CWE - Differences between Version 1.6 and Version 1.7

Home > CWE List > Reports > Differences between Version 1.6 and Version 1.7

Differences between Version 1.6 and Version 1.7

Differences between Version 1.6 and Version 1.7

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 1.7)	799
Total (Version 1.6)	791
Total new	8
Total deprecated	0
Total shared	791
Total important changes	20
Total major changes	109
Total minor changes	190
Total minor changes (no major)	165
Total unchanged	517

Summary of Entry Types

Type	Version 1.6	Version 1.7
Category	105	105
Chain	3	3
Composite	9	9
Deprecated	11	11
View	22	22
Weakness	641	649

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	12	0
Description	14	0
Applicable_Platforms	17	32
Time_of_Introduction	10	0
Demonstrative_Examples	29	0
Detection_Factors	12	0
Likelihood_of_Exploit	14	0
Common_Consequences	17	175
Relationships	4	0
References	10	0
Potential_Mitigations	42	1
Observed_Examples	15	1
Terminology_Notes	0	0
Alternate_Terms	2	0
Related_Attack_Patterns	9	0
Relationship_Notes	3	0
Taxonomy_Mappings	0	0
Maintenance_Notes	1	0
Modes_of_Introduction	2	0
Affected_Resources	0	0
Functional_Areas	1	1
Research_Gaps	2	0
Background_Details	1	0
Theoretical_Notes	1	0
Weakness_Ordinalities	5	0
White_Box_Definitions	0	0
Enabling_Factors_for_Exploitation	1	0
Other_Notes	19	0
Relevant_Properties	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Common_Methods_of_Exploitation	0	0
Type	0	0
Causal_Nature	0	0
Source_Taxonomy	0	0
Context_Notes	0	0
Black_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		791

Status Changes

From	To	Total
Unchanged		790
Draft	Usable	1

Relationship Changes

The "Version 1.7 Total" lists the total number of relationships in Version 1.7. The "Shared" value is the total number of relationships in entries that were in both Version 1.7 and Version 1.6. The "New" value is the total number of relationships involving entries that did not exist in Version 1.6. Thus, the total number of relationships in Version 1.7 would combine stats from Shared entries and New entries.

Relationship	Version 1.7 Total	Version 1.6 Total	Version 1.7 Shared	Unchanged	Added to Version 1.7	Removed from Version 1.7	Version 1.7 New
ALL	4676	4658	4660	4656	4	2	16
ChildOf	2008	2000	2000	1999	1	1	8
ParentOf	2008	2000	2000	1999	1	1	8
MemberOf	106	106	106	106
HasMember	106	106	106	106
CanPrecede	84	83	84	83	1
CanFollow	84	83	84	83	1
StartsWith	3	3	3	3
Requires	27	27	27	27
RequiredBy	27	27	27	27
CanAlsoBe	37	37	37	37
PeerOf	186	186	186	186

Nodes Removed from Version 1.6

CWE-ID	CWE Name
None.

Nodes Added to Version 1.7

CWE-ID	CWE Name
790	Improper Filtering of Special Elements
791	Incomplete Filtering of Special Elements
792	Incomplete Filtering of One or More Instances of Special Elements
793	Only Filtering One Instance of a Special Element
794	Incomplete Filtering of Multiple Instances of Special Elements
795	Only Filtering Special Elements at a Specified Location
796	Only Filtering Special Elements Relative to a Marker
797	Only Filtering Special Elements at an Absolute Position

Nodes Deprecated in Version 1.7

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

D			79	Failure to Preserve Web Page Structure ('Cross-site Scripting')
		R	138	Improper Sanitization of Special Elements
D			192	Integer Coercion Error
D	N		200	Information Exposure
D	N		203	Information Exposure Through Discrepancy
D	N		205	Information Exposure Through Behavioral Discrepancy
D	N		207	Information Exposure Through an External Behavioral Inconsistency
	N		209	Information Exposure Through an Error Message
	N		212	Improper Cross-boundary Cleansing
		R	219	Sensitive Data Under Web Root
		R	285	Improper Access Control (Authorization)
D			330	Use of Insufficiently Random Values
D	N		497	Exposure of System Data to an Unauthorized Control Sphere
D	N		527	Exposure of CVS Repository to an Unauthorized Control Sphere
D	N		528	Exposure of Core Dump File to an Unauthorized Control Sphere
D	N		529	Exposure of Access Control List Files to an Unauthorized Control Sphere
D	N		530	Exposure of Backup File to an Unauthorized Control Sphere
D	N		538	File and Directory Information Exposure
D			548	Information Leak Through Directory Listing
		R	668	Exposure of Resource to Wrong Sphere

