CWE - Differences between Version 1.2 and Version 1.3

Home > CWE List > Reports > Differences between Version 1.2 and Version 1.3

Differences between Version 1.2 and Version 1.3

Differences between Version 1.2 and Version 1.3

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 1.3)	762
Total (Version 1.2)	755
Total new	7
Total deprecated	0
Total shared	755
Total important changes	117
Total major changes	183
Total minor changes	8
Total minor changes (no major)	6
Total unchanged	566

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Affected_Resources	0	0
Alternate_Terms	1	0
Applicable_Platforms	1	0
Background_Details	0	0
Black_Box_Definitions	0	0
Causal_Nature	0	0
Common_Consequences	1	1
Common_Methods_of_Exploitation	0	0
Context_Notes	0	0
Demonstrative_Examples	15	5
Description	37	0
Detection_Factors	0	0
Enabling_Factors_for_Exploitation	0	0
Functional_Areas	0	0
Likelihood_of_Exploit	0	0
Maintenance_Notes	3	0
Modes_of_Introduction	0	0
Name	33	1
Observed_Examples	1	0
Other_Notes	6	1
Potential_Mitigations	35	0
References	1	0
Related_Attack_Patterns	19	0
Relationship_Notes	0	0
Relationships	89	0
Relevant_Properties	0	0
Research_Gaps	0	0
Source_Taxonomy	0	0
Taxonomy_Mappings	0	0
Terminology_Notes	0	0
Theoretical_Notes	2	0
Time_of_Introduction	0	0
Type	0	0
View_Audience	0	0
View_Filter	2	0
View_Structure	0	0
View_Type	0	0
Weakness_Ordinalities	0	0
White_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		755

Relationship Changes

The "Version 1.3 Total" lists the total number of relationships in Version 1.3. The "Shared" value is the total number of relationships in entries that were in both Version 1.3 and Version 1.2. The "New" value is the total number of relationships involving entries that did not exist in Version 1.2. Thus, the total number of relationships in Version 1.3 would combine stats from Shared entries and New entries.

Relationship	Version 1.3 Total	Version 1.2 Total	Version 1.3 Shared	Unchanged	Added to Version 1.3	Removed from Version 1.3	Version 1.3 New
ALL	4529	4371	4461	4343	118	28	68
CanAlsoBe	38	38	38	38
CanFollow	78	78	77	77		1	1
CanPrecede	78	78	77	77		1	1
ChildOf	1931	1852	1898	1839	59	13	33
HasMember	114	114	114	114
MemberOf	114	114	114	114
ParentOf	1931	1852	1898	1839	59	13	33
PeerOf	188	188	188	188
RequiredBy	27	27	27	27
Requires	27	27	27	27
StartsWith	3	3	3	3

Nodes Removed from Version 1.2

CWE-ID	CWE Name
None.

Nodes Added to Version 1.3

CWE-ID	CWE Name
754	Improper Check for Exceptional Conditions
755	Improper Handling of Exceptional Conditions
756	Missing Custom Error Page
757	Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
758	Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
759	Use of a One-Way Hash without a Salt
760	Use of a One-Way Hash with a Predictable Salt

Nodes Deprecated in Version 1.3

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

	N	R	7	J2EE Misconfiguration: Missing Custom Error Page
		R	9	J2EE Misconfiguration: Weak Access Permissions for EJB Methods
	N	R	12	ASP.NET Misconfiguration: Missing Custom Error Page
D			20	Improper Input Validation
		R	41	Failure to Resolve Path Equivalence
D	N		66	Improper Handling of File Names that Identify Virtual Resources
D	N		67	Improper Handling of Windows Device Names
		R	73	External Control of File Name or Path
		R	98	Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion')
		R	102	Struts: Duplicate Validation Forms
		R	103	Struts: Incomplete validate() Method Definition
		R	104	Struts: Form Bean Does Not Extend Validation Class
		R	106	Struts: Plug-in Framework not in Use
		R	109	Struts: Validator Turned Off
D			116	Improper Encoding or Escaping of Output
		R	117	Incorrect Output Sanitization for Logs
D			118	Improper Access of Indexable Resource (aka 'Range Error')
D	N		130	Improper Handling of Length Parameter Inconsistency
		R	134	Uncontrolled Format String
D	N		138	Improper Sanitization of Special Elements
D	N		147	Improper Sanitization of Input Terminators
D	N		151	Improper Sanitization of Comment Delimiters
D	N		152	Improper Sanitization of Macro Symbols
D	N		153	Improper Sanitization of Substitution Characters
D	N		154	Improper Sanitization of Variable Name Delimiters
D	N		155	Improper Sanitization of Wildcards or Matching Symbols
D	N		156	Improper Sanitization of Whitespace
		R	166	Failure to Handle Missing Special Element
		R	167	Failure to Handle Additional Special Element
		R	168	Failure to Resolve Inconsistent Special Elements
D			178	Failure to Resolve Case Sensitivity
		R	179	Incorrect Behavior Order: Early Validation
		R	182	Collapse of Data Into Unsafe Value
		R	183	Permissive Whitelist
		R	188	Reliance on Data/Memory Layout
		R	209	Error Message Information Leak
		R	226	Sensitive Information Uncleared Before Release
D	N		228	Improper Handling of Syntactically Invalid Structure
D			229	Improper Handling of Values
D	N		230	Improper Handling of Missing Values
D	N		231	Improper Handling of Extra Values
D	N		232	Improper Handling of Undefined Values
D	N		235	Improper Handling of Extra Parameters
D	N		236	Improper Handling of Undefined Parameters
D	N		237	Improper Handling of Structural Elements
D	N		238	Improper Handling of Incomplete Structural Elements
D	N		240	Improper Handling of Inconsistent Structural Elements
D	N		241	Improper Handling of Unexpected Data Type
		R	248	Uncaught Exception
		R	252	Unchecked Return Value
D	N	R	253	Incorrect Check of Function Return Value
		R	266	Incorrect Privilege Assignment
		R	268	Privilege Chaining
D	N	R	273	Improper Check for Successfully Dropped Privileges
D	N		280	Improper Handling of Insufficient Permissions or Privileges
		R	283	Unverified Ownership
		R	284	Access Control (Authorization) Issues
D	N	R	296	Improper Following of Chain of Trust for Certificate Validation
D	N	R	297	Improper Validation of Host-specific Certificate Data
D	N	R	298	Improper Validation of Certificate Expiration
D	N	R	299	Improper Check for Certificate Revocation
		R	302	Authentication Bypass by Assumed-Immutable Data
		R	304	Missing Critical Step in Authentication
		R	307	Failure to Restrict Excessive Authentication Attempts
		R	326	Weak Encryption
D	N	R	354	Improper Validation of Integrity Check Value
		R	388	Error Handling
		R	390	Detection of Error Condition Without Action
		R	392	Failure to Report Error in Status Code
		R	393	Return of Wrong Status Code
		R	394	Unexpected Status Code or Return Value
		R	395	Use of NullPointerException Catch to Detect NULL Pointer Dereference
		R	396	Declaration of Catch for Generic Exception
		R	397	Declaration of Throws for Generic Exception
		R	460	Improper Cleanup on Thrown Exception
		R	526	Information Leak Through Environmental Variables
		R	527	Information Leak Through CVS Repository
		R	528	Information Leak Through Core Dump Files
		R	529	Information Leak Through Access Control List Files
		R	530	Information Leak Through Backup (.~bk) Files
		R	531	Information Leak Through Test Code
		R	532	Information Leak Through Log Files
		R	533	Information Leak Through Server Log Files
		R	534	Information Leak Through Debug Log Files
		R	539	Information Leak Through Persistent Cookies
		R	540	Information Leak Through Source Code
		R	541	Information Leak Through Include Source Code
		R	542	Information Leak Through Cleanup Log Files
D	N	R	544	Failure to Use a Standardized Error Handling Mechanism
		R	551	Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
		R	556	ASP.NET Misconfiguration: Use of Identity Impersonation
		R	587	Assignment of a Fixed Address to a Pointer
		R	588	Attempt to Access Child of a Non-structure Pointer
		R	598	Information Leak Through Query Strings in GET Request
		R	599	Trust of OpenSSL Certificate Without Validation
D	N	R	600	Failure to Catch All Exceptions in Servlet
		R	601	URL Redirection to Untrusted Site (aka 'Open Redirect')
		R	613	Insufficient Session Expiration
D			625	Permissive Regular Expression
		R	636	Not Failing Securely (aka 'Failing Open')
		R	639	Access Control Bypass Through User-Controlled Key
		R	640	Weak Password Recovery Mechanism for Forgotten Password
		R	644	Insufficient Sanitization of HTTP Headers for Scripting Syntax
		R	693	Protection Mechanism Failure
		R	703	Failure to Handle Exceptional Conditions
		R	708	Incorrect Ownership Assignment
		R	710	Coding Standards Violation
		R	722	OWASP Top Ten 2004 Category A1 - Unvalidated Input
		R	723	OWASP Top Ten 2004 Category A2 - Broken Access Control
		R	724	OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
		R	725	OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws
		R	726	OWASP Top Ten 2004 Category A5 - Buffer Overflows
		R	727	OWASP Top Ten 2004 Category A6 - Injection Flaws
		R	728	OWASP Top Ten 2004 Category A7 - Improper Error Handling
		R	729	OWASP Top Ten 2004 Category A8 - Insecure Storage
		R	731	OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
		R	733	Compiler Optimization Removal or Modification of Security-critical Code

Detailed Difference Report

7	J2EE Misconfiguration: Missing Custom Error Page
	Major	Name, Relationships
	Minor	None
9	J2EE Misconfiguration: Weak Access Permissions for EJB Methods
	Major	Relationships
	Minor	None
12	ASP.NET Misconfiguration: Missing Custom Error Page
	Major	Name, Relationships
	Minor	None
20	Improper Input Validation
	Major	Description, Potential_Mitigations
	Minor	None
41	Failure to Resolve Path Equivalence
	Major	Relationships
	Minor	None
66	Improper Handling of File Names that Identify Virtual Resources
	Major	Description, Name
	Minor	None
67	Improper Handling of Windows Device Names
	Major	Description, Name
	Minor	None
71	Apple '.DS_Store'
	Major	Related_Attack_Patterns
	Minor	None
73	External Control of File Name or Path
	Major	Potential_Mitigations, Relationships
	Minor	None
78	Failure to Preserve OS Command Structure (aka 'OS Command Injection')
	Major	Potential_Mitigations
	Minor	None
79	Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
	Major	Potential_Mitigations
	Minor	None
89	Failure to Preserve SQL Query Structure (aka 'SQL Injection')
	Major	Potential_Mitigations
	Minor	None
93	Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')
	Major	References
	Minor	None
94	Failure to Control Generation of Code (aka 'Code Injection')
	Major	Potential_Mitigations
	Minor	None
98	Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion')
	Major	Relationships
	Minor	None
102	Struts: Duplicate Validation Forms
	Major	Relationships
	Minor	None
103	Struts: Incomplete validate() Method Definition
	Major	Relationships
	Minor	None
104	Struts: Form Bean Does Not Extend Validation Class
	Major	Relationships
	Minor	None
106	Struts: Plug-in Framework not in Use
	Major	Relationships
	Minor	None
109	Struts: Validator Turned Off
	Major	Relationships
	Minor	None
113	Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')
	Major	Demonstrative_Examples
	Minor	None
116	Improper Encoding or Escaping of Output
	Major	Description, Potential_Mitigations
	Minor	Demonstrative_Examples
117	Incorrect Output Sanitization for Logs
	Major	Relationships
	Minor	None
118	Improper Access of Indexable Resource (aka 'Range Error')
	Major	Description
	Minor	None
119	Failure to Constrain Operations within the Bounds of a Memory Buffer
	Major	Potential_Mitigations
	Minor	None
130	Improper Handling of Length Parameter Inconsistency
	Major	Description, Name
	Minor	None
134	Uncontrolled Format String
	Major	Relationships
	Minor	None
138	Improper Sanitization of Special Elements
	Major	Description, Name
	Minor	None
147	Improper Sanitization of Input Terminators
	Major	Description, Name
	Minor	None
151	Improper Sanitization of Comment Delimiters
	Major	Description, Name
	Minor	None
152	Improper Sanitization of Macro Symbols
	Major	Description, Name
	Minor	None
153	Improper Sanitization of Substitution Characters
	Major	Description, Name
	Minor	None
154	Improper Sanitization of Variable Name Delimiters
	Major	Description, Name
	Minor	None
155	Improper Sanitization of Wildcards or Matching Symbols
	Major	Description, Name
	Minor	None
156	Improper Sanitization of Whitespace
	Major	Description, Name
	Minor	None
157	Failure to Sanitize Paired Delimiters
	Major	None
	Minor	Demonstrative_Examples
166	Failure to Handle Missing Special Element
	Major	Relationships
	Minor	None
167	Failure to Handle Additional Special Element
	Major	Relationships
	Minor	None
168	Failure to Resolve Inconsistent Special Elements
	Major	Relationships
	Minor	None
170	Improper Null Termination
	Major	Common_Consequences
	Minor	None
176	Failure to Handle Unicode Encoding
	Major	Demonstrative_Examples
	Minor	None
178	Failure to Resolve Case Sensitivity
	Major	Description
	Minor	None
179	Incorrect Behavior Order: Early Validation
	Major	Relationships
	Minor	None
182	Collapse of Data Into Unsafe Value
	Major	Relationships
	Minor	None
183	Permissive Whitelist
	Major	Relationships
	Minor	None
188	Reliance on Data/Memory Layout
	Major	Relationships
	Minor	None
209	Error Message Information Leak
	Major	Demonstrative_Examples, Potential_Mitigations, Relationships
	Minor	None
217	Failure to Protect Stored Data from Modification
	Major	None
	Minor	Demonstrative_Examples
226	Sensitive Information Uncleared Before Release
	Major	Relationships
	Minor	None
228	Improper Handling of Syntactically Invalid Structure
	Major	Description, Name
	Minor	None
229	Improper Handling of Values
	Major	Description
	Minor	None
230	Improper Handling of Missing Values
	Major	Description, Name
	Minor	None
231	Improper Handling of Extra Values
	Major	Description, Name
	Minor	None
232	Improper Handling of Undefined Values
	Major	Description, Name
	Minor	None
234	Failure to Handle Missing Parameter
	Major	Maintenance_Notes, Other_Notes, Potential_Mitigations
	Minor	None
235	Improper Handling of Extra Parameters
	Major	Description, Name
	Minor	None
236	Improper Handling of Undefined Parameters
	Major	Description, Name
	Minor	None
237	Improper Handling of Structural Elements
	Major	Description, Name
	Minor	None
238	Improper Handling of Incomplete Structural Elements
	Major	Description, Name
	Minor	None
240	Improper Handling of Inconsistent Structural Elements
	Major	Description, Name
	Minor	None
241	Improper Handling of Unexpected Data Type
	Major	Description, Name
	Minor	None
243	Failure to Change Working Directory in chroot Jail
	Major	Demonstrative_Examples
	Minor	None
248	Uncaught Exception
	Major	Relationships
	Minor	None
250	Execution with Unnecessary Privileges
	Major	Potential_Mitigations
	Minor	None
252	Unchecked Return Value
	Major	Relationships
	Minor	None
253	Incorrect Check of Function Return Value
	Major	Description, Name, Relationships
	Minor	None
259	Hard-Coded Password
	Major	Potential_Mitigations
	Minor	None
266	Incorrect Privilege Assignment
	Major	Relationships
	Minor	Demonstrative_Examples
268	Privilege Chaining
	Major	Relationships
	Minor	None
272	Least Privilege Violation
	Major	Demonstrative_Examples
	Minor	None
273	Improper Check for Successfully Dropped Privileges
	Major	Description, Name, Relationships
	Minor	None
274	Failure to Handle Insufficient Privileges
	Major	Maintenance_Notes, Theoretical_Notes
	Minor	None
280	Improper Handling of Insufficient Permissions or Privileges
	Major	Description, Name, Theoretical_Notes
	Minor	None
283	Unverified Ownership
	Major	Relationships
	Minor	None
284	Access Control (Authorization) Issues
	Major	Relationships
	Minor	None
285	Improper Access Control (Authorization)
	Major	Potential_Mitigations
	Minor	None
296	Improper Following of Chain of Trust for Certificate Validation
	Major	Description, Name, Relationships
	Minor	None
297	Improper Validation of Host-specific Certificate Data
	Major	Description, Name, Relationships
	Minor	None
298	Improper Validation of Certificate Expiration
	Major	Description, Name, Relationships
	Minor	None
299	Improper Check for Certificate Revocation
	Major	Description, Name, Relationships
	Minor	None
302	Authentication Bypass by Assumed-Immutable Data
	Major	Relationships
	Minor	None
304	Missing Critical Step in Authentication
	Major	Relationships
	Minor	None
307	Failure to Restrict Excessive Authentication Attempts
	Major	Relationships
	Minor	None
319	Cleartext Transmission of Sensitive Information
	Major	Potential_Mitigations
	Minor	None
326	Weak Encryption
	Major	Relationships
	Minor	None
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	Potential_Mitigations
	Minor	None
330	Use of Insufficiently Random Values
	Major	Potential_Mitigations
	Minor	None
332	Insufficient Entropy in PRNG
	Major	Potential_Mitigations
	Minor	None
334	Small Space of Random Values
	Major	Potential_Mitigations
	Minor	None
336	Same Seed in PRNG
	Major	Potential_Mitigations
	Minor	None
337	Predictable Seed in PRNG
	Major	Potential_Mitigations
	Minor	None
339	Small Seed Space in PRNG
	Major	Potential_Mitigations
	Minor	None
341	Predictable from Observable State
	Major	Potential_Mitigations
	Minor	None
342	Predictable Exact Value from Previous Values
	Major	Potential_Mitigations
	Minor	None
343	Predictable Value Range from Previous Values
	Major	Potential_Mitigations
	Minor	None
344	Use of Invariant Value in Dynamically Changing Context
	Major	Potential_Mitigations
	Minor	None
352	Cross-Site Request Forgery (CSRF)
	Major	Potential_Mitigations
	Minor	None
354	Improper Validation of Integrity Check Value
	Major	Description, Name, Relationships
	Minor	None
359	Privacy Violation
	Major	Other_Notes
	Minor	None
362	Race Condition
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
377	Insecure Temporary File
	Major	Demonstrative_Examples
	Minor	None
388	Error Handling
	Major	Relationships
	Minor	None
390	Detection of Error Condition Without Action
	Major	Relationships
	Minor	None
392	Failure to Report Error in Status Code
	Major	Relationships
	Minor	None
393	Return of Wrong Status Code
	Major	Relationships
	Minor	None
394	Unexpected Status Code or Return Value
	Major	Relationships
	Minor	None
395	Use of NullPointerException Catch to Detect NULL Pointer Dereference
	Major	Relationships
	Minor	None
396	Declaration of Catch for Generic Exception
	Major	Relationships
	Minor	None
397	Declaration of Throws for Generic Exception
	Major	Relationships
	Minor	None
401	Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')
	Major	Other_Notes
	Minor	None
404	Improper Resource Shutdown or Release
	Major	Potential_Mitigations
	Minor	None
410	Insufficient Resource Pool
	Major	None
	Minor	Other_Notes
415	Double Free
	Major	None
	Minor	Demonstrative_Examples
416	Use After Free
	Major	Demonstrative_Examples
	Minor	None
426	Untrusted Search Path
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
457	Use of Uninitialized Variable
	Major	Demonstrative_Examples
	Minor	None
460	Improper Cleanup on Thrown Exception
	Major	Relationships
	Minor	None
467	Use of sizeof() on a Pointer Type
	Major	Demonstrative_Examples
	Minor	None
477	Use of Obsolete Functions
	Major	Other_Notes
	Minor	None
486	Comparison of Classes by Name
	Major	Other_Notes
	Minor	None
492	Use of Inner Class Containing Sensitive Data
	Major	Demonstrative_Examples
	Minor	None
494	Download of Code Without Integrity Check
	Major	Potential_Mitigations
	Minor	None
497	Information Leak of System Data
	Major	Demonstrative_Examples
	Minor	None
526	Information Leak Through Environmental Variables
	Major	Relationships
	Minor	None
527	Information Leak Through CVS Repository
	Major	Relationships
	Minor	None
528	Information Leak Through Core Dump Files
	Major	Relationships
	Minor	None
529	Information Leak Through Access Control List Files
	Major	Relationships
	Minor	None
530	Information Leak Through Backup (.~bk) Files
	Major	Relationships
	Minor	None
531	Information Leak Through Test Code
	Major	Relationships
	Minor	None
532	Information Leak Through Log Files
	Major	Relationships
	Minor	None
533	Information Leak Through Server Log Files
	Major	Relationships
	Minor	None
534	Information Leak Through Debug Log Files
	Major	Relationships
	Minor	None
539	Information Leak Through Persistent Cookies
	Major	Relationships
	Minor	None
540	Information Leak Through Source Code
	Major	Relationships
	Minor	None
541	Information Leak Through Include Source Code
	Major	Relationships
	Minor	None
542	Information Leak Through Cleanup Log Files
	Major	Relationships
	Minor	None
544	Failure to Use a Standardized Error Handling Mechanism
	Major	Description, Name, Relationships
	Minor	None
551	Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
	Major	Relationships
	Minor	None
556	ASP.NET Misconfiguration: Use of Identity Impersonation
	Major	Relationships
	Minor	None
587	Assignment of a Fixed Address to a Pointer
	Major	Relationships
	Minor	None
588	Attempt to Access Child of a Non-structure Pointer
	Major	Relationships
	Minor	None
593	Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
	Major	None
	Minor	Common_Consequences
598	Information Leak Through Query Strings in GET Request
	Major	Relationships
	Minor	None
599	Trust of OpenSSL Certificate Without Validation
	Major	Relationships
	Minor	None
600	Failure to Catch All Exceptions in Servlet
	Major	Alternate_Terms, Description, Maintenance_Notes, Name, Other_Notes, Relationships
	Minor	None
601	URL Redirection to Untrusted Site (aka 'Open Redirect')
	Major	Relationships
	Minor	None
602	Client-Side Enforcement of Server-Side Security
	Major	Potential_Mitigations
	Minor	None
613	Insufficient Session Expiration
	Major	Relationships
	Minor	None
614	Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
	Major	None
	Minor	Name
615	Information Leak Through Comments
	Major	Demonstrative_Examples
	Minor	None
625	Permissive Regular Expression
	Major	Description
	Minor	None
636	Not Failing Securely (aka 'Failing Open')
	Major	Relationships
	Minor	None
639	Access Control Bypass Through User-Controlled Key
	Major	Relationships
	Minor	None
640	Weak Password Recovery Mechanism for Forgotten Password
	Major	Relationships
	Minor	None
642	External Control of Critical State Data
	Major	Potential_Mitigations
	Minor	None
643	Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')
	Major	Demonstrative_Examples
	Minor	None
644	Insufficient Sanitization of HTTP Headers for Scripting Syntax
	Major	Relationships
	Minor	None
662	Insufficient Synchronization
	Major	Related_Attack_Patterns
	Minor	None
663	Use of a Non-reentrant Function in an Unsynchronized Context
	Major	Related_Attack_Patterns
	Minor	None
664	Insufficient Control of a Resource Through its Lifetime
	Major	Related_Attack_Patterns
	Minor	None
665	Improper Initialization
	Major	Potential_Mitigations
	Minor	None
667	Insufficient Locking
	Major	Related_Attack_Patterns
	Minor	None
674	Uncontrolled Recursion
	Major	Related_Attack_Patterns
	Minor	None
680	Integer Overflow to Buffer Overflow
	Major	Related_Attack_Patterns
	Minor	None
682	Incorrect Calculation
	Major	Potential_Mitigations
	Minor	None
689	Permission Race Condition During Resource Copy
	Major	Related_Attack_Patterns
	Minor	None
691	Insufficient Control Flow Management
	Major	Related_Attack_Patterns
	Minor	None
692	Incomplete Blacklist to Cross-Site Scripting
	Major	Related_Attack_Patterns
	Minor	None
693	Protection Mechanism Failure
	Major	Related_Attack_Patterns, Relationships
	Minor	None
695	Use of Low-Level Functionality
	Major	Related_Attack_Patterns
	Minor	None
697	Insufficient Comparison
	Major	Related_Attack_Patterns
	Minor	None
701	Weaknesses Introduced During Design
	Major	View_Filter
	Minor	None
702	Weaknesses Introduced During Implementation
	Major	View_Filter
	Minor	None
703	Failure to Handle Exceptional Conditions
	Major	Relationships
	Minor	None
706	Use of Incorrectly-Resolved Name or Reference
	Major	Related_Attack_Patterns
	Minor	None
707	Failure to Enforce that Messages or Data are Well-Formed
	Major	Related_Attack_Patterns
	Minor	None
708	Incorrect Ownership Assignment
	Major	Relationships
	Minor	None
710	Coding Standards Violation
	Major	Relationships
	Minor	None
722	OWASP Top Ten 2004 Category A1 - Unvalidated Input
	Major	Relationships
	Minor	None
723	OWASP Top Ten 2004 Category A2 - Broken Access Control
	Major	Relationships
	Minor	None
724	OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
	Major	Related_Attack_Patterns, Relationships
	Minor	None
725	OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws
	Major	Relationships
	Minor	None
726	OWASP Top Ten 2004 Category A5 - Buffer Overflows
	Major	Relationships
	Minor	None
727	OWASP Top Ten 2004 Category A6 - Injection Flaws
	Major	Relationships
	Minor	None
728	OWASP Top Ten 2004 Category A7 - Improper Error Handling
	Major	Related_Attack_Patterns, Relationships
	Minor	None
729	OWASP Top Ten 2004 Category A8 - Insecure Storage
	Major	Relationships
	Minor	None
731	OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
	Major	Relationships
	Minor	None
732	Insecure Permission Assignment for Critical Resource
	Major	Potential_Mitigations, Related_Attack_Patterns
	Minor	None
733	Compiler Optimization Removal or Modification of Security-critical Code
	Major	Applicable_Platforms, Observed_Examples, Related_Attack_Patterns, Relationships
	Minor	None

Page Last Updated: January 05, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.