CWE - Differences between Version 1.11 and Version 1.12

Home > CWE List > Reports > Differences between Version 1.11 and Version 1.12

Differences between Version 1.11 and Version 1.12

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 1.12)	844
Total (Version 1.11)	835
Total new	9
Total deprecated	0
Total shared	835
Total important changes	113
Total major changes	236
Total minor changes	7
Total minor changes (no major)	6
Total unchanged	593

Summary of Entry Types

Type	Version 1.11	Version 1.12
Category	119	120
Chain	3	3
Composite	6	6
Deprecated	12	12
View	24	24
Weakness	671	679

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	38	2
Description	37	3
Applicable_Platforms	4	0
Time_of_Introduction	0	0
Demonstrative_Examples	42	0
Detection_Factors	1	0
Likelihood_of_Exploit	0	0
Common_Consequences	8	2
Relationships	58	0
References	1	0
Potential_Mitigations	80	0
Observed_Examples	12	0
Terminology_Notes	0	0
Alternate_Terms	4	0
Related_Attack_Patterns	0	0
Relationship_Notes	3	0
Taxonomy_Mappings	0	0
Maintenance_Notes	6	0
Modes_of_Introduction	0	0
Affected_Resources	0	0
Functional_Areas	0	0
Research_Gaps	0	0
Background_Details	3	0
Theoretical_Notes	0	0
Weakness_Ordinalities	2	0
White_Box_Definitions	0	0
Enabling_Factors_for_Exploitation	0	0
Other_Notes	13	0
Relevant_Properties	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Common_Methods_of_Exploitation	0	0
Type	0	0
Causal_Nature	0	0
Source_Taxonomy	0	0
Context_Notes	0	0
Black_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		835

Status Changes

From	To	Total
Unchanged		835

Relationship Changes

The "Version 1.12 Total" lists the total number of relationships in Version 1.12. The "Shared" value is the total number of relationships in entries that were in both Version 1.12 and Version 1.11. The "New" value is the total number of relationships involving entries that did not exist in Version 1.11. Thus, the total number of relationships in Version 1.12 would combine stats from Shared entries and New entries.

Relationship	Version 1.12 Total	Version 1.11 Total	Version 1.12 Shared	Unchanged	Added to Version 1.12	Removed from Version 1.11	Version 1.12 New
ALL	5063	4974	4983	4923	60	51	80
ChildOf	2177	2136	2143	2113	30	23	34
ParentOf	2177	2136	2143	2113	30	23	34
MemberOf	119	119	119	119
HasMember	119	119	119	119
CanPrecede	112	107	107	107			5
CanFollow	112	107	107	107			5
StartsWith	3	3	3	3
Requires	19	19	19	19
RequiredBy	19	19	19	19
CanAlsoBe	34	35	34	34		1
PeerOf	172	174	170	170		4	2

Nodes Removed from Version 1.11

CWE-ID	CWE Name
None.

Nodes Added to Version 1.12

CWE-ID	CWE Name
834	Excessive Iteration
835	Loop with Unreachable Exit Condition ('Infinite Loop')
836	Use of Password Hash Instead of Password for Authentication
837	Improper Enforcement of a Single, Unique Action
838	Inappropriate Encoding for Output Context
839	Numeric Range Comparison Without Minimum Check
840	Business Logic Errors
841	Improper Enforcement of Behavioral Workflow
842	Placement of User into Incorrect Group

Nodes Deprecated in Version 1.12

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

D			67	Improper Handling of Windows Device Names
D			78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
D			80	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
D			93	Improper Neutralization of CRLF Sequences ('CRLF Injection')
	N		94	Improper Control of Generation of Code ('Code Injection')
		R	116	Improper Encoding or Escaping of Output
D			117	Improper Output Neutralization for Logs
		R	119	Improper Restriction of Operations within the Bounds of a Memory Buffer
D			120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
		R	124	Buffer Underwrite ('Buffer Underflow')
D			159	Failure to Sanitize Special Element
		R	187	Partial Comparison
		R	189	Numeric Errors
		R	195	Signed to Unsigned Conversion Error
D		R	200	Information Exposure
	N		202	Exposure of Sensitive Data Through Data Queries
	N		206	Information Exposure of Internal State Through Behavioral Inconsistency
	N		208	Information Exposure Through Timing Discrepancy
		R	209	Information Exposure Through an Error Message
	N	R	210	Information Exposure Through Generated Error Message
	N		211	Information Exposure Through External Error Message
	N		213	Intentional Information Exposure
	N		214	Information Exposure Through Process Environment
D	N		227	Improper Fulfillment of API Contract ('API Abuse')
D		R	248	Uncaught Exception
		R	250	Execution with Unnecessary Privileges
		R	261	Weak Cryptography for Passwords
		R	262	Not Using Password Aging
D		R	263	Password Aging with Long Expiration
		R	264	Permissions, Privileges, and Access Controls
		R	265	Privilege / Sandbox Issues
D		R	269	Improper Privilege Management
		R	271	Privilege Dropping / Lowering Errors
		R	282	Improper Ownership Management
		R	283	Unverified Ownership
D	N	R	284	Improper Access Control
D	N	R	285	Improper Authorization
		R	286	Incorrect User Management
		R	287	Improper Authentication
		R	288	Authentication Bypass Using an Alternate Path or Channel
D			327	Use of a Broken or Risky Cryptographic Algorithm
D			352	Cross-Site Request Forgery (CSRF)
		R	361	Time and State
D			385	Covert Timing Channel
		R	395	Use of NullPointerException Catch to Detect NULL Pointer Dereference
	N		403	Exposure of File Descriptor to Unintended Control Sphere
		R	408	Incorrect Behavior Order: Early Amplification
D			416	Use After Free
D		R	425	Direct Request ('Forced Browsing')
		R	438	Behavioral Problems
		R	442	Web Problems
	N		488	Exposure of Data Element to Wrong Session
	N		498	Cloneable Class Containing Sensitive Information
		R	521	Weak Password Requirements
		R	522	Insufficiently Protected Credentials
	N		524	Information Exposure Through Caching
	N		525	Information Exposure Through Browser Caching
	N		526	Information Exposure Through Environmental Variables
	N		531	Information Exposure Through Test Code
	N		532	Information Exposure Through Log Files
	N		533	Information Exposure Through Server Log Files
	N		534	Information Exposure Through Debug Log Files
	N		535	Information Exposure Through Shell Error Message
	N		536	Information Exposure Through Servlet Runtime Error Message
	N		537	Information Exposure Through Java Runtime Error Message
	N		539	Information Exposure Through Persistent Cookies
D	N		540	Information Exposure Through Source Code
	N		541	Information Exposure Through Include Source Code
D	N		542	Information Exposure Through Cleanup Log Files
	N		548	Information Exposure Through Directory Listing
D			549	Missing Password Field Masking
	N	R	550	Information Exposure Through Server Error Message
D			554	ASP.NET Misconfiguration: Not Using Input Validation Framework
D			555	J2EE Misconfiguration: Plaintext Password in Configuration File
	N		566	Authorization Bypass Through User-Controlled SQL Primary Key
D	N		573	Improper Following of Specification by Caller
D			581	Object Model Violation: Just One of Equals and Hashcode Defined
		R	596	Incorrect Semantic Object Comparison
D			597	Use of Wrong Operator in String Comparison
	N		598	Information Exposure Through Query Strings in GET Request
		R	600	Uncaught Exception in Servlet
		R	602	Client-Side Enforcement of Server-Side Security
		R	606	Unchecked Input for Loop Condition
	N		611	Information Exposure Through XML External Entity Reference
	N		612	Information Exposure Through Indexing of Private Data
	N		615	Information Exposure Through Comments
D			627	Dynamic Variable Evaluation
D	N	R	639	Authorization Bypass Through User-Controlled Key
		R	640	Weak Password Recovery Mechanism for Forgotten Password
D			644	Improper Neutralization of HTTP Headers for Scripting Syntax
D			646	Reliance on File Name or Extension of Externally-Supplied File
		R	647	Use of Non-Canonical URL Paths for Authorization Decisions
D			648	Incorrect Use of Privileged APIs
		R	664	Improper Control of a Resource Through its Lifetime
		R	666	Operation on Resource in Wrong Phase of Lifetime
		R	668	Exposure of Resource to Wrong Sphere
		R	674	Uncontrolled Recursion
		R	682	Incorrect Calculation
D	N		684	Incorrect Provision of Specified Functionality
		R	691	Insufficient Control Flow Management
		R	693	Protection Mechanism Failure
		R	696	Incorrect Behavior Order
D			697	Insufficient Comparison
		R	703	Improper Check or Handling of Exceptional Conditions
		R	705	Incorrect Control Flow Scoping
		R	706	Use of Incorrectly-Resolved Name or Reference
D		R	732	Incorrect Permission Assignment for Critical Resource
D		R	754	Improper Check for Unusual or Exceptional Conditions
		R	755	Improper Handling of Exceptional Conditions
		R	770	Allocation of Resources Without Limits or Throttling
		R	799	Improper Control of Interaction Frequency
D			822	Untrusted Pointer Dereference
		R	827	Improper Control of Document Type Definition

Detailed Difference Report

5	J2EE Misconfiguration: Data Transmission Without Encryption
	Major	Other_Notes
	Minor	None
20	Improper Input Validation
	Major	Observed_Examples
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Potential_Mitigations
	Minor	None
23	Relative Path Traversal
	Major	Potential_Mitigations
	Minor	None
24	Path Traversal: '../filedir'
	Major	Potential_Mitigations
	Minor	None
25	Path Traversal: '/../filedir'
	Major	Potential_Mitigations
	Minor	None
26	Path Traversal: '/dir/../filename'
	Major	Potential_Mitigations
	Minor	None
27	Path Traversal: 'dir/../../filename'
	Major	Potential_Mitigations
	Minor	None
28	Path Traversal: '..\filedir'
	Major	Potential_Mitigations
	Minor	None
29	Path Traversal: '\..\filename'
	Major	Potential_Mitigations
	Minor	None
30	Path Traversal: '\dir\..\filename'
	Major	Potential_Mitigations
	Minor	None
31	Path Traversal: 'dir\..\..\filename'
	Major	Potential_Mitigations
	Minor	None
32	Path Traversal: '...' (Triple Dot)
	Major	Maintenance_Notes, Potential_Mitigations
	Minor	None
33	Path Traversal: '....' (Multiple Dot)
	Major	Potential_Mitigations
	Minor	None
34	Path Traversal: '....//'
	Major	Potential_Mitigations
	Minor	None
35	Path Traversal: '.../...//'
	Major	Potential_Mitigations
	Minor	None
37	Path Traversal: '/absolute/pathname/here'
	Major	Potential_Mitigations
	Minor	None
38	Path Traversal: '\absolute\pathname\here'
	Major	Potential_Mitigations
	Minor	None
39	Path Traversal: 'C:dirname'
	Major	Potential_Mitigations
	Minor	None
40	Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
	Major	Potential_Mitigations
	Minor	None
41	Improper Resolution of Path Equivalence
	Major	Other_Notes, Potential_Mitigations, Relationship_Notes
	Minor	None
67	Improper Handling of Windows Device Names
	Major	Description
	Minor	None
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Demonstrative_Examples
	Minor	None
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
	Major	Demonstrative_Examples, Description
	Minor	None
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	Major	Demonstrative_Examples, References
	Minor	None
80	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
	Major	Description, Potential_Mitigations
	Minor	None
81	Improper Neutralization of Script in an Error Message Web Page
	Major	Potential_Mitigations
	Minor	None
83	Improper Neutralization of Script in Attributes in a Web Page
	Major	Potential_Mitigations
	Minor	None
84	Improper Neutralization of Encoded URI Schemes in a Web Page
	Major	Potential_Mitigations
	Minor	None
85	Doubled Character XSS Manipulations
	Major	Potential_Mitigations
	Minor	None
87	Improper Neutralization of Alternate XSS Syntax
	Major	Potential_Mitigations
	Minor	None
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Demonstrative_Examples
	Minor	None
93	Improper Neutralization of CRLF Sequences ('CRLF Injection')
	Major	Description
	Minor	None
94	Improper Control of Generation of Code ('Code Injection')
	Major	Name
	Minor	None
102	Struts: Duplicate Validation Forms
	Major	Background_Details, Common_Consequences
	Minor	None
106	Struts: Plug-in Framework not in Use
	Major	Other_Notes
	Minor	None
108	Struts: Unvalidated Action Form
	Major	Other_Notes
	Minor	None
109	Struts: Validator Turned Off
	Major	Demonstrative_Examples
	Minor	None
111	Direct Use of Unsafe JNI
	Major	Demonstrative_Examples
	Minor	None
113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
	Major	Potential_Mitigations
	Minor	None
116	Improper Encoding or Escaping of Output
	Major	Relationship_Notes, Relationships
	Minor	None
117	Improper Output Neutralization for Logs
	Major	Description, Potential_Mitigations
	Minor	None
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	Relationships
	Minor	None
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	Demonstrative_Examples, Description
	Minor	None
124	Buffer Underwrite ('Buffer Underflow')
	Major	Demonstrative_Examples, Relationships
	Minor	None
126	Buffer Over-read
	Major	Demonstrative_Examples
	Minor	None
129	Improper Validation of Array Index
	Major	Common_Consequences, Demonstrative_Examples, Weakness_Ordinalities
	Minor	None
130	Improper Handling of Length Parameter Inconsistency
	Major	Demonstrative_Examples
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	Maintenance_Notes
	Minor	None
138	Improper Neutralization of Special Elements
	Major	Potential_Mitigations
	Minor	None
140	Improper Neutralization of Delimiters
	Major	Potential_Mitigations
	Minor	None
141	Improper Neutralization of Parameter/Argument Delimiters
	Major	Potential_Mitigations
	Minor	None
142	Improper Neutralization of Value Delimiters
	Major	Potential_Mitigations
	Minor	None
143	Improper Neutralization of Record Delimiters
	Major	Potential_Mitigations
	Minor	None
144	Improper Neutralization of Line Delimiters
	Major	Potential_Mitigations
	Minor	None
145	Improper Neutralization of Section Delimiters
	Major	Potential_Mitigations
	Minor	None
146	Improper Neutralization of Expression/Command Delimiters
	Major	Potential_Mitigations
	Minor	None
147	Improper Neutralization of Input Terminators
	Major	Potential_Mitigations
	Minor	None
148	Improper Neutralization of Input Leaders
	Major	Potential_Mitigations
	Minor	None
149	Improper Neutralization of Quoting Syntax
	Major	Potential_Mitigations
	Minor	None
150	Improper Neutralization of Escape, Meta, or Control Sequences
	Major	Potential_Mitigations
	Minor	None
151	Improper Neutralization of Comment Delimiters
	Major	Potential_Mitigations
	Minor	None
152	Improper Neutralization of Macro Symbols
	Major	Observed_Examples, Potential_Mitigations
	Minor	None
153	Improper Neutralization of Substitution Characters
	Major	Observed_Examples, Potential_Mitigations
	Minor	None
154	Improper Neutralization of Variable Name Delimiters
	Major	Observed_Examples, Potential_Mitigations
	Minor	None
155	Improper Neutralization of Wildcards or Matching Symbols
	Major	Potential_Mitigations
	Minor	None
156	Improper Neutralization of Whitespace
	Major	Potential_Mitigations
	Minor	None
157	Failure to Sanitize Paired Delimiters
	Major	Potential_Mitigations
	Minor	None
158	Improper Neutralization of Null Byte or NUL Character
	Major	Potential_Mitigations
	Minor	None
159	Failure to Sanitize Special Element
	Major	Description, Potential_Mitigations
	Minor	None
160	Improper Neutralization of Leading Special Elements
	Major	Potential_Mitigations
	Minor	None
161	Improper Neutralization of Multiple Leading Special Elements
	Major	Potential_Mitigations
	Minor	None
162	Improper Neutralization of Trailing Special Elements
	Major	Potential_Mitigations
	Minor	None
163	Improper Neutralization of Multiple Trailing Special Elements
	Major	Potential_Mitigations
	Minor	None
164	Improper Neutralization of Internal Special Elements
	Major	Potential_Mitigations
	Minor	None
165	Improper Neutralization of Multiple Internal Special Elements
	Major	Potential_Mitigations
	Minor	None
166	Improper Handling of Missing Special Element
	Major	Potential_Mitigations
	Minor	None
167	Improper Handling of Additional Special Element
	Major	Potential_Mitigations
	Minor	None
168	Improper Handling of Inconsistent Special Elements
	Major	Potential_Mitigations
	Minor	None
169	Technology-Specific Special Elements
	Major	Other_Notes
	Minor	None
170	Improper Null Termination
	Major	Common_Consequences
	Minor	None
172	Encoding Error
	Major	Potential_Mitigations
	Minor	None
173	Improper Handling of Alternate Encoding
	Major	Potential_Mitigations
	Minor	None
174	Double Decoding of the Same Data
	Major	Potential_Mitigations
	Minor	None
175	Improper Handling of Mixed Encoding
	Major	Potential_Mitigations
	Minor	None
176	Improper Handling of Unicode Encoding
	Major	Potential_Mitigations
	Minor	None
177	Improper Handling of URL Encoding (Hex Encoding)
	Major	Potential_Mitigations
	Minor	None
178	Improper Handling of Case Sensitivity
	Major	Potential_Mitigations
	Minor	None
179	Incorrect Behavior Order: Early Validation
	Major	Potential_Mitigations
	Minor	None
180	Incorrect Behavior Order: Validate Before Canonicalize
	Major	Potential_Mitigations
	Minor	None
181	Incorrect Behavior Order: Validate Before Filter
	Major	Demonstrative_Examples
	Minor	None
182	Collapse of Data into Unsafe Value
	Major	Potential_Mitigations
	Minor	None
183	Permissive Whitelist
	Major	Potential_Mitigations
	Minor	None
185	Incorrect Regular Expression
	Major	Observed_Examples
	Minor	None
187	Partial Comparison
	Major	Relationships
	Minor	None
188	Reliance on Data/Memory Layout
	Major	Common_Consequences
	Minor	None
189	Numeric Errors
	Major	Relationships
	Minor	None
195	Signed to Unsigned Conversion Error
	Major	Relationships
	Minor	None
200	Information Exposure
	Major	Description, Relationships
	Minor	None
202	Exposure of Sensitive Data Through Data Queries
	Major	Name
	Minor	None
206	Information Exposure of Internal State Through Behavioral Inconsistency
	Major	Name
	Minor	None
208	Information Exposure Through Timing Discrepancy
	Major	Name
	Minor	None
209	Information Exposure Through an Error Message
	Major	Demonstrative_Examples, Observed_Examples, Relationships
	Minor	None
210	Information Exposure Through Generated Error Message
	Major	Name, Relationships
	Minor	None
211	Information Exposure Through External Error Message
	Major	Name
	Minor	None
213	Intentional Information Exposure
	Major	Name
	Minor	None
214	Information Exposure Through Process Environment
	Major	Name
	Minor	None
223	Omission of Security-relevant Information
	Major	Demonstrative_Examples
	Minor	None
224	Obscured Security-relevant Information by Alternate Name
	Major	Demonstrative_Examples
	Minor	None
227	Improper Fulfillment of API Contract ('API Abuse')
	Major	Description, Name
	Minor	None
241	Improper Handling of Unexpected Data Type
	Major	Potential_Mitigations
	Minor	None
248	Uncaught Exception
	Major	Description, Relationships
	Minor	None
250	Execution with Unnecessary Privileges
	Major	Relationships
	Minor	None
261	Weak Cryptography for Passwords
	Major	Relationships
	Minor	None
262	Not Using Password Aging
	Major	Relationships
	Minor	None
263	Password Aging with Long Expiration
	Major	Description, Other_Notes, Relationships
	Minor	None
264	Permissions, Privileges, and Access Controls
	Major	Relationships
	Minor	None
265	Privilege / Sandbox Issues
	Major	Relationships
	Minor	None
269	Improper Privilege Management
	Major	Description, Relationships
	Minor	None
271	Privilege Dropping / Lowering Errors
	Major	Relationships
	Minor	None
282	Improper Ownership Management
	Major	Relationships
	Minor	None
283	Unverified Ownership
	Major	Relationships
	Minor	None
284	Improper Access Control
	Major	Alternate_Terms, Background_Details, Description, Maintenance_Notes, Name, Relationships
	Minor	None
285	Improper Authorization
	Major	Background_Details, Demonstrative_Examples, Description, Name, Relationships
	Minor	None
286	Incorrect User Management
	Major	Applicable_Platforms, Maintenance_Notes, Relationships
	Minor	None
287	Improper Authentication
	Major	Relationships
	Minor	None
288	Authentication Bypass Using an Alternate Path or Channel
	Major	Relationships
	Minor	None
289	Authentication Bypass by Alternate Name
	Major	Potential_Mitigations
	Minor	None
307	Improper Restriction of Excessive Authentication Attempts
	Major	Demonstrative_Examples
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	Demonstrative_Examples
	Minor	None
319	Cleartext Transmission of Sensitive Information
	Major	Potential_Mitigations
	Minor	None
320	Key Management Errors
	Major	Observed_Examples
	Minor	None
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	Demonstrative_Examples, Description
	Minor	None
330	Use of Insufficiently Random Values
	Major	Demonstrative_Examples
	Minor	None
352	Cross-Site Request Forgery (CSRF)
	Major	Description
	Minor	None
359	Privacy Violation
	Major	Other_Notes
	Minor	None
361	Time and State
	Major	Relationships
	Minor	None
363	Race Condition Enabling Link Following
	Major	Demonstrative_Examples
	Minor	None
385	Covert Timing Channel
	Major	Description
	Minor	None
395	Use of NullPointerException Catch to Detect NULL Pointer Dereference
	Major	Other_Notes, Relationships
	Minor	None
401	Improper Release of Memory Before Removing Last Reference ('Memory Leak')
	Major	Alternate_Terms
	Minor	None
402	Transmission of Private Resources into a New Sphere ('Resource Leak')
	Major	Alternate_Terms
	Minor	None
403	Exposure of File Descriptor to Unintended Control Sphere
	Major	Name
	Minor	None
404	Improper Resource Shutdown or Release
	Major	Weakness_Ordinalities
	Minor	None
406	Insufficient Control of Network Message Volume (Network Amplification)
	Major	Demonstrative_Examples
	Minor	None
408	Incorrect Behavior Order: Early Amplification
	Major	Demonstrative_Examples, Observed_Examples, Relationships
	Minor	None
412	Unrestricted Externally Accessible Lock
	Major	Demonstrative_Examples
	Minor	None
416	Use After Free
	Major	Description
	Minor	None
425	Direct Request ('Forced Browsing')
	Major	Applicable_Platforms, Description, Relationships
	Minor	None
426	Untrusted Search Path
	Major	Demonstrative_Examples
	Minor	None
427	Uncontrolled Search Path Element
	Major	Potential_Mitigations
	Minor	None
428	Unquoted Search Path or Element
	Major	Potential_Mitigations
	Minor	None
431	Missing Handler
	Major	Demonstrative_Examples
	Minor	None
438	Behavioral Problems
	Major	Relationships
	Minor	None
442	Web Problems
	Major	Relationships
	Minor	None
446	UI Discrepancy for Security Feature
	Major	Other_Notes, Relationship_Notes
	Minor	None
450	Multiple Interpretations of UI Input
	Major	Potential_Mitigations
	Minor	None
454	External Initialization of Trusted Variables or Data Stores
	Major	Demonstrative_Examples
	Minor	None
456	Missing Initialization
	Major	Demonstrative_Examples
	Minor	None
470	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
	Major	Demonstrative_Examples
	Minor	None
472	External Control of Assumed-Immutable Web Parameter
	Major	Potential_Mitigations
	Minor	None
477	Use of Obsolete Functions
	Major	Demonstrative_Examples
	Minor	None
478	Missing Default Case in Switch Statement
	Major	Demonstrative_Examples
	Minor	None
488	Exposure of Data Element to Wrong Session
	Major	Name
	Minor	None
494	Download of Code Without Integrity Check
	Major	Demonstrative_Examples
	Minor	None
498	Cloneable Class Containing Sensitive Information
	Major	Name
	Minor	None
521	Weak Password Requirements
	Major	Potential_Mitigations, Relationships
	Minor	None
522	Insufficiently Protected Credentials
	Major	Relationships
	Minor	None
524	Information Exposure Through Caching
	Major	Name
	Minor	None
525	Information Exposure Through Browser Caching
	Major	Name
	Minor	None
526	Information Exposure Through Environmental Variables
	Major	Name
	Minor	None
531	Information Exposure Through Test Code
	Major	Name
	Minor	None
532	Information Exposure Through Log Files
	Major	Name
	Minor	None
533	Information Exposure Through Server Log Files
	Major	Name
	Minor	None
534	Information Exposure Through Debug Log Files
	Major	Name
	Minor	None
535	Information Exposure Through Shell Error Message
	Major	Name
	Minor	None
536	Information Exposure Through Servlet Runtime Error Message
	Major	Name
	Minor	None
537	Information Exposure Through Java Runtime Error Message
	Major	Demonstrative_Examples, Name
	Minor	None
539	Information Exposure Through Persistent Cookies
	Major	Name
	Minor	None
540	Information Exposure Through Source Code
	Major	Description, Name
	Minor	None
541	Information Exposure Through Include Source Code
	Major	Name
	Minor	None
542	Information Exposure Through Cleanup Log Files
	Major	Description, Name
	Minor	None
543	Use of Singleton Pattern Without Synchronization in a Multithreaded Context
	Major	Demonstrative_Examples
	Minor	None
548	Information Exposure Through Directory Listing
	Major	Name
	Minor	None
549	Missing Password Field Masking
	Major	Description
	Minor	None
550	Information Exposure Through Server Error Message
	Major	Name, Relationships
	Minor	None
554	ASP.NET Misconfiguration: Not Using Input Validation Framework
	Major	Common_Consequences, Description, Potential_Mitigations
	Minor	None
555	J2EE Misconfiguration: Plaintext Password in Configuration File
	Major	Description
	Minor	None
566	Authorization Bypass Through User-Controlled SQL Primary Key
	Major	Applicable_Platforms, Demonstrative_Examples, Name
	Minor	None
568	finalize() Method Without super.finalize()
	Major	None
	Minor	Description
573	Improper Following of Specification by Caller
	Major	Description, Name
	Minor	None
580	clone() Method Without super.clone()
	Major	Demonstrative_Examples
	Minor	None
581	Object Model Violation: Just One of Equals and Hashcode Defined
	Major	Description
	Minor	None
596	Incorrect Semantic Object Comparison
	Major	Relationships
	Minor	None
597	Use of Wrong Operator in String Comparison
	Major	Demonstrative_Examples, Description, Potential_Mitigations
	Minor	None
598	Information Exposure Through Query Strings in GET Request
	Major	Name
	Minor	None
600	Uncaught Exception in Servlet
	Major	Relationships
	Minor	None
602	Client-Side Enforcement of Server-Side Security
	Major	Relationships
	Minor	None
606	Unchecked Input for Loop Condition
	Major	Demonstrative_Examples, Relationships
	Minor	None
607	Public Static Final Field References Mutable Object
	Major	None
	Minor	Description
611	Information Exposure Through XML External Entity Reference
	Major	Name
	Minor	None
612	Information Exposure Through Indexing of Private Data
	Major	Name
	Minor	None
615	Information Exposure Through Comments
	Major	Name
	Minor	None
616	Incomplete Identification of Uploaded File Variables (PHP)
	Major	Other_Notes
	Minor	None
626	Null Byte Interaction Error (Poison Null Byte)
	Major	Other_Notes
	Minor	None
627	Dynamic Variable Evaluation
	Major	Description
	Minor	None
639	Authorization Bypass Through User-Controlled Key
	Major	Alternate_Terms, Applicable_Platforms, Description, Name, Potential_Mitigations, Relationships
	Minor	None
640	Weak Password Recovery Mechanism for Forgotten Password
	Major	Relationships
	Minor	None
644	Improper Neutralization of HTTP Headers for Scripting Syntax
	Major	Description
	Minor	None
646	Reliance on File Name or Extension of Externally-Supplied File
	Major	Common_Consequences, Description
	Minor	None
647	Use of Non-Canonical URL Paths for Authorization Decisions
	Major	Relationships
	Minor	None
648	Incorrect Use of Privileged APIs
	Major	Description, Potential_Mitigations
	Minor	None
650	Trusting HTTP Permission Methods on the Server Side
	Major	Common_Consequences
	Minor	None
651	Information Exposure Through WSDL File
	Major	None
	Minor	Name
656	Reliance on Security Through Obscurity
	Major	None
	Minor	Name
664	Improper Control of a Resource Through its Lifetime
	Major	Relationships
	Minor	None
666	Operation on Resource in Wrong Phase of Lifetime
	Major	Relationships
	Minor	None
668	Exposure of Resource to Wrong Sphere
	Major	Relationships
	Minor	None
674	Uncontrolled Recursion
	Major	Relationships
	Minor	None
681	Incorrect Conversion between Numeric Types
	Major	Demonstrative_Examples
	Minor	None
682	Incorrect Calculation
	Major	Relationships
	Minor	None
684	Incorrect Provision of Specified Functionality
	Major	Description, Name
	Minor	None
691	Insufficient Control Flow Management
	Major	Maintenance_Notes, Other_Notes, Relationships
	Minor	None
693	Protection Mechanism Failure
	Major	Maintenance_Notes, Other_Notes, Relationships
	Minor	None
696	Incorrect Behavior Order
	Major	Relationships
	Minor	None
697	Insufficient Comparison
	Major	Description
	Minor	None
703	Improper Check or Handling of Exceptional Conditions
	Major	Relationships
	Minor	None
705	Incorrect Control Flow Scoping
	Major	Relationships
	Minor	None
706	Use of Incorrectly-Resolved Name or Reference
	Major	Relationships
	Minor	None
732	Incorrect Permission Assignment for Critical Resource
	Major	Demonstrative_Examples, Description, Relationships
	Minor	None
754	Improper Check for Unusual or Exceptional Conditions
	Major	Description, Relationships
	Minor	None
755	Improper Handling of Exceptional Conditions
	Major	Relationships
	Minor	None
759	Use of a One-Way Hash without a Salt
	Major	Observed_Examples
	Minor	None
760	Use of a One-Way Hash with a Predictable Salt
	Major	Observed_Examples
	Minor	None
770	Allocation of Resources Without Limits or Throttling
	Major	Demonstrative_Examples, Detection_Factors, Relationships
	Minor	None
789	Uncontrolled Memory Allocation
	Major	Common_Consequences, Observed_Examples
	Minor	None
795	Only Filtering Special Elements at a Specified Location
	Major	None
	Minor	Description
799	Improper Control of Interaction Frequency
	Major	Observed_Examples, Relationships
	Minor	None
806	Buffer Access Using Size of Source Buffer
	Major	Demonstrative_Examples
	Minor	None
822	Untrusted Pointer Dereference
	Major	Description
	Minor	Common_Consequences
823	Use of Out-of-range Pointer Offset
	Major	None
	Minor	Common_Consequences
827	Improper Control of Document Type Definition
	Major	Relationships
	Minor	None

Page Last Updated: January 05, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration