CWE - Differences between Version 4.4 and Version 4.5

Home > CWE List > Reports > Differences between Version 4.4 and Version 4.5

Differences between Version 4.4 and Version 4.5

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total weaknesses/chains/composites (Version 4.5)	922
Total weaknesses/chains/composites (Version 4.4)	918
Total new	5
Total deprecated	0
Total with major changes	139
Total with only minor changes	2
Total unchanged	1197

Summary of Entry Types

Type	Version 4.4	Version 4.5
Weakness	918	922
Category	316	316
View	43	44
Deprecated	61	61
Total	1338	1343

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	11	0
Description	9	0
Relationships	38	0
Applicable_Platforms	0	0
Modes_of_Introduction	2	0
Detection_Factors	0	0
Potential_Mitigations	13	0
Demonstrative_Examples	19	0
Observed_Examples	35	2
Related_Attack_Patterns	34	0
Weakness_Ordinalities	0	0
Time_of_Introduction	0	0
Likelihood_of_Exploit	0	0
References	13	0
Common_Consequences	0	1
Terminology_Notes	0	0
Alternate_Terms	2	0
Relationship_Notes	0	0
Taxonomy_Mappings	0	0
Maintenance_Notes	21	0
Research_Gaps	1	0
Background_Details	2	0
Theoretical_Notes	0	0
Other_Notes	1	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Type	0	0
Source_Taxonomy	0	0

Form and Abstraction Changes

From	To	Total	CWE IDs
Unchanged		1338

Status Changes

From	To	Total
Unchanged		1338

Relationship Changes

The "Version 4.5 Total" lists the total number of relationships in Version 4.5. The "Shared" value is the total number of relationships in entries that were in both Version 4.5 and Version 4.4. The "New" value is the total number of relationships involving entries that did not exist in Version 4.4. Thus, the total number of relationships in Version 4.5 would combine stats from Shared entries and New entries.

Relationship	Version 4.5 Total	Version 4.4 Total	Version 4.5 Shared	Unchanged	Added to Version 4.5	Removed from Version 4.4	Version 4.5 New
ALL	9658	9589	9590	9584	6	5	68
ChildOf	3989	3983	3983	3981	2	2	6
ParentOf	3989	3983	3983	3981	2	2	6
MemberOf	589	564	564	564			25
HasMember	589	564	564	564			25
CanPrecede	134	132	132	132			2
CanFollow	134	132	132	132			2
StartsWith	3	3	3	3
Requires	13	13	13	13
RequiredBy	13	13	13	13
CanAlsoBe	27	28	27	27		1
PeerOf	178	174	176	174	2		2

Nodes Removed from Version 4.4

CWE-ID	CWE Name
None.

Software Nodes Added to Version 4.5

CWE-ID	CWE Name
1335	Incorrect Bitwise Shift of Integer
1336	Improper Neutralization of Special Elements Used in a Template Engine
1337	Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses
1339	Insufficient Precision or Accuracy of a Real Number

Hardware Nodes Added to Version 4.5

CWE-ID	CWE Name
1351	Improper Handling of Hardware Behavior in Exceptionally Cold Environments

Nodes Deprecated in Version 4.5

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

		R	20	Improper Input Validation
		R	22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
D		R	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
		R	78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
		R	79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
		R	89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
		R	94	Improper Control of Generation of Code ('Code Injection')
D			103	Struts: Incomplete validate() Method Definition
		R	119	Improper Restriction of Operations within the Bounds of a Memory Buffer
		R	125	Out-of-bounds Read
	N		132	DEPRECATED: Miscalculated Null Termination
		R	189	Numeric Errors
		R	190	Integer Overflow or Wraparound
		R	200	Exposure of Sensitive Information to an Unauthorized Actor
		R	209	Generation of Error Message Containing Sensitive Information
	N		218	DEPRECATED: Failure to provide confidentiality for stored data
	N		225	DEPRECATED: General Information Management Problems
	N		247	DEPRECATED: Reliance on DNS Lookups in a Security Decision
D	N	R	256	Plaintext Storage of a Password
		R	276	Incorrect Default Permissions
		R	287	Improper Authentication
	N		292	DEPRECATED: Trusting Self-reported DNS Name
		R	306	Missing Authentication for Critical Function
D	N		329	Generation of Predictable IV with CBC Mode
D			335	Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
D			336	Same Seed in Pseudo-Random Number Generator (PRNG)
D			339	Small Seed Space in PRNG
		R	352	Cross-Site Request Forgery (CSRF)
		R	391	Unchecked Error Condition
		R	416	Use After Free
	N		423	DEPRECATED: Proxied Trusted Channel
		R	434	Unrestricted Upload of File with Dangerous Type
	N		443	DEPRECATED: HTTP response splitting
		R	476	NULL Pointer Dereference
		R	502	Deserialization of Untrusted Data
	N		516	DEPRECATED: Covert Timing Channel
		R	522	Insufficiently Protected Credentials
D			598	Use of GET Request Method With Sensitive Query Strings
		R	611	Improper Restriction of XML External Entity Reference
		R	682	Incorrect Calculation
		R	703	Improper Check or Handling of Exceptional Conditions
		R	732	Incorrect Permission Assignment for Critical Resource
		R	754	Improper Check for Unusual or Exceptional Conditions
		R	787	Out-of-bounds Write
		R	798	Use of Hard-coded Credentials
		R	834	Excessive Iteration
		R	862	Missing Authorization
		R	918	Server-Side Request Forgery (SSRF)
		R	1205	Security Primitives and Cryptography Issues
		R	1243	Sensitive Non-Volatile Information Not Protected During Debug
		R	1263	Improper Physical Access Control
	N		1281	Sequence of Processor Instructions Leads to Unexpected Behavior
		R	1295	Debug Messages Revealing Unnecessary Information
D			1329	Reliance on Component That is Not Updateable

Detailed Difference Report

20	Improper Input Validation
	Major	Related_Attack_Patterns, Relationships
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Relationships
	Minor	None
41	Improper Resolution of Path Equivalence
	Major	None
	Minor	Observed_Examples
42	Path Equivalence: 'filename.' (Trailing Dot)
	Major	None
	Minor	Observed_Examples
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Description, Observed_Examples, Relationships
	Minor	None
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
	Major	Observed_Examples, Relationships
	Minor	None
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	Major	Relationships
	Minor	None
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Relationships
	Minor	None
94	Improper Control of Generation of Code ('Code Injection')
	Major	Relationships
	Minor	None
103	Struts: Incomplete validate() Method Definition
	Major	Background_Details, Description
	Minor	None
104	Struts: Form Bean Does Not Extend Validation Class
	Major	Background_Details
	Minor	None
105	Struts: Form Field Without Validator
	Major	Potential_Mitigations
	Minor	None
106	Struts: Plug-in Framework not in Use
	Major	Potential_Mitigations
	Minor	None
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	Demonstrative_Examples, Observed_Examples, Potential_Mitigations, Relationships
	Minor	None
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	Potential_Mitigations
	Minor	None
121	Stack-based Buffer Overflow
	Major	Demonstrative_Examples
	Minor	None
122	Heap-based Buffer Overflow
	Major	Observed_Examples
	Minor	None
125	Out-of-bounds Read
	Major	Observed_Examples, Relationships
	Minor	None
132	DEPRECATED: Miscalculated Null Termination
	Major	Name
	Minor	None
171	DEPRECATED: Cleansing, Canonicalization, and Comparison Errors
	Major	References
	Minor	None
189	Numeric Errors
	Major	Relationships
	Minor	None
190	Integer Overflow or Wraparound
	Major	Relationships
	Minor	None
200	Exposure of Sensitive Information to an Unauthorized Actor
	Major	Relationships
	Minor	None
203	Observable Discrepancy
	Major	Demonstrative_Examples
	Minor	None
209	Generation of Error Message Containing Sensitive Information
	Major	Relationships
	Minor	None
218	DEPRECATED: Failure to provide confidentiality for stored data
	Major	Name
	Minor	None
225	DEPRECATED: General Information Management Problems
	Major	Name
	Minor	None
247	DEPRECATED: Reliance on DNS Lookups in a Security Decision
	Major	Name, References
	Minor	None
252	Unchecked Return Value
	Major	Observed_Examples
	Minor	None
256	Plaintext Storage of a Password
	Major	Description, Name, Relationships
	Minor	None
276	Incorrect Default Permissions
	Major	Relationships
	Minor	None
284	Improper Access Control
	Major	Observed_Examples
	Minor	None
285	Improper Authorization
	Major	Related_Attack_Patterns
	Minor	None
287	Improper Authentication
	Major	Relationships
	Minor	None
288	Authentication Bypass Using an Alternate Path or Channel
	Major	Related_Attack_Patterns
	Minor	None
290	Authentication Bypass by Spoofing
	Major	Related_Attack_Patterns
	Minor	None
292	DEPRECATED: Trusting Self-reported DNS Name
	Major	Name
	Minor	None
295	Improper Certificate Validation
	Major	Demonstrative_Examples, Observed_Examples
	Minor	None
296	Improper Following of a Certificate's Chain of Trust
	Major	Demonstrative_Examples
	Minor	None
300	Channel Accessible by Non-Endpoint
	Major	Alternate_Terms, Observed_Examples
	Minor	None
306	Missing Authentication for Critical Function
	Major	Observed_Examples, Relationships
	Minor	None
318	Cleartext Storage of Sensitive Information in Executable
	Major	Observed_Examples
	Minor	None
329	Generation of Predictable IV with CBC Mode
	Major	Description, Maintenance_Notes, Name, References
	Minor	None
330	Use of Insufficiently Random Values
	Major	Demonstrative_Examples, Maintenance_Notes, Observed_Examples
	Minor	None
331	Insufficient Entropy
	Major	Maintenance_Notes, Observed_Examples
	Minor	None
332	Insufficient Entropy in PRNG
	Major	Maintenance_Notes
	Minor	None
333	Improper Handling of Insufficient Entropy in TRNG
	Major	Maintenance_Notes
	Minor	None
334	Small Space of Random Values
	Major	Maintenance_Notes
	Minor	None
335	Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
	Major	Description, Maintenance_Notes, Observed_Examples
	Minor	Common_Consequences
336	Same Seed in Pseudo-Random Number Generator (PRNG)
	Major	Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, References
	Minor	None
337	Predictable Seed in Pseudo-Random Number Generator (PRNG)
	Major	Maintenance_Notes, Observed_Examples, Potential_Mitigations, References
	Minor	None
338	Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
	Major	Maintenance_Notes
	Minor	None
339	Small Seed Space in PRNG
	Major	Demonstrative_Examples, Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References
	Minor	None
340	Generation of Predictable Numbers or Identifiers
	Major	Maintenance_Notes
	Minor	None
341	Predictable from Observable State
	Major	Maintenance_Notes
	Minor	None
342	Predictable Exact Value from Previous Values
	Major	Maintenance_Notes
	Minor	None
343	Predictable Value Range from Previous Values
	Major	Maintenance_Notes
	Minor	None
345	Insufficient Verification of Data Authenticity
	Major	Related_Attack_Patterns
	Minor	None
352	Cross-Site Request Forgery (CSRF)
	Major	Relationships
	Minor	None
353	Missing Support for Integrity Check
	Major	Related_Attack_Patterns
	Minor	None
391	Unchecked Error Condition
	Major	Relationships
	Minor	None
393	Return of Wrong Status Code
	Major	Observed_Examples
	Minor	None
404	Improper Resource Shutdown or Release
	Major	Related_Attack_Patterns
	Minor	None
407	Inefficient Algorithmic Complexity
	Major	References
	Minor	None
416	Use After Free
	Major	Relationships
	Minor	None
423	DEPRECATED: Proxied Trusted Channel
	Major	Name
	Minor	None
425	Direct Request ('Forced Browsing')
	Major	Related_Attack_Patterns
	Minor	None
434	Unrestricted Upload of File with Dangerous Type
	Major	Relationships
	Minor	None
443	DEPRECATED: HTTP response splitting
	Major	Name
	Minor	None
457	Use of Uninitialized Variable
	Major	Observed_Examples
	Minor	None
476	NULL Pointer Dereference
	Major	Relationships
	Minor	None
489	Active Debug Code
	Major	Alternate_Terms
	Minor	None
494	Download of Code Without Integrity Check
	Major	Demonstrative_Examples
	Minor	None
502	Deserialization of Untrusted Data
	Major	Relationships
	Minor	None
516	DEPRECATED: Covert Timing Channel
	Major	Name
	Minor	None
522	Insufficiently Protected Credentials
	Major	Relationships
	Minor	None
560	Use of umask() with chmod-style Argument
	Major	Other_Notes
	Minor	None
561	Dead Code
	Major	Observed_Examples
	Minor	None
598	Use of GET Request Method With Sensitive Query Strings
	Major	Description
	Minor	None
611	Improper Restriction of XML External Entity Reference
	Major	Relationships
	Minor	None
682	Incorrect Calculation
	Major	Relationships
	Minor	None
693	Protection Mechanism Failure
	Major	Related_Attack_Patterns
	Minor	None
703	Improper Check or Handling of Exceptional Conditions
	Major	Relationships
	Minor	None
705	Incorrect Control Flow Scoping
	Major	Observed_Examples
	Minor	None
732	Incorrect Permission Assignment for Critical Resource
	Major	Observed_Examples, Relationships
	Minor	None
754	Improper Check for Unusual or Exceptional Conditions
	Major	Relationships
	Minor	None
757	Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
	Major	Observed_Examples
	Minor	None
760	Use of a One-Way Hash with a Predictable Salt
	Major	Maintenance_Notes
	Minor	None
770	Allocation of Resources Without Limits or Throttling
	Major	Observed_Examples
	Minor	None
787	Out-of-bounds Write
	Major	Demonstrative_Examples, Potential_Mitigations, Relationships
	Minor	None
788	Access of Memory Location After End of Buffer
	Major	Demonstrative_Examples
	Minor	None
798	Use of Hard-coded Credentials
	Major	Relationships
	Minor	None
805	Buffer Access with Incorrect Length Value
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
806	Buffer Access Using Size of Source Buffer
	Major	Potential_Mitigations
	Minor	None
833	Deadlock
	Major	Observed_Examples
	Minor	None
834	Excessive Iteration
	Major	Observed_Examples, Relationships
	Minor	None
835	Loop with Unreachable Exit Condition ('Infinite Loop')
	Major	Observed_Examples
	Minor	None
862	Missing Authorization
	Major	Observed_Examples, Related_Attack_Patterns, Relationships
	Minor	None
863	Incorrect Authorization
	Major	Observed_Examples
	Minor	None
917	Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
	Major	References
	Minor	None
918	Server-Side Request Forgery (SSRF)
	Major	References, Related_Attack_Patterns, Relationships
	Minor	None
940	Improper Verification of Source of a Communication Channel
	Major	Potential_Mitigations
	Minor	None
1022	Use of Web Link to Untrusted Target with window.opener Access
	Major	Potential_Mitigations
	Minor	None
1188	Insecure Default Initialization of Resource
	Major	Related_Attack_Patterns
	Minor	None
1189	Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
	Major	Demonstrative_Examples
	Minor	None
1204	Generation of Weak Initialization Vector (IV)
	Major	Maintenance_Notes, Observed_Examples, References
	Minor	None
1205	Security Primitives and Cryptography Issues
	Major	Relationships
	Minor	None
1220	Insufficient Granularity of Access Control
	Major	Demonstrative_Examples
	Minor	None
1221	Incorrect Register Defaults or Module Parameters
	Major	Related_Attack_Patterns
	Minor	None
1240	Use of a Risky Cryptographic Primitive
	Major	Maintenance_Notes, Research_Gaps
	Minor	None
1241	Use of Predictable Algorithm in Random Number Generator
	Major	Maintenance_Notes
	Minor	None
1243	Sensitive Non-Volatile Information Not Protected During Debug
	Major	Relationships
	Minor	None
1246	Improper Write Handling in Limited-write Non-Volatile Memories
	Major	Related_Attack_Patterns
	Minor	None
1253	Incorrect Selection of Fuse Values
	Major	Related_Attack_Patterns
	Minor	None
1254	Incorrect Comparison Logic Granularity
	Major	Related_Attack_Patterns
	Minor	None
1255	Comparison Logic is Vulnerable to Power Side-Channel Attacks
	Major	Demonstrative_Examples, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns
	Minor	None
1256	Hardware Features Enable Physical Attacks from Software
	Major	Demonstrative_Examples, Observed_Examples
	Minor	None
1263	Improper Physical Access Control
	Major	Relationships
	Minor	None
1264	Hardware Logic with Insecure De-Synchronization between Control and Data Channels
	Major	Related_Attack_Patterns
	Minor	None
1267	Policy Uses Obsolete Encoding
	Major	Related_Attack_Patterns
	Minor	None
1270	Generation of Incorrect Security Tokens
	Major	Related_Attack_Patterns
	Minor	None
1277	Firmware Not Updateable
	Major	Demonstrative_Examples, Maintenance_Notes
	Minor	None
1281	Sequence of Processor Instructions Leads to Unexpected Behavior
	Major	Name, Observed_Examples
	Minor	None
1282	Assumed-Immutable Data is Stored in Writable Memory
	Major	Related_Attack_Patterns
	Minor	None
1290	Incorrect Decoding of Security Identifiers
	Major	Related_Attack_Patterns
	Minor	None
1292	Incorrect Conversion of Security Identifiers
	Major	Related_Attack_Patterns
	Minor	None
1294	Insecure Security Identifier Mechanism
	Major	Related_Attack_Patterns
	Minor	None
1295	Debug Messages Revealing Unnecessary Information
	Major	Observed_Examples, Related_Attack_Patterns, Relationships
	Minor	None
1296	Incorrect Chaining or Granularity of Debug Components
	Major	Related_Attack_Patterns
	Minor	None
1297	Unprotected Confidential Information on Device is Accessible by OSAT Vendors
	Major	Related_Attack_Patterns
	Minor	None
1298	Hardware Logic Contains Race Conditions
	Major	Related_Attack_Patterns
	Minor	None
1299	Missing Protection Mechanism for Alternate Hardware Interface
	Major	Observed_Examples, Related_Attack_Patterns
	Minor	None
1300	Improper Protection Against Physical Side Channels
	Major	Related_Attack_Patterns
	Minor	None
1301	Insufficient or Incomplete Data Removal within Hardware Component
	Major	Related_Attack_Patterns
	Minor	None
1302	Missing Security Identifier
	Major	Related_Attack_Patterns
	Minor	None
1304	Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
	Major	Related_Attack_Patterns
	Minor	None
1310	Missing Ability to Patch ROM Code
	Major	Demonstrative_Examples, Maintenance_Notes
	Minor	None
1325	Improperly Controlled Sequential Memory Allocation
	Major	Observed_Examples
	Minor	None
1328	Security Version Number Mutable to Older Versions
	Major	Related_Attack_Patterns
	Minor	None
1329	Reliance on Component That is Not Updateable
	Major	Demonstrative_Examples, Description, References
	Minor	None
1333	Inefficient Regular Expression Complexity
	Major	References
	Minor	None

Page Last Updated: July 20, 2021


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration