CVE → CWE Mapping Guidance - Examples
The following captures some simple and complex CVEs and their appropriate CWE mapping(s) based on the information provided in CVE and/or references.
Description Information: Software is “vulnerable to an XML External Entity Processing (XXE) attack.”
Alternate Terms: XXE is an acronym used for the term “XML eXternal Entities”
Reasoning: Description says "vulnerable to an XML External Entity Processing (XXE) attack." There is additional information that focuses around technical impact, for instance, "attackers can do [X]", which is rarely useful for weaknesses, so that can be ignored. When you perform text search on CWE for "XML External Entity Processing (XXE) attack" and "XXE", it returns CWE-611. When you click the entry, you see that the entry lists XXE as an "Alternate Terms". Therefore, CWE-611 is the right mapping for this CVE.
CWE Mapping: CWE-611
Description Information: Improper access control allows - (it should be noted that “Improper” implies “missing or incorrect”)
Alternate Terms: Authorization
Reasoning: Description says "improper access control." When you search CWE, you find CWE-284 being a match, but it is a very high-level abstraction type of a Pillar. In order to find a narrower mapping, you can look at the references. In this case, Excellium reference says "does not perform the authorization checks" and "lack of authorization." This highlights that the CVE description is general, but the reference provided includes more detailed information. Now that you know the issue deals with "authorization", you can look at CWE-285 and its children. CWE-285 is Improper Authorization, which from the CWE glossary means "Incorrect" or "Missing" - and this CVE is about "lack of authorization" i.e. missing authorization. Therefore, if you click on CWE-285, and look at its children under the Research view - CWE-862: Missing Authorization is found. Now that we're at CWE-862, none of its lower-level children align more closely with the issue as described in the Excellium reference, so we can stop here.
Looking at the advisory, it also says "This lack of [authorization] can be easily exploited because an incremental numeric identifier... It’s easy to enumerate all potential existing identifiers." So, this sounds similar to Insecure Direct Object Reference (IDOR). Keyword search yields CWE-639 - Authorization Bypass Through User-Controlled Key" where in this CVE, the key is used to identify files. But why is it easy to "enumerate" these keys? Because of an "incremental numeric identifier" - that is, we can predict identifiers. A keyword search for "predictable" gets us to CWE-340.
Result - we have a combination of missing authorization and the use of predictable identifiers, so this CVE can be mapped to both CWE-340 and CWE-862.
Notice how our potential CWE mappings changed each step of the way, as we brought in more details from other references, and that we already had to know what "IDOR" was - and to infer that "incremental IDs" implied predictability.
Description Information: Stack-Based Buffer Over-Read
Alternate Terms: Buffer over-read
Reasoning: Description says "stack-based buffer over-read". This means: you can search for the entire string on the CWE site, and see what is returned, or focus you search on "stack-based" and "buffer over-read", and analyze the results. Notice that the "over-read" is the critical piece here. Search for "stack-based", returns CWE-121, which is called "Stack-based Buffer Overflow". Overflow implies a write, so that is inappropriate. Search for "buffer over read" returns, CWE-126: Buffer Over-read, which is perfect for our case. However, this CVE was mapped to CWE-125, which isn't precise, but it is close enough since it is a parent of CWE-126. This means, if you were using View-1003, you would have selected CWE-125 since CWE-126 isn't there. Remember though that View-1003 is meant to evolve overtime as needs change, while still being user friendly and easily digestable. Therefore, it cannot contain all CWEs.
CWE Mapping: CWE-126