CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Differences between Version 4.4 and Version 4.5  
ID

Differences between Version 4.4 and Version 4.5

Summary
Summary
Total weaknesses/chains/composites (Version 4.5) 922
Total weaknesses/chains/composites (Version 4.4) 918
Total new 5
Total deprecated 0
Total with major changes 139
Total with only minor changes 2
Total unchanged 1197

Summary of Entry Types

Type Version 4.4 Version 4.5
Weakness 918 922
Category 316 316
View 43 44
Deprecated 61 61
Total 1338 1343

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 11 0
Description 9 0
Relationships 38 0
Applicable_Platforms 0 0
Modes_of_Introduction 2 0
Detection_Factors 0 0
Potential_Mitigations 13 0
Demonstrative_Examples 19 0
Observed_Examples 35 2
Related_Attack_Patterns 34 0
Weakness_Ordinalities 0 0
Time_of_Introduction 0 0
Likelihood_of_Exploit 0 0
References 13 0
Common_Consequences 0 1
Terminology_Notes 0 0
Alternate_Terms 2 0
Relationship_Notes 0 0
Taxonomy_Mappings 0 0
Maintenance_Notes 21 0
Research_Gaps 1 0
Background_Details 2 0
Theoretical_Notes 0 0
Other_Notes 1 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Type 0 0
Source_Taxonomy 0 0

Form and Abstraction Changes

From To Total CWE IDs
Unchanged 1338

Status Changes

From To Total
Unchanged 1338

Relationship Changes

The "Version 4.5 Total" lists the total number of relationships in Version 4.5. The "Shared" value is the total number of relationships in entries that were in both Version 4.5 and Version 4.4. The "New" value is the total number of relationships involving entries that did not exist in Version 4.4. Thus, the total number of relationships in Version 4.5 would combine stats from Shared entries and New entries.

Relationship Version 4.5 Total Version 4.4 Total Version 4.5 Shared Unchanged Added to Version 4.5 Removed from Version 4.4 Version 4.5 New
ALL 9658 9589 9590 9584 6 5 68
ChildOf 3989 3983 3983 3981 2 2 6
ParentOf 3989 3983 3983 3981 2 2 6
MemberOf 589 564 564 564 25
HasMember 589 564 564 564 25
CanPrecede 134 132 132 132 2
CanFollow 134 132 132 132 2
StartsWith 3 3 3 3
Requires 13 13 13 13
RequiredBy 13 13 13 13
CanAlsoBe 27 28 27 27 1
PeerOf 178 174 176 174 2 2

Nodes Removed from Version 4.4

CWE-ID CWE Name
None.

Software Nodes Added to Version 4.5

CWE-ID CWE Name
1335 Incorrect Bitwise Shift of Integer
1336 Improper Neutralization of Special Elements Used in a Template Engine
1337 Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses
1339 Insufficient Precision or Accuracy of a Real Number

Hardware Nodes Added to Version 4.5

CWE-ID CWE Name
1351 Improper Handling of Hardware Behavior in Exceptionally Cold Environments

Nodes Deprecated in Version 4.5

CWE-ID CWE Name
None.
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 20 Improper Input Validation
R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
D R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 94 Improper Control of Generation of Code ('Code Injection')
D 103 Struts: Incomplete validate() Method Definition
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 125 Out-of-bounds Read
N 132 DEPRECATED: Miscalculated Null Termination
R 189 Numeric Errors
R 190 Integer Overflow or Wraparound
R 200 Exposure of Sensitive Information to an Unauthorized Actor
R 209 Generation of Error Message Containing Sensitive Information
N 218 DEPRECATED: Failure to provide confidentiality for stored data
N 225 DEPRECATED: General Information Management Problems
N 247 DEPRECATED: Reliance on DNS Lookups in a Security Decision
DNR 256 Plaintext Storage of a Password
R 276 Incorrect Default Permissions
R 287 Improper Authentication
N 292 DEPRECATED: Trusting Self-reported DNS Name
R 306 Missing Authentication for Critical Function
DN 329 Generation of Predictable IV with CBC Mode
D 335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
D 336 Same Seed in Pseudo-Random Number Generator (PRNG)
D 339 Small Seed Space in PRNG
R 352 Cross-Site Request Forgery (CSRF)
R 391 Unchecked Error Condition
R 416 Use After Free
N 423 DEPRECATED: Proxied Trusted Channel
R 434 Unrestricted Upload of File with Dangerous Type
N 443 DEPRECATED: HTTP response splitting
R 476 NULL Pointer Dereference
R 502 Deserialization of Untrusted Data
N 516 DEPRECATED: Covert Timing Channel
R 522 Insufficiently Protected Credentials
D 598 Use of GET Request Method With Sensitive Query Strings
R 611 Improper Restriction of XML External Entity Reference
R 682 Incorrect Calculation
R 703 Improper Check or Handling of Exceptional Conditions
R 732 Incorrect Permission Assignment for Critical Resource
R 754 Improper Check for Unusual or Exceptional Conditions
R 787 Out-of-bounds Write
R 798 Use of Hard-coded Credentials
R 834 Excessive Iteration
R 862 Missing Authorization
R 918 Server-Side Request Forgery (SSRF)
R 1205 Security Primitives and Cryptography Issues
R 1243 Sensitive Non-Volatile Information Not Protected During Debug
R 1263 Improper Physical Access Control
N 1281 Sequence of Processor Instructions Leads to Unexpected Behavior
R 1295 Debug Messages Revealing Unnecessary Information
D 1329 Reliance on Component That is Not Updateable
Detailed Difference Report
Detailed Difference Report
20 Improper Input Validation
Major Related_Attack_Patterns, Relationships
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Relationships
Minor None
41 Improper Resolution of Path Equivalence
Major None
Minor Observed_Examples
42 Path Equivalence: 'filename.' (Trailing Dot)
Major None
Minor Observed_Examples
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Description, Observed_Examples, Relationships
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Observed_Examples, Relationships
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Relationships
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Relationships
Minor None
103 Struts: Incomplete validate() Method Definition
Major Background_Details, Description
Minor None
104 Struts: Form Bean Does Not Extend Validation Class
Major Background_Details
Minor None
105 Struts: Form Field Without Validator
Major Potential_Mitigations
Minor None
106 Struts: Plug-in Framework not in Use
Major Potential_Mitigations
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Demonstrative_Examples, Observed_Examples, Potential_Mitigations, Relationships
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Potential_Mitigations
Minor None
121 Stack-based Buffer Overflow
Major Demonstrative_Examples
Minor None
122 Heap-based Buffer Overflow
Major Observed_Examples
Minor None
125 Out-of-bounds Read
Major Observed_Examples, Relationships
Minor None
132 DEPRECATED: Miscalculated Null Termination
Major Name
Minor None
171 DEPRECATED: Cleansing, Canonicalization, and Comparison Errors
Major References
Minor None
189 Numeric Errors
Major Relationships
Minor None
190 Integer Overflow or Wraparound
Major Relationships
Minor None
200 Exposure of Sensitive Information to an Unauthorized Actor
Major Relationships
Minor None
203 Observable Discrepancy
Major Demonstrative_Examples
Minor None
209 Generation of Error Message Containing Sensitive Information
Major Relationships
Minor None
218 DEPRECATED: Failure to provide confidentiality for stored data
Major Name
Minor None
225 DEPRECATED: General Information Management Problems
Major Name
Minor None
247 DEPRECATED: Reliance on DNS Lookups in a Security Decision
Major Name, References
Minor None
252 Unchecked Return Value
Major Observed_Examples
Minor None
256 Plaintext Storage of a Password
Major Description, Name, Relationships
Minor None
276 Incorrect Default Permissions
Major Relationships
Minor None
284 Improper Access Control
Major Observed_Examples
Minor None
285 Improper Authorization
Major Related_Attack_Patterns
Minor None
287 Improper Authentication
Major Relationships
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Related_Attack_Patterns
Minor None
290 Authentication Bypass by Spoofing
Major Related_Attack_Patterns
Minor None
292 DEPRECATED: Trusting Self-reported DNS Name
Major Name
Minor None
295 Improper Certificate Validation
Major Demonstrative_Examples, Observed_Examples
Minor None
296 Improper Following of a Certificate's Chain of Trust
Major Demonstrative_Examples
Minor None
300 Channel Accessible by Non-Endpoint
Major Alternate_Terms, Observed_Examples
Minor None
306 Missing Authentication for Critical Function
Major Observed_Examples, Relationships
Minor None
318 Cleartext Storage of Sensitive Information in Executable
Major Observed_Examples
Minor None
329 Generation of Predictable IV with CBC Mode
Major Description, Maintenance_Notes, Name, References
Minor None
330 Use of Insufficiently Random Values
Major Demonstrative_Examples, Maintenance_Notes, Observed_Examples
Minor None
331 Insufficient Entropy
Major Maintenance_Notes, Observed_Examples
Minor None
332 Insufficient Entropy in PRNG
Major Maintenance_Notes
Minor None
333 Improper Handling of Insufficient Entropy in TRNG
Major Maintenance_Notes
Minor None
334 Small Space of Random Values
Major Maintenance_Notes
Minor None
335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Major Description, Maintenance_Notes, Observed_Examples
Minor Common_Consequences
336 Same Seed in Pseudo-Random Number Generator (PRNG)
Major Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, References
Minor None
337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
Major Maintenance_Notes, Observed_Examples, Potential_Mitigations, References
Minor None
338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Major Maintenance_Notes
Minor None
339 Small Seed Space in PRNG
Major Demonstrative_Examples, Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References
Minor None
340 Generation of Predictable Numbers or Identifiers
Major Maintenance_Notes
Minor None
341 Predictable from Observable State
Major Maintenance_Notes
Minor None
342 Predictable Exact Value from Previous Values
Major Maintenance_Notes
Minor None
343 Predictable Value Range from Previous Values
Major Maintenance_Notes
Minor None
345 Insufficient Verification of Data Authenticity
Major Related_Attack_Patterns
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Relationships
Minor None
353 Missing Support for Integrity Check
Major Related_Attack_Patterns
Minor None
391 Unchecked Error Condition
Major Relationships
Minor None
393 Return of Wrong Status Code
Major Observed_Examples
Minor None
404 Improper Resource Shutdown or Release
Major Related_Attack_Patterns
Minor None
407 Inefficient Algorithmic Complexity
Major References
Minor None
416 Use After Free
Major Relationships
Minor None
423 DEPRECATED: Proxied Trusted Channel
Major Name
Minor None
425 Direct Request ('Forced Browsing')
Major Related_Attack_Patterns
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Relationships
Minor None
443 DEPRECATED: HTTP response splitting
Major Name
Minor None
457 Use of Uninitialized Variable
Major Observed_Examples
Minor None
476 NULL Pointer Dereference
Major Relationships
Minor None
489 Active Debug Code
Major Alternate_Terms
Minor None
494 Download of Code Without Integrity Check
Major Demonstrative_Examples
Minor None
502 Deserialization of Untrusted Data
Major Relationships
Minor None
516 DEPRECATED: Covert Timing Channel
Major Name
Minor None
522 Insufficiently Protected Credentials
Major Relationships
Minor None
560 Use of umask() with chmod-style Argument
Major Other_Notes
Minor None
561 Dead Code
Major Observed_Examples
Minor None
598 Use of GET Request Method With Sensitive Query Strings
Major Description
Minor None
611 Improper Restriction of XML External Entity Reference
Major Relationships
Minor None
682 Incorrect Calculation
Major Relationships
Minor None
693 Protection Mechanism Failure
Major Related_Attack_Patterns
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Relationships
Minor None
705 Incorrect Control Flow Scoping
Major Observed_Examples
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Observed_Examples, Relationships
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Relationships
Minor None
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Major Observed_Examples
Minor None
760 Use of a One-Way Hash with a Predictable Salt
Major Maintenance_Notes
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Observed_Examples
Minor None
787 Out-of-bounds Write
Major Demonstrative_Examples, Potential_Mitigations, Relationships
Minor None
788 Access of Memory Location After End of Buffer
Major Demonstrative_Examples
Minor None
798 Use of Hard-coded Credentials
Major Relationships
Minor None
805 Buffer Access with Incorrect Length Value
Major Demonstrative_Examples, Potential_Mitigations
Minor None
806 Buffer Access Using Size of Source Buffer
Major Potential_Mitigations
Minor None
833 Deadlock
Major Observed_Examples
Minor None
834 Excessive Iteration
Major Observed_Examples, Relationships
Minor None
835 Loop with Unreachable Exit Condition ('Infinite Loop')
Major Observed_Examples
Minor None
862 Missing Authorization
Major Observed_Examples, Related_Attack_Patterns, Relationships
Minor None
863 Incorrect Authorization
Major Observed_Examples
Minor None
917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Major References
Minor None
918 Server-Side Request Forgery (SSRF)
Major References, Related_Attack_Patterns, Relationships
Minor None
940 Improper Verification of Source of a Communication Channel
Major Potential_Mitigations
Minor None
1022 Use of Web Link to Untrusted Target with window.opener Access
Major Potential_Mitigations
Minor None
1188 Insecure Default Initialization of Resource
Major Related_Attack_Patterns
Minor None
1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
Major Demonstrative_Examples
Minor None
1204 Generation of Weak Initialization Vector (IV)
Major Maintenance_Notes, Observed_Examples, References
Minor None
1205 Security Primitives and Cryptography Issues
Major Relationships
Minor None
1220 Insufficient Granularity of Access Control
Major Demonstrative_Examples
Minor None
1221 Incorrect Register Defaults or Module Parameters
Major Related_Attack_Patterns
Minor None
1240 Use of a Risky Cryptographic Primitive
Major Maintenance_Notes, Research_Gaps
Minor None
1241 Use of Predictable Algorithm in Random Number Generator
Major Maintenance_Notes
Minor None
1243 Sensitive Non-Volatile Information Not Protected During Debug
Major Relationships
Minor None
1246 Improper Write Handling in Limited-write Non-Volatile Memories
Major Related_Attack_Patterns
Minor None
1253 Incorrect Selection of Fuse Values
Major Related_Attack_Patterns
Minor None
1254 Incorrect Comparison Logic Granularity
Major Related_Attack_Patterns
Minor None
1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks
Major Demonstrative_Examples, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns
Minor None
1256 Hardware Features Enable Physical Attacks from Software
Major Demonstrative_Examples, Observed_Examples
Minor None
1263 Improper Physical Access Control
Major Relationships
Minor None
1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels
Major Related_Attack_Patterns
Minor None
1267 Policy Uses Obsolete Encoding
Major Related_Attack_Patterns
Minor None
1270 Generation of Incorrect Security Tokens
Major Related_Attack_Patterns
Minor None
1277 Firmware Not Updateable
Major Demonstrative_Examples, Maintenance_Notes
Minor None
1281 Sequence of Processor Instructions Leads to Unexpected Behavior
Major Name, Observed_Examples
Minor None
1282 Assumed-Immutable Data is Stored in Writable Memory
Major Related_Attack_Patterns
Minor None
1290 Incorrect Decoding of Security Identifiers
Major Related_Attack_Patterns
Minor None
1292 Incorrect Conversion of Security Identifiers
Major Related_Attack_Patterns
Minor None
1294 Insecure Security Identifier Mechanism
Major Related_Attack_Patterns
Minor None
1295 Debug Messages Revealing Unnecessary Information
Major Observed_Examples, Related_Attack_Patterns, Relationships
Minor None
1296 Incorrect Chaining or Granularity of Debug Components
Major Related_Attack_Patterns
Minor None
1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors
Major Related_Attack_Patterns
Minor None
1298 Hardware Logic Contains Race Conditions
Major Related_Attack_Patterns
Minor None
1299 Missing Protection Mechanism for Alternate Hardware Interface
Major Observed_Examples, Related_Attack_Patterns
Minor None
1300 Improper Protection Against Physical Side Channels
Major Related_Attack_Patterns
Minor None
1301 Insufficient or Incomplete Data Removal within Hardware Component
Major Related_Attack_Patterns
Minor None
1302 Missing Security Identifier
Major Related_Attack_Patterns
Minor None
1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
Major Related_Attack_Patterns
Minor None
1310 Missing Ability to Patch ROM Code
Major Demonstrative_Examples, Maintenance_Notes
Minor None
1325 Improperly Controlled Sequential Memory Allocation
Major Observed_Examples
Minor None
1328 Security Version Number Mutable to Older Versions
Major Related_Attack_Patterns
Minor None
1329 Reliance on Component That is Not Updateable
Major Demonstrative_Examples, Description, References
Minor None
1333 Inefficient Regular Expression Complexity
Major References
Minor None
More information is available — Please select a different filter.
Page Last Updated: July 20, 2021