CWE - Differences between Version 4.3 and Version 4.4

Home > CWE List > Reports > Differences between Version 4.3 and Version 4.4

Differences between Version 4.3 and Version 4.4

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total weaknesses/chains/composites (Version 4.4)	918
Total weaknesses/chains/composites (Version 4.3)	916
Total new	3
Total deprecated	0
Total with major changes	241
Total with only minor changes	3
Total unchanged	1091

Summary of Entry Types

Type	Version 4.3	Version 4.4
Weakness	916	918
Category	316	316
View	42	43
Deprecated	61	61
Total	1335	1338

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	6	0
Description	22	1
Relationships	57	0
Applicable_Platforms	0	0
Modes_of_Introduction	1	0
Detection_Factors	1	0
Potential_Mitigations	28	1
Demonstrative_Examples	79	2
Observed_Examples	15	0
Related_Attack_Patterns	6	0
Weakness_Ordinalities	3	0
Time_of_Introduction	0	0
Likelihood_of_Exploit	1	0
References	21	0
Common_Consequences	2	0
Terminology_Notes	1	0
Alternate_Terms	8	0
Relationship_Notes	3	0
Taxonomy_Mappings	10	0
Maintenance_Notes	51	0
Research_Gaps	1	0
Background_Details	1	0
Theoretical_Notes	4	0
Other_Notes	4	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Type	1	0
Source_Taxonomy	0	0

Form and Abstraction Changes

From	To	Total	CWE IDs
Unchanged		1334
Weakness/Class	Weakness/Base	1	1271

Status Changes

From	To	Total
Unchanged		1331
Incomplete	Draft	4

Relationship Changes

The "Version 4.4 Total" lists the total number of relationships in Version 4.4. The "Shared" value is the total number of relationships in entries that were in both Version 4.4 and Version 4.3. The "New" value is the total number of relationships involving entries that did not exist in Version 4.3. Thus, the total number of relationships in Version 4.4 would combine stats from Shared entries and New entries.

Relationship	Version 4.4 Total	Version 4.3 Total	Version 4.4 Shared	Unchanged	Added to Version 4.4	Removed from Version 4.3	Version 4.4 New
ALL	9589	9533	9581	9513	68	20	8
ChildOf	3983	3956	3979	3946	33	10	4
ParentOf	3983	3956	3979	3946	33	10	4
MemberOf	564	564	564	564
HasMember	564	564	564	564
CanPrecede	132	132	132	132
CanFollow	132	132	132	132
StartsWith	3	3	3	3
Requires	13	13	13	13
RequiredBy	13	13	13	13
CanAlsoBe	28	28	28	28
PeerOf	174	172	174	172	2

Nodes Removed from Version 4.3

CWE-ID	CWE Name
None.

Nodes Added to Version 4.4

CWE-ID	CWE Name
1081	Entries with Maintenance Notes
1204	Generation of Weak Initialization Vector (IV)
1333	Inefficient Regular Expression Complexity

Nodes Deprecated in Version 4.4

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

D			20	Improper Input Validation
		R	22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
		R	59	Improper Link Resolution Before File Access ('Link Following')
		R	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
D			79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
		R	95	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
D			111	Direct Use of Unsafe JNI
		R	116	Improper Encoding or Escaping of Output
		R	129	Improper Validation of Array Index
		R	134	Use of Externally-Controlled Format String
		R	185	Incorrect Regular Expression
		R	189	Numeric Errors
D			217	DEPRECATED: Failure to Protect Stored Data from Modification
		R	248	Uncaught Exception
D			249	DEPRECATED: Often Misused: Path Manipulation
		R	252	Unchecked Return Value
		R	284	Improper Access Control
D			301	Reflection Attack in an Authentication Protocol
D	N	R	329	Not Using an Unpredictable IV with CBC Mode
		R	330	Use of Insufficiently Random Values
		R	375	Returning a Mutable Object to an Untrusted Caller
D		R	391	Unchecked Error Condition
		R	394	Unexpected Status Code or Return Value
		R	401	Missing Release of Memory after Effective Lifetime
		R	407	Inefficient Algorithmic Complexity
D			427	Uncontrolled Search Path Element
		R	456	Missing Initialization of a Variable
		R	457	Use of Uninitialized Variable
		R	460	Improper Cleanup on Thrown Exception
		R	477	Use of Obsolete Function
		R	480	Use of Incorrect Operator
		R	488	Exposure of Data Element to Wrong Session
		R	498	Cloneable Class Containing Sensitive Information
		R	499	Serializable Class Containing Sensitive Data
		R	561	Dead Code
		R	563	Assignment to Variable without Use
D		R	597	Use of Wrong Operator in String Comparison
		R	603	Use of Client-Side Authentication
		R	628	Function Call with Incorrectly Specified Arguments
		R	656	Reliance on Security Through Obscurity
		R	664	Improper Control of a Resource Through its Lifetime
		R	668	Exposure of Resource to Wrong Sphere
		R	681	Incorrect Conversion between Numeric Types
		R	687	Function Call With Incorrectly Specified Argument Value
		R	690	Unchecked Return Value to NULL Pointer Dereference
		R	705	Incorrect Control Flow Scoping
D			711	Weaknesses in OWASP Top Ten (2004)
D			734	Weaknesses Addressed by the CERT C Secure Coding Standard (2008)
		R	754	Improper Check for Unusual or Exceptional Conditions
		R	762	Mismatched Memory Management Routines
		R	767	Access to Critical Private Variable via Public Method
		R	783	Operator Precedence Logic Error
		R	789	Memory Allocation with Excessive Size Value
D			868	Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version)
		R	969	SFP Secondary Cluster: Faulty Memory Release
		R	977	SFP Secondary Cluster: Design
		R	982	SFP Secondary Cluster: Failure to Release Resource
		R	998	SFP Secondary Cluster: Glitch in Computation
D			1000	Research Concepts
D	N		1129	CISQ Quality Measures (2016) - Reliability
D	N		1130	CISQ Quality Measures (2016) - Maintainability
D	N		1131	CISQ Quality Measures (2016) - Security
D	N		1132	CISQ Quality Measures (2016) - Performance Efficiency
		R	1179	SEI CERT Perl Coding Standard - Guidelines 01. Input Validation and Data Sanitization (IDS)
		R	1180	SEI CERT Perl Coding Standard - Guidelines 02. Declarations and Initialization (DCL)
		R	1181	SEI CERT Perl Coding Standard - Guidelines 03. Expressions (EXP)
		R	1182	SEI CERT Perl Coding Standard - Guidelines 04. Integers (INT)
		R	1184	SEI CERT Perl Coding Standard - Guidelines 06. Object-Oriented Programming (OOP)
		R	1185	SEI CERT Perl Coding Standard - Guidelines 07. File Input and Output (FIO)
		R	1186	SEI CERT Perl Coding Standard - Guidelines 50. Miscellaneous (MSC)
D			1232	Improper Lock Behavior After Power State Transition
D			1236	Improper Neutralization of Formula Elements in a CSV File
D			1243	Sensitive Non-Volatile Information Not Protected During Debug
		R	1255	Comparison Logic is Vulnerable to Power Side-Channel Attacks
	N		1271	Uninitialized Value on Reset for Registers Holding Security Settings
		R	1327	Binding to an Unrestricted IP Address
D			1332	Insufficient Protection Against Instruction Skipping Via Fault Injection

Detailed Difference Report

13	ASP.NET Misconfiguration: Password in Configuration File
	Major	Demonstrative_Examples
	Minor	None
20	Improper Input Validation
	Major	Description, Potential_Mitigations
	Minor	None
21	DEPRECATED: Pathname Traversal and Equivalence Errors
	Major	Taxonomy_Mappings
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Demonstrative_Examples, Relationships
	Minor	None
23	Relative Path Traversal
	Major	Demonstrative_Examples
	Minor	None
32	Path Traversal: '...' (Triple Dot)
	Major	Potential_Mitigations
	Minor	None
33	Path Traversal: '....' (Multiple Dot)
	Major	Potential_Mitigations
	Minor	None
34	Path Traversal: '....//'
	Major	Potential_Mitigations
	Minor	None
35	Path Traversal: '.../...//'
	Major	Potential_Mitigations
	Minor	None
36	Absolute Path Traversal
	Major	Demonstrative_Examples
	Minor	None
37	Path Traversal: '/absolute/pathname/here'
	Major	Potential_Mitigations
	Minor	None
38	Path Traversal: '\absolute\pathname\here'
	Major	Potential_Mitigations
	Minor	None
39	Path Traversal: 'C:dirname'
	Major	Potential_Mitigations
	Minor	None
40	Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
	Major	Potential_Mitigations
	Minor	None
59	Improper Link Resolution Before File Access ('Link Following')
	Major	Relationships
	Minor	None
60	DEPRECATED: UNIX Path Link Problems
	Major	Taxonomy_Mappings
	Minor	None
68	DEPRECATED: Windows Virtual File Problems
	Major	Taxonomy_Mappings
	Minor	None
70	DEPRECATED: Mac Virtual File Problems
	Major	Taxonomy_Mappings
	Minor	None
71	DEPRECATED: Apple '.DS_Store'
	Major	Taxonomy_Mappings
	Minor	None
73	External Control of File Name or Path
	Major	Maintenance_Notes, Potential_Mitigations
	Minor	None
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Relationships
	Minor	None
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	Major	Demonstrative_Examples, Description
	Minor	None
87	Improper Neutralization of Alternate XSS Syntax
	Major	Demonstrative_Examples
	Minor	None
94	Improper Control of Generation of Code ('Code Injection')
	Major	Demonstrative_Examples
	Minor	None
95	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
	Major	Relationships
	Minor	None
96	Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
	Major	Demonstrative_Examples
	Minor	None
98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
	Major	Potential_Mitigations
	Minor	None
111	Direct Use of Unsafe JNI
	Major	Description
	Minor	None
114	Process Control
	Major	Maintenance_Notes
	Minor	None
116	Improper Encoding or Escaping of Output
	Major	Relationships, Terminology_Notes
	Minor	None
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	Demonstrative_Examples
	Minor	None
121	Stack-based Buffer Overflow
	Major	Demonstrative_Examples, References
	Minor	None
122	Heap-based Buffer Overflow
	Major	References
	Minor	None
123	Write-what-where Condition
	Major	References
	Minor	None
124	Buffer Underwrite ('Buffer Underflow')
	Major	Potential_Mitigations
	Minor	None
128	Wrap-around Error
	Major	Potential_Mitigations, References
	Minor	None
129	Improper Validation of Array Index
	Major	References, Relationships
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
134	Use of Externally-Controlled Format String
	Major	Potential_Mitigations, Relationships
	Minor	None
135	Incorrect Calculation of Multi-Byte String Length
	Major	References
	Minor	None
159	Improper Handling of Invalid Use of Special Elements
	Major	Maintenance_Notes
	Minor	None
171	DEPRECATED: Cleansing, Canonicalization, and Comparison Errors
	Major	Taxonomy_Mappings
	Minor	None
178	Improper Handling of Case Sensitivity
	Major	Demonstrative_Examples
	Minor	None
185	Incorrect Regular Expression
	Major	Relationships
	Minor	None
188	Reliance on Data/Memory Layout
	Major	References
	Minor	None
189	Numeric Errors
	Major	Relationships
	Minor	None
190	Integer Overflow or Wraparound
	Major	Potential_Mitigations
	Minor	None
191	Integer Underflow (Wrap or Wraparound)
	Major	Demonstrative_Examples
	Minor	None
192	Integer Coercion Error
	Major	Demonstrative_Examples, Maintenance_Notes, References
	Minor	None
193	Off-by-one Error
	Major	Demonstrative_Examples
	Minor	None
194	Unexpected Sign Extension
	Major	Potential_Mitigations, References
	Minor	None
195	Signed to Unsigned Conversion Error
	Major	Demonstrative_Examples, References
	Minor	None
196	Unsigned to Signed Conversion Error
	Major	References
	Minor	None
217	DEPRECATED: Failure to Protect Stored Data from Modification
	Major	Description
	Minor	None
228	Improper Handling of Syntactically Invalid Structure
	Major	Demonstrative_Examples, Maintenance_Notes, Theoretical_Notes
	Minor	None
230	Improper Handling of Missing Values
	Major	Demonstrative_Examples
	Minor	None
233	Improper Handling of Parameters
	Major	Demonstrative_Examples
	Minor	None
242	Use of Inherently Dangerous Function
	Major	Demonstrative_Examples
	Minor	None
247	DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision
	Major	Taxonomy_Mappings
	Minor	None
248	Uncaught Exception
	Major	Relationships
	Minor	None
249	DEPRECATED: Often Misused: Path Manipulation
	Major	Description, Maintenance_Notes
	Minor	None
252	Unchecked Return Value
	Major	Demonstrative_Examples, Observed_Examples, Relationships, Weakness_Ordinalities
	Minor	None
256	Unprotected Storage of Credentials
	Major	Demonstrative_Examples
	Minor	None
257	Storing Passwords in a Recoverable Format
	Major	Demonstrative_Examples, Maintenance_Notes
	Minor	None
259	Use of Hard-coded Password
	Major	Demonstrative_Examples, Maintenance_Notes
	Minor	None
260	Password in Configuration File
	Major	Demonstrative_Examples
	Minor	None
266	Incorrect Privilege Assignment
	Major	Demonstrative_Examples
	Minor	None
267	Privilege Defined With Unsafe Actions
	Major	Maintenance_Notes
	Minor	None
269	Improper Privilege Management
	Major	Demonstrative_Examples
	Minor	None
272	Least Privilege Violation
	Major	Demonstrative_Examples
	Minor	None
274	Improper Handling of Insufficient Privileges
	Major	Relationship_Notes, Theoretical_Notes
	Minor	None
280	Improper Handling of Insufficient Permissions or Privileges
	Major	Maintenance_Notes
	Minor	None
284	Improper Access Control
	Major	Maintenance_Notes, Relationships
	Minor	None
285	Improper Authorization
	Major	Alternate_Terms
	Minor	None
287	Improper Authentication
	Major	Alternate_Terms, Demonstrative_Examples
	Minor	None
290	Authentication Bypass by Spoofing
	Major	None
	Minor	Demonstrative_Examples
292	DEPRECATED (Duplicate): Trusting Self-reported DNS Name
	Major	Likelihood_of_Exploit, Taxonomy_Mappings
	Minor	None
293	Using Referer Field for Authentication
	Major	References
	Minor	None
300	Channel Accessible by Non-Endpoint
	Major	Alternate_Terms, Related_Attack_Patterns
	Minor	None
301	Reflection Attack in an Authentication Protocol
	Major	Description, Other_Notes
	Minor	None
302	Authentication Bypass by Assumed-Immutable Data
	Major	Demonstrative_Examples
	Minor	None
308	Use of Single-factor Authentication
	Major	Demonstrative_Examples
	Minor	None
309	Use of Password System for Primary Authentication
	Major	Demonstrative_Examples
	Minor	None
312	Cleartext Storage of Sensitive Information
	Major	Demonstrative_Examples
	Minor	None
313	Cleartext Storage in a File or on Disk
	Major	Demonstrative_Examples
	Minor	None
324	Use of a Key Past its Expiration Date
	Major	References
	Minor	None
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	References
	Minor	None
328	Reversible One-Way Hash
	Major	Demonstrative_Examples
	Minor	None
329	Not Using an Unpredictable IV with CBC Mode
	Major	Background_Details, Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, References, Relationships
	Minor	None
330	Use of Insufficiently Random Values
	Major	Maintenance_Notes, Relationships
	Minor	None
332	Insufficient Entropy in PRNG
	Major	References
	Minor	None
338	Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
	Major	Demonstrative_Examples
	Minor	None
339	Small Seed Space in PRNG
	Major	Maintenance_Notes
	Minor	None
350	Reliance on Reverse DNS Resolution for a Security-Critical Action
	Major	Demonstrative_Examples
	Minor	None
359	Exposure of Private Personal Information to an Unauthorized Actor
	Major	References
	Minor	None
362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
	Major	Demonstrative_Examples
	Minor	None
364	Signal Handler Race Condition
	Major	Potential_Mitigations
	Minor	None
366	Race Condition within a Thread
	Major	Potential_Mitigations
	Minor	None
375	Returning a Mutable Object to an Untrusted Caller
	Major	Relationships
	Minor	None
378	Creation of Temporary File With Insecure Permissions
	Major	Demonstrative_Examples
	Minor	None
379	Creation of Temporary File in Directory with Insecure Permissions
	Major	Demonstrative_Examples
	Minor	None
387	Signal Errors
	Major	Maintenance_Notes
	Minor	None
391	Unchecked Error Condition
	Major	Description, Relationships
	Minor	None
393	Return of Wrong Status Code
	Major	Maintenance_Notes
	Minor	None
394	Unexpected Status Code or Return Value
	Major	Relationships
	Minor	None
401	Missing Release of Memory after Effective Lifetime
	Major	Relationships
	Minor	None
404	Improper Resource Shutdown or Release
	Major	Demonstrative_Examples
	Minor	None
407	Inefficient Algorithmic Complexity
	Major	References, Relationships
	Minor	None
413	Improper Resource Locking
	Major	Demonstrative_Examples
	Minor	None
415	Double Free
	Major	Maintenance_Notes, Theoretical_Notes
	Minor	None
426	Untrusted Search Path
	Major	Demonstrative_Examples
	Minor	None
427	Uncontrolled Search Path Element
	Major	Alternate_Terms, Description, Maintenance_Notes, References, Theoretical_Notes
	Minor	None
434	Unrestricted Upload of File with Dangerous Type
	Major	Demonstrative_Examples
	Minor	None
446	UI Discrepancy for Security Feature
	Major	Maintenance_Notes, Relationship_Notes, Weakness_Ordinalities
	Minor	None
451	User Interface (UI) Misrepresentation of Critical Information
	Major	Maintenance_Notes, Observed_Examples
	Minor	None
456	Missing Initialization of a Variable
	Major	Demonstrative_Examples, Observed_Examples, Relationships
	Minor	None
457	Use of Uninitialized Variable
	Major	Demonstrative_Examples, Observed_Examples, Relationships
	Minor	None
460	Improper Cleanup on Thrown Exception
	Major	Relationships
	Minor	None
469	Use of Pointer Subtraction to Determine Size
	Major	Potential_Mitigations
	Minor	None
476	NULL Pointer Dereference
	Major	Demonstrative_Examples, Observed_Examples
	Minor	None
477	Use of Obsolete Function
	Major	Relationships
	Minor	None
480	Use of Incorrect Operator
	Major	Demonstrative_Examples, Relationships
	Minor	None
481	Assigning instead of Comparing
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
488	Exposure of Data Element to Wrong Session
	Major	Relationships
	Minor	None
489	Active Debug Code
	Major	Related_Attack_Patterns
	Minor	None
490	DEPRECATED: Mobile Code Issues
	Major	Other_Notes
	Minor	None
494	Download of Code Without Integrity Check
	Major	References, Related_Attack_Patterns
	Minor	None
497	Exposure of Sensitive System Information to an Unauthorized Control Sphere
	Major	Demonstrative_Examples
	Minor	None
498	Cloneable Class Containing Sensitive Information
	Major	Relationships
	Minor	None
499	Serializable Class Containing Sensitive Data
	Major	Relationships
	Minor	None
502	Deserialization of Untrusted Data
	Major	None
	Minor	Demonstrative_Examples
503	DEPRECATED: Byte/Object Code
	Major	Taxonomy_Mappings
	Minor	None
504	DEPRECATED: Motivation/Intent
	Major	Taxonomy_Mappings
	Minor	None
522	Insufficiently Protected Credentials
	Major	Demonstrative_Examples
	Minor	None
541	Inclusion of Sensitive Information in an Include File
	Major	Demonstrative_Examples
	Minor	None
561	Dead Code
	Major	Relationships
	Minor	None
563	Assignment to Variable without Use
	Major	Relationships
	Minor	None
587	Assignment of a Fixed Address to a Pointer
	Major	Common_Consequences, Weakness_Ordinalities
	Minor	Description
590	Free of Memory not on the Heap
	Major	Maintenance_Notes, Other_Notes
	Minor	None
595	Comparison of Object References Instead of Object Contents
	Major	Demonstrative_Examples
	Minor	None
597	Use of Wrong Operator in String Comparison
	Major	Demonstrative_Examples, Description, Potential_Mitigations, Relationships
	Minor	None
600	Uncaught Exception in Servlet
	Major	Demonstrative_Examples
	Minor	None
603	Use of Client-Side Authentication
	Major	Maintenance_Notes, Relationships
	Minor	None
625	Permissive Regular Expression
	Major	Demonstrative_Examples
	Minor	None
628	Function Call with Incorrectly Specified Arguments
	Major	Detection_Factors, Relationships
	Minor	None
635	Weaknesses Originally Used by NVD from 2008 to 2016
	Major	Maintenance_Notes
	Minor	None
639	Authorization Bypass Through User-Controlled Key
	Major	Alternate_Terms
	Minor	None
642	External Control of Critical State Data
	Major	Demonstrative_Examples
	Minor	None
654	Reliance on a Single Factor in a Security Decision
	Major	Alternate_Terms, Maintenance_Notes
	Minor	None
656	Reliance on Security Through Obscurity
	Major	Relationships
	Minor	None
664	Improper Control of a Resource Through its Lifetime
	Major	Maintenance_Notes, Relationships
	Minor	None
665	Improper Initialization
	Major	Observed_Examples
	Minor	None
667	Improper Locking
	Major	Demonstrative_Examples
	Minor	None
668	Exposure of Resource to Wrong Sphere
	Major	Relationships
	Minor	None
674	Uncontrolled Recursion
	Major	Potential_Mitigations
	Minor	None
676	Use of Potentially Dangerous Function
	Major	Demonstrative_Examples
	Minor	None
681	Incorrect Conversion between Numeric Types
	Major	Relationships
	Minor	None
687	Function Call With Incorrectly Specified Argument Value
	Major	Relationships
	Minor	None
690	Unchecked Return Value to NULL Pointer Dereference
	Major	Demonstrative_Examples, Relationships
	Minor	None
691	Insufficient Control Flow Management
	Major	Maintenance_Notes
	Minor	None
693	Protection Mechanism Failure
	Major	Maintenance_Notes
	Minor	None
696	Incorrect Behavior Order
	Major	Observed_Examples
	Minor	None
705	Incorrect Control Flow Scoping
	Major	Relationships
	Minor	None
711	Weaknesses in OWASP Top Ten (2004)
	Major	Description, Maintenance_Notes, Relationship_Notes
	Minor	None
734	Weaknesses Addressed by the CERT C Secure Coding Standard (2008)
	Major	Description, Maintenance_Notes
	Minor	None
754	Improper Check for Unusual or Exceptional Conditions
	Major	Demonstrative_Examples, Relationships
	Minor	None
756	Missing Custom Error Page
	Major	Demonstrative_Examples
	Minor	None
759	Use of a One-Way Hash without a Salt
	Major	Demonstrative_Examples
	Minor	None
761	Free of Pointer not at Start of Buffer
	Major	Observed_Examples
	Minor	None
762	Mismatched Memory Management Routines
	Major	Relationships
	Minor	None
763	Release of Invalid Pointer or Reference
	Major	Maintenance_Notes
	Minor	None
767	Access to Critical Private Variable via Public Method
	Major	Relationships
	Minor	None
772	Missing Release of Resource after Effective Lifetime
	Major	Demonstrative_Examples
	Minor	None
782	Exposed IOCTL with Insufficient Access Control
	Major	Observed_Examples
	Minor	None
783	Operator Precedence Logic Error
	Major	Relationships
	Minor	None
785	Use of Path Manipulation Function without Maximum-sized Buffer
	Major	Maintenance_Notes
	Minor	None
787	Out-of-bounds Write
	Major	Demonstrative_Examples
	Minor	None
789	Memory Allocation with Excessive Size Value
	Major	Demonstrative_Examples, Relationships
	Minor	None
795	Only Filtering Special Elements at a Specified Location
	Major	Demonstrative_Examples
	Minor	None
798	Use of Hard-coded Credentials
	Major	Demonstrative_Examples
	Minor	None
805	Buffer Access with Incorrect Length Value
	Major	None
	Minor	Potential_Mitigations
825	Expired Pointer Dereference
	Major	Observed_Examples
	Minor	None
828	Signal Handler with Functionality that is not Asynchronous-Safe
	Major	Demonstrative_Examples
	Minor	None
829	Inclusion of Functionality from Untrusted Control Sphere
	Major	Potential_Mitigations, Related_Attack_Patterns
	Minor	None
835	Loop with Unreachable Exit Condition ('Infinite Loop')
	Major	Observed_Examples
	Minor	None
862	Missing Authorization
	Major	Alternate_Terms, Observed_Examples
	Minor	None
863	Incorrect Authorization
	Major	Alternate_Terms
	Minor	None
868	Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version)
	Major	Description, Maintenance_Notes
	Minor	None
908	Use of Uninitialized Resource
	Major	Demonstrative_Examples, Observed_Examples
	Minor	None
909	Missing Initialization of Resource
	Major	Demonstrative_Examples, Observed_Examples
	Minor	None
922	Insecure Storage of Sensitive Information
	Major	Maintenance_Notes
	Minor	None
923	Improper Restriction of Communication Channel to Intended Endpoints
	Major	Maintenance_Notes
	Minor	None
924	Improper Enforcement of Message Integrity During Transmission in a Communication Channel
	Major	Maintenance_Notes
	Minor	None
927	Use of Implicit Intent for Sensitive Communication
	Major	Maintenance_Notes
	Minor	None
939	Improper Authorization in Handler for Custom URL Scheme
	Major	Demonstrative_Examples
	Minor	None
941	Incorrectly Specified Destination in a Communication Channel
	Major	Maintenance_Notes
	Minor	None
943	Improper Neutralization of Special Elements in Data Query Logic
	Major	Maintenance_Notes
	Minor	None
969	SFP Secondary Cluster: Faulty Memory Release
	Major	Relationships
	Minor	None
977	SFP Secondary Cluster: Design
	Major	Relationships
	Minor	None
982	SFP Secondary Cluster: Failure to Release Resource
	Major	Relationships
	Minor	None
998	SFP Secondary Cluster: Glitch in Computation
	Major	Relationships
	Minor	None
1000	Research Concepts
	Major	Description, Other_Notes
	Minor	None
1003	Weaknesses for Simplified Mapping of Published Vulnerabilities
	Major	Maintenance_Notes
	Minor	None
1023	Incomplete Comparison with Missing Factors
	Major	Demonstrative_Examples
	Minor	None
1025	Comparison Using Wrong Factors
	Major	Demonstrative_Examples
	Minor	None
1037	Processor Optimization Removal or Modification of Security-critical Code
	Major	Related_Attack_Patterns
	Minor	None
1129	CISQ Quality Measures (2016) - Reliability
	Major	Description, Name
	Minor	None
1130	CISQ Quality Measures (2016) - Maintainability
	Major	Description, Name
	Minor	None
1131	CISQ Quality Measures (2016) - Security
	Major	Description, Name
	Minor	None
1132	CISQ Quality Measures (2016) - Performance Efficiency
	Major	Description, Name
	Minor	None
1179	SEI CERT Perl Coding Standard - Guidelines 01. Input Validation and Data Sanitization (IDS)
	Major	Relationships
	Minor	None
1180	SEI CERT Perl Coding Standard - Guidelines 02. Declarations and Initialization (DCL)
	Major	Relationships
	Minor	None
1181	SEI CERT Perl Coding Standard - Guidelines 03. Expressions (EXP)
	Major	Relationships
	Minor	None
1182	SEI CERT Perl Coding Standard - Guidelines 04. Integers (INT)
	Major	Relationships
	Minor	None
1184	SEI CERT Perl Coding Standard - Guidelines 06. Object-Oriented Programming (OOP)
	Major	Relationships
	Minor	None
1185	SEI CERT Perl Coding Standard - Guidelines 07. File Input and Output (FIO)
	Major	Relationships
	Minor	None
1186	SEI CERT Perl Coding Standard - Guidelines 50. Miscellaneous (MSC)
	Major	Relationships
	Minor	None
1191	Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization
	Major	Maintenance_Notes
	Minor	None
1232	Improper Lock Behavior After Power State Transition
	Major	Description
	Minor	None
1233	Improper Hardware Lock Protection for Security Sensitive Controls
	Major	Maintenance_Notes
	Minor	None
1235	Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
	Major	Demonstrative_Examples
	Minor	None
1236	Improper Neutralization of Formula Elements in a CSV File
	Major	Description, Potential_Mitigations
	Minor	None
1241	Use of Predictable Algorithm in Random Number Generator
	Major	Maintenance_Notes, Research_Gaps
	Minor	None
1243	Sensitive Non-Volatile Information Not Protected During Debug
	Major	Description
	Minor	None
1244	Improper Access to Sensitive Information Using Debug and Test Interfaces
	Major	Maintenance_Notes
	Minor	None
1247	Missing or Improperly Implemented Protection Against Voltage and Clock Glitches
	Major	Functional_Areas
	Minor	None
1251	Mirrored Regions with Different Values
	Major	Demonstrative_Examples
	Minor	None
1255	Comparison Logic is Vulnerable to Power Side-Channel Attacks
	Major	Functional_Areas, Maintenance_Notes, Relationships
	Minor	None
1256	Hardware Features Enable Physical Attacks from Software
	Major	Demonstrative_Examples, Functional_Areas, Maintenance_Notes
	Minor	None
1259	Improper Restriction of Security Token Assignment
	Major	Maintenance_Notes
	Minor	None
1271	Uninitialized Value on Reset for Registers Holding Security Settings
	Major	Name, Type
	Minor	None
1272	Sensitive Information Uncleared Before Debug/Power State Transition
	Major	Functional_Areas
	Minor	None
1277	Firmware Not Updateable
	Major	Maintenance_Notes
	Minor	None
1278	Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
	Major	Maintenance_Notes
	Minor	None
1279	Cryptographic Operations are run Before Supporting Units are Ready
	Major	Maintenance_Notes
	Minor	None
1281	Sequence of Processor Instructions Leads to Unexpected Behavior (Halt and Catch Fire)
	Major	Potential_Mitigations
	Minor	None
1282	Assumed-Immutable Data is Stored in Writable Memory
	Major	Maintenance_Notes
	Minor	None
1285	Improper Validation of Specified Index, Position, or Offset in Input
	Major	Demonstrative_Examples
	Minor	None
1300	Improper Protection Against Physical Side Channels
	Major	Functional_Areas, Maintenance_Notes
	Minor	None
1303	Non-Transparent Sharing of Microarchitectural Resources
	Major	Related_Attack_Patterns
	Minor	None
1304	Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
	Major	Functional_Areas
	Minor	None
1310	Missing Ability to Patch ROM Code
	Major	Maintenance_Notes
	Minor	None
1327	Binding to an Unrestricted IP Address
	Major	Relationships
	Minor	None
1332	Insufficient Protection Against Instruction Skipping Via Fault Injection
	Major	Description, Functional_Areas, Potential_Mitigations, References
	Minor	None

Page Last Updated: March 15, 2021


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration