CWE - Differences between Version 2.9 and Version 2.10

Home > CWE List > Reports > Differences between Version 2.9 and Version 2.10

Differences between Version 2.9 and Version 2.10

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 2.10)	1005
Total (Version 2.9)	1004
Total new	1
Total deprecated	1
Total shared	1004
Total important changes	127
Total major changes	142
Total minor changes	5
Total minor changes (no major)	4
Total unchanged	858

Summary of Entry Types

Type	Version 2.9	Version 2.10
Category	243	242
Chain	3	3
Composite	5	5
Deprecated	14	15
View	33	33
Weakness	706	707

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	1	0
Description	2	0
Applicable_Platforms	4	4
Time_of_Introduction	0	0
Demonstrative_Examples	0	1
Detection_Factors	0	0
Likelihood_of_Exploit	0	0
Common_Consequences	0	0
Relationships	126	0
References	0	0
Potential_Mitigations	0	0
Observed_Examples	0	0
Terminology_Notes	0	0
Alternate_Terms	0	0
Related_Attack_Patterns	16	0
Relationship_Notes	0	0
Taxonomy_Mappings	1	0
Maintenance_Notes	11	0
Modes_of_Introduction	0	0
Affected_Resources	0	0
Functional_Areas	0	0
Research_Gaps	1	0
Background_Details	0	0
Theoretical_Notes	0	0
Weakness_Ordinalities	0	0
White_Box_Definitions	0	0
Enabling_Factors_for_Exploitation	0	0
Other_Notes	0	0
Relevant_Properties	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Common_Methods_of_Exploitation	0	0
Type	3	0
Causal_Nature	0	0
Source_Taxonomy	0	0
Context_Notes	0	0
Black_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		1001
Category	Deprecated	1
Weakness/Base	Weakness/Class	1
Weakness/Variant	Weakness/Base	1

Status Changes

From	To	Total
Unchanged		1003
Draft	Deprecated	1

Relationship Changes

The "Version 2.10 Total" lists the total number of relationships in Version 2.10. The "Shared" value is the total number of relationships in entries that were in both Version 2.10 and Version 2.9. The "New" value is the total number of relationships involving entries that did not exist in Version 2.9. Thus, the total number of relationships in Version 2.10 would combine stats from Shared entries and New entries.

Relationship	Version 2.10 Total	Version 2.9 Total	Version 2.10 Shared	Unchanged	Added to Version 2.10	Removed from Version 2.9	Version 2.10 New
ALL	7953	7915	7947	7791	156	124	6
ChildOf	3384	3383	3381	3327	54	56	3
ParentOf	3384	3383	3381	3327	54	56	3
MemberOf	365	347	365	341	24	6
HasMember	365	347	365	341	24	6
CanPrecede	121	121	121	121
CanFollow	121	121	121	121
StartsWith	3	3	3	3
Requires	17	17	17	17
RequiredBy	17	17	17	17
CanAlsoBe	34	34	34	34
PeerOf	142	142	142	142

Nodes Removed from Version 2.9

CWE-ID	CWE Name
None.

Nodes Added to Version 2.10

CWE-ID	CWE Name
1004	Sensitive Cookie Without 'HttpOnly' Flag

Nodes Deprecated in Version 2.10

CWE-ID	CWE Name
445	DEPRECATED: User Interface Errors

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

		R	1	Location
		R	2	Environment
		R	3	Technology-specific Environment Issues
		R	4	J2EE Environment Issues
		R	14	Compiler Removal of Code to Clear Buffers
		R	15	External Control of System or Configuration Setting
		R	16	Configuration
		R	17	Code
		R	18	Source Code
		R	19	Data Handling
		R	20	Improper Input Validation
		R	74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
		R	98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
		R	99	Improper Control of Resource Identifiers ('Resource Injection')
		R	100	Technology-Specific Input Validation Problems
		R	112	Missing XML Validation
		R	116	Improper Encoding or Escaping of Output
		R	119	Improper Restriction of Operations within the Bounds of a Memory Buffer
		R	128	Wrap-around Error
		R	136	Type Errors
		R	138	Improper Neutralization of Special Elements
		R	171	Cleansing, Canonicalization, and Comparison Errors
		R	179	Incorrect Behavior Order: Early Validation
		R	180	Incorrect Behavior Order: Validate Before Canonicalize
		R	181	Incorrect Behavior Order: Validate Before Filter
		R	189	Numeric Errors
		R	190	Integer Overflow or Wraparound
		R	195	Signed to Unsigned Conversion Error
		R	227	Improper Fulfillment of API Contract ('API Abuse')
		R	228	Improper Handling of Syntactically Invalid Structure
		R	254	Security Features
		R	287	Improper Authentication
		R	295	Improper Certificate Validation
		R	310	Cryptographic Issues
		R	317	Cleartext Storage of Sensitive Information in GUI
		R	347	Improper Verification of Cryptographic Signature
		R	355	User Interface Security Issues
		R	361	Time and State
		R	388	Error Handling
		R	398	Indicator of Poor Code Quality
		R	399	Resource Management Errors
		R	400	Uncontrolled Resource Consumption ('Resource Exhaustion')
		R	404	Improper Resource Shutdown or Release
		R	417	Channel and Path Errors
		R	429	Handler Errors
		R	435	Interaction Error
		R	436	Interpretation Conflict
		R	438	Behavioral Problems
		R	441	Unintended Proxy or Intermediary ('Confused Deputy')
		R	442	Web Problems
D	N	R	445	DEPRECATED: User Interface Errors
		R	446	UI Discrepancy for Security Feature
		R	450	Multiple Interpretations of UI Input
		R	451	User Interface (UI) Misrepresentation of Critical Information
		R	452	Initialization and Cleanup Errors
		R	465	Pointer Issues
		R	476	NULL Pointer Dereference
		R	481	Assigning instead of Comparing
		R	482	Comparing instead of Assigning
		R	485	Insufficient Encapsulation
		R	490	Mobile Code Issues
		R	503	Byte/Object Code
		R	504	Motivation/Intent
		R	505	Intentionally Introduced Weakness
		R	518	Inadvertently Introduced Weakness
		R	519	.NET Environment Issues
		R	533	Information Exposure Through Server Log Files
		R	534	Information Exposure Through Debug Log Files
		R	542	Information Exposure Through Cleanup Log Files
		R	552	Files or Directories Accessible to External Parties
		R	554	ASP.NET Misconfiguration: Not Using Input Validation Framework
		R	569	Expression Issues
		R	573	Improper Following of Specification by Caller
		R	610	Externally Controlled Reference to a Resource in Another Sphere
		R	614	Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
		R	617	Reachable Assertion
		R	629	Weaknesses in OWASP Top Ten (2007)
		R	631	Resource-specific Weaknesses
D			635	Weaknesses Used by NVD
		R	642	External Control of Critical State Data
		R	650	Trusting HTTP Permission Methods on the Server Side
		R	657	Violation of Secure Design Principles
		R	664	Improper Control of a Resource Through its Lifetime
		R	668	Exposure of Resource to Wrong Sphere
		R	670	Always-Incorrect Control Flow Implementation
		R	675	Duplicate Operations on Resource
		R	680	Integer Overflow to Buffer Overflow
		R	690	Unchecked Return Value to NULL Pointer Dereference
		R	691	Insufficient Control Flow Management
		R	692	Incomplete Blacklist to Cross-Site Scripting
		R	693	Protection Mechanism Failure
		R	699	Development Concepts
		R	701	Weaknesses Introduced During Design
		R	702	Weaknesses Introduced During Implementation
		R	703	Improper Check or Handling of Exceptional Conditions
		R	704	Incorrect Type Conversion or Cast
		R	705	Incorrect Control Flow Scoping
		R	706	Use of Incorrectly-Resolved Name or Reference
		R	707	Improper Enforcement of Message or Data Structure
		R	710	Coding Standards Violation
		R	732	Incorrect Permission Assignment for Critical Resource
		R	733	Compiler Optimization Removal or Modification of Security-critical Code
		R	754	Improper Check for Unusual or Exceptional Conditions
		R	755	Improper Handling of Exceptional Conditions
		R	757	Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
		R	758	Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
		R	759	Use of a One-Way Hash without a Salt
		R	760	Use of a One-Way Hash with a Predictable Salt
		R	771	Missing Reference to Active Allocated Resource
		R	772	Missing Release of Resource after Effective Lifetime
		R	784	Reliance on Cookies without Validation and Integrity Checking in a Security Decision
		R	790	Improper Filtering of Special Elements
		R	791	Incomplete Filtering of Special Elements
		R	792	Incomplete Filtering of One or More Instances of Special Elements
		R	793	Only Filtering One Instance of a Special Element
		R	794	Incomplete Filtering of Multiple Instances of Special Elements
		R	795	Only Filtering Special Elements at a Specified Location
		R	796	Only Filtering Special Elements Relative to a Marker
		R	797	Only Filtering Special Elements at an Absolute Position
		R	829	Inclusion of Functionality from Untrusted Control Sphere
		R	840	Business Logic Errors
		R	862	Missing Authorization
		R	913	Improper Control of Dynamically-Managed Code Resources
		R	914	Improper Control of Dynamically-Identified Variables
		R	916	Use of Password Hash With Insufficient Computational Effort
		R	918	Server-Side Request Forgery (SSRF)
		R	939	Improper Authorization in Handler for Custom URL Scheme

Detailed Difference Report

1	Location
	Major	Maintenance_Notes, Relationships
	Minor	None
2	Environment
	Major	Maintenance_Notes, Relationships
	Minor	None
3	Technology-specific Environment Issues
	Major	Maintenance_Notes, Relationships
	Minor	None
4	J2EE Environment Issues
	Major	Relationships
	Minor	None
14	Compiler Removal of Code to Clear Buffers
	Major	Relationships
	Minor	None
15	External Control of System or Configuration Setting
	Major	Relationships
	Minor	None
16	Configuration
	Major	Maintenance_Notes, Relationships
	Minor	None
17	Code
	Major	Maintenance_Notes, Relationships
	Minor	None
18	Source Code
	Major	Maintenance_Notes, Relationships
	Minor	None
19	Data Handling
	Major	Relationships
	Minor	None
20	Improper Input Validation
	Major	Related_Attack_Patterns, Relationships
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Related_Attack_Patterns
	Minor	None
23	Relative Path Traversal
	Major	Related_Attack_Patterns
	Minor	None
36	Absolute Path Traversal
	Major	Related_Attack_Patterns
	Minor	None
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
	Major	Relationships
	Minor	None
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	Major	Related_Attack_Patterns
	Minor	None
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	None
	Minor	Demonstrative_Examples
98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
	Major	Relationships
	Minor	None
99	Improper Control of Resource Identifiers ('Resource Injection')
	Major	Relationships
	Minor	None
100	Technology-Specific Input Validation Problems
	Major	Relationships
	Minor	None
112	Missing XML Validation
	Major	Relationships
	Minor	None
116	Improper Encoding or Escaping of Output
	Major	Relationships
	Minor	None
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	Relationships
	Minor	None
128	Wrap-around Error
	Major	Relationships
	Minor	None
130	Improper Handling of Length Parameter Inconsistency
	Major	Type
	Minor	None
136	Type Errors
	Major	Relationships
	Minor	None
138	Improper Neutralization of Special Elements
	Major	Relationships
	Minor	None
171	Cleansing, Canonicalization, and Comparison Errors
	Major	Relationships
	Minor	None
179	Incorrect Behavior Order: Early Validation
	Major	Relationships
	Minor	None
180	Incorrect Behavior Order: Validate Before Canonicalize
	Major	Relationships
	Minor	None
181	Incorrect Behavior Order: Validate Before Filter
	Major	Relationships
	Minor	None
189	Numeric Errors
	Major	Applicable_Platforms, Relationships
	Minor	None
190	Integer Overflow or Wraparound
	Major	Relationships
	Minor	None
195	Signed to Unsigned Conversion Error
	Major	Relationships
	Minor	None
201	Information Exposure Through Sent Data
	Major	Related_Attack_Patterns
	Minor	None
227	Improper Fulfillment of API Contract ('API Abuse')
	Major	Relationships
	Minor	None
228	Improper Handling of Syntactically Invalid Structure
	Major	Relationships
	Minor	None
254	Security Features
	Major	Relationships
	Minor	None
259	Use of Hard-coded Password
	Major	Related_Attack_Patterns
	Minor	None
287	Improper Authentication
	Major	Relationships
	Minor	None
295	Improper Certificate Validation
	Major	Relationships
	Minor	None
310	Cryptographic Issues
	Major	Relationships
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	Related_Attack_Patterns
	Minor	None
317	Cleartext Storage of Sensitive Information in GUI
	Major	Relationships
	Minor	None
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	Related_Attack_Patterns
	Minor	None
347	Improper Verification of Cryptographic Signature
	Major	Relationships
	Minor	None
355	User Interface Security Issues
	Major	Applicable_Platforms, Relationships
	Minor	None
361	Time and State
	Major	Relationships
	Minor	None
388	Error Handling
	Major	Relationships
	Minor	None
398	Indicator of Poor Code Quality
	Major	Relationships
	Minor	None
399	Resource Management Errors
	Major	Relationships
	Minor	None
400	Uncontrolled Resource Consumption ('Resource Exhaustion')
	Major	Relationships
	Minor	None
404	Improper Resource Shutdown or Release
	Major	Relationships
	Minor	None
417	Channel and Path Errors
	Major	Relationships
	Minor	None
429	Handler Errors
	Major	Relationships
	Minor	None
435	Interaction Error
	Major	Relationships
	Minor	None
436	Interpretation Conflict
	Major	Relationships
	Minor	None
438	Behavioral Problems
	Major	Relationships
	Minor	None
441	Unintended Proxy or Intermediary ('Confused Deputy')
	Major	Relationships
	Minor	None
442	Web Problems
	Major	Relationships
	Minor	None
445	DEPRECATED: User Interface Errors
	Major	Applicable_Platforms, Description, Name, Relationships, Research_Gaps, Taxonomy_Mappings, Type
	Minor	None
446	UI Discrepancy for Security Feature
	Major	Relationships
	Minor	None
450	Multiple Interpretations of UI Input
	Major	Relationships
	Minor	None
451	User Interface (UI) Misrepresentation of Critical Information
	Major	Relationships
	Minor	None
452	Initialization and Cleanup Errors
	Major	Relationships
	Minor	None
465	Pointer Issues
	Major	Relationships
	Minor	None
476	NULL Pointer Dereference
	Major	Relationships
	Minor	None
481	Assigning instead of Comparing
	Major	Relationships
	Minor	None
482	Comparing instead of Assigning
	Major	Relationships
	Minor	None
485	Insufficient Encapsulation
	Major	Relationships
	Minor	None
490	Mobile Code Issues
	Major	Relationships
	Minor	None
503	Byte/Object Code
	Major	Maintenance_Notes, Relationships
	Minor	None
504	Motivation/Intent
	Major	Maintenance_Notes, Relationships
	Minor	None
505	Intentionally Introduced Weakness
	Major	Relationships
	Minor	None
518	Inadvertently Introduced Weakness
	Major	Maintenance_Notes, Relationships
	Minor	None
519	.NET Environment Issues
	Major	Relationships
	Minor	None
524	Information Exposure Through Caching
	Major	Related_Attack_Patterns
	Minor	None
533	Information Exposure Through Server Log Files
	Major	Relationships
	Minor	None
534	Information Exposure Through Debug Log Files
	Major	Relationships
	Minor	None
542	Information Exposure Through Cleanup Log Files
	Major	Relationships
	Minor	None
552	Files or Directories Accessible to External Parties
	Major	Relationships
	Minor	None
554	ASP.NET Misconfiguration: Not Using Input Validation Framework
	Major	Relationships
	Minor	None
569	Expression Issues
	Major	Relationships
	Minor	None
573	Improper Following of Specification by Caller
	Major	Relationships
	Minor	None
610	Externally Controlled Reference to a Resource in Another Sphere
	Major	Relationships
	Minor	None
614	Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
	Major	Relationships
	Minor	None
617	Reachable Assertion
	Major	Relationships
	Minor	None
629	Weaknesses in OWASP Top Ten (2007)
	Major	Relationships
	Minor	None
631	Resource-specific Weaknesses
	Major	Relationships
	Minor	None
635	Weaknesses Used by NVD
	Major	Description, Maintenance_Notes
	Minor	None
642	External Control of Critical State Data
	Major	Related_Attack_Patterns, Relationships
	Minor	None
650	Trusting HTTP Permission Methods on the Server Side
	Major	Relationships
	Minor	None
657	Violation of Secure Design Principles
	Major	Relationships
	Minor	None
664	Improper Control of a Resource Through its Lifetime
	Major	Relationships
	Minor	None
665	Improper Initialization
	Major	Type
	Minor	None
668	Exposure of Resource to Wrong Sphere
	Major	Relationships
	Minor	None
670	Always-Incorrect Control Flow Implementation
	Major	Relationships
	Minor	None
675	Duplicate Operations on Resource
	Major	Relationships
	Minor	None
680	Integer Overflow to Buffer Overflow
	Major	Relationships
	Minor	None
681	Incorrect Conversion between Numeric Types
	Major	None
	Minor	Applicable_Platforms
682	Incorrect Calculation
	Major	Applicable_Platforms
	Minor	None
690	Unchecked Return Value to NULL Pointer Dereference
	Major	Relationships
	Minor	None
691	Insufficient Control Flow Management
	Major	Relationships
	Minor	None
692	Incomplete Blacklist to Cross-Site Scripting
	Major	Relationships
	Minor	None
693	Protection Mechanism Failure
	Major	Relationships
	Minor	None
699	Development Concepts
	Major	Maintenance_Notes, Relationships
	Minor	None
701	Weaknesses Introduced During Design
	Major	Relationships
	Minor	None
702	Weaknesses Introduced During Implementation
	Major	Relationships
	Minor	None
703	Improper Check or Handling of Exceptional Conditions
	Major	Relationships
	Minor	None
704	Incorrect Type Conversion or Cast
	Major	Relationships
	Minor	None
705	Incorrect Control Flow Scoping
	Major	Relationships
	Minor	None
706	Use of Incorrectly-Resolved Name or Reference
	Major	Relationships
	Minor	None
707	Improper Enforcement of Message or Data Structure
	Major	Relationships
	Minor	None
710	Coding Standards Violation
	Major	Relationships
	Minor	None
728	OWASP Top Ten 2004 Category A7 - Improper Error Handling
	Major	Related_Attack_Patterns
	Minor	None
732	Incorrect Permission Assignment for Critical Resource
	Major	Related_Attack_Patterns, Relationships
	Minor	None
733	Compiler Optimization Removal or Modification of Security-critical Code
	Major	Relationships
	Minor	None
749	Exposed Dangerous Method or Function
	Major	None
	Minor	Applicable_Platforms
754	Improper Check for Unusual or Exceptional Conditions
	Major	Relationships
	Minor	None
755	Improper Handling of Exceptional Conditions
	Major	Relationships
	Minor	Applicable_Platforms
757	Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
	Major	Related_Attack_Patterns, Relationships
	Minor	None
758	Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
	Major	Relationships
	Minor	None
759	Use of a One-Way Hash without a Salt
	Major	Relationships
	Minor	None
760	Use of a One-Way Hash with a Predictable Salt
	Major	Relationships
	Minor	None
770	Allocation of Resources Without Limits or Throttling
	Major	None
	Minor	Applicable_Platforms
771	Missing Reference to Active Allocated Resource
	Major	Relationships
	Minor	None
772	Missing Release of Resource after Effective Lifetime
	Major	Relationships
	Minor	None
784	Reliance on Cookies without Validation and Integrity Checking in a Security Decision
	Major	Relationships
	Minor	None
790	Improper Filtering of Special Elements
	Major	Relationships
	Minor	None
791	Incomplete Filtering of Special Elements
	Major	Relationships
	Minor	None
792	Incomplete Filtering of One or More Instances of Special Elements
	Major	Relationships
	Minor	None
793	Only Filtering One Instance of a Special Element
	Major	Relationships
	Minor	None
794	Incomplete Filtering of Multiple Instances of Special Elements
	Major	Relationships
	Minor	None
795	Only Filtering Special Elements at a Specified Location
	Major	Relationships
	Minor	None
796	Only Filtering Special Elements Relative to a Marker
	Major	Relationships
	Minor	None
797	Only Filtering Special Elements at an Absolute Position
	Major	Relationships
	Minor	None
798	Use of Hard-coded Credentials
	Major	Related_Attack_Patterns
	Minor	None
807	Reliance on Untrusted Inputs in a Security Decision
	Major	Related_Attack_Patterns
	Minor	None
829	Inclusion of Functionality from Untrusted Control Sphere
	Major	Relationships
	Minor	None
840	Business Logic Errors
	Major	Relationships
	Minor	None
862	Missing Authorization
	Major	Relationships
	Minor	None
913	Improper Control of Dynamically-Managed Code Resources
	Major	Relationships
	Minor	None
914	Improper Control of Dynamically-Identified Variables
	Major	Relationships
	Minor	None
916	Use of Password Hash With Insufficient Computational Effort
	Major	Relationships
	Minor	None
918	Server-Side Request Forgery (SSRF)
	Major	Relationships
	Minor	None
939	Improper Authorization in Handler for Custom URL Scheme
	Major	Relationships
	Minor	None

Page Last Updated: January 19, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration