CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

2021 CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Differences between Version 4.6 and Version 4.7  
ID

Differences between Version 4.6 and Version 4.7

Summary
Summary
Total weaknesses/chains/composites (Version 4.7) 926
Total weaknesses/chains/composites (Version 4.6) 924
Total new 29
Total deprecated 1
Total with major changes 142
Total with only minor changes 2
Total unchanged 1212

Summary of Entry Types

Type Version 4.6 Version 4.7
Weakness 924 926
Category 326 351
View 46 47
Deprecated 61 62
Total 1357 1386

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 2 0
Description 6 0
Relationships 54 0
Applicable_Platforms 31 0
Modes_of_Introduction 1 0
Detection_Factors 2 0
Potential_Mitigations 8 0
Demonstrative_Examples 9 0
Observed_Examples 8 0
Related_Attack_Patterns 37 0
Weakness_Ordinalities 1 0
Time_of_Introduction 3 0
Likelihood_of_Exploit 1 0
References 8 1
Common_Consequences 5 0
Terminology_Notes 0 0
Alternate_Terms 1 0
Relationship_Notes 0 0
Taxonomy_Mappings 2 0
Maintenance_Notes 1 0
Research_Gaps 27 2
Background_Details 0 0
Theoretical_Notes 0 0
Other_Notes 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Type 1 0
Source_Taxonomy 0 0

Form and Abstraction Changes

From To Total CWE IDs
Unchanged 1356
Weakness/Base Deprecated 1 365

Status Changes

From To Total
Unchanged 1356
Draft Deprecated 1

Relationship Changes

The "Version 4.7 Total" lists the total number of relationships in Version 4.7. The "Shared" value is the total number of relationships in entries that were in both Version 4.7 and Version 4.6. The "New" value is the total number of relationships involving entries that did not exist in Version 4.6. Thus, the total number of relationships in Version 4.7 would combine stats from Shared entries and New entries.

Relationship Version 4.7 Total Version 4.6 Total Version 4.7 Shared Unchanged Added to Version 4.7 Removed from Version 4.6 Version 4.7 New
ALL 10232 10110 10092 10080 12 30 140
ChildOf 4250 4191 4185 4179 6 12 65
ParentOf 4250 4191 4185 4179 6 12 65
MemberOf 616 611 611 611 5
HasMember 616 611 611 611 5
CanPrecede 135 135 135 135
CanFollow 135 135 135 135
StartsWith 3 3 3 3
Requires 13 13 13 13
RequiredBy 13 13 13 13
CanAlsoBe 27 27 27 27
PeerOf 174 180 174 174 6

Nodes Removed from Version 4.6

CWE-ID CWE Name
None.

Nodes Added to Version 4.7

CWE-ID CWE Name
1357 Reliance on Uncontrolled Component
1358 Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS
1359 ICS Communications
1360 ICS Dependencies (& Architecture)
1361 ICS Supply Chain
1362 ICS Engineering (Constructions/Deployment)
1363 ICS Operations (& Maintenance)
1364 ICS Communications: Zone Boundary Failures
1365 ICS Communications: Unreliability
1366 ICS Communications: Frail Security in Protocols
1367 ICS Dependencies (& Architecture): External Physical Systems
1368 ICS Dependencies (& Architecture): External Digital Systems
1369 ICS Supply Chain: IT/OT Convergence/Expansion
1370 ICS Supply Chain: Common Mode Frailties
1371 ICS Supply Chain: Poorly Documented or Undocumented Features
1372 ICS Supply Chain: OT Counterfeit and Malicious Corruption
1373 ICS Engineering (Construction/Deployment): Trust Model Problems
1374 ICS Engineering (Construction/Deployment): Maker Breaker Blindness
1375 ICS Engineering (Construction/Deployment): Gaps in Details/Data
1376 ICS Engineering (Construction/Deployment): Security Gaps in Commissioning
1377 ICS Engineering (Construction/Deployment): Inherent Predictability in Design
1378 ICS Operations (& Maintenance): Gaps in obligations and training
1379 ICS Operations (& Maintenance): Human factors in ICS environments
1380 ICS Operations (& Maintenance): Post-analysis changes
1381 ICS Operations (& Maintenance): Exploitable Standard Operational Procedures
1382 ICS Operations (& Maintenance): Emerging Energy Technologies
1383 ICS Operations (& Maintenance): Compliance/Conformance with Regulatory Requirements
1384 Improper Handling of Extreme Physical Environment Conditions
1385 Missing Origin Validation in WebSockets

Nodes Deprecated in Version 4.7

CWE-ID CWE Name
365 DEPRECATED: Race Condition in Switch
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 20 Improper Input Validation
R 107 Struts: Unused Validation Form
R 110 Struts: Validator Without Form Field
R 269 Improper Privilege Management
R 276 Incorrect Default Permissions
R 285 Improper Authorization
R 295 Improper Certificate Validation
R 296 Improper Following of a Certificate's Chain of Trust
R 327 Use of a Broken or Risky Cryptographic Algorithm
R 329 Generation of Predictable IV with CBC Mode
R 346 Origin Validation Error
R 349 Acceptance of Extraneous Untrusted Data With Trusted Data
R 358 Improperly Implemented Security Check for Standard
R 362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
R 364 Signal Handler Race Condition
DNR 365 DEPRECATED: Race Condition in Switch
R 366 Race Condition within a Thread
R 367 Time-of-check Time-of-use (TOCTOU) Race Condition
R 406 Insufficient Control of Network Message Volume (Network Amplification)
R 451 User Interface (UI) Misrepresentation of Critical Information
R 506 Embedded Malicious Code
R 557 Concurrency Issues
R 601 URL Redirection to Untrusted Site ('Open Redirect')
R 610 Externally Controlled Reference to a Resource in Another Sphere
R 636 Not Failing Securely ('Failing Open')
R 655 Insufficient Psychological Acceptability
R 668 Exposure of Resource to Wrong Sphere
R 669 Incorrect Resource Transfer Between Spheres
R 684 Incorrect Provision of Specified Functionality
R 703 Improper Check or Handling of Exceptional Conditions
R 710 Improper Adherence to Coding Standards
R 754 Improper Check for Unusual or Exceptional Conditions
R 755 Improper Handling of Exceptional Conditions
D 788 Access of Memory Location After End of Buffer
R 807 Reliance on Untrusted Inputs in a Security Decision
R 912 Hidden Functionality
R 986 SFP Secondary Cluster: Missing Lock
DNR 1059 Insufficient Technical Documentation
R 1104 Use of Unmaintained Third Party Components
R 1164 Irrelevant Code
R 1195 Manufacturing and Life Cycle Management Concerns
R 1198 Privilege Separation and Access Control Issues
R 1208 Cross-Cutting Problems
D 1225 Documentation Issues
R 1231 Improper Prevention of Lock Bit Modification
R 1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
R 1242 Inclusion of Undocumented Features or Chicken Bits
R 1247 Improper Protection Against Voltage and Clock Glitches
R 1261 Improper Handling of Single Event Upsets
R 1277 Firmware Not Updateable
R 1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
R 1310 Missing Ability to Patch ROM Code
D R 1329 Reliance on Component That is Not Updateable
R 1332 Improper Handling of Faults that Lead to Instruction Skips
R 1338 Improper Protections Against Hardware Overheating
D 1341 Multiple Releases of Same Resource or Handle
R 1351 Improper Handling of Hardware Behavior in Exceptionally Cold Environments
Detailed Difference Report
Detailed Difference Report
20 Improper Input Validation
Major Relationships
Minor None
58 Path Equivalence: Windows 8.3 Filename
Major None
Minor Research_Gaps
59 Improper Link Resolution Before File Access ('Link Following')
Major Research_Gaps
Minor None
61 UNIX Symbolic Link (Symlink) Following
Major Research_Gaps
Minor None
62 UNIX Hard Link
Major Research_Gaps
Minor None
65 Windows Hard Link
Major Research_Gaps
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Demonstrative_Examples, Related_Attack_Patterns
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Demonstrative_Examples
Minor None
88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Major Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Research_Gaps
Minor None
93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Major Research_Gaps
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Research_Gaps
Minor None
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Research_Gaps
Minor None
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Major Research_Gaps
Minor None
107 Struts: Unused Validation Form
Major Relationships
Minor None
110 Struts: Validator Without Form Field
Major Relationships
Minor None
124 Buffer Underwrite ('Buffer Underflow')
Major Research_Gaps
Minor None
125 Out-of-bounds Read
Major Research_Gaps
Minor None
138 Improper Neutralization of Special Elements
Major Related_Attack_Patterns
Minor None
191 Integer Underflow (Wrap or Wraparound)
Major Research_Gaps
Minor None
193 Off-by-one Error
Major Research_Gaps
Minor None
250 Execution with Unnecessary Privileges
Major Observed_Examples
Minor None
268 Privilege Chaining
Major Research_Gaps
Minor None
269 Improper Privilege Management
Major Relationships
Minor None
270 Privilege Context Switching Error
Major Related_Attack_Patterns
Minor None
276 Incorrect Default Permissions
Major Relationships
Minor None
285 Improper Authorization
Major Relationships
Minor None
295 Improper Certificate Validation
Major Relationships
Minor None
296 Improper Following of a Certificate's Chain of Trust
Major Relationships
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Relationships
Minor None
329 Generation of Predictable IV with CBC Mode
Major Relationships
Minor None
346 Origin Validation Error
Major Relationships
Minor None
349 Acceptance of Extraneous Untrusted Data With Trusted Data
Major Relationships
Minor None
358 Improperly Implemented Security Check for Standard
Major Relationships
Minor None
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Observed_Examples, Relationships
Minor None
364 Signal Handler Race Condition
Major Relationships, Research_Gaps
Minor None
365 DEPRECATED: Race Condition in Switch
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
366 Race Condition within a Thread
Major Relationships
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
Minor None
400 Uncontrolled Resource Consumption
Major Related_Attack_Patterns
Minor None
406 Insufficient Control of Network Message Volume (Network Amplification)
Major Relationships
Minor None
415 Double Free
Major Demonstrative_Examples, Observed_Examples
Minor None
426 Untrusted Search Path
Major Research_Gaps
Minor None
427 Uncontrolled Search Path Element
Major Demonstrative_Examples
Minor None
428 Unquoted Search Path or Element
Major Research_Gaps
Minor None
429 Handler Errors
Major Research_Gaps
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Research_Gaps
Minor None
436 Interpretation Conflict
Major Related_Attack_Patterns
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Major Related_Attack_Patterns
Minor None
451 User Interface (UI) Misrepresentation of Critical Information
Major Relationships
Minor None
476 NULL Pointer Dereference
Major Alternate_Terms
Minor None
506 Embedded Malicious Code
Major Relationships
Minor None
557 Concurrency Issues
Major Relationships
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Relationships
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Research_Gaps
Minor None
610 Externally Controlled Reference to a Resource in Another Sphere
Major Relationships
Minor None
612 Improper Authorization of Index Containing Sensitive Information
Major None
Minor Research_Gaps
621 Variable Extraction Error
Major Research_Gaps
Minor None
623 Unsafe ActiveX Control Marked Safe For Scripting
Major Research_Gaps
Minor None
636 Not Failing Securely ('Failing Open')
Major Relationships
Minor None
655 Insufficient Psychological Acceptability
Major Relationships
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
669 Incorrect Resource Transfer Between Spheres
Major Relationships
Minor None
684 Incorrect Provision of Specified Functionality
Major Relationships
Minor None
697 Incorrect Comparison
Major Related_Attack_Patterns
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Relationships
Minor None
707 Improper Neutralization
Major Related_Attack_Patterns
Minor None
710 Improper Adherence to Coding Standards
Major Relationships
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Relationships
Minor None
755 Improper Handling of Exceptional Conditions
Major Relationships
Minor None
776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Major Related_Attack_Patterns
Minor None
788 Access of Memory Location After End of Buffer
Major Description
Minor None
807 Reliance on Untrusted Inputs in a Security Decision
Major Relationships
Minor None
822 Untrusted Pointer Dereference
Major Research_Gaps
Minor None
823 Use of Out-of-range Pointer Offset
Major Research_Gaps
Minor None
824 Access of Uninitialized Pointer
Major Research_Gaps
Minor None
825 Expired Pointer Dereference
Major Research_Gaps
Minor None
828 Signal Handler with Functionality that is not Asynchronous-Safe
Major Observed_Examples
Minor None
841 Improper Enforcement of Behavioral Workflow
Major Demonstrative_Examples
Minor None
843 Access of Resource Using Incompatible Type ('Type Confusion')
Major Research_Gaps
Minor None
912 Hidden Functionality
Major Relationships
Minor None
943 Improper Neutralization of Special Elements in Data Query Logic
Major Related_Attack_Patterns
Minor None
986 SFP Secondary Cluster: Missing Lock
Major Relationships
Minor None
1059 Insufficient Technical Documentation
Major Applicable_Platforms, Common_Consequences, Description, Name, Potential_Mitigations, References, Relationships, Time_of_Introduction
Minor None
1104 Use of Unmaintained Third Party Components
Major References, Relationships
Minor None
1164 Irrelevant Code
Major Relationships
Minor None
1191 On-Chip Debug and Test Interface With Improper Access Control
Major Related_Attack_Patterns
Minor None
1195 Manufacturing and Life Cycle Management Concerns
Major Relationships
Minor None
1198 Privilege Separation and Access Control Issues
Major Relationships
Minor None
1208 Cross-Cutting Problems
Major Relationships
Minor None
1222 Insufficient Granularity of Address Regions Protected by Register Locks
Major Related_Attack_Patterns
Minor None
1224 Improper Restriction of Write-Once Bit Fields
Major Related_Attack_Patterns
Minor None
1225 Documentation Issues
Major Description
Minor None
1231 Improper Prevention of Lock Bit Modification
Major Related_Attack_Patterns, Relationships
Minor None
1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
Major Related_Attack_Patterns, Relationships
Minor None
1234 Hardware Internal or Debug Modes Allow Override of Locks
Major Related_Attack_Patterns
Minor None
1242 Inclusion of Undocumented Features or Chicken Bits
Major Relationships
Minor None
1244 Internal Asset Exposed to Unsafe Debug Access Level or State
Major Related_Attack_Patterns
Minor None
1246 Improper Write Handling in Limited-write Non-Volatile Memories
Major Applicable_Platforms
Minor None
1247 Improper Protection Against Voltage and Clock Glitches
Major Applicable_Platforms, Relationships
Minor None
1250 Improper Preservation of Consistency Between Independent Representations of Shared State
Major Applicable_Platforms
Minor None
1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
Major Applicable_Platforms, Related_Attack_Patterns
Minor None
1256 Improper Restriction of Software Interfaces to Hardware Features
Major Applicable_Platforms
Minor None
1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions
Major Applicable_Platforms, Related_Attack_Patterns
Minor None
1259 Improper Restriction of Security Token Assignment
Major Applicable_Platforms, Related_Attack_Patterns
Minor None
1260 Improper Handling of Overlap Between Protected Memory Ranges
Major Applicable_Platforms, Related_Attack_Patterns
Minor None
1261 Improper Handling of Single Event Upsets
Major Relationships
Minor None
1262 Improper Access Control for Register Interface
Major Related_Attack_Patterns
Minor None
1267 Policy Uses Obsolete Encoding
Major Related_Attack_Patterns
Minor None
1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents
Major Related_Attack_Patterns
Minor None
1270 Generation of Incorrect Security Tokens
Major Related_Attack_Patterns
Minor None
1274 Improper Access Control for Volatile Memory Containing Boot Code
Major Related_Attack_Patterns
Minor None
1277 Firmware Not Updateable
Major Detection_Factors, Observed_Examples, Potential_Mitigations, Relationships
Minor None
1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
Major Relationships
Minor None
1279 Cryptographic Operations are run Before Supporting Units are Ready
Major Applicable_Platforms
Minor None
1282 Assumed-Immutable Data is Stored in Writable Memory
Major Related_Attack_Patterns
Minor None
1283 Mutable Attestation or Measurement Reporting Data
Major Related_Attack_Patterns
Minor None
1286 Improper Validation of Syntactic Correctness of Input
Major Related_Attack_Patterns
Minor None
1290 Incorrect Decoding of Security Identifiers
Major Applicable_Platforms
Minor None
1292 Incorrect Conversion of Security Identifiers
Major Applicable_Platforms
Minor None
1294 Insecure Security Identifier Mechanism
Major Applicable_Platforms, Related_Attack_Patterns
Minor None
1296 Incorrect Chaining or Granularity of Debug Components
Major Applicable_Platforms, Related_Attack_Patterns
Minor None
1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors
Major Applicable_Platforms
Minor None
1299 Missing Protection Mechanism for Alternate Hardware Interface
Major Applicable_Platforms, Common_Consequences, Related_Attack_Patterns
Minor None
1302 Missing Security Identifier
Major Related_Attack_Patterns
Minor None
1310 Missing Ability to Patch ROM Code
Major Applicable_Platforms, Common_Consequences, Potential_Mitigations, Relationships
Minor None
1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
Major Related_Attack_Patterns
Minor None
1313 Hardware Allows Activation of Test or Debug Logic at Runtime
Major Related_Attack_Patterns
Minor None
1314 Missing Write Protection for Parametric Data Values
Major Applicable_Platforms
Minor None
1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
Major Applicable_Platforms, Related_Attack_Patterns
Minor None
1317 Missing Security Checks in Fabric Bridge
Major Applicable_Platforms
Minor None
1318 Missing Support for Security Features in On-chip Fabrics or Buses
Major Applicable_Platforms
Minor None
1319 Improper Protection against Electromagnetic Fault Injection (EM-FI)
Major Applicable_Platforms
Minor None
1320 Improper Protection for Out of Bounds Signal Level Alerts
Major Applicable_Platforms
Minor None
1324 Sensitive Information Accessible by Physical Probing of JTAG Interface
Major Applicable_Platforms
Minor None
1326 Missing Immutable Root of Trust in Hardware
Major Applicable_Platforms, Related_Attack_Patterns
Minor None
1328 Security Version Number Mutable to Older Versions
Major Applicable_Platforms
Minor None
1329 Reliance on Component That is Not Updateable
Major Common_Consequences, Description, Detection_Factors, Maintenance_Notes, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, References, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor None
1330 Remanent Data Readable after Memory Erase
Major Applicable_Platforms
Minor None
1331 Improper Isolation of Shared Resources in Network On Chip (NoC)
Major Applicable_Platforms, References
Minor None
1332 Improper Handling of Faults that Lead to Instruction Skips
Major Potential_Mitigations, References, Relationships
Minor None
1333 Inefficient Regular Expression Complexity
Major Observed_Examples, Potential_Mitigations
Minor None
1338 Improper Protections Against Hardware Overheating
Major Applicable_Platforms, Relationships
Minor None
1341 Multiple Releases of Same Resource or Handle
Major Demonstrative_Examples, Description, Potential_Mitigations
Minor None
1351 Improper Handling of Hardware Behavior in Exceptionally Cold Environments
Major Relationships
Minor References
More information is available — Please select a different filter.
Page Last Updated: April 28, 2022