Symbol
DN 153 Failure to Sanitize Substitution Character
N 154 Failure to Sanitize Variable Name Delimiter
DN 155 Failure to Sanitize Wildcard or Matching Symbol
DN 156 Failure to Sanitize Whitespace
N 157 Failure to Sanitize Paired Delimiters
DN 158 Failure to Sanitize Null Byte or NUL Character
N 159 Failure to Sanitize Special Element
N 160 Failure to Sanitize Leading Special Element
N 161 Failure to Sanitize Multiple Leading Special Elements
N 162 Failure to Sanitize Trailing Special Element
N 163 Failure to Sanitize Multiple Trailing Special Elements
N 164 Failure to Sanitize Internal Special Element
N 165 Failure to Sanitize Multiple Internal Special Elements
N 166 Failure to Handle Missing Special Element
DN 167 Failure to Handle Additional Special Element
N 168 Failure to Resolve Inconsistent Special Elements
D 171 Cleansing, Canonicalization, and Comparison Errors
D 172 Encoding Error
DN 173 Failure to Handle Alternate Encoding
DNR 174 Double Decoding of the Same Data
DN 175 Failure to Handle Mixed Encoding
DN 176 Failure to Handle Unicode Encoding
N 177 Failure to Handle URL Encoding (Hex Encoding)
N 178 Failure to Resolve Case Sensitivity
NR 179 Incorrect Behavior Order: Early Validation
NR 180 Incorrect Behavior Order: Validate Before Canonicalize
NR 181 Incorrect Behavior Order: Validate Before Filter
R 182 Collapse of Data Into Unsafe Value
R 183 Permissive Whitelist
R 184 Incomplete Blacklist
D 186 Overly Restrictive Regular Expression
DNR 188 Reliance on Data/Memory Layout
R 189 Numeric Errors
D R 191 Integer Underflow (Wrap or Wraparound)
D R 193 Off-by-one Error
NR 194 Incorrect Sign Extension
R 195 Signed to Unsigned Conversion Error
D R 196 Unsigned to Signed Conversion Error
R 197 Numeric Truncation Error
NR 198 Use of Incorrect Byte Ordering
N 202 Privacy Leak through Data Queries
D R 209 Error Message Information Leaks
N 214 Process Environment Information Leak
D R 221 Information Loss or Omission
D 223 Omission of Security-relevant Information
DN 226 Sensitive Information Uncleared Before Release
NR 227 Failure to Fulfill API Contract (aka 'API Abuse')
R 228 Structure and Validity Problems
N 229 Improper Handling of Values
N 230 Failure to Handle Missing Value
N 231 Failure to Handle Extra Value
N 232 Failure to Handle Undefined Value
N 234 Failure to Handle Missing Parameter
DN 235 Failure to Handle Extra Parameter
DN 236 Failure to Handle Undefined Parameter
N 238 Failure to Handle Missing Element
N 239 Failure to Handle Incomplete Element
N 240 Failure to Resolve Inconsistent Elements
N 241 Failure to Handle Wrong Data Type
DNR 242 Use of Inherently Dangerous Function
D R 243 Failure to Change Working Directory in chroot Jail
NR 244 Failure to Clear Heap Memory Before Release
DNR 245 J2EE Bad Practices: Direct Management of Connections
DNR 246 J2EE Bad Practices: Direct Use of Sockets
NR 247 Reliance on DNS Lookups in a Security Decision
R 248 Uncaught Exception
R 249 Often Misused: Path Manipulation
R 250 Design Principle Violation: Failure to Use Least Privilege
R 251 Often Misused: String Management
R 252 Unchecked Return Value
R 253 Misinterpreted Function Return Value
R 254 Security Features
R 258 Empty Password in Configuration File
R 259 Hard-Coded Password
R 260 Password in Configuration File
NR 262 Not Using Password Aging
NR 263 Password Aging with Long Expiration
N 267 Privilege Defined With Unsafe Actions
N 274 Failure to Handle Insufficient Privileges
R 275 Permission Issues
R 276 Insecure Default Permissions
R 281 Permission Preservation Failure
N 282 Improper Ownership Management
D 284 Access Control Issues
NR 287 Insufficient Authentication
R 296 Failure to Follow Chain of Trust in Certificate Validation
R 297 Failure to Validate Host-specific Certificate Data
R 298 Failure to Validate Certificate Expiration
R 299 Failure to Check for Certificate Revocation
DN 300 Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')
DN 303 Improper Implementation of Authentication Algorithm
R 304 Missing Critical Step in Authentication
N 307 Failure to Restrict Excessive Authentication Attempts
N 308 Use of Single-factor Authentication
N 309 Use of Password System for Primary Authentication
R 310 Cryptographic Issues
NR 311 Failure to Encrypt Sensitive Data
D R 312 Plaintext Storage of Sensitive Information
DN 313 Plaintext Storage in a File or on Disk
DN 314 Plaintext Storage in the Registry
DN 315 Plaintext Storage in a Cookie
D 316 Plaintext Storage in Memory
D 317 Plaintext Storage in GUI
R 319 Plaintext Transmission of Sensitive Information
D R 321 Use of Hard-coded Cryptographic Key
D R 322 Key Exchange without Entity Authentication
DNR 324 Use of a Key Past its Expiration Date
R 325 Missing Required Cryptographic Step
R 326 Weak Encryption
N 327 Use of a Broken or Risky Cryptographic Algorithm
D 328 Reversible One-Way Hash
D R 329 Not Using a Random IV with CBC Mode
NR 330 Use of Insufficiently Random Values
D 332 Insufficient Entropy in PRNG
N 333 Failure to Handle Insufficient Entropy in TRNG
R 334 Small Space of Random Values
D 335 PRNG Seed Error
DN 338 Use of Cryptographically Weak PRNG
R 341 Predictable from Observable State
R 342 Predictable Exact Value from Previous Values
D R 343 Predictable Value Range from Previous Values
DNR 344 Use of Invariant Value in Dynamically Changing Context
DNR 345 Insufficient Verification of Data Authenticity
DN 349 Acceptance of Extraneous Untrusted Data With Trusted Data
R 357 Insufficient UI Warning of Dangerous Operations
R 358 Improperly Implemented Security Check for Standard
R 359 Privacy Violation
R 360 Trust of System Event Data
R 361 Time and State
DNR 362 Race Condition
D 365 Race Condition in Switch
R 373 State Synchronization Error
R 374 Mutable Objects Passed by Reference
D R 375 Passing Mutable Objects to an Untrusted Method
NR 378 Creation of Temporary File With Insecure Permissions
NR 379 Creation of Temporary File in Directory with Insecure Permissions
DNR 382 J2EE Bad Practices: Use of System.exit()
N 383 J2EE Bad Practices: Direct Use of Threads
D R 386 Symbolic Name not Mapping to Correct Object
R 389 Error Conditions, Return Values, Status Codes
N 390 Detection of Error Condition Without Action
N 392 Failure to Report Error in Status Code
DN 393 Return of Wrong Status Code
D 394 Unexpected Status Code or Return Value
NR 395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
N 396 Declaration of Catch for Generic Exception
N 397 Declaration of Throws for Generic Exception
DNR 398 Indicator of Poor Code Quality
R 399 Resource Management Errors
NR 401 Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')
DNR 402 Transmission of Private Resources into a New Sphere (aka 'Resource Leak')
D R 404 Improper Resource Shutdown or Release
DN 408 Incorrect Behavior Order: Early Amplification
N 409 Failure to Handle Highly Compressed Data (Data Amplification)
NR 412 Unrestricted Lock on Critical Resource
R 413 Insufficient Resource Locking
R 414 Missing Lock Check
D R 415 Double Free
D R 416 Use After Free
R 419 Unprotected Primary Channel
R 420 Unprotected Alternate Channel
DN 421 Race Condition During Access to Alternate Channel
R 422 Unprotected Windows Messaging Channel ('Shatter')
DNR 424 Failure to Protect Alternate Path
R 426 Untrusted Search Path
D 428 Unquoted Search Path or Element
R 429 Handler Errors
NR 430 Deployment of Wrong Handler
R 431 Missing Handler
N 432 Dangerous Handler not Disabled During Sensitive Operations
R 433 Unparsed Raw Web Content Delivery
R 434 Unrestricted File Upload
N 435 Interaction Error
NR 436 Interpretation Conflict
DN 437 Incomplete Model of Endpoint Features
N 439 Behavioral Change in New Version or Environment
R 440 Expected Behavior Violation
R 441 Unintended Proxy/Intermediary
D 443 DEPRECATED (Duplicate): HTTP response splitting
NR 444 Interpretation Conflict in Web Traffic (aka 'HTTP Request Smuggling')
N 445 User Interface Errors
NR 446 UI Discrepancy for Security Feature
R 447 Unimplemented or Unsupported Feature in UI
D R 450 Multiple Interpretations of UI Input
R 451 UI Misrepresentation of Critical Information
R 452 Initialization and Cleanup Errors
R 453 Insecure Default Variable Initialization
DNR 454 External Initialization of Trusted Variables
D R 455 Non-exit on Failed Initialization
R 456 Missing Initialization
DN 457 Use of Uninitialized Variable
DNR 458 DEPRECATED: Incorrect Initialization
R 459 Incomplete Cleanup
D R 460 Improper Cleanup on Thrown Exception
R 462 Duplicate Key in Associative List (Alist)
N 463 Deletion of Data Structure Sentinel
NR 464 Addition of Data Structure Sentinel
DNR 466 Return of Pointer Value Outside of Expected Range
D R 467 Use of sizeof() on a Pointer Type
NR 468 Incorrect Pointer Scaling
DNR 469 Use of Pointer Subtraction to Determine Size
DNR 470 Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection')
DN 472 External Control of Assumed-Immutable Web Parameter
DNR 474 Use of Function with Inconsistent Implementations
NR 475 Undefined Behavior for Input to API
D R 476 NULL Pointer Dereference
D 477 Use of Obsolete Functions
N 478 Failure to Use Default Case in Switch
D 479 Unsafe Function Call from a Signal Handler
DN 480 Use of Incorrect Operator
D 481 Assigning instead of Comparing
D 482 Comparing instead of Assigning
D R 483 Incorrect Block Delimitation
D R 484 Omitted Break Statement
DN 485 Insufficient Encapsulation
DN 486 Comparison of Classes by Name
N 487 Reliance on Package-level Scope
DNR 488 Data Leak Between Sessions
D 489 Leftover Debug Code
D 490 Mobile Code Issues
DN 491 Public cloneable() Method Without Final (aka 'Object Hijack')
NR 492 Use of Inner Class Containing Sensitive Data
DNR 493 Critical Public Variable Without Final Modifier
DNR 494 Download of Untrusted Mobile Code Without Integrity Check
D 495 Private Array-Typed Field Returned From A Public Method
N 497 Information Leak of System Data
D 498 Information Leak through Class Cloning
DN 499 Serializable Class Containing Sensitive Data
DN 500 Static Field Not Marked Final
D 501 Trust Boundary Violation
D 502 Deserialization of Untrusted Data
D R 503 Byte/Object Code
D R 504 Motivation/Intent
D 505 Intentionally Introduced Weakness
D 506 Embedded Malicious Code
D 507 Trojan Horse
N 509 Replicating Malicious Code (Virus or Worm)
D 516 DEPRECATED (Duplicate): Covert Timing Channel
D 519 .NET Environment Issues
N 520 .NET Misconfiguration: Use of Impersonation
D R 521 Weak Password Requirements
R 522 Insufficiently Protected Credentials
D 528 Information Leak Through Core Dump Files
D 531 Information Leak Through Test Code
D 534 Information Leak Through Debug Log Files
D 542 Information Leak Through Cleanup Log Files
R 543 Use of Singleton Pattern in a Non-thread-safe Manner
D 544 Missing Error Handling Mechanism
N 545 Use of Dynamic Class Loading
D 546 Suspicious Comment
DN 547 Use of Hard-coded, Security-relevant Constants
R 549 Missing Password Field Masking
N 551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
NR 552 Files or Directories Accessible to External Parties
DN 553 Command Shell in Externally Accessible Directory
DN 554 ASP.NET Misconfiguration: Not Using Input Validation Framework
DNR 555 J2EE Misconfiguration: Plaintext Password in Configuration File
N 556 ASP.NET Misconfiguration: Use of Identity Impersonation
D 557 Concurrency Issues
DNR 558 Use of getlogin() in Multithreaded Application
R 559 Often Misused: Arguments and Parameters
DNR 560 Use of umask() with chmod-style Argument
D 561 Dead Code
DNR 562 Return of Stack Variable Address
NR 565 Use of Cookies in Security Decision
D R 567 Unsynchronized Access to Shared Data
NR 568 finalize() Method Without super.finalize()
DN 572 Call to Thread run() instead of start()
D R 573 Failure to Follow Specification
D 574 EJB Bad Practices: Use of Synchronization Primitives
D 575 EJB Bad Practices: Use of AWT Swing
D 576 EJB Bad Practices: Use of Java I/O
D 577 EJB Bad Practices: Use of Sockets
D 578 EJB Bad Practices: Use of Class Loader
D 579 J2EE Bad Practices: Non-serializable Object Stored in Session
N 580 clone() Method Without super.clone()
D 581 Object Model Violation: Just One of Equals and Hashcode Defined
DN 582 Array Declared Public, Final, and Static
NR 583 finalize() Method Declared Public
D R 584 Return Inside Finally Block
R 586 Explicit Call to Finalize
D R 587 Assignment of a Fixed Address to a Pointer
D 588 Attempt to Access Child of a Non-structure Pointer
NR 589 Call to Non-ubiquitous API
N 590 Free of Invalid Pointer Not on the Heap
DN 591 Sensitive Data Storage in Improperly Locked Memory
D 592 Authentication Bypass Issues
R 593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
N 594 J2EE Framework: Saving Unserializable Objects to Disk
N 595 Incorrect Syntactic Object Comparison
N 596 Incorrect Semantic Object Comparison
DN 597 Use of Wrong Operator in String Comparison
DN 598 Information Leak Through Query Strings in GET Request
N 599 Trust of OpenSSL Certificate Without Validation
DNR 600 Failure to Catch All Exceptions (Missing Catch Block)
DNR 601 URL Redirection to Untrusted Site
DNR 602 Design Principle Violation: Client-Side Enforcement of Server-Side Security
DN 603 Use of Client-Side Authentication
D R 604 Deprecated
NR 605 Multiple Binds to the Same Port
D 606 Unchecked Input for Loop Condition
D 607 Public Static Final Field References Mutable Object
D 608 Struts: Non-private Field in ActionForm Class
DNR 609 Double-Checked Locking
DNR 610 Externally Controlled Reference to a Resource in Another Sphere
D R 611 Information Leak Through XML External Entity File Disclosure
DNR 612 Information Leak Through Indexing of Private Data
R 613 Insufficient Session Expiration
DN 614 Sensitive Cookie in HTTPS Session Without "Secure" Attribute
R 617 Reachable Assertion
R 618 Exposed Unsafe ActiveX Method
NR 619 Dangling Database Cursor (aka 'Cursor Injection')
D R 623 Unsafe ActiveX Control Marked Safe For Scripting
R 624 Executable Regular Expression Error
D 626 Null Byte Interaction Error (Poison Null Byte)
R 627 Dynamic Variable Evaluation
DNR 628 Function Call with Incorrectly Specified Arguments
D 631 Resource-specific Weaknesses
R 636 Design Principle Violation: Not Failing Securely
NR 642 External Control of User State Data
R 648 Improper Use of Privileged APIs
N 649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
R 657 Violation of Secure Design Principles
Back to top
Detailed Difference Report
Detailed Difference Report
1 Location
Major Node_Relationship
Minor Type, Description
2 Environment
Major Node_Relationship
Minor Type, Description
3 Technology-specific Environment Issues
Major None
Minor Type, Description
4 J2EE Environment Issues
Major None
Minor Type
5 J2EE Misconfiguration: Data Transmission Without Encryption
Major Name, Node_Relationship
Minor None
6 J2EE Misconfiguration: Insufficient Session-ID Length
Major Node_Relationship
Minor None
8 J2EE Misconfiguration: Entity Bean Declared Remote
Major Node_Relationship
Minor None
9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Major Name, Node_Relationship
Minor None
10 ASP.NET Environment Issues
Major None
Minor Type
12 ASP.NET Misconfiguration: Missing Custom Error Handling
Major Node_Relationship
Minor None
14 Compiler Removal of Code to Clear Buffers
Major Name, Node_Relationship
Minor Type
15 External Control of System or Configuration Setting
Major Name, Node_Relationship
Minor Type
16 Configuration
Major None
Minor Type, Description
17 Code
Major None
Minor Type, Description
18 Source Code
Major Node_Relationship
Minor Type, Description
19 Data Handling
Major None
Minor Type, Description
20 Insufficient Input Validation
Major Description, Node_Relationship
Minor Type
21 Pathname Traversal and Equivalence Errors
Major None
Minor Type
22 Path Traversal
Major Description, Node_Relationship
Minor Type
23 Relative Path Traversal
Major Description
Minor Type
24 Path Traversal: '../filedir'
Major Name
Minor None
25 Path Traversal: '/../filedir'
Major Name
Minor None
26 Path Traversal: '/dir/../filename'
Major Name
Minor None
27 Path Traversal: 'dir/../../filename'
Major Name
Minor None
28 Path Traversal: '..\filename'
Major Name
Minor None
29 Path Traversal: '\..\filename'
Major Name
Minor None
30 Path Traversal: '\dir\..\filename'
Major Name
Minor None
31 Path Traversal: 'dir\..\filename'
Major Name
Minor None
32 Path Traversal: '...' (Triple Dot)
Major Name
Minor None
33 Path Traversal: '....' (Multiple Dot)
Major Name
Minor None
34 Path Traversal: '....//'
Major Name
Minor None
35 Path Traversal: '.../...//'
Major Name
Minor None
36 Absolute Path Traversal
Major Description, Potential_Mitigations
Minor Type
37 Path Traversal: '/absolute/pathname/here'
Major Name
Minor None
38 Path Traversal: '\absolute\pathname\here'
Major Name
Minor None
39 Path Traversal: 'C:dirname'
Major Name
Minor None
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major Name
Minor None
41 Failure to Resolve Path Equivalence
Major Name
Minor Type
42 Path Equivalence: 'filename.' (Trailing Dot)
Major Name
Minor None
43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
Major Name
Minor None
44 Path Equivalence: 'file.name' (Internal Dot)
Major Name
Minor None
45 Path Equivalence: 'file...name' (Multiple Internal Dot)
Major Name
Minor None
46 Path Equivalence: 'filename ' (Trailing Space)
Major Name
Minor Node_Relationship
47 Path Equivalence: ' filename (Leading Space)
Major Name
Minor None
48 Path Equivalence: 'file name' (Internal Whitespace)
Major Name
Minor None
49 Path Equivalence: 'filename/' (Trailing Slash)
Major Name
Minor None
50 Path Equivalence: '//multiple/leading/slash'
Major Name, Observed_Example
Minor None
51 Path Equivalence: '/multiple//internal/slash'
Major Name
Minor None
52 Path Equivalence: '/multiple/trailing/slash//'
Major Name
Minor Node_Relationship
53 Path Equivalence: '\multiple\\internal\backslash'
Major Name
Minor None
54 Path Equivalence: 'filedir\' (Trailing Backslash)
Major Name
Minor None
55 Path Equivalence: '/./' (Single Dot Directory)
Major Name
Minor None
56 Path Equivalence: 'filedir*' (Wildcard)
Major Name
Minor None
57 Path Equivalence: 'dirname/fakechild/../realchild/filename'
Major Name
Minor None
58 Path Equivalence: Windows 8.3 Filename
Major Name
Minor None
59 Failure to Resolve Links Before File Access (aka 'Link Following')
Major Name, Description
Minor Type
60 UNIX Path Link Problems
Major None
Minor Type, Description
61 UNIX Symbolic Link (Symlink) Following
Major Type
Minor None
62 UNIX Hard Link
Major Node_Relationship
Minor None
63 Windows Path Link Problems
Major None
Minor Type, Description
66 Failure to Handle File Names that Identify Virtual Resources
Major Name, Type, Description, Affected_Resource, Node_Relationship
Minor None
67 Failure to Handle Windows Device Names
Major Name
Minor None
68 Windows Virtual File Problems
Major None
Minor Type, Description
69 Failure to Handle Windows ::DATA Alternate Data Stream
Major Name, Potential_Mitigations, Node_Relationship
Minor Description
70 Mac Virtual File Problems
Major None
Minor Type, Description
71 Apple '.DS_Store'
Major Node_Relationship
Minor None
72 Apple HFS+ Alternate Data Stream
Major Node_Relationship
Minor None
73 External Control of File Name or Path
Major Name
Minor Type
74 Failure to Sanitize Data into a Different Plane (aka 'Injection')
Major Name, Context_Notes
Minor Type
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major Name
Minor Type
76 Failure to Resolve Equivalent Special Elements into a Different Plane
Major Name, Description
Minor Type
77 Failure to Sanitize Data into a Control Plane (aka 'Command Injection')
Major Name
Minor Type
78 Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')
Major Name, Observed_Example
Minor Type, Node_Relationship
79 Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))
Major Name, Description, Observed_Example, CVEs_Mentioned, Node_Relationship
Minor Type
80 Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS)
Major Name
Minor None
81 Failure to Sanitize Directives in an Error Message Web Page
Major Name
Minor None
82 Failure to Sanitize Script in Attributes of IMG Tags in a Web Page
Major Name
Minor None
83 Failure to Sanitize Script in Attributes in a Web Page
Major Name
Minor None
84 Failure to Resolve Encoded URI Schemes in a Web Page
Major Name
Minor None
86 Invalid Characters in Identifiers
Major None
Minor Node_Relationship
88 Argument Injection or Modification
Major Description
Minor Type
89 Failure to Sanitize Data into SQL Queries (aka 'SQL Injection')
Major Name
Minor Type, Node_Relationship
90 Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection')
Major Name, Description
Minor Type
91 XML Injection (aka Blind XPath Injection)
Major None
Minor Type
92 Custom Special Character Injection
Major None
Minor Type
93 Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')
Major Name, Description
Minor Type, Node_Relationship
94 Code Injection
Major Description, Potential_Mitigations, Node_Relationship
Minor Type
95 Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection')
Major Name
Minor Type
96 Insufficient Control of Directives in Statically Saved Code (Static Code Injection)
Major Name, Description
Minor Type
97 Failure to Sanitize Server-Side Includes (SSI) Within a Web Page
Major Name
Minor Type
98 Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion')
Major Name, Type
Minor Description, Node_Relationship
99 Insufficient Control of Resource Identifiers (aka 'Resource Injection')
Major Name
Minor Type, Node_Relationship
100 Technology-Specific Input Validation Problems
Major None
Minor Type, Node_Relationship
101 Struts Validation Problems
Major None
Minor Type
102 Struts: Duplicate Validation Forms
Major Node_Relationship
Minor None
111 Direct Use of Unsafe JNI
Major Name
Minor Type
112 Missing XML Validation
Major None
Minor Type
113 Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')
Major Name
Minor Type, Node_Relationship
114 Process Control
Major None
Minor Type
115 Misinterpretation of Input
Major Name
Minor Type
116 Incorrect Output Sanitization
Major Name, Description
Minor Type
117 Incorrect Output Sanitization for Logs
Major Name, Description
Minor Type, Node_Relationship
118 Range Errors
Major None
Minor Type
119 Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer
Major Name, Type, Description, Node_Relationship
Minor None
120 Unbounded Transfer ('Classic Buffer Overflow')
Major Type, Time_of_Introduction, Node_Relationship
Minor None
121 Stack-based Buffer Overflow
Major Context_Notes, Time_of_Introduction
Minor None
122 Heap-based Buffer Overflow
Major Description, Time_of_Introduction
Minor Node_Relationship
123 Write-what-where Condition
Major None
Minor Type, Node_Relationship
124 Boundary Beginning Violation ('Buffer Underwrite')
Major Time_of_Introduction
Minor Type, Node_Relationship
125 Out-of-bounds Read
Major Time_of_Introduction
Minor Type
126 Buffer Over-read
Major Time_of_Introduction
Minor None
127 Buffer Under-read
Major Time_of_Introduction
Minor None
128 Wrap-around Error
Major Time_of_Introduction
Minor Type, Node_Relationship
129 Unchecked Array Indexing
Major Time_of_Introduction
Minor Type, Node_Relationship
130 Length Parameter Inconsistency
Major Time_of_Introduction
Minor Type
131 Incorrect Calculation of Buffer Size
Major Description, Context_Notes
Minor Type
132 Miscalculated Null Termination
Major Node_Relationship
Minor Type
133 String Errors
Major Node_Relationship
Minor Type, Description
134 Uncontrolled Format String
Major Description, Time_of_Introduction, Node_Relationship
Minor Type
135 Incorrect Calculation of Multi-Byte String Length
Major Name, Description, Node_Relationship
Minor Type
136 Type Errors
Major None
Minor Type, Description
137 Representation Errors
Major Node_Relationship
Minor Type, Description
138 Failure to Sanitize Special Elements
Major Name, Type, Description, Node_Relationship
Minor None
139 General Special Element Problems
Major None
Minor Type
140 Failure to Sanitize Delimiters
Major Name, Description
Minor Type
141 Failure to Sanitize Parameter/Argument Delimiters
Major Name, Description
Minor None
142 Failure to Sanitize Value Delimiters
Major Name, Description
Minor None
143 Failure to Sanitize Record Delimiters
Major Name, Description
Minor None
144 Failure to Sanitize Line Delimiters
Major Name, Description
Minor None
145 Failure to Sanitize Section Delimiters
Major Name
Minor None
146 Failure to Sanitize Expression/Command Delimiters
Major Name
Minor None
147 Failure to Sanitize Input Terminators
Major Name
Minor None
148 Failure to Sanitize Input Leaders
Major Name
Minor None
149 Failure to Sanitize Quoting Syntax
Major Name, Description
Minor None
150 Failure to Sanitize Escape, Meta, or Control Sequences
Major Name
Minor None
151 Failure to Sanitize Comment Element
Major Name, Description
Minor None
152 Failure to Sanitize Macro Symbol
Major Name, Description
Minor None
153 Failure to Sanitize Substitution Character
Major Name, Description
Minor None
154 Failure to Sanitize Variable Name Delimiter
Major Name
Minor None
155 Failure to Sanitize Wildcard or Matching Symbol
Major Name, Description
Minor None
156 Failure to Sanitize Whitespace
Major Name, Description
Minor None
157 Failure to Sanitize Paired Delimiters
Major Name, Observed_Example
Minor None
158 Failure to Sanitize Null Byte or NUL Character
Major Name, Description, Time_of_Introduction
Minor None
159 Failure to Sanitize Special Element
Major Name
Minor Type
160 Failure to Sanitize Leading Special Element
Major Name
Minor None
161 Failure to Sanitize Multiple Leading Special Elements
Major Name
Minor None
162 Failure to Sanitize Trailing Special Element
Major Name
Minor None
163 Failure to Sanitize Multiple Trailing Special Elements
Major Name
Minor None
164 Failure to Sanitize Internal Special Element
Major Name
Minor None
165 Failure to Sanitize Multiple Internal Special Elements
Major Name
Minor None
166 Failure to Handle Missing Special Element
Major Name
Minor Type
167 Failure to Handle Additional Special Element
Major Name, Description
Minor Type
168 Failure to Resolve Inconsistent Special Elements
Major Name
Minor Type
169 Technology-Specific Special Elements
Major None
Minor Type, Description
170 Improper Null Termination
Major None
Minor Type, Node_Relationship
171 Cleansing, Canonicalization, and Comparison Errors
Major Description
Minor Type, Node_Relationship
172 Encoding Error
Major Type, Description
Minor None
173 Failure to Handle Alternate Encoding
Major Name, Description
Minor Node_Relationship
174 Double Decoding of the Same Data
Major Name, Description, Time_of_Introduction, Node_Relationship
Minor None
175 Failure to Handle Mixed Encoding
Major Name, Description
Minor None
176 Failure to Handle Unicode Encoding
Major Name, Description
Minor None
177 Failure to Handle URL Encoding (Hex Encoding)
Major Name
Minor None
178 Failure to Resolve Case Sensitivity
Major Name
Minor Type, Node_Relationship
179 Incorrect Behavior Order: Early Validation
Major Name, Node_Relationship
Minor Type
180 Incorrect Behavior Order: Validate Before Canonicalize
Major Name, Time_of_Introduction, Node_Relationship
Minor None
181 Incorrect Behavior Order: Validate Before Filter
Major Name, Time_of_Introduction, Node_Relationship
Minor None
182 Collapse of Data Into Unsafe Value
Major Time_of_Introduction, Node_Relationship
Minor Name, Type
183 Permissive Whitelist
Major Time_of_Introduction, Node_Relationship
Minor Type
184 Incomplete Blacklist
Major References, Weakness_Ordinality, Time_of_Introduction, Node_Relationship
Minor Type
185 Regular Expression Error
Major None
Minor Type
186 Overly Restrictive Regular Expression
Major Description
Minor Type
187 Partial Comparison
Major None
Minor Type, Node_Relationship
188 Reliance on Data/Memory Layout
Major Name, Description, Node_Relationship
Minor Type
189 Numeric Errors
Major Node_Relationship
Minor Type, Description
190 Integer Overflow (Wrap or Wraparound)
Major Time_of_Introduction
Minor Type, Node_Relationship
191 Integer Underflow (Wrap or Wraparound)
Major Description, Time_of_Introduction, Node_Relationship
Minor Type
192 Integer Coercion Error
Major Time_of_Introduction
Minor Type
193 Off-by-one Error
Major Description, Time_of_Introduction, Node_Relationship
Minor Type
194 Incorrect Sign Extension
Major Name, Time_of_Introduction, Node_Relationship
Minor Type
195 Signed to Unsigned Conversion Error
Major Time_of_Introduction, Node_Relationship
Minor None
196 Unsigned to Signed Conversion Error
Major Description, Time_of_Introduction, Node_Relationship
Minor None
197 Numeric Truncation Error
Major Time_of_Introduction, Node_Relationship
Minor Type
198 Use of Incorrect Byte Ordering
Major Name, Node_Relationship
Minor Type
199 Information Management Errors
Major None
Minor Type, Description
200 Information Leak (Information Disclosure)
Major None
Minor Type
202 Privacy Leak through Data Queries
Major Name
Minor None
203 Discrepancy Information Leaks
Major None
Minor Type
204 Response Discrepancy Information Leak
Major None
Minor Type
205 Behavioral Discrepancy Information Leak
Major None
Minor Type
208 Timing Discrepancy Information Leak
Major None
Minor Type
209 Error Message Information Leaks
Major Description, Node_Relationship
Minor Type
210 Product-Generated Error Message Information Leak
Major None
Minor Type
211 Product-External Error Message Information Leak
Major None
Minor Type
212 Cross-boundary Cleansing Information Leak
Major None
Minor Type
213 Intended Information Leak
Major None
Minor Type
214 Process Environment Information Leak
Major Name
Minor None
216 Containment Errors (Container Errors)
Major None
Minor Type, Node_Relationship
217 Failure to Protect Stored Data from Modification
Major Potential_Mitigations
Minor Type
218 Failure to Provide Confidentiality for Stored Data
Major None
Minor Type
219 Sensitive Data Under Web Root
Major Time_of_Introduction
Minor None
220 Sensitive Data Under FTP Root
Major Time_of_Introduction
Minor None
221 Information Loss or Omission
Major Description, Node_Relationship
Minor Type
222 Truncation of Security-relevant Information
Major None
Minor Type
223 Omission of Security-relevant Information
Major Description
Minor Type
224 Obscured Security-relevant Information by Alternate Name
Major None
Minor Type
225 DEPRECATED (Duplicate): General Information Management Problems
Major None
Minor Description
226 Sensitive Information Uncleared Before Release
Major Name, Description
Minor Type
227 Failure to Fulfill API Contract (aka 'API Abuse')
Major Name, Alternate_Terms, Node_Relationship
Minor Type
228 Structure and Validity Problems
Major Node_Relationship
Minor Type
229 Improper Handling of Values
Major Name
Minor Type
230 Failure to Handle Missing Value
Major Name
Minor Type
231 Failure to Handle Extra Value
Major Name
Minor Type
232 Failure to Handle Undefined Value
Major Name
Minor Type
233 Parameter Problems
Major None
Minor Type
234 Failure to Handle Missing Parameter
Major Name, Observed_Example
Minor Type
235 Failure to Handle Extra Parameter
Major Name, Description
Minor Type
236 Failure to Handle Undefined Parameter
Major Name, Description
Minor Type
237 Element Problems
Major None
Minor Type
238 Failure to Handle Missing Element
Major Name
Minor Type
239 Failure to Handle Incomplete Element
Major Name
Minor Type, Node_Relationship
240 Failure to Resolve Inconsistent Elements
Major Name
Minor Type
241 Failure to Handle Wrong Data Type
Major Name
Minor Type
242 Use of Inherently Dangerous Function
Major Name, Description, Weakness_Ordinality, Time_of_Introduction, Node_Relationship
Minor Type
243 Failure to Change Working Directory in chroot Jail
Major Description, Time_of_Introduction, Node_Relationship
Minor None
244 Failure to Clear Heap Memory Before Release
Major Name, Time_of_Introduction, Node_Relationship
Minor Description
245 J2EE Bad Practices: Direct Management of Connections
Major Name, Description, Context_Notes, Node_Relationship
Minor None
246 J2EE Bad Practices: Direct Use of Sockets
Major Name, Description, Node_Relationship
Minor None
247 Reliance on DNS Lookups in a Security Decision
Major Name, Node_Relationship
Minor None
248 Uncaught Exception
Major Node_Relationship
Minor Type, Description
249 Often Misused: Path Manipulation
Major Node_Relationship
Minor None
250 Design Principle Violation: Failure to Use Least Privilege
Major Time_of_Introduction, Node_Relationship
Minor Type
251 Often Misused: String Management
Major Node_Relationship
Minor Type
252 Unchecked Return Value
Major Time_of_Introduction, Node_Relationship
Minor Type
253 Misinterpreted Function Return Value
Major Time_of_Introduction, Node_Relationship
Minor Type
254 Security Features
Major Node_Relationship
Minor Type
255 Credentials Management
Major None
Minor Type, Description
256 Plaintext Storage of a Password
Major Time_of_Introduction
Minor None
257 Storing Passwords in a Recoverable Format
Major Time_of_Introduction
Minor Type, Node_Relationship
258 Empty Password in Configuration File
Major Node_Relationship
Minor None
259 Hard-Coded Password
Major Context_Notes, Time_of_Introduction, Node_Relationship
Minor Type, Demonstrative_Example
260 Password in Configuration File
Major Node_Relationship
Minor None
261 Weak Cryptography for Passwords
Major Time_of_Introduction
Minor None
262 Not Using Password Aging
Major Name, Time_of_Introduction, Node_Relationship
Minor None
263 Password Aging with Long Expiration
Major Name, Time_of_Introduction, Node_Relationship
Minor Type
264 Permissions, Privileges, and Access Controls
Major None
Minor Type, Description
265 Privilege / Sandbox Issues
Major None
Minor Type, Node_Relationship
266 Incorrect Privilege Assignment
Major None
Minor Type
267 Privilege Defined With Unsafe Actions
Major Name
Minor Type
268 Privilege Chaining
Major None
Minor Type
269 Privilege Management Error
Major None
Minor Type
270 Privilege Context Switching Error
Major None
Minor Type
271 Privilege Dropping / Lowering Errors
Major Observed_Example
Minor Type, Node_Relationship
272 Least Privilege Violation
Major None
Minor Type
273 Failure to Check Whether Privileges Were Dropped Successfully
Major Context_Notes
Minor Type
274 Failure to Handle Insufficient Privileges
Major Name
Minor Type
275 Permission Issues
Major Node_Relationship
Minor Type, Description
276 Insecure Default Permissions
Major Node_Relationship
Minor None
280 Failure to Handle Insufficient Permissions or Privileges
Major None
Minor Type, Node_Relationship
281 Permission Preservation Failure
Major Node_Relationship
Minor Type
282 Improper Ownership Management
Major Name
Minor Type
283 Unverified Ownership
Major None
Minor Type
284 Access Control Issues
Major Description
Minor Type
285 Missing or Inconsistent Access Control
Major None
Minor Type
286 User Management Issues
Major None
Minor Type
287 Insufficient Authentication
Major Name, Node_Relationship
Minor Type
288 Authentication Bypass by Alternate Path/Channel
Major Time_of_Introduction
Minor Node_Relationship
289 Authentication Bypass by Alternate Name
Major None
Minor Node_Relationship
290 Authentication Bypass by Spoofing
Major None
Minor Type, Node_Relationship
291 Trusting Self-reported IP Address
Major Type, Potential_Mitigations, Time_of_Introduction
Minor Node_Relationship
292 Trusting Self-reported DNS Name
Major Context_Notes, Potential_Mitigations, Time_of_Introduction
Minor Node_Relationship
293 Using Referer Field for Authentication
Major Potential_Mitigations, Time_of_Introduction
Minor Node_Relationship
294 Authentication Bypass by Capture-replay
Major Time_of_Introduction
Minor Type
295 Certificate Issues
Major None
Minor Type
296 Failure to Follow Chain of Trust in Certificate Validation
Major Node_Relationship
Minor Type
297 Failure to Validate Host-specific Certificate Data
Major Node_Relationship
Minor Type
298 Failure to Validate Certificate Expiration
Major Node_Relationship
Minor Type
299 Failure to Check for Certificate Revocation
Major Node_Relationship
Minor Type
300 Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')
Major Name, Description
Minor Type, Node_Relationship
301 Reflection Attack in an Authentication Protocol
Major None
Minor Node_Relationship
303 Improper Implementation of Authentication Algorithm
Major Name, Description
Minor Type
304 Missing Critical Step in Authentication
Major Node_Relationship
Minor Type
305 Authentication Bypass by Primary Weakness
Major None
Minor Type
307 Failure to Restrict Excessive Authentication Attempts
Major Name, Time_of_Introduction
Minor Type
308 Use of Single-factor Authentication
Major Name, Time_of_Introduction
Minor Type, Node_Relationship
309 Use of Password System for Primary Authentication
Major Name, Time_of_Introduction
Minor Type, Node_Relationship
310 Cryptographic Issues
Major Node_Relationship
Minor Type, Description
311 Failure to Encrypt Sensitive Data
Major Name, Node_Relationship
Minor Type
312 Plaintext Storage of Sensitive Information
Major Description, Node_Relationship
Minor Type
313 Plaintext Storage in a File or on Disk
Major Name, Description
Minor None
314 Plaintext Storage in the Registry
Major Name, Description
Minor None
315 Plaintext Storage in a Cookie
Major Name, Description
Minor None
316 Plaintext Storage in Memory
Major Description
Minor None
317 Plaintext Storage in GUI
Major Description
Minor None
319 Plaintext Transmission of Sensitive Information
Major Type, Node_Relationship
Minor None
320 Key Management Errors
Major None
Minor Type, Description
321 Use of Hard-coded Cryptographic Key
Major Description, Node_Relationship
Minor Type
322 Key Exchange without Entity Authentication
Major Description, Node_Relationship
Minor Type
323 Reusing a Nonce, Key Pair in Encryption
Major None
Minor Type
324 Use of a Key Past its Expiration Date
Major Name, Description, Node_Relationship
Minor Type
325 Missing Required Cryptographic Step
Major Node_Relationship
Minor Type
326 Weak Encryption
Major Time_of_Introduction, Node_Relationship
Minor Type
327 Use of a Broken or Risky Cryptographic Algorithm
Major Name, Time_of_Introduction
Minor Type, Node_Relationship
328 Reversible One-Way Hash
Major Description, Time_of_Introduction
Minor Type
329 Not Using a Random IV with CBC Mode
Major Description, Potential_Mitigations, Time_of_Introduction, Common_Consequences, Node_Relationship
Minor None
330 Use of Insufficiently Random Values
Major Name, Type, Node_Relationship
Minor None
331 Insufficient Entropy
Major None
Minor Type
332 Insufficient Entropy in PRNG
Major Description
Minor None
333 Failure to Handle Insufficient Entropy in TRNG
Major Name
Minor None
334 Small Space of Random Values
Major Node_Relationship
Minor Type
335 PRNG Seed Error
Major Description
Minor Type
336 Same Seed in PRNG
Major None
Minor Type
337 Predictable Seed in PRNG
Major None
Minor Type
338 Use of Cryptographically Weak PRNG
Major Name, Description
Minor Type
339 Small Seed Space in PRNG
Major None
Minor Type, Node_Relationship
340 Predictability Problems
Major None
Minor Type, Node_Relationship
341 Predictable from Observable State
Major Node_Relationship
Minor Type
342 Predictable Exact Value from Previous Values
Major Node_Relationship
Minor Type
343 Predictable Value Range from Previous Values
Major Description, Node_Relationship
Minor Type
344 Use of Invariant Value in Dynamically Changing Context
Major Name, Description, Relevant_Properties, Node_Relationship
Minor Type
345 Insufficient Verification of Data Authenticity
Major Name, Description, Node_Relationship
Minor Type
346 Origin Validation Error
Major None
Minor Type, Node_Relationship
347 Improperly Verified Signature
Major None
Minor Type
348 Use of Less Trusted Source
Major None
Minor Type, Node_Relationship
349 Acceptance of Extraneous Untrusted Data With Trusted Data
Major Name, Description
Minor Type
350 Improperly Trusted Reverse DNS
Major Time_of_Introduction
Minor Type
351 Insufficient Type Distinction
Major None
Minor Type, Node_Relationship
352 Cross-Site Request Forgery (CSRF)
Major Type, Time_of_Introduction
Minor Node_Relationship
353 Failure to Add Integrity Check Value
Major Time_of_Introduction
Minor Type, Node_Relationship
354 Failure to Check Integrity Check Value
Major None
Minor Type, Node_Relationship
355 User Interface Security Issues
Major None
Minor Type, Description
356 Product UI does not Warn User of Unsafe Actions
Major Context_Notes
Minor Type
357 Insufficient UI Warning of Dangerous Operations
Major Node_Relationship
Minor Type
358 Improperly Implemented Security Check for Standard
Major Node_Relationship
Minor Type
359 Privacy Violation
Major Node_Relationship
Minor Type
360 Trust of System Event Data
Major Node_Relationship
Minor Type
361 Time and State
Major Node_Relationship
Minor Type
362 Race Condition
Major Name, Description, Node_Relationship
Minor Type
363 Race Condition Enabling Link Following
Major None
Minor Type, Description
364 Signal Handler Race Condition
Major Context_Notes
Minor Type, Node_Relationship
365 Race Condition in Switch
Major Description
Minor Type, Node_Relationship
366 Race Condition within a Thread
Major None
Minor Type, Node_Relationship
367 Time-of-check Time-of-use Race Condition
Major None
Minor Type, Node_Relationship
368 Context Switching Race Condition
Major None
Minor Type
370 Race Condition in Checking for Certificate Revocation
Major None
Minor Type, Node_Relationship
371 State Issues
Major None
Minor Type, Description, Node_Relationship
372 Incomplete Internal State Distinction
Major None
Minor Type
373 State Synchronization Error
Major Node_Relationship
Minor Type
374 Mutable Objects Passed by Reference
Major Node_Relationship
Minor Type
375 Passing Mutable Objects to an Untrusted Method
Major Description, Node_Relationship
Minor Type
376 Temporary File Issues
Major None
Minor Type, Description
377 Insecure Temporary File
Major None
Minor Type
378 Creation of Temporary File With Insecure Permissions
Major Name, Node_Relationship
Minor Type
379 Creation of Temporary File in Directory with Insecure Permissions
Major Name, Context_Notes, Source_Taxonomy, Node_Relationship
Minor Type
380 Technology-Specific Time and State Issues
Major None
Minor Type, Description
381 J2EE Time and State Issues
Major None
Minor Type, Description
382 J2EE Bad Practices: Use of System.exit()
Major Name, Description, Node_Relationship
Minor None
383 J2EE Bad Practices: Direct Use of Threads
Major Name
Minor None
384 Session Fixation
Major Type
Minor None
385 Covert Timing Channel
Major None
Minor Type
386 Symbolic Name not Mapping to Correct Object
Major Description, Node_Relationship
Minor Type
387 Signal Errors
Major None
Minor Type
388 Error Handling
Major None
Minor Type, Node_Relationship
389 Error Conditions, Return Values, Status Codes
Major Context_Notes, Node_Relationship
Minor Type
390 Detection of Error Condition Without Action
Major Name
Minor Type, Node_Relationship
391 Unchecked Error Condition
Major None
Minor Type, Node_Relationship
392 Failure to Report Error in Status Code
Major Name
Minor Type
393 Return of Wrong Status Code
Major Name, Description, Observed_Example, CVEs_Mentioned
Minor Type
394 Unexpected Status Code or Return Value
Major Description
Minor Type
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major Name, Node_Relationship
Minor Type
396 Declaration of Catch for Generic Exception
Major Name
Minor Type
397 Declaration of Throws for Generic Exception
Major Name
Minor Type
398 Indicator of Poor Code Quality
Major Name, Type, Description, Node_Relationship
Minor None
399 Resource Management Errors
Major Node_Relationship
Minor Type, Description
400 Resource Exhaustion
Major None
Minor Type
401 Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')
Major Name, Node_Relationship
Minor Type
402 Transmission of Private Resources into a New Sphere (aka 'Resource Leak')
Major Name, Description, Node_Relationship
Minor Type
403 UNIX File Descriptor Leak
Major None
Minor Type
404 Improper Resource Shutdown or Release
Major Description, Node_Relationship
Minor Type
405 Asymmetric Resource Consumption (Amplification)
Major None
Minor Type, Node_Relationship
406 Network Amplification
Major None
Minor Type
407 Algorithmic Complexity
Major None
Minor Type
408 Incorrect Behavior Order: Early Amplification
Major Name, Description
Minor Type
409 Failure to Handle Highly Compressed Data (Data Amplification)
Major Name
Minor Type
410 Insufficient Resource Pool
Major None
Minor Type
411 Resource Locking Problems
Major None
Minor Type, Description
412 Unrestricted Lock on Critical Resource
Major Name, Node_Relationship
Minor Type
413 Insufficient Resource Locking
Major Node_Relationship
Minor Type
414 Missing Lock Check
Major Node_Relationship
Minor Type
415 Double Free
Major Description, Context_Notes, Common_Consequences, Node_Relationship
Minor None
416 Use After Free
Major Description, Node_Relationship
Minor Type
417 Channel and Path Errors
Major None
Minor Type, Description
418 Channel Errors
Major None
Minor Type, Description
419 Unprotected Primary Channel
Major Node_Relationship
Minor Type
420 Unprotected Alternate Channel
Major Node_Relationship
Minor Type
421 Race Condition During Access to Alternate Channel
Major Name, Description
Minor None
422 Unprotected Windows Messaging Channel ('Shatter')
Major Node_Relationship
Minor None
423 Proxied Trusted Channel
Major None
Minor Type
424 Failure to Protect Alternate Path
Major Name, Description, Node_Relationship
Minor Type
425 Direct Request ('Forced Browsing')
Major None
Minor Type, Node_Relationship
426 Untrusted Search Path
Major Type, Context_Notes, Demonstrative_Example, Node_Relationship
Minor Observed_Example
427 Uncontrolled Search Path Element
Major None
Minor Type
428 Unquoted Search Path or Element
Major Description, Context_Notes, Demonstrative_Example
Minor Type
429 Handler Errors
Major Node_Relationship
Minor Type, Description
430 Deployment of Wrong Handler
Major Name, Node_Relationship
Minor Type
431 Missing Handler
Major Node_Relationship
Minor Type
432 Dangerous Handler not Disabled During Sensitive Operations
Major Name
Minor Type
433 Unparsed Raw Web Content Delivery
Major Node_Relationship
Minor None
434 Unrestricted File Upload
Major Type, Context_Notes, Node_Relationship
Minor None
435 Interaction Error
Major Name, Type
Minor None
436 Interpretation Conflict
Major Name, Node_Relationship
Minor Type
437 Incomplete Model of Endpoint Features
Major Name, Description, Context_Notes, Demonstrative_Example
Minor Type
438 Behavioral Problems
Major None
Minor Type, Description
439 Behavioral Change in New Version or Environment
Major Name
Minor Type
440 Expected Behavior Violation
Major Node_Relationship
Minor Type
441 Unintended Proxy/Intermediary
Major Node_Relationship
Minor Type
442 Web Problems
Major None
Minor Type, Description, Node_Relationship
443 DEPRECATED (Duplicate): HTTP response splitting
Major Description
Minor None
444 Interpretation Conflict in Web Traffic (aka 'HTTP Request Smuggling')
Major Name, Node_Relationship
Minor Type
445 User Interface Errors
Major Name
Minor Type, Description
446 UI Discrepancy for Security Feature
Major Name, Node_Relationship
Minor Type
447 Unimplemented or Unsupported Feature in UI
Major Node_Relationship
Minor Type
448 Obsolete Feature in UI
Major None
Minor Type
449 The UI Performs the Wrong Action
Major Observed_Example
Minor Type
450 Multiple Interpretations of UI Input
Major Description, Node_Relationship
Minor Type
451 UI Misrepresentation of Critical Information
Major Observed_Example, Node_Relationship
Minor Type
452 Initialization and Cleanup Errors
Major Node_Relationship
Minor Type, Description
453 Insecure Default Variable Initialization
Major Node_Relationship
Minor Type
454 External Initialization of Trusted Variables
Major Name, Description, Observed_Example, Node_Relationship
Minor Type
455 Non-exit on Failed Initialization
Major Description, Node_Relationship
Minor Type
456 Missing Initialization
Major Node_Relationship
Minor Type
457 Use of Uninitialized Variable
Major Name, Description, Potential_Mitigations
Minor None
458 DEPRECATED: Incorrect Initialization
Major Name, Type, Description, Context_Notes, Observed_Example, Source_Taxonomy, Applicable_Platforms, CVEs_Mentioned, Node_Relationship
Minor None
459 Incomplete Cleanup
Major Node_Relationship
Minor Type
460 Improper Cleanup on Thrown Exception
Major Description, Node_Relationship
Minor None
461 Data Structure Issues
Major None
Minor Type, Description
462 Duplicate Key in Associative List (Alist)
Major Node_Relationship
Minor Type
463 Deletion of Data Structure Sentinel
Major Name
Minor Type
464 Addition of Data Structure Sentinel
Major Name, Node_Relationship
Minor Type
465 Pointer Issues
Major None
Minor Type, Description
466 Return of Pointer Value Outside of Expected Range
Major Name, Description, Node_Relationship
Minor Type
467 Use of sizeof() on a Pointer Type
Major Description, Node_Relationship
Minor None
468 Incorrect Pointer Scaling
Major Name, Node_Relationship
Minor Type
469 Use of Pointer Subtraction to Determine Size
Major Name, Description, Node_Relationship
Minor Type
470 Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection')
Major Name, Description, Node_Relationship
Minor Type
471 Modification of Assumed-Immutable Data (MAID)
Major None
Minor Type, Node_Relationship
472 External Control of Assumed-Immutable Web Parameter
Major Name, Description
Minor Type, Node_Relationship
473 PHP External Variable Modification
Major None
Minor Node_Relationship
474 Use of Function with Inconsistent Implementations
Major Name, Description, Node_Relationship
Minor Type
475 Undefined Behavior for Input to API
Major Name, Node_Relationship
Minor Type
476 NULL Pointer Dereference
Major Description, Node_Relationship
Minor Type
477 Use of Obsolete Functions
Major Description
Minor Type
478 Failure to Use Default Case in Switch
Major Name
Minor None
479 Unsafe Function Call from a Signal Handler
Major Description
Minor Node_Relationship
480 Use of Incorrect Operator
Major Name, Description
Minor Type
481 Assigning instead of Comparing
Major Description
Minor None
482 Comparing instead of Assigning
Major Description
Minor None
483 Incorrect Block Delimitation
Major Description, Node_Relationship
Minor None
484 Omitted Break Statement
Major Description, Detection_Factor, Node_Relationship
Minor Type
485 Insufficient Encapsulation
Major Name, Description
Minor Type
486 Comparison of Classes by Name
Major Name, Description
Minor Demonstrative_Example, Node_Relationship
487 Reliance on Package-level Scope
Major Name
Minor None
488 Data Leak Between Sessions
Major Name, Description, Node_Relationship
Minor None
489 Leftover Debug Code
Major Description
Minor Type
490 Mobile Code Issues
Major Description
Minor Type
491 Public cloneable() Method Without Final (aka 'Object Hijack')
Major Name, Description
Minor None
492 Use of Inner Class Containing Sensitive Data
Major Name, Node_Relationship
Minor None
493 Critical Public Variable Without Final Modifier
Major Name, Description, Node_Relationship
Minor None
494 Download of Untrusted Mobile Code Without Integrity Check
Major Name, Description, Node_Relationship
Minor None
495 Private Array-Typed Field Returned From A Public Method
Major Description
Minor None
497 Information Leak of System Data
Major Name
Minor Type
498 Information Leak through Class Cloning
Major Description
Minor None
499 Serializable Class Containing Sensitive Data
Major Name, Description, Context_Notes, Common_Consequences
Minor None
500 Static Field Not Marked Final
Major Name, Description
Minor None
501 Trust Boundary Violation
Major Description
Minor Type
502 Deserialization of Untrusted Data
Major Description
Minor None
503 Byte/Object Code
Major Description, Node_Relationship
Minor Type
504 Motivation/Intent
Major Description, Node_Relationship
Minor Type
505 Intentionally Introduced Weakness
Major Description
Minor Type
506 Embedded Malicious Code
Major Type, Description
Minor None
507 Trojan Horse
Major Description
Minor Type
508 Non-Replicating Malicious Code
Major None
Minor Type
509 Replicating Malicious Code (Virus or Worm)
Major Name
Minor Type
510 Trapdoor
Major None
Minor Type
511 Logic/Time Bomb
Major None
Minor Type
512 Spyware
Major None
Minor Type
513 Intentionally Introduced Nonmalicious Weakness
Major None
Minor Type
514 Covert Channel
Major None
Minor Type
515 Covert Storage Channel
Major None
Minor Type
516 DEPRECATED (Duplicate): Covert Timing Channel
Major Description
Minor None
517 Other Intentional, Nonmalicious Weakness
Major None
Minor Type
518 Inadvertently Introduced Weakness
Major None
Minor Type
519 .NET Environment Issues
Major Description
Minor Type
520 .NET Misconfiguration: Use of Impersonation
Major Name
Minor None
521 Weak Password Requirements
Major Description, Node_Relationship
Minor Type
522 Insufficiently Protected Credentials
Major Node_Relationship
Minor Type
528 Information Leak Through Core Dump Files
Major Description
Minor None
531 Information Leak Through Test Code
Major Description
Minor None
534 Information Leak Through Debug Log Files
Major Description
Minor None
538 File and Directory Information Leaks
Major None
Minor Type
542 Information Leak Through Cleanup Log Files
Major Description
Minor None
543 Use of Singleton Pattern in a Non-thread-safe Manner
Major Node_Relationship
Minor None
544 Missing Error Handling Mechanism
Major Description
Minor Type
545 Use of Dynamic Class Loading
Major Name
Minor None
546 Suspicious Comment
Major Description
Minor None
547 Use of Hard-coded, Security-relevant Constants
Major Name, Description
Minor None
549 Missing Password Field Masking
Major Node_Relationship
Minor Description
551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Major Name
Minor None
552 Files or Directories Accessible to External Parties
Major Name, Node_Relationship
Minor Type
553 Command Shell in Externally Accessible Directory
Major Name, Description
Minor None
554 ASP.NET Misconfiguration: Not Using Input Validation Framework
Major Name, Description
Minor Type, Context_Notes
555 J2EE Misconfiguration: Plaintext Password in Configuration File
Major Name, Description, Node_Relationship
Minor None
556 ASP.NET Misconfiguration: Use of Identity Impersonation
Major Name
Minor None
557 Concurrency Issues
Major Description
Minor Type, Node_Relationship
558 Use of getlogin() in Multithreaded Application
Major Name, Description, Node_Relationship
Minor None
559 Often Misused: Arguments and Parameters
Major Context_Notes, Node_Relationship
Minor Type, Description
560 Use of umask() with chmod-style Argument
Major Name, Description, Applicable_Platforms, Time_of_Introduction, Node_Relationship
Minor None
561 Dead Code
Major Description
Minor None
562 Return of Stack Variable Address
Major Name, Description, Node_Relationship
Minor Type
565 Use of Cookies in Security Decision
Major Name, Node_Relationship
Minor Type
567 Unsynchronized Access to Shared Data
Major Description, Node_Relationship
Minor Type
568 finalize() Method Without super.finalize()
Major Name, Node_Relationship
Minor None
569 Expression Issues
Major None
Minor Type, Description
572 Call to Thread run() instead of start()
Major Name, Description
Minor None
573 Failure to Follow Specification
Major Description, Node_Relationship
Minor Type
574 EJB Bad Practices: Use of Synchronization Primitives
Major Description
Minor None
575 EJB Bad Practices: Use of AWT Swing
Major Description
Minor None
576 EJB Bad Practices: Use of Java I/O
Major Description
Minor None
577 EJB Bad Practices: Use of Sockets
Major Description
Minor None
578 EJB Bad Practices: Use of Class Loader
Major Description
Minor None
579 J2EE Bad Practices: Non-serializable Object Stored in Session
Major Description
Minor None
580 clone() Method Without super.clone()
Major Name
Minor None
581 Object Model Violation: Just One of Equals and Hashcode Defined
Major Description
Minor Type
582 Array Declared Public, Final, and Static
Major Name, Description
Minor None
583 finalize() Method Declared Public
Major Name, Node_Relationship
Minor None
584 Return Inside Finally Block
Major Description, Node_Relationship
Minor Type
586 Explicit Call to Finalize
Major Node_Relationship
Minor None
587 Assignment of a Fixed Address to a Pointer
Major Description, Node_Relationship
Minor Type
588 Attempt to Access Child of a Non-structure Pointer
Major Description
Minor None
589 Call to Non-ubiquitous API
Major Name, Node_Relationship
Minor None
590 Free of Invalid Pointer Not on the Heap
Major Name
Minor None
591 Sensitive Data Storage in Improperly Locked Memory
Major Name, Description
Minor None
592 Authentication Bypass Issues
Major Description
Minor Type, Node_Relationship
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Major Node_Relationship
Minor None
594 J2EE Framework: Saving Unserializable Objects to Disk
Major Name
Minor None
595 Incorrect Syntactic Object Comparison
Major Name
Minor Type
596 Incorrect Semantic Object Comparison
Major Name
Minor Type
597 Use of Wrong Operator in String Comparison
Major Name, Description
Minor None
598 Information Leak Through Query Strings in GET Request
Major Name, Description
Minor None
599 Trust of OpenSSL Certificate Without Validation
Major Name
Minor None
600 Failure to Catch All Exceptions (Missing Catch Block)
Major Name, Description, Node_Relationship
Minor Type
601 URL Redirection to Untrusted Site
Major Name, Description, Node_Relationship
Minor None
602 Design Principle Violation: Client-Side Enforcement of Server-Side Security
Major Name, Description, Node_Relationship
Minor Type
603 Use of Client-Side Authentication
Major Name, Description
Minor Type, Node_Relationship
604 Deprecated
Major Type, Description, Node_Relationship
Minor None
605 Multiple Binds to the Same Port
Major Name, Node_Relationship
Minor Type
606 Unchecked Input for Loop Condition
Major Description
Minor None
607 Public Static Final Field References Mutable Object
Major Description
Minor None
608 Struts: Non-private Field in ActionForm Class
Major Description
Minor None
609 Double-Checked Locking
Major Name, Description, References, Context_Notes, Potential_Mitigations, Time_of_Introduction, Node_Relationship
Minor Type
610 Externally Controlled Reference to a Resource in Another Sphere
Major Name, Type, Description, Context_Notes, Time_of_Introduction, Node_Relationship
Minor None
611 Information Leak Through XML External Entity File Disclosure
Major Description, Relevant_Properties, Node_Relationship
Minor None
612 Information Leak Through Indexing of Private Data
Major Name, Description, Node_Relationship
Minor None
613 Insufficient Session Expiration
Major Node_Relationship
Minor Type
614 Sensitive Cookie in HTTPS Session Without "Secure" Attribute
Major Name, Description
Minor None
616 Incomplete Identification of Uploaded File Variables (PHP)
Major None
Minor Node_Relationship
617 Reachable Assertion
Major Node_Relationship
Minor None
618 Exposed Unsafe ActiveX Method
Major Node_Relationship
Minor None
619 Dangling Database Cursor (aka 'Cursor Injection')
Major Name, Node_Relationship
Minor Type
621 Variable Extraction Error
Major None
Minor Type, Node_Relationship
623 Unsafe ActiveX Control Marked Safe For Scripting
Major Description, Node_Relationship
Minor None
624 Executable Regular Expression Error
Major Node_Relationship
Minor Type
625 Permissive Regular Expression
Major None
Minor Type, Node_Relationship
626 Null Byte Interaction Error (Poison Null Byte)
Major Description
Minor None
627 Dynamic Variable Evaluation
Major Node_Relationship
Minor Type
628 Function Call with Incorrectly Specified Arguments
Major Name, Description, Context_Notes, Time_of_Introduction, Node_Relationship
Minor Type
629 Weaknesses in OWASP Top Ten
Major Type
Minor None
630 Weaknesses Examined by SAMATE
Major Type, References
Minor None
631 Resource-specific Weaknesses
Major Type, Description
Minor None
632 Weaknesses that Affect Files or Directories
Major None
Minor Type, Description
633 Weaknesses that Affect Memory
Major None
Minor Type, Description
634 Weaknesses that Affect System Processes
Major None
Minor Type, Description
635 Weaknesses Used by NVD
Major Type
Minor None
636 Design Principle Violation: Not Failing Securely
Major Node_Relationship
Minor Type
637 Design Principle Violation: Not Using Economy of Mechanism
Major None
Minor Type
638 Design Principle Violation: Not Using Complete Mediation
Major None
Minor Type
640 Weak Password Recovery Mechanism
Major None
Minor Type
642 External Control of User State Data
Major Name, Relevant_Properties, Node_Relationship
Minor Type
643 Unsafe Treatment of XPath Input
Major None
Minor Type
645 Overly Restrictive Account Lockout Mechanism
Major None
Minor Type
648 Improper Use of Privileged APIs
Major Node_Relationship
Minor Type
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major Name
Minor Type
652 Unsafe Treatment of XQuery Input
Major None
Minor Type
653 Design Principle Violation: Insufficient Compartmentalization
Major None
Minor Type
654 Design Principle Violation: Reliance on a Single Factor in a Security Decision
Major None
Minor Type, Context_Notes
655 Design Principle Violation: Failure to Satisfy Psychological Acceptability
Major None
Minor Type
656 Design Principle Violation: Reliance on Security through Obscurity
Major None
Minor Type, Node_Relationship
657 Violation of Secure Design Principles
Major Node_Relationship
Minor Type
Back to top
Page Last Updated: January 05, 2017
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.