CWE - Differences between Version 2.5 and Version 2.6

Home > CWE List > Reports > Differences between Version 2.5 and Version 2.6

Differences between Version 2.5 and Version 2.6

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 2.6)	943
Total (Version 2.5)	940
Total new	3
Total deprecated	0
Total shared	940
Total important changes	19
Total major changes	73
Total minor changes	1
Total minor changes (no major)
Total unchanged	867

Summary of Entry Types

Type	Version 2.5	Version 2.6
Category	186	186
Chain	3	3
Composite	5	5
Deprecated	14	14
View	31	31
Weakness	701	704

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	4	0
Description	8	0
Applicable_Platforms	7	0
Time_of_Introduction	0	0
Demonstrative_Examples	22	0
Detection_Factors	1	0
Likelihood_of_Exploit	0	0
Common_Consequences	2	0
Relationships	14	0
References	18	0
Potential_Mitigations	22	1
Observed_Examples	3	0
Terminology_Notes	3	0
Alternate_Terms	2	0
Related_Attack_Patterns	22	0
Relationship_Notes	1	0
Taxonomy_Mappings	0	0
Maintenance_Notes	3	0
Modes_of_Introduction	0	0
Affected_Resources	0	0
Functional_Areas	0	0
Research_Gaps	1	0
Background_Details	1	0
Theoretical_Notes	0	0
Weakness_Ordinalities	0	0
White_Box_Definitions	0	0
Enabling_Factors_for_Exploitation	0	0
Other_Notes	3	0
Relevant_Properties	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Common_Methods_of_Exploitation	0	0
Type	0	0
Causal_Nature	0	0
Source_Taxonomy	0	0
Context_Notes	0	0
Black_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		940

Status Changes

From	To	Total
Unchanged		939
Draft	Incomplete	1

Relationship Changes

The "Version 2.6 Total" lists the total number of relationships in Version 2.6. The "Shared" value is the total number of relationships in entries that were in both Version 2.6 and Version 2.5. The "New" value is the total number of relationships involving entries that did not exist in Version 2.5. Thus, the total number of relationships in Version 2.6 would combine stats from Shared entries and New entries.

Relationship	Version 2.6 Total	Version 2.5 Total	Version 2.6 Shared	Unchanged	Added to Version 2.6	Removed from Version 2.5	Version 2.6 New
ALL	7509	7491	7497	7479	18	12	12
ChildOf	3183	3174	3178	3169	9	5	5
ParentOf	3183	3174	3178	3169	9	5	5
MemberOf	344	344	344	344
HasMember	344	344	344	344
CanPrecede	121	121	120	120		1	1
CanFollow	121	121	120	120		1	1
StartsWith	3	3	3	3
Requires	17	17	17	17
RequiredBy	17	17	17	17
CanAlsoBe	34	34	34	34
PeerOf	142	142	142	142

Nodes Removed from Version 2.5

CWE-ID	CWE Name
None.

Nodes Added to Version 2.6

CWE-ID	CWE Name
939	Improper Authorization in Handler for Custom URL Scheme
940	Improper Verification of Source of a Communication Channel
941	Incorrectly Specified Destination in a Communication Channel

Nodes Deprecated in Version 2.6

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

D			77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
		R	284	Improper Access Control
		R	287	Improper Authentication
		R	291	Reliance on IP Address for Authentication
		R	300	Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
		R	304	Missing Critical Step in Authentication
		R	346	Origin Validation Error
D		R	350	Reliance on Reverse DNS Resolution for a Security-Critical Action
D	N		359	Exposure of Private Information ('Privacy Violation')
		R	406	Insufficient Control of Network Message Volume (Network Amplification)
D	N	R	451	User Interface (UI) Misrepresentation of Critical Information
		R	682	Incorrect Calculation
		R	684	Incorrect Provision of Specified Functionality
		R	839	Numeric Range Comparison Without Minimum Check
		R	862	Missing Authorization
D	N	R	923	Improper Restriction of Communication Channel to Intended Endpoints
D			925	Improper Verification of Intent by Broadcast Receiver
D	N		926	Improper Export of Android Application Components
D			927	Use of Implicit Intent for Sensitive Communication

Detailed Difference Report

19	Data Handling
	Major	Related_Attack_Patterns
	Minor	None
20	Improper Input Validation
	Major	Demonstrative_Examples, Related_Attack_Patterns
	Minor	None
21	Pathname Traversal and Equivalence Errors
	Major	Potential_Mitigations
	Minor	None
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
	Major	Related_Attack_Patterns
	Minor	None
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes, Terminology_Notes
	Minor	Potential_Mitigations
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
	Major	Applicable_Platforms, Demonstrative_Examples, Terminology_Notes
	Minor	None
91	XML Injection (aka Blind XPath Injection)
	Major	Related_Attack_Patterns
	Minor	None
112	Missing XML Validation
	Major	Related_Attack_Patterns
	Minor	None
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	Potential_Mitigations, References
	Minor	None
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	Potential_Mitigations, References
	Minor	None
129	Improper Validation of Array Index
	Major	Potential_Mitigations, References
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	Potential_Mitigations, References
	Minor	None
201	Information Exposure Through Sent Data
	Major	Related_Attack_Patterns
	Minor	None
216	Containment Errors (Container Errors)
	Major	Related_Attack_Patterns
	Minor	None
228	Improper Handling of Syntactically Invalid Structure
	Major	Demonstrative_Examples
	Minor	None
230	Improper Handling of Missing Values
	Major	Demonstrative_Examples
	Minor	None
233	Improper Handling of Parameters
	Major	Demonstrative_Examples
	Minor	None
250	Execution with Unnecessary Privileges
	Major	Demonstrative_Examples
	Minor	None
266	Incorrect Privilege Assignment
	Major	Applicable_Platforms, Demonstrative_Examples
	Minor	None
270	Privilege Context Switching Error
	Major	Related_Attack_Patterns
	Minor	None
284	Improper Access Control
	Major	Related_Attack_Patterns, Relationships
	Minor	None
287	Improper Authentication
	Major	Relationships
	Minor	None
290	Authentication Bypass by Spoofing
	Major	Related_Attack_Patterns
	Minor	None
291	Reliance on IP Address for Authentication
	Major	Relationships
	Minor	None
300	Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
	Major	Relationships
	Minor	None
304	Missing Critical Step in Authentication
	Major	Relationships
	Minor	None
310	Cryptographic Issues
	Major	Related_Attack_Patterns
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	Related_Attack_Patterns
	Minor	None
319	Cleartext Transmission of Sensitive Information
	Major	Related_Attack_Patterns
	Minor	None
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	Related_Attack_Patterns
	Minor	None
328	Reversible One-Way Hash
	Major	Potential_Mitigations, References
	Minor	None
330	Use of Insufficiently Random Values
	Major	Related_Attack_Patterns
	Minor	None
346	Origin Validation Error
	Major	Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Maintenance_Notes, References, Relationship_Notes, Relationships, Terminology_Notes
	Minor	None
350	Reliance on Reverse DNS Resolution for a Security-Critical Action
	Major	Description, Relationships
	Minor	None
359	Exposure of Private Information ('Privacy Violation')
	Major	Alternate_Terms, Demonstrative_Examples, Description, Name, Other_Notes, References
	Minor	None
390	Detection of Error Condition Without Action
	Major	Related_Attack_Patterns
	Minor	None
401	Improper Release of Memory Before Removing Last Reference ('Memory Leak')
	Major	Potential_Mitigations, References
	Minor	None
404	Improper Resource Shutdown or Release
	Major	Demonstrative_Examples
	Minor	None
406	Insufficient Control of Network Message Volume (Network Amplification)
	Major	Demonstrative_Examples, Observed_Examples, Relationships
	Minor	None
426	Untrusted Search Path
	Major	Demonstrative_Examples, Detection_Factors, Potential_Mitigations
	Minor	None
427	Uncontrolled Search Path Element
	Major	Demonstrative_Examples, Observed_Examples, Potential_Mitigations
	Minor	None
451	User Interface (UI) Misrepresentation of Critical Information
	Major	Applicable_Platforms, Description, Maintenance_Notes, Name, Observed_Examples, Other_Notes, References, Relationships, Research_Gaps
	Minor	None
469	Use of Pointer Subtraction to Determine Size
	Major	Potential_Mitigations
	Minor	None
471	Modification of Assumed-Immutable Data (MAID)
	Major	Related_Attack_Patterns
	Minor	None
476	NULL Pointer Dereference
	Major	Demonstrative_Examples
	Minor	None
532	Information Exposure Through Log Files
	Major	Demonstrative_Examples
	Minor	None
590	Free of Memory not on the Heap
	Major	Potential_Mitigations
	Minor	None
642	External Control of Critical State Data
	Major	Potential_Mitigations
	Minor	None
672	Operation on a Resource after Expiration or Release
	Major	Applicable_Platforms
	Minor	None
674	Uncontrolled Recursion
	Major	Related_Attack_Patterns
	Minor	None
682	Incorrect Calculation
	Major	Relationships
	Minor	None
684	Incorrect Provision of Specified Functionality
	Major	Relationships
	Minor	None
693	Protection Mechanism Failure
	Major	Related_Attack_Patterns
	Minor	None
707	Improper Enforcement of Message or Data Structure
	Major	Related_Attack_Patterns
	Minor	None
713	OWASP Top Ten 2007 Category A2 - Injection Flaws
	Major	Related_Attack_Patterns
	Minor	None
749	Exposed Dangerous Method or Function
	Major	Demonstrative_Examples
	Minor	None
759	Use of a One-Way Hash without a Salt
	Major	Potential_Mitigations, References
	Minor	None
760	Use of a One-Way Hash with a Predictable Salt
	Major	Potential_Mitigations, References
	Minor	None
761	Free of Pointer not at Start of Buffer
	Major	Potential_Mitigations
	Minor	None
762	Mismatched Memory Management Routines
	Major	Demonstrative_Examples, Potential_Mitigations, References
	Minor	None
763	Release of Invalid Pointer or Reference
	Major	Potential_Mitigations
	Minor	None
770	Allocation of Resources Without Limits or Throttling
	Major	Related_Attack_Patterns
	Minor	None
772	Missing Release of Resource after Effective Lifetime
	Major	Applicable_Platforms, Demonstrative_Examples
	Minor	None
805	Buffer Access with Incorrect Length Value
	Major	Potential_Mitigations, References
	Minor	None
806	Buffer Access Using Size of Source Buffer
	Major	Potential_Mitigations, References
	Minor	None
807	Reliance on Untrusted Inputs in a Security Decision
	Major	Potential_Mitigations
	Minor	None
839	Numeric Range Comparison Without Minimum Check
	Major	Relationships
	Minor	None
862	Missing Authorization
	Major	Relationships
	Minor	None
916	Use of Password Hash With Insufficient Computational Effort
	Major	Potential_Mitigations, References
	Minor	None
923	Improper Restriction of Communication Channel to Intended Endpoints
	Major	Description, Name, Relationships
	Minor	None
925	Improper Verification of Intent by Broadcast Receiver
	Major	Alternate_Terms, Demonstrative_Examples, Description, References
	Minor	None
926	Improper Export of Android Application Components
	Major	Background_Details, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Potential_Mitigations, References
	Minor	None
927	Use of Implicit Intent for Sensitive Communication
	Major	Demonstrative_Examples, Description, References
	Minor	None

Page Last Updated: January 05, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration