CWE - Differences between Version 4.16 and Version 4.17

Home > CWE List > Reports > Differences between Version 4.16 and Version 4.17

Differences between Version 4.16 and Version 4.17

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total weaknesses/chains/composites (Version 4.17)	943
Total weaknesses/chains/composites (Version 4.16)	940
Total new	3
Total deprecated	0
Total with major changes	135
Total with only minor changes	1
Total unchanged	1293

Summary of Entry Types

Type	Version 4.16	Version 4.17
Weakness	940	943
Category	374	374
View	51	51
Deprecated	64	64
Total	1429	1432

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	1	0
Description	23	0
Diagram	22	0
Relationships	30	0
Common_Consequences	20	0
Applicable_Platforms	18	0
Modes_of_Introduction	4	0
Detection_Factors	1	0
Potential_Mitigations	4	0
Demonstrative_Examples	51	2
Observed_Examples	11	0
Related_Attack_Patterns	0	0
Weakness_Ordinalities	0	0
Time_of_Introduction	2	0
Likelihood_of_Exploit	0	0
References	6	0
Mapping_Notes	10	0
Terminology_Notes	1	0
Alternate_Terms	5	0
Relationship_Notes	1	0
Taxonomy_Mappings	0	0
Maintenance_Notes	2	0
Research_Gaps	0	0
Background_Details	0	0
Theoretical_Notes	1	0
Other_Notes	8	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Type	1	0
Source_Taxonomy	0	0

Form and Abstraction Changes

From	To	Total	CWE IDs
Unchanged		1428
Weakness/Base	Weakness/Class	1	410

Status Changes

From	To	Total
Unchanged		1429

Relationship Changes

The "Version 4.17 Total" lists the total number of relationships in Version 4.17. The "Shared" value is the total number of relationships in entries that were in both Version 4.17 and Version 4.16. The "New" value is the total number of relationships involving entries that did not exist in Version 4.16. Thus, the total number of relationships in Version 4.17 would combine stats from Shared entries and New entries.

Relationship	Version 4.17 Total	Version 4.16 Total	Version 4.17 Shared	Unchanged	Added to Version 4.17	Removed from Version 4.16	Version 4.17 New
ALL	12534	12516	12514	12496	18	20	20
ChildOf	5295	5289	5287	5279	8	10	8
ParentOf	5295	5289	5287	5279	8	10	8
MemberOf	715	715	715	715
HasMember	715	715	715	715
CanPrecede	142	141	142	141	1
CanFollow	142	141	142	141	1
StartsWith	3	3	3	3
Requires	13	13	13	13
RequiredBy	13	13	13	13
CanAlsoBe	27	27	27	27
PeerOf	174	170	170	170			4

Nodes Removed in Version 4.17

CWE-ID	CWE Name
None.

Nodes Added to Version 4.17

CWE-ID	CWE Name
1428	Reliance on HTTP instead of HTTPS
1429	Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface
1431	Driving Intermediate Cryptographic State/Results to Hardware Module Outputs

Nodes Deprecated in Version 4.17

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

D			20	Improper Input Validation
		R	22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
D			79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
D			94	Improper Control of Generation of Code ('Code Injection')
D			95	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
D			117	Improper Output Neutralization for Logs
		R	119	Improper Restriction of Operations within the Bounds of a Memory Buffer
		R	120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
		R	123	Write-what-where Condition
D			126	Buffer Over-read
D			134	Use of Externally-Controlled Format String
		R	182	Collapse of Data into Unsafe Value
		R	200	Exposure of Sensitive Information to an Unauthorized Actor
D			204	Observable Response Discrepancy
		R	223	Omission of Security-relevant Information
D			259	Use of Hard-coded Password
		R	284	Improper Access Control
		R	291	Reliance on IP Address for Authentication
D			311	Missing Encryption of Sensitive Data
D			312	Cleartext Storage of Sensitive Information
D		R	319	Cleartext Transmission of Sensitive Information
D			321	Use of Hard-coded Cryptographic Key
D			352	Cross-Site Request Forgery (CSRF)
		R	392	Missing Report of Error Condition
D			393	Return of Wrong Status Code
D			397	Declaration of Throws for Generic Exception
D			400	Uncontrolled Resource Consumption
D			401	Missing Release of Memory after Effective Lifetime
D			415	Double Free
		R	471	Modification of Assumed-Immutable Data (MAID)
		R	497	Exposure of Sensitive System Information to an Unauthorized Control Sphere
D			548	Exposure of Information Through Directory Listing
D			565	Reliance on Cookies without Validation and Integrity Checking
D			598	Use of GET Request Method With Sensitive Query Strings
		R	668	Exposure of Resource to Wrong Sphere
		R	691	Insufficient Control Flow Management
		R	693	Protection Mechanism Failure
		R	696	Incorrect Behavior Order
		R	707	Improper Neutralization
		R	778	Insufficient Logging
		R	787	Out-of-bounds Write
		R	912	Hidden Functionality
D	N		1039	Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism
		R	1205	Security Primitives and Cryptography Issues
		R	1208	Cross-Cutting Problems
		R	1242	Inclusion of Undocumented Features or Chicken Bits
		R	1279	Cryptographic Operations are run Before Supporting Units are Ready
		R	1329	Reliance on Component That is Not Updateable
		R	1357	Reliance on Insufficiently Trustworthy Component
		R	1402	Comprehensive Categorization: Encryption
		R	1413	Comprehensive Categorization: Protection Mechanism Failure
		R	1417	Comprehensive Categorization: Sensitive Information Exposure

Detailed Difference Report

20	Improper Input Validation
	Major	Common_Consequences, Description, Diagram, Mapping_Notes, Potential_Mitigations, Relationship_Notes, Terminology_Notes
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Relationships
	Minor	None
23	Relative Path Traversal
	Major	Demonstrative_Examples
	Minor	None
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	Major	Alternate_Terms, Common_Consequences, Description, Diagram, Other_Notes
	Minor	None
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Applicable_Platforms, Demonstrative_Examples, References
	Minor	None
93	Improper Neutralization of CRLF Sequences ('CRLF Injection')
	Major	Diagram, References
	Minor	None
94	Improper Control of Generation of Code ('Code Injection')
	Major	Alternate_Terms, Common_Consequences, Description, Diagram, Theoretical_Notes
	Minor	None
95	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
	Major	Common_Consequences, Description, Diagram
	Minor	None
98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
	Major	Demonstrative_Examples
	Minor	None
114	Process Control
	Major	Maintenance_Notes, Mapping_Notes
	Minor	None
117	Improper Output Neutralization for Logs
	Major	Alternate_Terms, Description, Diagram
	Minor	None
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	Relationships
	Minor	None
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	Applicable_Platforms, Relationships
	Minor	None
121	Stack-based Buffer Overflow
	Major	Applicable_Platforms
	Minor	None
122	Heap-based Buffer Overflow
	Major	Applicable_Platforms
	Minor	None
123	Write-what-where Condition
	Major	Relationships
	Minor	None
126	Buffer Over-read
	Major	Common_Consequences, Description, Diagram, Other_Notes
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	Observed_Examples
	Minor	None
134	Use of Externally-Controlled Format String
	Major	Common_Consequences, Demonstrative_Examples, Description, Diagram, Other_Notes
	Minor	None
182	Collapse of Data into Unsafe Value
	Major	Relationships
	Minor	None
190	Integer Overflow or Wraparound
	Major	Applicable_Platforms, Observed_Examples
	Minor	None
193	Off-by-one Error
	Major	Applicable_Platforms, Demonstrative_Examples
	Minor	None
195	Signed to Unsigned Conversion Error
	Major	Observed_Examples
	Minor	None
200	Exposure of Sensitive Information to an Unauthorized Actor
	Major	Relationships
	Minor	None
203	Observable Discrepancy
	Major	Demonstrative_Examples
	Minor	None
204	Observable Response Discrepancy
	Major	Description, Diagram, Modes_of_Introduction
	Minor	None
208	Observable Timing Discrepancy
	Major	Demonstrative_Examples
	Minor	None
223	Omission of Security-relevant Information
	Major	Relationships
	Minor	None
226	Sensitive Information in Resource Not Removed Before Reuse
	Major	Demonstrative_Examples
	Minor	None
245	J2EE Bad Practices: Direct Management of Connections
	Major	Demonstrative_Examples
	Minor	None
259	Use of Hard-coded Password
	Major	Common_Consequences, Description, Diagram, Maintenance_Notes, Other_Notes
	Minor	Demonstrative_Examples
284	Improper Access Control
	Major	Relationships
	Minor	None
287	Improper Authentication
	Major	Observed_Examples
	Minor	None
291	Reliance on IP Address for Authentication
	Major	Relationships
	Minor	None
306	Missing Authentication for Critical Function
	Major	Observed_Examples
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	Description, Diagram
	Minor	None
312	Cleartext Storage of Sensitive Information
	Major	Common_Consequences, Description, Diagram, Other_Notes, Potential_Mitigations
	Minor	None
315	Cleartext Storage of Sensitive Information in a Cookie
	Major	None
	Minor	Demonstrative_Examples
319	Cleartext Transmission of Sensitive Information
	Major	Common_Consequences, Description, Diagram, Other_Notes, Relationships
	Minor	None
321	Use of Hard-coded Cryptographic Key
	Major	Common_Consequences, Description, Diagram
	Minor	None
352	Cross-Site Request Forgery (CSRF)
	Major	Alternate_Terms, Common_Consequences, Description, Diagram
	Minor	None
362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
	Major	Affected_Resources
	Minor	None
367	Time-of-check Time-of-use (TOCTOU) Race Condition
	Major	Affected_Resources, Observed_Examples
	Minor	None
369	Divide By Zero
	Major	Demonstrative_Examples
	Minor	None
392	Missing Report of Error Condition
	Major	Relationships
	Minor	None
393	Return of Wrong Status Code
	Major	Description
	Minor	None
396	Declaration of Catch for Generic Exception
	Major	Common_Consequences, Demonstrative_Examples
	Minor	None
397	Declaration of Throws for Generic Exception
	Major	Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description
	Minor	None
400	Uncontrolled Resource Consumption
	Major	Common_Consequences, Description, Diagram, Modes_of_Introduction, Other_Notes, Time_of_Introduction
	Minor	None
401	Missing Release of Memory after Effective Lifetime
	Major	Description, Diagram, Modes_of_Introduction
	Minor	None
403	Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
	Major	Applicable_Platforms
	Minor	None
406	Insufficient Control of Network Message Volume (Network Amplification)
	Major	Mapping_Notes
	Minor	None
410	Insufficient Resource Pool
	Major	Type
	Minor	None
415	Double Free
	Major	Common_Consequences, Description, Diagram
	Minor	None
416	Use After Free
	Major	Observed_Examples
	Minor	None
426	Untrusted Search Path
	Major	Mapping_Notes
	Minor	None
427	Uncontrolled Search Path Element
	Major	Mapping_Notes
	Minor	None
456	Missing Initialization of a Variable
	Major	Demonstrative_Examples, Observed_Examples, References
	Minor	None
464	Addition of Data Structure Sentinel
	Major	Demonstrative_Examples
	Minor	None
467	Use of sizeof() on a Pointer Type
	Major	Demonstrative_Examples
	Minor	None
471	Modification of Assumed-Immutable Data (MAID)
	Major	Relationships
	Minor	None
476	NULL Pointer Dereference
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
479	Signal Handler Use of a Non-reentrant Function
	Major	Demonstrative_Examples
	Minor	None
492	Use of Inner Class Containing Sensitive Data
	Major	Demonstrative_Examples
	Minor	None
497	Exposure of Sensitive System Information to an Unauthorized Control Sphere
	Major	Demonstrative_Examples, Relationships
	Minor	None
548	Exposure of Information Through Directory Listing
	Major	Description, Diagram, References
	Minor	None
564	SQL Injection: Hibernate
	Major	Applicable_Platforms
	Minor	None
565	Reliance on Cookies without Validation and Integrity Checking
	Major	Common_Consequences, Description, Diagram
	Minor	None
566	Authorization Bypass Through User-Controlled SQL Primary Key
	Major	Applicable_Platforms
	Minor	None
570	Expression is Always False
	Major	Demonstrative_Examples
	Minor	None
585	Empty Synchronized Block
	Major	Demonstrative_Examples
	Minor	None
590	Free of Memory not on the Heap
	Major	Demonstrative_Examples
	Minor	None
595	Comparison of Object References Instead of Object Contents
	Major	Demonstrative_Examples
	Minor	None
597	Use of Wrong Operator in String Comparison
	Major	Demonstrative_Examples
	Minor	None
598	Use of GET Request Method With Sensitive Query Strings
	Major	Description, Diagram, Other_Notes
	Minor	None
602	Client-Side Enforcement of Server-Side Security
	Major	Demonstrative_Examples
	Minor	None
609	Double-Checked Locking
	Major	Demonstrative_Examples
	Minor	None
610	Externally Controlled Reference to a Resource in Another Sphere
	Major	Common_Consequences
	Minor	None
619	Dangling Database Cursor ('Cursor Injection')
	Major	Applicable_Platforms
	Minor	None
637	Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
	Major	Mapping_Notes
	Minor	None
655	Insufficient Psychological Acceptability
	Major	Mapping_Notes
	Minor	None
656	Reliance on Security Through Obscurity
	Major	Mapping_Notes
	Minor	None
663	Use of a Non-reentrant Function in a Concurrent Context
	Major	Demonstrative_Examples
	Minor	None
667	Improper Locking
	Major	Demonstrative_Examples
	Minor	None
668	Exposure of Resource to Wrong Sphere
	Major	Common_Consequences, Relationships
	Minor	None
681	Incorrect Conversion between Numeric Types
	Major	Applicable_Platforms
	Minor	None
691	Insufficient Control Flow Management
	Major	Relationships
	Minor	None
693	Protection Mechanism Failure
	Major	Relationships
	Minor	None
696	Incorrect Behavior Order
	Major	Relationships
	Minor	None
703	Improper Check or Handling of Exceptional Conditions
	Major	Demonstrative_Examples
	Minor	None
707	Improper Neutralization
	Major	Relationships
	Minor	None
763	Release of Invalid Pointer or Reference
	Major	Applicable_Platforms
	Minor	None
778	Insufficient Logging
	Major	Relationships
	Minor	None
786	Access of Memory Location Before Start of Buffer
	Major	Applicable_Platforms
	Minor	None
787	Out-of-bounds Write
	Major	Observed_Examples, Relationships
	Minor	None
788	Access of Memory Location After End of Buffer
	Major	Applicable_Platforms
	Minor	None
824	Access of Uninitialized Pointer
	Major	Applicable_Platforms, Observed_Examples
	Minor	None
825	Expired Pointer Dereference
	Major	Applicable_Platforms
	Minor	None
863	Incorrect Authorization
	Major	Diagram
	Minor	None
911	Improper Update of Reference Count
	Major	Common_Consequences
	Minor	None
912	Hidden Functionality
	Major	Relationships
	Minor	None
939	Improper Authorization in Handler for Custom URL Scheme
	Major	Demonstrative_Examples
	Minor	None
943	Improper Neutralization of Special Elements in Data Query Logic
	Major	Alternate_Terms, Observed_Examples, References
	Minor	None
1025	Comparison Using Wrong Factors
	Major	Demonstrative_Examples
	Minor	None
1039	Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism
	Major	Common_Consequences, Description, Detection_Factors, Mapping_Notes, Modes_of_Introduction, Name, Potential_Mitigations, Time_of_Introduction
	Minor	None
1071	Empty Code Block
	Major	Demonstrative_Examples
	Minor	None
1073	Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
	Major	Applicable_Platforms
	Minor	None
1189	Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
	Major	Demonstrative_Examples
	Minor	None
1205	Security Primitives and Cryptography Issues
	Major	Relationships
	Minor	None
1208	Cross-Cutting Problems
	Major	Relationships
	Minor	None
1220	Insufficient Granularity of Access Control
	Major	Demonstrative_Examples
	Minor	None
1223	Race Condition for Write-Once Attributes
	Major	Demonstrative_Examples
	Minor	None
1231	Improper Prevention of Lock Bit Modification
	Major	Demonstrative_Examples
	Minor	None
1233	Security-Sensitive Hardware Controls with Missing Lock Bit Protection
	Major	Demonstrative_Examples
	Minor	None
1236	Improper Neutralization of Formula Elements in a CSV File
	Major	Demonstrative_Examples
	Minor	None
1240	Use of a Cryptographic Primitive with a Risky Implementation
	Major	Demonstrative_Examples
	Minor	None
1241	Use of Predictable Algorithm in Random Number Generator
	Major	Demonstrative_Examples
	Minor	None
1242	Inclusion of Undocumented Features or Chicken Bits
	Major	Relationships
	Minor	None
1243	Sensitive Non-Volatile Information Not Protected During Debug
	Major	Demonstrative_Examples
	Minor	None
1246	Improper Write Handling in Limited-write Non-Volatile Memories
	Major	Demonstrative_Examples, References
	Minor	None
1256	Improper Restriction of Software Interfaces to Hardware Features
	Major	Demonstrative_Examples
	Minor	None
1269	Product Released in Non-Release Configuration
	Major	Demonstrative_Examples
	Minor	None
1272	Sensitive Information Uncleared Before Debug/Power State Transition
	Major	Demonstrative_Examples
	Minor	None
1273	Device Unlock Credential Sharing
	Major	Demonstrative_Examples
	Minor	None
1274	Improper Access Control for Volatile Memory Containing Boot Code
	Major	Demonstrative_Examples
	Minor	None
1279	Cryptographic Operations are run Before Supporting Units are Ready
	Major	Relationships
	Minor	None
1300	Improper Protection of Physical Side Channels
	Major	Demonstrative_Examples
	Minor	None
1320	Improper Protection for Outbound Error Messages and Alert Signals
	Major	Demonstrative_Examples
	Minor	None
1329	Reliance on Component That is Not Updateable
	Major	Relationships
	Minor	None
1332	Improper Handling of Faults that Lead to Instruction Skips
	Major	Demonstrative_Examples
	Minor	None
1339	Insufficient Precision or Accuracy of a Real Number
	Major	Demonstrative_Examples
	Minor	None
1357	Reliance on Insufficiently Trustworthy Component
	Major	Relationships
	Minor	None
1395	Dependency on Vulnerable Third-Party Component
	Major	Mapping_Notes
	Minor	None
1402	Comprehensive Categorization: Encryption
	Major	Relationships
	Minor	None
1413	Comprehensive Categorization: Protection Mechanism Failure
	Major	Relationships
	Minor	None
1417	Comprehensive Categorization: Sensitive Information Exposure
	Major	Relationships
	Minor	None

Page Last Updated: April 03, 2025


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration