CWE - Differences between Version 1.9 and Version 1.10

Home > CWE List > Reports > Differences between Version 1.9 and Version 1.10

Differences between Version 1.9 and Version 1.10

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 1.10)	828
Total (Version 1.9)	821
Total new	7
Total deprecated	0
Total shared	821
Total important changes	57
Total major changes	91
Total minor changes	6
Total minor changes (no major)	3
Total unchanged	727

Summary of Entry Types

Type	Version 1.9	Version 1.10
Category	119	119
Chain	3	3
Composite	6	6
Deprecated	11	11
View	24	24
Weakness	658	665

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	9	1
Description	15	2
Applicable_Platforms	1	0
Time_of_Introduction	0	0
Demonstrative_Examples	3	2
Detection_Factors	0	0
Likelihood_of_Exploit	0	0
Common_Consequences	2	0
Relationships	43	0
References	4	0
Potential_Mitigations	34	0
Observed_Examples	13	0
Terminology_Notes	1	0
Alternate_Terms	1	0
Related_Attack_Patterns	0	0
Relationship_Notes	3	0
Taxonomy_Mappings	2	0
Maintenance_Notes	1	0
Modes_of_Introduction	0	0
Affected_Resources	0	0
Functional_Areas	0	0
Research_Gaps	0	0
Background_Details	1	1
Theoretical_Notes	0	0
Weakness_Ordinalities	0	0
White_Box_Definitions	0	0
Enabling_Factors_for_Exploitation	0	0
Other_Notes	5	0
Relevant_Properties	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Common_Methods_of_Exploitation	0	0
Type	0	0
Causal_Nature	0	0
Source_Taxonomy	0	0
Context_Notes	0	0
Black_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		821

Status Changes

From	To	Total
Unchanged		821

Relationship Changes

The "Version 1.10 Total" lists the total number of relationships in Version 1.10. The "Shared" value is the total number of relationships in entries that were in both Version 1.10 and Version 1.9. The "New" value is the total number of relationships involving entries that did not exist in Version 1.9. Thus, the total number of relationships in Version 1.10 would combine stats from Shared entries and New entries.

Relationship	Version 1.10 Total	Version 1.9 Total	Version 1.10 Shared	Unchanged	Added to Version 1.10	Removed from Version 1.9	Version 1.10 New
ALL	4956	4874	4878	4846	32	28	78
ChildOf	2124	2096	2097	2083	14	13	27
ParentOf	2124	2096	2097	2083	14	13	27
MemberOf	119	119	119	119
HasMember	119	119	119	119
CanPrecede	103	90	91	90	1		12
CanFollow	103	90	91	90	1		12
StartsWith	3	3	3	3
Requires	19	19	19	19
RequiredBy	19	19	19	19
CanAlsoBe	35	37	35	35		2
PeerOf	188	186	188	186	2

Nodes Removed from Version 1.9

CWE-ID	CWE Name
None.

Nodes Added to Version 1.10

CWE-ID	CWE Name
820	Missing Synchronization
821	Incorrect Synchronization
822	Untrusted Pointer Dereference
823	Use of Out-of-range Pointer Offset
824	Access of Uninitialized Pointer
825	Expired Pointer Dereference
826	Premature Release of Resource During Expected Lifetime

Nodes Deprecated in Version 1.10

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

		R	20	Improper Input Validation
D			67	Improper Handling of Windows Device Names
		R	88	Argument Injection or Modification
		R	119	Failure to Constrain Operations within the Bounds of a Memory Buffer
		R	125	Out-of-bounds Read
		R	129	Improper Validation of Array Index
D	N		201	Information Exposure Through Sent Data
D	N		204	Response Discrepancy Information Exposure
		R	208	Timing Discrepancy Information Leak
		R	209	Information Exposure Through an Error Message
D	N		215	Information Exposure Through Debug Information
		R	226	Sensitive Information Uncleared Before Release
		R	259	Use of Hard-coded Password
D			285	Improper Access Control (Authorization)
		R	321	Use of Hard-coded Cryptographic Key
		R	327	Use of a Broken or Risky Cryptographic Algorithm
		R	362	Race Condition
		R	365	Race Condition in Switch
		R	366	Race Condition within a Thread
D		R	367	Time-of-check Time-of-use (TOCTOU) Race Condition
	N		375	Returning a Mutable Object to an Untrusted Caller
D			385	Covert Timing Channel
D	N		413	Improper Resource Locking
		R	415	Double Free
		R	416	Use After Free
D		R	426	Untrusted Search Path
D		R	427	Uncontrolled Search Path Element
D			433	Unparsed Raw Web Content Delivery
		R	465	Pointer Issues
		R	476	NULL Pointer Dereference
		R	479	Unsafe Function Call from a Signal Handler
		R	538	File and Directory Information Exposure
D			539	Information Leak Through Persistent Cookies
	N		543	Use of Singleton Pattern Without Synchronization in a Multithreaded Context
		R	552	Files or Directories Accessible to External Parties
		R	562	Return of Stack Variable Address
		R	572	Call to Thread run() instead of start()
		R	574	EJB Bad Practices: Use of Synchronization Primitives
		R	622	Unvalidated Function Hook Arguments
D	N		651	Information Exposure through WSDL File
	N	R	662	Improper Synchronization
	N	R	663	Use of a Non-reentrant Function in a Multithreaded Context
		R	666	Operation on Resource in Wrong Phase of Lifetime
		R	667	Insufficient Locking
		R	668	Exposure of Resource to Wrong Sphere
		R	671	Lack of Administrator Control over Security
		R	672	Operation on a Resource after Expiration or Release
		R	689	Permission Race Condition During Resource Copy
		R	691	Insufficient Control Flow Management
		R	732	Incorrect Permission Assignment for Critical Resource
D			756	Missing Custom Error Page
		R	761	Free of Pointer not at Start of Buffer
		R	763	Release of Invalid Pointer or Reference
D			768	Incorrect Short Circuit Evaluation
		R	781	Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
		R	787	Out-of-bounds Write
		R	815	OWASP Top Ten 2010 Category A6 - Security Misconfiguration

Detailed Difference Report

20	Improper Input Validation
	Major	Potential_Mitigations, Relationships
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Potential_Mitigations
	Minor	None
29	Path Traversal: '\..\filename'
	Major	None
	Minor	Description
47	Path Equivalence: ' filename' (Leading Space)
	Major	None
	Minor	Name
67	Improper Handling of Windows Device Names
	Major	Description
	Minor	None
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
	Major	Potential_Mitigations
	Minor	None
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	Major	Potential_Mitigations
	Minor	Background_Details
88	Argument Injection or Modification
	Major	Relationships
	Minor	None
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Potential_Mitigations
	Minor	None
98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
	Major	Potential_Mitigations
	Minor	None
119	Failure to Constrain Operations within the Bounds of a Memory Buffer
	Major	Potential_Mitigations, Relationships
	Minor	None
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	Potential_Mitigations
	Minor	None
125	Out-of-bounds Read
	Major	Relationships
	Minor	None
129	Improper Validation of Array Index
	Major	Potential_Mitigations, Relationship_Notes, Relationships
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	Potential_Mitigations
	Minor	None
190	Integer Overflow or Wraparound
	Major	Observed_Examples, Potential_Mitigations
	Minor	None
201	Information Exposure Through Sent Data
	Major	Common_Consequences, Description, Name
	Minor	None
204	Response Discrepancy Information Exposure
	Major	Description, Name, Observed_Examples
	Minor	None
208	Timing Discrepancy Information Leak
	Major	Relationships
	Minor	None
209	Information Exposure Through an Error Message
	Major	Potential_Mitigations, Relationships
	Minor	None
212	Improper Cross-boundary Removal of Sensitive Data
	Major	Potential_Mitigations
	Minor	None
215	Information Exposure Through Debug Information
	Major	Description, Name, Observed_Examples
	Minor	None
226	Sensitive Information Uncleared Before Release
	Major	Relationships
	Minor	None
247	Reliance on DNS Lookups in a Security Decision
	Major	Potential_Mitigations
	Minor	None
252	Unchecked Return Value
	Major	Observed_Examples
	Minor	None
259	Use of Hard-coded Password
	Major	Relationships
	Minor	None
285	Improper Access Control (Authorization)
	Major	Description
	Minor	None
292	Trusting Self-reported DNS Name
	Major	Potential_Mitigations
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	Potential_Mitigations
	Minor	None
321	Use of Hard-coded Cryptographic Key
	Major	Relationships
	Minor	None
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	Potential_Mitigations, Relationships
	Minor	None
350	Improperly Trusted Reverse DNS
	Major	Potential_Mitigations
	Minor	None
352	Cross-Site Request Forgery (CSRF)
	Major	Potential_Mitigations
	Minor	None
362	Race Condition
	Major	Observed_Examples, Potential_Mitigations, Relationships
	Minor	Description
364	Signal Handler Race Condition
	Major	Observed_Examples, References
	Minor	None
365	Race Condition in Switch
	Major	Relationships
	Minor	None
366	Race Condition within a Thread
	Major	Potential_Mitigations, Relationships
	Minor	None
367	Time-of-check Time-of-use (TOCTOU) Race Condition
	Major	Description, Relationships
	Minor	None
375	Returning a Mutable Object to an Untrusted Caller
	Major	Name, Taxonomy_Mappings
	Minor	Demonstrative_Examples
385	Covert Timing Channel
	Major	Common_Consequences, Description
	Minor	None
400	Uncontrolled Resource Consumption ('Resource Exhaustion')
	Major	Demonstrative_Examples
	Minor	None
413	Improper Resource Locking
	Major	Description, Name
	Minor	None
415	Double Free
	Major	Relationships
	Minor	None
416	Use After Free
	Major	Observed_Examples, Relationships
	Minor	None
426	Untrusted Search Path
	Major	Description, Relationships
	Minor	None
427	Uncontrolled Search Path Element
	Major	Alternate_Terms, Applicable_Platforms, Description, Maintenance_Notes, Observed_Examples, References, Relationship_Notes, Relationships
	Minor	None
433	Unparsed Raw Web Content Delivery
	Major	Description, Potential_Mitigations
	Minor	None
434	Unrestricted Upload of File with Dangerous Type
	Major	Potential_Mitigations
	Minor	None
465	Pointer Issues
	Major	Relationships
	Minor	None
476	NULL Pointer Dereference
	Major	Demonstrative_Examples, Observed_Examples, Relationships
	Minor	None
479	Unsafe Function Call from a Signal Handler
	Major	Relationships
	Minor	None
488	Data Leak Between Sessions
	Major	Potential_Mitigations
	Minor	None
494	Download of Code Without Integrity Check
	Major	Potential_Mitigations, References
	Minor	None
506	Embedded Malicious Code
	Major	Other_Notes, Terminology_Notes
	Minor	None
538	File and Directory Information Exposure
	Major	Relationships
	Minor	None
539	Information Leak Through Persistent Cookies
	Major	Description, Other_Notes
	Minor	None
543	Use of Singleton Pattern Without Synchronization in a Multithreaded Context
	Major	Name
	Minor	None
552	Files or Directories Accessible to External Parties
	Major	Relationships
	Minor	None
559	Often Misused: Arguments and Parameters
	Major	Other_Notes, Relationship_Notes
	Minor	None
562	Return of Stack Variable Address
	Major	Relationships
	Minor	None
567	Unsynchronized Access to Shared Data
	Major	Other_Notes
	Minor	None
572	Call to Thread run() instead of start()
	Major	Relationships
	Minor	None
574	EJB Bad Practices: Use of Synchronization Primitives
	Major	Relationships
	Minor	None
601	URL Redirection to Untrusted Site ('Open Redirect')
	Major	Potential_Mitigations
	Minor	None
611	Information Leak Through XML External Entity File Disclosure
	Major	Background_Details, Other_Notes
	Minor	None
613	Insufficient Session Expiration
	Major	Taxonomy_Mappings
	Minor	None
622	Unvalidated Function Hook Arguments
	Major	Relationships
	Minor	None
651	Information Exposure through WSDL File
	Major	Description, Name
	Minor	None
662	Improper Synchronization
	Major	Name, Relationships
	Minor	None
663	Use of a Non-reentrant Function in a Multithreaded Context
	Major	Name, Observed_Examples, Potential_Mitigations, References, Relationships
	Minor	None
665	Improper Initialization
	Major	Observed_Examples
	Minor	None
666	Operation on Resource in Wrong Phase of Lifetime
	Major	Relationships
	Minor	None
667	Insufficient Locking
	Major	Relationships
	Minor	None
668	Exposure of Resource to Wrong Sphere
	Major	Relationships
	Minor	None
671	Lack of Administrator Control over Security
	Major	Relationships
	Minor	None
672	Operation on a Resource after Expiration or Release
	Major	Observed_Examples, Relationships
	Minor	None
682	Incorrect Calculation
	Major	Potential_Mitigations
	Minor	None
689	Permission Race Condition During Resource Copy
	Major	Relationships
	Minor	None
690	Unchecked Return Value to NULL Pointer Dereference
	Major	Observed_Examples
	Minor	None
691	Insufficient Control Flow Management
	Major	Relationships
	Minor	None
732	Incorrect Permission Assignment for Critical Resource
	Major	Potential_Mitigations, Relationships
	Minor	None
754	Improper Check for Unusual or Exceptional Conditions
	Major	Potential_Mitigations
	Minor	None
756	Missing Custom Error Page
	Major	Description
	Minor	None
761	Free of Pointer not at Start of Buffer
	Major	Relationships
	Minor	None
763	Release of Invalid Pointer or Reference
	Major	Relationships
	Minor	None
768	Incorrect Short Circuit Evaluation
	Major	Description
	Minor	None
770	Allocation of Resources Without Limits or Throttling
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
772	Missing Release of Resource after Effective Lifetime
	Major	None
	Minor	Demonstrative_Examples
781	Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
	Major	Relationships
	Minor	None
787	Out-of-bounds Write
	Major	Relationships
	Minor	None
798	Use of Hard-coded Credentials
	Major	Potential_Mitigations
	Minor	None
805	Buffer Access with Incorrect Length Value
	Major	Potential_Mitigations
	Minor	None
807	Reliance on Untrusted Inputs in a Security Decision
	Major	Potential_Mitigations
	Minor	None
815	OWASP Top Ten 2010 Category A6 - Security Misconfiguration
	Major	Relationships
	Minor	None

Page Last Updated: January 05, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration