CWE - Differences between Version 1.3 and Version 1.4

Home > CWE List > Reports > Differences between Version 1.3 and Version 1.4

Differences between Version 1.3 and Version 1.4

Differences between Version 1.3 and Version 1.4

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 1.4)	777
Total (Version 1.3)	762
Total new	15
Total deprecated	1
Total shared	762
Total important changes	114
Total major changes	197
Total minor changes	1
Total minor changes (no major)	1
Total unchanged	564

Summary of Entry Types

Type	Version 1.3	Version 1.4
Category	103	104
Chain	3	3
Composite	9	9
Deprecated	8	9
View	22	22
Weakness	617	630

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Affected_Resources	0	0
Alternate_Terms	2	0
Applicable_Platforms	2	0
Background_Details	1	0
Black_Box_Definitions	0	0
Causal_Nature	0	0
Common_Consequences	3	0
Common_Methods_of_Exploitation	0	0
Context_Notes	0	0
Demonstrative_Examples	75	0
Description	57	0
Detection_Factors	0	0
Enabling_Factors_for_Exploitation	0	0
Functional_Areas	0	0
Likelihood_of_Exploit	1	0
Maintenance_Notes	1	0
Modes_of_Introduction	0	0
Name	66	0
Observed_Examples	0	0
Other_Notes	7	1
Potential_Mitigations	3	0
References	4	0
Related_Attack_Patterns	31	0
Relationship_Notes	3	0
Relationships	35	0
Relevant_Properties	0	0
Research_Gaps	0	0
Source_Taxonomy	0	0
Taxonomy_Mappings	3	0
Terminology_Notes	0	0
Theoretical_Notes	0	0
Time_of_Introduction	2	0
Type	1	0
View_Audience	0	0
View_Filter	0	0
View_Structure	0	0
View_Type	0	0
Weakness_Ordinalities	0	0
White_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		761
Weakness/Base	Deprecated	1

Relationship Changes

The "Version 1.4 Total" lists the total number of relationships in Version 1.4. The "Shared" value is the total number of relationships in entries that were in both Version 1.4 and Version 1.3. The "New" value is the total number of relationships involving entries that did not exist in Version 1.3. Thus, the total number of relationships in Version 1.4 would combine stats from Shared entries and New entries.

Relationship	Version 1.4 Total	Version 1.3 Total	Version 1.4 Shared	Unchanged	Added to Version 1.4	Removed from Version 1.4	Version 1.4 New
ALL	4591	4529	4521	4501	20	28	70
CanAlsoBe	38	38	38	38
CanFollow	79	78	79	78	1
CanPrecede	79	78	79	78	1
ChildOf	1961	1931	1926	1918	8	13	35
HasMember	115	114	115	114	1
MemberOf	115	114	115	114	1
ParentOf	1961	1931	1926	1918	8	13	35
PeerOf	186	188	186	186		2
RequiredBy	27	27	27	27
Requires	27	27	27	27
StartsWith	3	3	3	3

Nodes Removed from Version 1.3

CWE-ID	CWE Name
None.

Nodes Added to Version 1.4

CWE-ID	CWE Name
761	Free of Pointer not at Start of Buffer
762	Mismatched Memory Management Routines
763	Release of Invalid Pointer or Reference
764	Multiple Locks of a Critical Resource
765	Multiple Unlocks of a Critical Resource
766	Critical Variable Declared Public
767	Access to Critical Private Variable via Public Method
768	Incorrect Short Circuit Evaluation
769	File Descriptor Exhaustion
770	Allocation of Resources Without Limits or Throttling
771	Missing Reference to Active Allocated Resource
772	Missing Release of Resource after Effective Lifetime
773	Missing Reference to Active File Descriptor or Handle
774	Allocation of File Descriptors or Handles Without Limits or Throttling
775	Missing Release of File Descriptor or Handle after Effective Lifetime

Nodes Deprecated in Version 1.4

CWE-ID	CWE Name
217	DEPRECATED: Failure to Protect Stored Data from Modification

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

D			6	J2EE Misconfiguration: Insufficient Session-ID Length
	N		41	Improper Resolution of Path Equivalence
		R	45	Path Equivalence: 'file...name' (Multiple Internal Dot)
D	N		59	Improper Link Resolution Before File Access ('Link Following')
	N		72	Improper Handling of Apple HFS+ Alternate Data Stream Path
	N		74	Failure to Sanitize Data into a Different Plane ('Injection')
	N		77	Failure to Sanitize Data into a Control Plane ('Command Injection')
	N		78	Failure to Preserve OS Command Structure ('OS Command Injection')
	N		79	Failure to Preserve Web Page Structure ('Cross-site Scripting')
D	N		80	Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS)
D	N		81	Improper Sanitization of Script in an Error Message Web Page
D	N		82	Improper Sanitization of Script in Attributes of IMG Tags in a Web Page
	N		89	Failure to Preserve SQL Query Structure ('SQL Injection')
	N		90	Failure to Sanitize Data into LDAP Queries ('LDAP Injection')
D	N		92	Improper Sanitization of Custom Special Characters
	N		93	Failure to Sanitize CRLF Sequences ('CRLF Injection')
	N		94	Failure to Control Generation of Code ('Code Injection')
D	N		95	Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection')
D	N		96	Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')
D	N		98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
D	N		99	Improper Control of Resource Identifiers ('Resource Injection')
	N		113	Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
D	N		117	Improper Output Sanitization for Logs
	N		118	Improper Access of Indexable Resource ('Range Error')
		R	123	Write-what-where Condition
D			135	Incorrect Calculation of Multi-Byte String Length
D	N		160	Improper Sanitization of Leading Special Elements
D	N		161	Improper Sanitization of Multiple Leading Special Elements
D	N		162	Improper Sanitization of Trailing Special Elements
D	N	R	163	Improper Sanitization of Multiple Trailing Special Elements
D	N		164	Improper Sanitization of Internal Special Elements
D	N	R	165	Improper Sanitization of Multiple Internal Special Elements
D	N		166	Improper Handling of Missing Special Element
D	N		167	Improper Handling of Additional Special Element
		R	171	Cleansing, Canonicalization, and Comparison Errors
D			184	Incomplete Blacklist
D			198	Use of Incorrect Byte Ordering
		R	216	Containment Errors (Container Errors)
D	N	R	217	DEPRECATED: Failure to Protect Stored Data from Modification
		R	226	Sensitive Information Uncleared Before Release
	N	R	227	Failure to Fulfill API Contract ('API Abuse')
	N		244	Failure to Clear Heap Memory Before Release ('Heap Inspection')
		R	247	Reliance on DNS Lookups in a Security Decision
	N		269	Improper Privilege Management
	N		273	Improper Check for Dropped Privileges
D	N		274	Improper Handling of Insufficient Privileges
D	N		276	Incorrect Default Permissions
D	N		279	Incorrect Execution-Assigned Permissions
D	N		281	Improper Preservation of Permissions
D			285	Improper Access Control (Authorization)
D			287	Improper Authentication
		R	299	Improper Check for Certificate Revocation
	N		300	Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
D	N		303	Incorrect Implementation of Authentication Algorithm
D	N		333	Improper Handling of Insufficient Entropy in TRNG
D	N		347	Improper Verification of Cryptographic Signature
		R	350	Improperly Trusted Reverse DNS
D			357	Insufficient UI Warning of Dangerous Operations
D			358	Improperly Implemented Security Check for Standard
		R	362	Race Condition
	N	R	370	Missing Check for Certificate Revocation after Initial Check
D	N		379	Creation of Temporary File in Directory with Incorrect Permissions
		R	399	Resource Management Errors
	N	R	400	Uncontrolled Resource Consumption ('Resource Exhaustion')
	N		401	Failure to Release Memory Before Removing Last Reference ('Memory Leak')
	N		402	Transmission of Private Resources into a New Sphere ('Resource Leak')
D		R	404	Improper Resource Shutdown or Release
D			408	Incorrect Behavior Order: Early Amplification
D	N		409	Improper Handling of Highly Compressed Data (Data Amplification)
	N		444	Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
		R	459	Incomplete Cleanup
D			460	Improper Cleanup on Thrown Exception
	N		470	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
D	N		478	Missing Default Case in Switch Statement
		R	485	Insufficient Encapsulation
	N		491	Public cloneable() Method Without Final ('Object Hijack')
D		R	493	Critical Public Variable Without Final Modifier
		R	500	Public Static Field Not Marked Final
D			585	Empty Synchronized Block
D	N	R	590	Free of Memory not on the Heap
D			591	Sensitive Data Storage in Improperly Locked Memory
	N		595	Comparison of Object References Instead of Object Contents
	N		601	URL Redirection to Untrusted Site ('Open Redirect')
		R	604	Deprecated Entries
		R	609	Double-Checked Locking
	N		619	Dangling Database Cursor ('Cursor Injection')
		R	633	Weaknesses that Affect Memory
	N		636	Not Failing Securely ('Failing Open')
		R	639	Access Control Bypass Through User-Controlled Key
	N		643	Failure to Sanitize Data within XPath Expressions ('XPath injection')
D	N		644	Improper Sanitization of HTTP Headers for Scripting Syntax
	N		648	Incorrect Use of Privileged APIs
	N		652	Failure to Sanitize Data within XQuery Expressions ('XQuery Injection')
		R	654	Reliance on a Single Factor in a Security Decision
	N		655	Insufficient Psychological Acceptability
		R	662	Insufficient Synchronization
D	N	R	664	Improper Control of a Resource Through its Lifetime
D		R	665	Improper Initialization
		R	667	Insufficient Locking
		R	668	Exposure of Resource to Wrong Sphere
		R	675	Duplicate Operations on Resource
D			685	Function Call With Incorrect Number of Arguments
D			686	Function Call With Incorrect Argument Type
D			687	Function Call With Incorrectly Specified Argument Value
D			688	Function Call With Incorrect Variable or Reference as Argument
		R	691	Insufficient Control Flow Management
D			693	Protection Mechanism Failure
D			696	Incorrect Behavior Order
D			697	Insufficient Comparison
D			704	Incorrect Type Conversion or Cast
D	N		707	Improper Enforcement of Message or Data Structure
D			708	Incorrect Ownership Assignment
		R	715	OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
	N		732	Incorrect Permission Assignment for Critical Resource

Detailed Difference Report

6	J2EE Misconfiguration: Insufficient Session-ID Length
	Major	Description, Other_Notes, References
	Minor	None
14	Compiler Removal of Code to Clear Buffers
	Major	Demonstrative_Examples
	Minor	None
15	External Control of System or Configuration Setting
	Major	Demonstrative_Examples
	Minor	None
20	Improper Input Validation
	Major	Related_Attack_Patterns
	Minor	None
41	Improper Resolution of Path Equivalence
	Major	Name
	Minor	None
45	Path Equivalence: 'file...name' (Multiple Internal Dot)
	Major	Relationships
	Minor	None
59	Improper Link Resolution Before File Access ('Link Following')
	Major	Description, Name
	Minor	None
72	Improper Handling of Apple HFS+ Alternate Data Stream Path
	Major	Name
	Minor	None
74	Failure to Sanitize Data into a Different Plane ('Injection')
	Major	Name, Related_Attack_Patterns
	Minor	None
77	Failure to Sanitize Data into a Control Plane ('Command Injection')
	Major	Demonstrative_Examples, Name
	Minor	None
78	Failure to Preserve OS Command Structure ('OS Command Injection')
	Major	Name, Related_Attack_Patterns
	Minor	None
79	Failure to Preserve Web Page Structure ('Cross-site Scripting')
	Major	Name
	Minor	None
80	Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS)
	Major	Demonstrative_Examples, Description, Name
	Minor	None
81	Improper Sanitization of Script in an Error Message Web Page
	Major	Description, Name
	Minor	None
82	Improper Sanitization of Script in Attributes of IMG Tags in a Web Page
	Major	Description, Name
	Minor	None
89	Failure to Preserve SQL Query Structure ('SQL Injection')
	Major	Demonstrative_Examples, Name, Related_Attack_Patterns
	Minor	None
90	Failure to Sanitize Data into LDAP Queries ('LDAP Injection')
	Major	Name
	Minor	None
92	Improper Sanitization of Custom Special Characters
	Major	Description, Name
	Minor	None
93	Failure to Sanitize CRLF Sequences ('CRLF Injection')
	Major	Name
	Minor	None
94	Failure to Control Generation of Code ('Code Injection')
	Major	Demonstrative_Examples, Name
	Minor	None
95	Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection')
	Major	Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Description, Name, References
	Minor	None
96	Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')
	Major	Description, Name
	Minor	None
98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
	Major	Description, Name
	Minor	None
99	Improper Control of Resource Identifiers ('Resource Injection')
	Major	Description, Name
	Minor	None
100	Technology-Specific Input Validation Problems
	Major	Related_Attack_Patterns
	Minor	None
112	Missing XML Validation
	Major	Demonstrative_Examples
	Minor	None
113	Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
	Major	Name
	Minor	None
114	Process Control
	Major	Related_Attack_Patterns
	Minor	None
116	Improper Encoding or Escaping of Output
	Major	Related_Attack_Patterns
	Minor	None
117	Improper Output Sanitization for Logs
	Major	Demonstrative_Examples, Description, Name, Related_Attack_Patterns
	Minor	None
118	Improper Access of Indexable Resource ('Range Error')
	Major	Name
	Minor	None
119	Failure to Constrain Operations within the Bounds of a Memory Buffer
	Major	Demonstrative_Examples
	Minor	None
123	Write-what-where Condition
	Major	Relationships
	Minor	None
134	Uncontrolled Format String
	Major	Demonstrative_Examples
	Minor	None
135	Incorrect Calculation of Multi-Byte String Length
	Major	Description
	Minor	None
160	Improper Sanitization of Leading Special Elements
	Major	Description, Name
	Minor	None
161	Improper Sanitization of Multiple Leading Special Elements
	Major	Description, Name
	Minor	None
162	Improper Sanitization of Trailing Special Elements
	Major	Description, Name
	Minor	None
163	Improper Sanitization of Multiple Trailing Special Elements
	Major	Description, Name, Relationships
	Minor	None
164	Improper Sanitization of Internal Special Elements
	Major	Description, Name
	Minor	None
165	Improper Sanitization of Multiple Internal Special Elements
	Major	Description, Name, Relationships
	Minor	None
166	Improper Handling of Missing Special Element
	Major	Description, Name
	Minor	None
167	Improper Handling of Additional Special Element
	Major	Description, Name
	Minor	None
170	Improper Null Termination
	Major	Demonstrative_Examples
	Minor	None
171	Cleansing, Canonicalization, and Comparison Errors
	Major	Relationships
	Minor	None
176	Failure to Handle Unicode Encoding
	Major	Demonstrative_Examples
	Minor	None
180	Incorrect Behavior Order: Validate Before Canonicalize
	Major	Other_Notes, Relationship_Notes
	Minor	None
184	Incomplete Blacklist
	Major	Description, Other_Notes, Relationship_Notes, Time_of_Introduction
	Minor	None
190	Integer Overflow or Wraparound
	Major	Demonstrative_Examples
	Minor	None
191	Integer Underflow (Wrap or Wraparound)
	Major	Demonstrative_Examples
	Minor	None
194	Unexpected Sign Extension
	Major	Demonstrative_Examples
	Minor	None
195	Signed to Unsigned Conversion Error
	Major	Demonstrative_Examples
	Minor	None
196	Unsigned to Signed Conversion Error
	Major	Demonstrative_Examples
	Minor	None
197	Numeric Truncation Error
	Major	Demonstrative_Examples
	Minor	None
198	Use of Incorrect Byte Ordering
	Major	Description
	Minor	None
215	Information Leak Through Debug Information
	Major	Demonstrative_Examples
	Minor	None
216	Containment Errors (Container Errors)
	Major	Relationships
	Minor	None
217	DEPRECATED: Failure to Protect Stored Data from Modification
	Major	Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
	Minor	None
226	Sensitive Information Uncleared Before Release
	Major	Relationships
	Minor	None
227	Failure to Fulfill API Contract ('API Abuse')
	Major	Name, Relationships
	Minor	None
243	Failure to Change Working Directory in chroot Jail
	Major	Demonstrative_Examples
	Minor	None
244	Failure to Clear Heap Memory Before Release ('Heap Inspection')
	Major	Demonstrative_Examples, Name
	Minor	None
247	Reliance on DNS Lookups in a Security Decision
	Major	Relationships, Taxonomy_Mappings
	Minor	None
249	Often Misused: Path Manipulation
	Major	Demonstrative_Examples
	Minor	None
250	Execution with Unnecessary Privileges
	Major	Related_Attack_Patterns
	Minor	None
252	Unchecked Return Value
	Major	Demonstrative_Examples
	Minor	None
269	Improper Privilege Management
	Major	Name
	Minor	None
272	Least Privilege Violation
	Major	Demonstrative_Examples
	Minor	None
273	Improper Check for Dropped Privileges
	Major	Name
	Minor	None
274	Improper Handling of Insufficient Privileges
	Major	Description, Name
	Minor	None
276	Incorrect Default Permissions
	Major	Description, Name
	Minor	None
279	Incorrect Execution-Assigned Permissions
	Major	Description, Name
	Minor	None
281	Improper Preservation of Permissions
	Major	Description, Name
	Minor	None
285	Improper Access Control (Authorization)
	Major	Description, Related_Attack_Patterns
	Minor	None
287	Improper Authentication
	Major	Description, Related_Attack_Patterns
	Minor	None
292	Trusting Self-reported DNS Name
	Major	Demonstrative_Examples
	Minor	None
294	Authentication Bypass by Capture-replay
	Major	Related_Attack_Patterns
	Minor	None
296	Improper Following of Chain of Trust for Certificate Validation
	Major	Demonstrative_Examples
	Minor	None
297	Improper Validation of Host-specific Certificate Data
	Major	Demonstrative_Examples
	Minor	None
298	Improper Validation of Certificate Expiration
	Major	Demonstrative_Examples
	Minor	None
299	Improper Check for Certificate Revocation
	Major	Relationships
	Minor	None
300	Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
	Major	Name
	Minor	None
303	Incorrect Implementation of Authentication Algorithm
	Major	Description, Name
	Minor	None
319	Cleartext Transmission of Sensitive Information
	Major	Related_Attack_Patterns
	Minor	None
321	Use of Hard-coded Cryptographic Key
	Major	Demonstrative_Examples
	Minor	None
324	Use of a Key Past its Expiration Date
	Major	Demonstrative_Examples
	Minor	None
326	Weak Encryption
	Major	Related_Attack_Patterns
	Minor	None
330	Use of Insufficiently Random Values
	Major	Demonstrative_Examples, Related_Attack_Patterns
	Minor	None
333	Improper Handling of Insufficient Entropy in TRNG
	Major	Description, Name
	Minor	None
345	Insufficient Verification of Data Authenticity
	Major	Related_Attack_Patterns
	Minor	None
346	Origin Validation Error
	Major	Related_Attack_Patterns
	Minor	None
347	Improper Verification of Cryptographic Signature
	Major	Description, Name
	Minor	None
350	Improperly Trusted Reverse DNS
	Major	Relationships
	Minor	None
352	Cross-Site Request Forgery (CSRF)
	Major	Demonstrative_Examples, Related_Attack_Patterns
	Minor	None
357	Insufficient UI Warning of Dangerous Operations
	Major	Description
	Minor	None
358	Improperly Implemented Security Check for Standard
	Major	Description
	Minor	None
362	Race Condition
	Major	Relationships
	Minor	None
367	Time-of-check Time-of-use (TOCTOU) Race Condition
	Major	Demonstrative_Examples
	Minor	None
369	Divide By Zero
	Major	Demonstrative_Examples
	Minor	None
370	Missing Check for Certificate Revocation after Initial Check
	Major	Name, Relationships
	Minor	None
377	Insecure Temporary File
	Major	Demonstrative_Examples
	Minor	None
379	Creation of Temporary File in Directory with Incorrect Permissions
	Major	Description, Name
	Minor	None
391	Unchecked Error Condition
	Major	Demonstrative_Examples
	Minor	None
395	Use of NullPointerException Catch to Detect NULL Pointer Dereference
	Major	Demonstrative_Examples
	Minor	None
396	Declaration of Catch for Generic Exception
	Major	Demonstrative_Examples
	Minor	None
397	Declaration of Throws for Generic Exception
	Major	Demonstrative_Examples
	Minor	None
399	Resource Management Errors
	Major	Relationships
	Minor	None
400	Uncontrolled Resource Consumption ('Resource Exhaustion')
	Major	Name, Relationships
	Minor	None
401	Failure to Release Memory Before Removing Last Reference ('Memory Leak')
	Major	Name
	Minor	None
402	Transmission of Private Resources into a New Sphere ('Resource Leak')
	Major	Name
	Minor	None
404	Improper Resource Shutdown or Release
	Major	Description, Relationships
	Minor	None
408	Incorrect Behavior Order: Early Amplification
	Major	Description
	Minor	None
409	Improper Handling of Highly Compressed Data (Data Amplification)
	Major	Description, Name
	Minor	None
415	Double Free
	Major	Demonstrative_Examples
	Minor	None
416	Use After Free
	Major	Demonstrative_Examples
	Minor	None
431	Missing Handler
	Major	Demonstrative_Examples
	Minor	None
436	Interpretation Conflict
	Major	Related_Attack_Patterns
	Minor	None
444	Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
	Major	Name, Related_Attack_Patterns
	Minor	None
457	Use of Uninitialized Variable
	Major	Demonstrative_Examples
	Minor	None
459	Incomplete Cleanup
	Major	Relationship_Notes, Relationships
	Minor	None
460	Improper Cleanup on Thrown Exception
	Major	Description
	Minor	None
468	Incorrect Pointer Scaling
	Major	Demonstrative_Examples
	Minor	None
470	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
	Major	Demonstrative_Examples, Name
	Minor	None
476	NULL Pointer Dereference
	Major	Demonstrative_Examples
	Minor	None
477	Use of Obsolete Functions
	Major	Demonstrative_Examples
	Minor	None
478	Missing Default Case in Switch Statement
	Major	Description, Name
	Minor	None
481	Assigning instead of Comparing
	Major	Demonstrative_Examples
	Minor	None
483	Incorrect Block Delimitation
	Major	Demonstrative_Examples
	Minor	None
485	Insufficient Encapsulation
	Major	Relationships
	Minor	None
488	Data Leak Between Sessions
	Major	Demonstrative_Examples
	Minor	None
491	Public cloneable() Method Without Final ('Object Hijack')
	Major	Name
	Minor	None
493	Critical Public Variable Without Final Modifier
	Major	Background_Details, Demonstrative_Examples, Description, Relationships
	Minor	None
497	Information Leak of System Data
	Major	Demonstrative_Examples
	Minor	None
500	Public Static Field Not Marked Final
	Major	Relationships
	Minor	None
521	Weak Password Requirements
	Major	Related_Attack_Patterns
	Minor	None
522	Insufficiently Protected Credentials
	Major	Related_Attack_Patterns
	Minor	None
523	Unprotected Transport of Credentials
	Major	Related_Attack_Patterns
	Minor	None
558	Use of getlogin() in Multithreaded Application
	Major	Demonstrative_Examples, Taxonomy_Mappings
	Minor	None
561	Dead Code
	Major	Demonstrative_Examples
	Minor	None
562	Return of Stack Variable Address
	Major	Demonstrative_Examples
	Minor	None
563	Unused Variable
	Major	Demonstrative_Examples
	Minor	None
564	SQL Injection: Hibernate
	Major	Related_Attack_Patterns
	Minor	None
572	Call to Thread run() instead of start()
	Major	Demonstrative_Examples
	Minor	None
579	J2EE Bad Practices: Non-serializable Object Stored in Session
	Major	Demonstrative_Examples
	Minor	None
582	Array Declared Public, Final, and Static
	Major	Demonstrative_Examples
	Minor	None
583	finalize() Method Declared Public
	Major	Demonstrative_Examples
	Minor	None
584	Return Inside Finally Block
	Major	Demonstrative_Examples
	Minor	None
585	Empty Synchronized Block
	Major	Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, References
	Minor	None
586	Explicit Call to Finalize()
	Major	Demonstrative_Examples
	Minor	None
590	Free of Memory not on the Heap
	Major	Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Other_Notes, Potential_Mitigations, References, Relationships
	Minor	None
591	Sensitive Data Storage in Improperly Locked Memory
	Major	Description, Other_Notes
	Minor	None
592	Authentication Bypass Issues
	Major	Related_Attack_Patterns
	Minor	None
593	Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
	Major	None
	Minor	Other_Notes
595	Comparison of Object References Instead of Object Contents
	Major	Name
	Minor	None
597	Use of Wrong Operator in String Comparison
	Major	Demonstrative_Examples
	Minor	None
600	Failure to Catch All Exceptions in Servlet
	Major	Demonstrative_Examples
	Minor	None
601	URL Redirection to Untrusted Site ('Open Redirect')
	Major	Name
	Minor	None
602	Client-Side Enforcement of Server-Side Security
	Major	Demonstrative_Examples
	Minor	None
604	Deprecated Entries
	Major	Relationships
	Minor	None
605	Multiple Binds to the Same Port
	Major	Demonstrative_Examples
	Minor	None
606	Unchecked Input for Loop Condition
	Major	Demonstrative_Examples
	Minor	None
609	Double-Checked Locking
	Major	Relationships
	Minor	None
614	Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
	Major	Related_Attack_Patterns
	Minor	None
619	Dangling Database Cursor ('Cursor Injection')
	Major	Name
	Minor	None
620	Unverified Password Change
	Major	Demonstrative_Examples
	Minor	None
625	Permissive Regular Expression
	Major	Demonstrative_Examples
	Minor	None
633	Weaknesses that Affect Memory
	Major	Relationships
	Minor	None
636	Not Failing Securely ('Failing Open')
	Major	Name
	Minor	None
638	Failure to Use Complete Mediation
	Major	Related_Attack_Patterns
	Minor	None
639	Access Control Bypass Through User-Controlled Key
	Major	Relationships
	Minor	None
640	Weak Password Recovery Mechanism for Forgotten Password
	Major	Related_Attack_Patterns
	Minor	None
643	Failure to Sanitize Data within XPath Expressions ('XPath injection')
	Major	Name
	Minor	None
644	Improper Sanitization of HTTP Headers for Scripting Syntax
	Major	Description, Name
	Minor	None
648	Incorrect Use of Privileged APIs
	Major	Name, Related_Attack_Patterns
	Minor	None
652	Failure to Sanitize Data within XQuery Expressions ('XQuery Injection')
	Major	Name
	Minor	None
654	Reliance on a Single Factor in a Security Decision
	Major	Relationships
	Minor	None
655	Insufficient Psychological Acceptability
	Major	Name
	Minor	None
662	Insufficient Synchronization
	Major	Relationships
	Minor	None
664	Improper Control of a Resource Through its Lifetime
	Major	Description, Name, Relationships
	Minor	None
665	Improper Initialization
	Major	Description, Relationships
	Minor	None
667	Insufficient Locking
	Major	Relationships
	Minor	None
668	Exposure of Resource to Wrong Sphere
	Major	Relationships
	Minor	None
675	Duplicate Operations on Resource
	Major	Relationships
	Minor	None
682	Incorrect Calculation
	Major	Demonstrative_Examples
	Minor	None
683	Function Call With Incorrect Order of Arguments
	Major	Demonstrative_Examples
	Minor	None
685	Function Call With Incorrect Number of Arguments
	Major	Description
	Minor	None
686	Function Call With Incorrect Argument Type
	Major	Description
	Minor	None
687	Function Call With Incorrectly Specified Argument Value
	Major	Description
	Minor	None
688	Function Call With Incorrect Variable or Reference as Argument
	Major	Description
	Minor	None
691	Insufficient Control Flow Management
	Major	Relationships
	Minor	None
693	Protection Mechanism Failure
	Major	Description, Related_Attack_Patterns
	Minor	None
696	Incorrect Behavior Order
	Major	Description
	Minor	None
697	Insufficient Comparison
	Major	Description
	Minor	None
704	Incorrect Type Conversion or Cast
	Major	Description
	Minor	None
707	Improper Enforcement of Message or Data Structure
	Major	Description, Name
	Minor	None
708	Incorrect Ownership Assignment
	Major	Description
	Minor	None
715	OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
	Major	Relationships
	Minor	None
732	Incorrect Permission Assignment for Critical Resource
	Major	Name
	Minor	None

Page Last Updated: January 05, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration