Any change with respect to whitespace is ignored. "Minor"
changes are text changes that only affect capitalization and
punctuation. Most other changes are marked as "Major."
Simple schema changes are treated as Minor, such as the change from
AffectedResource to Affected_Resource in Draft 8, or the relationship
name change from "IsRequiredBy" to "RequiredBy" in
Version 1.0. For each mutual relationship between nodes A and B (such
as ParentOf and ChildOf), a relationship change is noted for both A
and B.
The "Version 2.11 Total" lists the total number of relationships
in Version 2.11. The "Shared" value is the total number of
relationships in entries that were in both Version 2.11 and Version 2.10. The
"New" value is the total number of relationships involving
entries that did not exist in Version 2.10. Thus, the total number of
relationships in Version 2.11 would combine stats from Shared entries and
New entries.
A node change is labeled "important" if it is a major field change and
the field is critical to the meaning of the node. The critical fields
are description, name, and relationships.
| 19 |
Data Processing Errors |
|
Major |
Name, Relationships |
|
Minor |
None |
| 20 |
Improper Input Validation |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
| 22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
| 71 |
Apple '.DS_Store' |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
|
Major |
Potential_Mitigations, Related_Attack_Patterns |
|
Minor |
None |
| 75 |
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
|
Major |
Potential_Mitigations, Related_Attack_Patterns |
|
Minor |
None |
| 76 |
Improper Neutralization of Equivalent Special Elements |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 77 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
Major |
Potential_Mitigations, Related_Attack_Patterns, Relationships |
|
Minor |
None |
| 79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
| 80 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
|
Major |
Potential_Mitigations, Related_Attack_Patterns |
|
Minor |
None |
| 81 |
Improper Neutralization of Script in an Error Message Web Page |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 82 |
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 83 |
Improper Neutralization of Script in Attributes in a Web Page |
|
Major |
Potential_Mitigations, Related_Attack_Patterns |
|
Minor |
None |
| 84 |
Improper Neutralization of Encoded URI Schemes in a Web Page |
|
Major |
Potential_Mitigations, Related_Attack_Patterns |
|
Minor |
None |
| 85 |
Doubled Character XSS Manipulations |
|
Major |
Potential_Mitigations, Related_Attack_Patterns |
|
Minor |
None |
| 86 |
Improper Neutralization of Invalid Characters in Identifiers in Web Pages |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 87 |
Improper Neutralization of Alternate XSS Syntax |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 89 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
Major |
Relationships |
|
Minor |
None |
| 96 |
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 97 |
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 99 |
Improper Control of Resource Identifiers ('Resource Injection') |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
| 109 |
Struts: Validator Turned Off |
|
Major |
None |
|
Minor |
Demonstrative_Examples |
| 113 |
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 116 |
Improper Encoding or Escaping of Output |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 117 |
Improper Output Neutralization for Logs |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 118 |
Incorrect Access of Indexable Resource ('Range Error') |
|
Major |
Name, Relationships |
|
Minor |
None |
| 119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
Major |
Relationships |
|
Minor |
None |
| 138 |
Improper Neutralization of Special Elements |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 140 |
Improper Neutralization of Delimiters |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 141 |
Improper Neutralization of Parameter/Argument Delimiters |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 142 |
Improper Neutralization of Value Delimiters |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 143 |
Improper Neutralization of Record Delimiters |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 144 |
Improper Neutralization of Line Delimiters |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 145 |
Improper Neutralization of Section Delimiters |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 147 |
Improper Neutralization of Input Terminators |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 148 |
Improper Neutralization of Input Leaders |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 149 |
Improper Neutralization of Quoting Syntax |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 150 |
Improper Neutralization of Escape, Meta, or Control Sequences |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 151 |
Improper Neutralization of Comment Delimiters |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 152 |
Improper Neutralization of Macro Symbols |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 153 |
Improper Neutralization of Substitution Characters |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 154 |
Improper Neutralization of Variable Name Delimiters |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 155 |
Improper Neutralization of Wildcards or Matching Symbols |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 156 |
Improper Neutralization of Whitespace |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 157 |
Failure to Sanitize Paired Delimiters |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 158 |
Improper Neutralization of Null Byte or NUL Character |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 159 |
Failure to Sanitize Special Element |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 160 |
Improper Neutralization of Leading Special Elements |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 161 |
Improper Neutralization of Multiple Leading Special Elements |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 162 |
Improper Neutralization of Trailing Special Elements |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 163 |
Improper Neutralization of Multiple Trailing Special Elements |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 164 |
Improper Neutralization of Internal Special Elements |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 165 |
Improper Neutralization of Multiple Internal Special Elements |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 166 |
Improper Handling of Missing Special Element |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 167 |
Improper Handling of Additional Special Element |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 168 |
Improper Handling of Inconsistent Special Elements |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 184 |
Incomplete Blacklist |
|
Major |
Potential_Mitigations, Related_Attack_Patterns |
|
Minor |
None |
| 193 |
Off-by-one Error |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
| 200 |
Information Exposure |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 202 |
Exposure of Sensitive Data Through Data Queries |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 208 |
Information Exposure Through Timing Discrepancy |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 227 |
Improper Fulfillment of API Contract ('API Abuse') |
|
Major |
Observed_Examples, Related_Attack_Patterns |
|
Minor |
None |
| 232 |
Improper Handling of Undefined Values |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
| 259 |
Use of Hard-coded Password |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 276 |
Incorrect Default Permissions |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 279 |
Incorrect Execution-Assigned Permissions |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 287 |
Improper Authentication |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
| 288 |
Authentication Bypass Using an Alternate Path or Channel |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
| 289 |
Authentication Bypass by Alternate Name |
|
Major |
Relationships |
|
Minor |
None |
| 290 |
Authentication Bypass by Spoofing |
|
Major |
Relationships |
|
Minor |
None |
| 294 |
Authentication Bypass by Capture-replay |
|
Major |
Relationships |
|
Minor |
None |
| 302 |
Authentication Bypass by Assumed-Immutable Data |
|
Major |
Relationships |
|
Minor |
None |
| 305 |
Authentication Bypass by Primary Weakness |
|
Major |
Relationships |
|
Minor |
None |
| 311 |
Missing Encryption of Sensitive Data |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 312 |
Cleartext Storage of Sensitive Information |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 319 |
Cleartext Transmission of Sensitive Information |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 345 |
Insufficient Verification of Data Authenticity |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 348 |
Use of Less Trusted Source |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 350 |
Reliance on Reverse DNS Resolution for a Security-Critical Action |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 372 |
Incomplete Internal State Distinction |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 398 |
Indicator of Poor Code Quality |
|
Major |
Relationships |
|
Minor |
None |
| 404 |
Improper Resource Shutdown or Release |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 471 |
Modification of Assumed-Immutable Data (MAID) |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 485 |
Insufficient Encapsulation |
|
Major |
Relationships |
|
Minor |
None |
| 497 |
Exposure of System Data to an Unauthorized Control Sphere |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 502 |
Deserialization of Untrusted Data |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References |
|
Minor |
None |
| 505 |
Intentionally Introduced Weakness |
|
Major |
Maintenance_Notes |
|
Minor |
None |
| 510 |
Trapdoor |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 522 |
Insufficiently Protected Credentials |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 538 |
File and Directory Information Exposure |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 545 |
DEPRECATED: Use of Dynamic Class Loading |
|
Major |
Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type |
|
Minor |
None |
| 564 |
SQL Injection: Hibernate |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 569 |
Expression Issues |
|
Major |
Relationships |
|
Minor |
None |
| 592 |
DEPRECATED: Authentication Bypass Issues |
|
Major |
Common_Consequences, Description, Name, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type |
|
Minor |
None |
| 593 |
Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created |
|
Major |
Potential_Mitigations, Relationships |
|
Minor |
None |
| 602 |
Client-Side Enforcement of Server-Side Security |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 603 |
Use of Client-Side Authentication |
|
Major |
Relationships |
|
Minor |
None |
| 641 |
Improper Restriction of Names for Files and Other Resources |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 667 |
Improper Locking |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 676 |
Use of Potentially Dangerous Function |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 692 |
Incomplete Blacklist to Cross-Site Scripting |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 693 |
Protection Mechanism Failure |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 696 |
Incorrect Behavior Order |
|
Major |
Observed_Examples |
|
Minor |
None |
| 697 |
Insufficient Comparison |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 699 |
Development Concepts |
|
Major |
Relationships |
|
Minor |
None |
| 700 |
Seven Pernicious Kingdoms |
|
Major |
Relationships |
|
Minor |
None |
| 713 |
OWASP Top Ten 2007 Category A2 - Injection Flaws |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 721 |
OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 724 |
OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management |
|
Major |
Relationships |
|
Minor |
None |
| 770 |
Allocation of Resources Without Limits or Throttling |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 788 |
Access of Memory Location After End of Buffer |
|
Major |
Description |
|
Minor |
None |
| 829 |
Inclusion of Functionality from Untrusted Control Sphere |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 833 |
Deadlock |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 839 |
Numeric Range Comparison Without Minimum Check |
|
Major |
None |
|
Minor |
Demonstrative_Examples |
| 884 |
CWE Cross-section |
|
Major |
Relationships |
|
Minor |
None |
| 915 |
Improperly Controlled Modification of Dynamically-Determined Object Attributes |
|
Major |
Potential_Mitigations |
|
Minor |
None |
| 947 |
SFP Secondary Cluster: Authentication Bypass |
|
Major |
Relationships |
|
Minor |
None |
| 991 |
SFP Secondary Cluster: Tainted Input to Environment |
|
Major |
Relationships |
|
Minor |
None |
