CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Differences between Version 1.11 and Version 1.12  
ID

Differences between Version 1.11 and Version 1.12

Summary
Summary
Total (Version 1.12) 844
Total (Version 1.11) 835
Total new 9
Total deprecated 0
Total shared 835
Total important changes 113
Total major changes 236
Total minor changes 7
Total minor changes (no major) 6
Total unchanged 593

Summary of Entry Types

Type Version 1.11 Version 1.12
Category 119 120
Chain 3 3
Composite 6 6
Deprecated 12 12
View 24 24
Weakness 671 679

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 38 2
Description 37 3
Applicable_Platforms 4 0
Time_of_Introduction 0 0
Demonstrative_Examples 42 0
Detection_Factors 1 0
Likelihood_of_Exploit 0 0
Common_Consequences 8 2
Relationships 58 0
References 1 0
Potential_Mitigations 80 0
Observed_Examples 12 0
Terminology_Notes 0 0
Alternate_Terms 4 0
Related_Attack_Patterns 0 0
Relationship_Notes 3 0
Taxonomy_Mappings 0 0
Maintenance_Notes 6 0
Modes_of_Introduction 0 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 0 0
Background_Details 3 0
Theoretical_Notes 0 0
Weakness_Ordinalities 2 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 0 0
Other_Notes 13 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 0 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 835

Status Changes

From To Total
Unchanged 835

Relationship Changes

The "Version 1.12 Total" lists the total number of relationships in Version 1.12. The "Shared" value is the total number of relationships in entries that were in both Version 1.12 and Version 1.11. The "New" value is the total number of relationships involving entries that did not exist in Version 1.11. Thus, the total number of relationships in Version 1.12 would combine stats from Shared entries and New entries.

Relationship Version 1.12 Total Version 1.11 Total Version 1.12 Shared Unchanged Added to Version 1.12 Removed from Version 1.11 Version 1.12 New
ALL 5063 4974 4983 4923 60 51 80
ChildOf 2177 2136 2143 2113 30 23 34
ParentOf 2177 2136 2143 2113 30 23 34
MemberOf 119 119 119 119
HasMember 119 119 119 119
CanPrecede 112 107 107 107 5
CanFollow 112 107 107 107 5
StartsWith 3 3 3 3
Requires 19 19 19 19
RequiredBy 19 19 19 19
CanAlsoBe 34 35 34 34 1
PeerOf 172 174 170 170 4 2

Nodes Removed from Version 1.11

CWE-ID CWE Name
None.

Nodes Added to Version 1.12

CWE-ID CWE Name
834 Excessive Iteration
835 Loop with Unreachable Exit Condition ('Infinite Loop')
836 Use of Password Hash Instead of Password for Authentication
837 Improper Enforcement of a Single, Unique Action
838 Inappropriate Encoding for Output Context
839 Numeric Range Comparison Without Minimum Check
840 Business Logic Errors
841 Improper Enforcement of Behavioral Workflow
842 Placement of User into Incorrect Group

Nodes Deprecated in Version 1.12

CWE-ID CWE Name
None.
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

D 67 Improper Handling of Windows Device Names
D 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
D 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
D 93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
N 94 Improper Control of Generation of Code ('Code Injection')
R 116 Improper Encoding or Escaping of Output
D 117 Improper Output Neutralization for Logs
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
D 120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
R 124 Buffer Underwrite ('Buffer Underflow')
D 159 Failure to Sanitize Special Element
R 187 Partial Comparison
R 189 Numeric Errors
R 195 Signed to Unsigned Conversion Error
D R 200 Information Exposure
N 202 Exposure of Sensitive Data Through Data Queries
N 206 Information Exposure of Internal State Through Behavioral Inconsistency
N 208 Information Exposure Through Timing Discrepancy
R 209 Information Exposure Through an Error Message
NR 210 Information Exposure Through Generated Error Message
N 211 Information Exposure Through External Error Message
N 213 Intentional Information Exposure
N 214 Information Exposure Through Process Environment
DN 227 Improper Fulfillment of API Contract ('API Abuse')
D R 248 Uncaught Exception
R 250 Execution with Unnecessary Privileges
R 261 Weak Cryptography for Passwords
R 262 Not Using Password Aging
D R 263 Password Aging with Long Expiration
R 264 Permissions, Privileges, and Access Controls
R 265 Privilege / Sandbox Issues
D R 269 Improper Privilege Management
R 271 Privilege Dropping / Lowering Errors
R 282 Improper Ownership Management
R 283 Unverified Ownership
DNR 284 Improper Access Control
DNR 285 Improper Authorization
R 286 Incorrect User Management
R 287 Improper Authentication
R 288 Authentication Bypass Using an Alternate Path or Channel
D 327 Use of a Broken or Risky Cryptographic Algorithm
D 352 Cross-Site Request Forgery (CSRF)
R 361 Time and State
D 385 Covert Timing Channel
R 395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
N 403 Exposure of File Descriptor to Unintended Control Sphere
R 408 Incorrect Behavior Order: Early Amplification
D 416 Use After Free
D R 425 Direct Request ('Forced Browsing')
R 438 Behavioral Problems
R 442 Web Problems
N 488 Exposure of Data Element to Wrong Session
N 498 Cloneable Class Containing Sensitive Information
R 521 Weak Password Requirements
R 522 Insufficiently Protected Credentials
N 524 Information Exposure Through Caching
N 525 Information Exposure Through Browser Caching
N 526 Information Exposure Through Environmental Variables
N 531 Information Exposure Through Test Code
N 532 Information Exposure Through Log Files
N 533 Information Exposure Through Server Log Files
N 534 Information Exposure Through Debug Log Files
N 535 Information Exposure Through Shell Error Message
N 536 Information Exposure Through Servlet Runtime Error Message
N 537 Information Exposure Through Java Runtime Error Message
N 539 Information Exposure Through Persistent Cookies
DN 540 Information Exposure Through Source Code
N 541 Information Exposure Through Include Source Code
DN 542 Information Exposure Through Cleanup Log Files
N 548 Information Exposure Through Directory Listing
D 549 Missing Password Field Masking
NR 550 Information Exposure Through Server Error Message
D 554 ASP.NET Misconfiguration: Not Using Input Validation Framework
D 555 J2EE Misconfiguration: Plaintext Password in Configuration File
N 566 Authorization Bypass Through User-Controlled SQL Primary Key
DN 573 Improper Following of Specification by Caller
D 581 Object Model Violation: Just One of Equals and Hashcode Defined
R 596 Incorrect Semantic Object Comparison
D 597 Use of Wrong Operator in String Comparison
N 598 Information Exposure Through Query Strings in GET Request
R 600 Uncaught Exception in Servlet
R 602 Client-Side Enforcement of Server-Side Security
R 606 Unchecked Input for Loop Condition
N 611 Information Exposure Through XML External Entity Reference
N 612 Information Exposure Through Indexing of Private Data
N 615 Information Exposure Through Comments
D 627 Dynamic Variable Evaluation
DNR 639 Authorization Bypass Through User-Controlled Key
R 640 Weak Password Recovery Mechanism for Forgotten Password
D 644 Improper Neutralization of HTTP Headers for Scripting Syntax
D 646 Reliance on File Name or Extension of Externally-Supplied File
R 647 Use of Non-Canonical URL Paths for Authorization Decisions
D 648 Incorrect Use of Privileged APIs
R 664 Improper Control of a Resource Through its Lifetime
R 666 Operation on Resource in Wrong Phase of Lifetime
R 668 Exposure of Resource to Wrong Sphere
R 674 Uncontrolled Recursion
R 682 Incorrect Calculation
DN 684 Incorrect Provision of Specified Functionality
R 691 Insufficient Control Flow Management
R 693 Protection Mechanism Failure
R 696 Incorrect Behavior Order
D 697 Insufficient Comparison
R 703 Improper Check or Handling of Exceptional Conditions
R 705 Incorrect Control Flow Scoping
R 706 Use of Incorrectly-Resolved Name or Reference
D R 732 Incorrect Permission Assignment for Critical Resource
D R 754 Improper Check for Unusual or Exceptional Conditions
R 755 Improper Handling of Exceptional Conditions
R 770 Allocation of Resources Without Limits or Throttling
R 799 Improper Control of Interaction Frequency
D 822 Untrusted Pointer Dereference
R 827 Improper Control of Document Type Definition
Detailed Difference Report
Detailed Difference Report
5 J2EE Misconfiguration: Data Transmission Without Encryption
Major Other_Notes
Minor None
20 Improper Input Validation
Major Observed_Examples
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Potential_Mitigations
Minor None
23 Relative Path Traversal
Major Potential_Mitigations
Minor None
24 Path Traversal: '../filedir'
Major Potential_Mitigations
Minor None
25 Path Traversal: '/../filedir'
Major Potential_Mitigations
Minor None
26 Path Traversal: '/dir/../filename'
Major Potential_Mitigations
Minor None
27 Path Traversal: 'dir/../../filename'
Major Potential_Mitigations
Minor None
28 Path Traversal: '..\filedir'
Major Potential_Mitigations
Minor None
29 Path Traversal: '\..\filename'
Major Potential_Mitigations
Minor None
30 Path Traversal: '\dir\..\filename'
Major Potential_Mitigations
Minor None
31 Path Traversal: 'dir\..\..\filename'
Major Potential_Mitigations
Minor None
32 Path Traversal: '...' (Triple Dot)
Major Maintenance_Notes, Potential_Mitigations
Minor None
33 Path Traversal: '....' (Multiple Dot)
Major Potential_Mitigations
Minor None
34 Path Traversal: '....//'
Major Potential_Mitigations
Minor None
35 Path Traversal: '.../...//'
Major Potential_Mitigations
Minor None
37 Path Traversal: '/absolute/pathname/here'
Major Potential_Mitigations
Minor None
38 Path Traversal: '\absolute\pathname\here'
Major Potential_Mitigations
Minor None
39 Path Traversal: 'C:dirname'
Major Potential_Mitigations
Minor None
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major Potential_Mitigations
Minor None
41 Improper Resolution of Path Equivalence
Major Other_Notes, Potential_Mitigations, Relationship_Notes
Minor None
67 Improper Handling of Windows Device Names
Major Description
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Demonstrative_Examples
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Demonstrative_Examples, Description
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Demonstrative_Examples, References
Minor None
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Description, Potential_Mitigations
Minor None
81 Improper Neutralization of Script in an Error Message Web Page
Major Potential_Mitigations
Minor None
83 Improper Neutralization of Script in Attributes in a Web Page
Major Potential_Mitigations
Minor None
84 Improper Neutralization of Encoded URI Schemes in a Web Page
Major Potential_Mitigations
Minor None
85 Doubled Character XSS Manipulations
Major Potential_Mitigations
Minor None
87 Improper Neutralization of Alternate XSS Syntax
Major Potential_Mitigations
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Demonstrative_Examples
Minor None
93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Major Description
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Name
Minor None
102 Struts: Duplicate Validation Forms
Major Background_Details, Common_Consequences
Minor None
106 Struts: Plug-in Framework not in Use
Major Other_Notes
Minor None
108 Struts: Unvalidated Action Form
Major Other_Notes
Minor None
109 Struts: Validator Turned Off
Major Demonstrative_Examples
Minor None
111 Direct Use of Unsafe JNI
Major Demonstrative_Examples
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Potential_Mitigations
Minor None
116 Improper Encoding or Escaping of Output
Major Relationship_Notes, Relationships
Minor None
117 Improper Output Neutralization for Logs
Major Description, Potential_Mitigations
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Relationships
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Demonstrative_Examples, Description
Minor None
124 Buffer Underwrite ('Buffer Underflow')
Major Demonstrative_Examples, Relationships
Minor None
126 Buffer Over-read
Major Demonstrative_Examples
Minor None
129 Improper Validation of Array Index
Major Common_Consequences, Demonstrative_Examples, Weakness_Ordinalities
Minor None
130 Improper Handling of Length Parameter Inconsistency
Major Demonstrative_Examples
Minor None
131 Incorrect Calculation of Buffer Size
Major Maintenance_Notes
Minor None
138 Improper Neutralization of Special Elements
Major Potential_Mitigations
Minor None
140 Improper Neutralization of Delimiters
Major Potential_Mitigations
Minor None
141 Improper Neutralization of Parameter/Argument Delimiters
Major Potential_Mitigations
Minor None
142 Improper Neutralization of Value Delimiters
Major Potential_Mitigations
Minor None
143 Improper Neutralization of Record Delimiters
Major Potential_Mitigations
Minor None
144 Improper Neutralization of Line Delimiters
Major Potential_Mitigations
Minor None
145 Improper Neutralization of Section Delimiters
Major Potential_Mitigations
Minor None
146 Improper Neutralization of Expression/Command Delimiters
Major Potential_Mitigations
Minor None
147 Improper Neutralization of Input Terminators
Major Potential_Mitigations
Minor None
148 Improper Neutralization of Input Leaders
Major Potential_Mitigations
Minor None
149 Improper Neutralization of Quoting Syntax
Major Potential_Mitigations
Minor None
150 Improper Neutralization of Escape, Meta, or Control Sequences
Major Potential_Mitigations
Minor None
151 Improper Neutralization of Comment Delimiters
Major Potential_Mitigations
Minor None
152 Improper Neutralization of Macro Symbols
Major Observed_Examples, Potential_Mitigations
Minor None
153 Improper Neutralization of Substitution Characters
Major Observed_Examples, Potential_Mitigations
Minor None
154 Improper Neutralization of Variable Name Delimiters
Major Observed_Examples, Potential_Mitigations
Minor None
155 Improper Neutralization of Wildcards or Matching Symbols
Major Potential_Mitigations
Minor None
156 Improper Neutralization of Whitespace
Major Potential_Mitigations
Minor None
157 Failure to Sanitize Paired Delimiters
Major Potential_Mitigations
Minor None
158 Improper Neutralization of Null Byte or NUL Character
Major Potential_Mitigations
Minor None
159 Failure to Sanitize Special Element
Major Description, Potential_Mitigations
Minor None
160 Improper Neutralization of Leading Special Elements
Major Potential_Mitigations
Minor None
161 Improper Neutralization of Multiple Leading Special Elements
Major Potential_Mitigations
Minor None
162 Improper Neutralization of Trailing Special Elements
Major Potential_Mitigations
Minor None
163 Improper Neutralization of Multiple Trailing Special Elements
Major Potential_Mitigations
Minor None
164 Improper Neutralization of Internal Special Elements
Major Potential_Mitigations
Minor None
165 Improper Neutralization of Multiple Internal Special Elements
Major Potential_Mitigations
Minor None
166 Improper Handling of Missing Special Element
Major Potential_Mitigations
Minor None
167 Improper Handling of Additional Special Element
Major Potential_Mitigations
Minor None
168 Improper Handling of Inconsistent Special Elements
Major Potential_Mitigations
Minor None
169 Technology-Specific Special Elements
Major Other_Notes
Minor None
170 Improper Null Termination
Major Common_Consequences
Minor None
172 Encoding Error
Major Potential_Mitigations
Minor None
173 Improper Handling of Alternate Encoding
Major Potential_Mitigations
Minor None
174 Double Decoding of the Same Data
Major Potential_Mitigations
Minor None
175 Improper Handling of Mixed Encoding
Major Potential_Mitigations
Minor None
176 Improper Handling of Unicode Encoding
Major Potential_Mitigations
Minor None
177 Improper Handling of URL Encoding (Hex Encoding)
Major Potential_Mitigations
Minor None
178 Improper Handling of Case Sensitivity
Major Potential_Mitigations
Minor None
179 Incorrect Behavior Order: Early Validation
Major Potential_Mitigations
Minor None
180 Incorrect Behavior Order: Validate Before Canonicalize
Major Potential_Mitigations
Minor None
181 Incorrect Behavior Order: Validate Before Filter
Major Demonstrative_Examples
Minor None
182 Collapse of Data into Unsafe Value
Major Potential_Mitigations
Minor None
183 Permissive Whitelist
Major Potential_Mitigations
Minor None
185 Incorrect Regular Expression
Major Observed_Examples
Minor None
187 Partial Comparison
Major Relationships
Minor None
188 Reliance on Data/Memory Layout
Major Common_Consequences
Minor None
189 Numeric Errors
Major Relationships
Minor None
195 Signed to Unsigned Conversion Error
Major Relationships
Minor None
200 Information Exposure
Major Description, Relationships
Minor None
202 Exposure of Sensitive Data Through Data Queries
Major Name
Minor None
206 Information Exposure of Internal State Through Behavioral Inconsistency
Major Name
Minor None
208 Information Exposure Through Timing Discrepancy
Major Name
Minor None
209 Information Exposure Through an Error Message
Major Demonstrative_Examples, Observed_Examples, Relationships
Minor None
210 Information Exposure Through Generated Error Message
Major Name, Relationships
Minor None
211 Information Exposure Through External Error Message
Major Name
Minor None
213 Intentional Information Exposure
Major Name
Minor None
214 Information Exposure Through Process Environment
Major Name
Minor None
223 Omission of Security-relevant Information
Major Demonstrative_Examples
Minor None
224 Obscured Security-relevant Information by Alternate Name
Major Demonstrative_Examples
Minor None
227 Improper Fulfillment of API Contract ('API Abuse')
Major Description, Name
Minor None
241 Improper Handling of Unexpected Data Type
Major Potential_Mitigations
Minor None
248 Uncaught Exception
Major Description, Relationships
Minor None
250 Execution with Unnecessary Privileges
Major Relationships
Minor None
261 Weak Cryptography for Passwords
Major Relationships
Minor None
262 Not Using Password Aging
Major Relationships
Minor None
263 Password Aging with Long Expiration
Major Description, Other_Notes, Relationships
Minor None
264 Permissions, Privileges, and Access Controls
Major Relationships
Minor None
265 Privilege / Sandbox Issues
Major Relationships
Minor None
269 Improper Privilege Management
Major Description, Relationships
Minor None
271 Privilege Dropping / Lowering Errors
Major Relationships
Minor None
282 Improper Ownership Management
Major Relationships
Minor None
283 Unverified Ownership
Major Relationships
Minor None
284 Improper Access Control
Major Alternate_Terms, Background_Details, Description, Maintenance_Notes, Name, Relationships
Minor None
285 Improper Authorization
Major Background_Details, Demonstrative_Examples, Description, Name, Relationships
Minor None
286 Incorrect User Management
Major Applicable_Platforms, Maintenance_Notes, Relationships
Minor None
287 Improper Authentication
Major Relationships
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Relationships
Minor None
289 Authentication Bypass by Alternate Name
Major Potential_Mitigations
Minor None
307 Improper Restriction of Excessive Authentication Attempts
Major Demonstrative_Examples
Minor None
311 Missing Encryption of Sensitive Data
Major Demonstrative_Examples
Minor None
319 Cleartext Transmission of Sensitive Information
Major Potential_Mitigations
Minor None
320 Key Management Errors
Major Observed_Examples
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Demonstrative_Examples, Description
Minor None
330 Use of Insufficiently Random Values
Major Demonstrative_Examples
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Description
Minor None
359 Privacy Violation
Major Other_Notes
Minor None
361 Time and State
Major Relationships
Minor None
363 Race Condition Enabling Link Following
Major Demonstrative_Examples
Minor None
385 Covert Timing Channel
Major Description
Minor None
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major Other_Notes, Relationships
Minor None
401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
Major Alternate_Terms
Minor None
402 Transmission of Private Resources into a New Sphere ('Resource Leak')
Major Alternate_Terms
Minor None
403 Exposure of File Descriptor to Unintended Control Sphere
Major Name
Minor None
404 Improper Resource Shutdown or Release
Major Weakness_Ordinalities
Minor None
406 Insufficient Control of Network Message Volume (Network Amplification)
Major Demonstrative_Examples
Minor None
408 Incorrect Behavior Order: Early Amplification
Major Demonstrative_Examples, Observed_Examples, Relationships
Minor None
412 Unrestricted Externally Accessible Lock
Major Demonstrative_Examples
Minor None
416 Use After Free
Major Description
Minor None
425 Direct Request ('Forced Browsing')
Major Applicable_Platforms, Description, Relationships
Minor None
426 Untrusted Search Path
Major Demonstrative_Examples
Minor None
427 Uncontrolled Search Path Element
Major Potential_Mitigations
Minor None
428 Unquoted Search Path or Element
Major Potential_Mitigations
Minor None
431 Missing Handler
Major Demonstrative_Examples
Minor None
438 Behavioral Problems
Major Relationships
Minor None
442 Web Problems
Major Relationships
Minor None
446 UI Discrepancy for Security Feature
Major Other_Notes, Relationship_Notes
Minor None
450 Multiple Interpretations of UI Input
Major Potential_Mitigations
Minor None
454 External Initialization of Trusted Variables or Data Stores
Major Demonstrative_Examples
Minor None
456 Missing Initialization
Major Demonstrative_Examples
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major Demonstrative_Examples
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major Potential_Mitigations
Minor None
477 Use of Obsolete Functions
Major Demonstrative_Examples
Minor None
478 Missing Default Case in Switch Statement
Major Demonstrative_Examples
Minor None
488 Exposure of Data Element to Wrong Session
Major Name
Minor None
494 Download of Code Without Integrity Check
Major Demonstrative_Examples
Minor None
498 Cloneable Class Containing Sensitive Information
Major Name
Minor None
521 Weak Password Requirements
Major Potential_Mitigations, Relationships
Minor None
522 Insufficiently Protected Credentials
Major Relationships
Minor None
524 Information Exposure Through Caching
Major Name
Minor None
525 Information Exposure Through Browser Caching
Major Name
Minor None
526 Information Exposure Through Environmental Variables
Major Name
Minor None
531 Information Exposure Through Test Code
Major Name
Minor None
532 Information Exposure Through Log Files
Major Name
Minor None
533 Information Exposure Through Server Log Files
Major Name
Minor None
534 Information Exposure Through Debug Log Files
Major Name
Minor None
535 Information Exposure Through Shell Error Message
Major Name
Minor None
536 Information Exposure Through Servlet Runtime Error Message
Major Name
Minor None
537 Information Exposure Through Java Runtime Error Message
Major Demonstrative_Examples, Name
Minor None
539 Information Exposure Through Persistent Cookies
Major Name
Minor None
540 Information Exposure Through Source Code
Major Description, Name
Minor None
541 Information Exposure Through Include Source Code
Major Name
Minor None
542 Information Exposure Through Cleanup Log Files
Major Description, Name
Minor None
543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
Major Demonstrative_Examples
Minor None
548 Information Exposure Through Directory Listing
Major Name
Minor None
549 Missing Password Field Masking
Major Description
Minor None
550 Information Exposure Through Server Error Message
Major Name, Relationships
Minor None
554 ASP.NET Misconfiguration: Not Using Input Validation Framework
Major Common_Consequences, Description, Potential_Mitigations
Minor None
555 J2EE Misconfiguration: Plaintext Password in Configuration File
Major Description
Minor None
566 Authorization Bypass Through User-Controlled SQL Primary Key
Major Applicable_Platforms, Demonstrative_Examples, Name
Minor None
568 finalize() Method Without super.finalize()
Major None
Minor Description
573 Improper Following of Specification by Caller
Major Description, Name
Minor None
580 clone() Method Without super.clone()
Major Demonstrative_Examples
Minor None
581 Object Model Violation: Just One of Equals and Hashcode Defined
Major Description
Minor None
596 Incorrect Semantic Object Comparison
Major Relationships
Minor None
597 Use of Wrong Operator in String Comparison
Major Demonstrative_Examples, Description, Potential_Mitigations
Minor None
598 Information Exposure Through Query Strings in GET Request
Major Name
Minor None
600 Uncaught Exception in Servlet
Major Relationships
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Relationships
Minor None
606 Unchecked Input for Loop Condition
Major Demonstrative_Examples, Relationships
Minor None
607 Public Static Final Field References Mutable Object
Major None
Minor Description
611 Information Exposure Through XML External Entity Reference
Major Name
Minor None
612 Information Exposure Through Indexing of Private Data
Major Name
Minor None
615 Information Exposure Through Comments
Major Name
Minor None
616 Incomplete Identification of Uploaded File Variables (PHP)
Major Other_Notes
Minor None
626 Null Byte Interaction Error (Poison Null Byte)
Major Other_Notes
Minor None
627 Dynamic Variable Evaluation
Major Description
Minor None
639 Authorization Bypass Through User-Controlled Key
Major Alternate_Terms, Applicable_Platforms, Description, Name, Potential_Mitigations, Relationships
Minor None
640 Weak Password Recovery Mechanism for Forgotten Password
Major Relationships
Minor None
644 Improper Neutralization of HTTP Headers for Scripting Syntax
Major Description
Minor None
646 Reliance on File Name or Extension of Externally-Supplied File
Major Common_Consequences, Description
Minor None
647 Use of Non-Canonical URL Paths for Authorization Decisions
Major Relationships
Minor None
648 Incorrect Use of Privileged APIs
Major Description, Potential_Mitigations
Minor None
650 Trusting HTTP Permission Methods on the Server Side
Major Common_Consequences
Minor None
651 Information Exposure Through WSDL File
Major None
Minor Name
656 Reliance on Security Through Obscurity
Major None
Minor Name
664 Improper Control of a Resource Through its Lifetime
Major Relationships
Minor None
666 Operation on Resource in Wrong Phase of Lifetime
Major Relationships
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
674 Uncontrolled Recursion
Major Relationships
Minor None
681 Incorrect Conversion between Numeric Types
Major Demonstrative_Examples
Minor None
682 Incorrect Calculation
Major Relationships
Minor None
684 Incorrect Provision of Specified Functionality
Major Description, Name
Minor None
691 Insufficient Control Flow Management
Major Maintenance_Notes, Other_Notes, Relationships
Minor None
693 Protection Mechanism Failure
Major Maintenance_Notes, Other_Notes, Relationships
Minor None
696 Incorrect Behavior Order
Major Relationships
Minor None
697 Insufficient Comparison
Major Description
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Relationships
Minor None
705 Incorrect Control Flow Scoping
Major Relationships
Minor None
706 Use of Incorrectly-Resolved Name or Reference
Major Relationships
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Demonstrative_Examples, Description, Relationships
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Description, Relationships
Minor None
755 Improper Handling of Exceptional Conditions
Major Relationships
Minor None
759 Use of a One-Way Hash without a Salt
Major Observed_Examples
Minor None
760 Use of a One-Way Hash with a Predictable Salt
Major Observed_Examples
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Demonstrative_Examples, Detection_Factors, Relationships
Minor None
789 Uncontrolled Memory Allocation
Major Common_Consequences, Observed_Examples
Minor None
795 Only Filtering Special Elements at a Specified Location
Major None
Minor Description
799 Improper Control of Interaction Frequency
Major Observed_Examples, Relationships
Minor None
806 Buffer Access Using Size of Source Buffer
Major Demonstrative_Examples
Minor None
822 Untrusted Pointer Dereference
Major Description
Minor Common_Consequences
823 Use of Out-of-range Pointer Offset
Major None
Minor Common_Consequences
827 Improper Control of Document Type Definition
Major Relationships
Minor None
Page Last Updated: January 05, 2017