Detailed Difference Report

6	J2EE Misconfiguration: Insufficient Session-ID Length
	Major	None
	Minor	Common_Consequences
11	ASP.NET Misconfiguration: Creating Debug Binary
	Major	None
	Minor	Common_Consequences
12	ASP.NET Misconfiguration: Missing Custom Error Page
	Major	None
	Minor	Common_Consequences
20	Improper Input Validation
	Major	Applicable_Platforms, Demonstrative_Examples, Detection_Factors
	Minor	Common_Consequences
26	Path Traversal: '/dir/../filename'
	Major	None
	Minor	Applicable_Platforms
59	Improper Link Resolution Before File Access ('Link Following')
	Major	None
	Minor	Applicable_Platforms
73	External Control of File Name or Path
	Major	Detection_Factors
	Minor	Applicable_Platforms, Common_Consequences
74	Failure to Sanitize Data into a Different Plane ('Injection')
	Major	None
	Minor	Common_Consequences
77	Improper Sanitization of Special Elements used in a Command ('Command Injection')
	Major	None
	Minor	Common_Consequences
78	Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
	Major	Detection_Factors
	Minor	Common_Consequences
79	Failure to Preserve Web Page Structure ('Cross-site Scripting')
	Major	Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Observed_Examples
	Minor	Applicable_Platforms, Common_Consequences
82	Improper Sanitization of Script in Attributes of IMG Tags in a Web Page
	Major	Observed_Examples
	Minor	None
89	Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Potential_Mitigations
	Minor	Common_Consequences
92	DEPRECATED: Improper Sanitization of Custom Special Characters
	Major	Related_Attack_Patterns
	Minor	None
93	Failure to Sanitize CRLF Sequences ('CRLF Injection')
	Major	Likelihood_of_Exploit
	Minor	None
94	Failure to Control Generation of Code ('Code Injection')
	Major	None
	Minor	Applicable_Platforms, Common_Consequences
98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
	Major	Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, Potential_Mitigations, Time_of_Introduction
	Minor	None
102	Struts: Duplicate Validation Forms
	Major	Background_Details, Common_Consequences, Other_Notes
	Minor	None
103	Struts: Incomplete validate() Method Definition
	Major	Common_Consequences, Other_Notes
	Minor	None
104	Struts: Form Bean Does Not Extend Validation Class
	Major	Common_Consequences, Other_Notes
	Minor	None
108	Struts: Unvalidated Action Form
	Major	Common_Consequences, Other_Notes
	Minor	None
110	Struts: Validator Without Form Field
	Major	None
	Minor	Common_Consequences
113	Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
	Major	None
	Minor	Common_Consequences
116	Improper Encoding or Escaping of Output
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	Applicable_Platforms, Common_Consequences
117	Improper Output Sanitization for Logs
	Major	None
	Minor	Common_Consequences
119	Failure to Constrain Operations within the Bounds of a Memory Buffer
	Major	Common_Consequences, Demonstrative_Examples, Detection_Factors, Observed_Examples
	Minor	Applicable_Platforms
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	None
	Minor	Common_Consequences
121	Stack-based Buffer Overflow
	Major	None
	Minor	Common_Consequences
122	Heap-based Buffer Overflow
	Major	None
	Minor	Common_Consequences
123	Write-what-where Condition
	Major	None
	Minor	Common_Consequences
124	Buffer Underwrite ('Buffer Underflow')
	Major	None
	Minor	Common_Consequences
128	Wrap-around Error
	Major	None
	Minor	Applicable_Platforms, Common_Consequences
129	Improper Validation of Array Index
	Major	Applicable_Platforms, Common_Consequences, Observed_Examples, Other_Notes, Potential_Mitigations, Theoretical_Notes, Weakness_Ordinalities
	Minor	None
130	Improper Handling of Length Parameter Inconsistency
	Major	Observed_Examples
	Minor	Applicable_Platforms
131	Incorrect Calculation of Buffer Size
	Major	Demonstrative_Examples, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations
	Minor	None
134	Uncontrolled Format String
	Major	None
	Minor	Applicable_Platforms, Common_Consequences
138	Improper Sanitization of Special Elements
	Major	Relationships
	Minor	None
170	Improper Null Termination
	Major	None
	Minor	Common_Consequences
171	Cleansing, Canonicalization, and Comparison Errors
	Major	Applicable_Platforms
	Minor	None
185	Incorrect Regular Expression
	Major	Common_Consequences, Other_Notes
	Minor	None
187	Partial Comparison
	Major	Demonstrative_Examples, Observed_Examples, Other_Notes, Relationship_Notes
	Minor	None
188	Reliance on Data/Memory Layout
	Major	None
	Minor	Common_Consequences
190	Integer Overflow or Wraparound
	Major	None
	Minor	Common_Consequences
192	Integer Coercion Error
	Major	Description, Other_Notes
	Minor	Common_Consequences
193	Off-by-one Error
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
194	Unexpected Sign Extension
	Major	None
	Minor	Common_Consequences
195	Signed to Unsigned Conversion Error
	Major	None
	Minor	Common_Consequences
196	Unsigned to Signed Conversion Error
	Major	None
	Minor	Common_Consequences
197	Numeric Truncation Error
	Major	None
	Minor	Common_Consequences
200	Information Exposure
	Major	Alternate_Terms, Description, Name
	Minor	None
201	Information Leak Through Sent Data
	Major	None
	Minor	Common_Consequences
202	Privacy Leak through Data Queries
	Major	None
	Minor	Common_Consequences
203	Information Exposure Through Discrepancy
	Major	Description, Name
	Minor	None
204	Response Discrepancy Information Leak
	Major	Demonstrative_Examples
	Minor	None
205	Information Exposure Through Behavioral Discrepancy
	Major	Description, Name
	Minor	None
207	Information Exposure Through an External Behavioral Inconsistency
	Major	Description, Name
	Minor	None
209	Information Exposure Through an Error Message
	Major	Demonstrative_Examples, Name, Potential_Mitigations, References, Time_of_Introduction
	Minor	Applicable_Platforms, Common_Consequences
210	Product-Generated Error Message Information Leak
	Major	Demonstrative_Examples
	Minor	None
211	Product-External Error Message Information Leak
	Major	None
	Minor	Applicable_Platforms
212	Improper Cross-boundary Cleansing
	Major	Name
	Minor	None
219	Sensitive Data Under Web Root
	Major	Relationships
	Minor	None
234	Failure to Handle Missing Parameter
	Major	None
	Minor	Common_Consequences
244	Failure to Clear Heap Memory Before Release ('Heap Inspection')
	Major	None
	Minor	Common_Consequences
250	Execution with Unnecessary Privileges
	Major	None
	Minor	Common_Consequences
252	Unchecked Return Value
	Major	Common_Consequences, Demonstrative_Examples, References
	Minor	None
253	Incorrect Check of Function Return Value
	Major	None
	Minor	Common_Consequences
257	Storing Passwords in a Recoverable Format
	Major	None
	Minor	Common_Consequences
259	Hard-Coded Password
	Major	None
	Minor	Common_Consequences
262	Not Using Password Aging
	Major	None
	Minor	Common_Consequences
263	Password Aging with Long Expiration
	Major	None
	Minor	Common_Consequences
265	Privilege / Sandbox Issues
	Major	Potential_Mitigations
	Minor	None
266	Incorrect Privilege Assignment
	Major	Potential_Mitigations
	Minor	None
267	Privilege Defined With Unsafe Actions
	Major	Potential_Mitigations
	Minor	None
268	Privilege Chaining
	Major	Other_Notes, Potential_Mitigations, Research_Gaps
	Minor	None
269	Improper Privilege Management
	Major	Potential_Mitigations
	Minor	None
270	Privilege Context Switching Error
	Major	Potential_Mitigations
	Minor	None
271	Privilege Dropping / Lowering Errors
	Major	Potential_Mitigations
	Minor	None
272	Least Privilege Violation
	Major	Potential_Mitigations
	Minor	Common_Consequences
273	Improper Check for Dropped Privileges
	Major	None
	Minor	Common_Consequences
282	Improper Ownership Management
	Major	Potential_Mitigations
	Minor	None
283	Unverified Ownership
	Major	Potential_Mitigations
	Minor	None
284	Access Control (Authorization) Issues
	Major	Potential_Mitigations
	Minor	None
285	Improper Access Control (Authorization)
	Major	Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Modes_of_Introduction, Observed_Examples, Relationships
	Minor	None
287	Improper Authentication
	Major	Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, References
	Minor	None
291	Trusting Self-reported IP Address
	Major	None
	Minor	Common_Consequences
292	Trusting Self-reported DNS Name
	Major	None
	Minor	Common_Consequences
293	Using Referer Field for Authentication
	Major	None
	Minor	Common_Consequences
294	Authentication Bypass by Capture-replay
	Major	None
	Minor	Common_Consequences
296	Improper Following of Chain of Trust for Certificate Validation
	Major	None
	Minor	Common_Consequences
297	Improper Validation of Host-specific Certificate Data
	Major	None
	Minor	Common_Consequences
298	Improper Validation of Certificate Expiration
	Major	None
	Minor	Common_Consequences
299	Improper Check for Certificate Revocation
	Major	None
	Minor	Common_Consequences
301	Reflection Attack in an Authentication Protocol
	Major	None
	Minor	Common_Consequences
307	Failure to Restrict Excessive Authentication Attempts
	Major	Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations
	Minor	None
308	Use of Single-factor Authentication
	Major	None
	Minor	Common_Consequences
309	Use of Password System for Primary Authentication
	Major	None
	Minor	Common_Consequences
311	Failure to Encrypt Sensitive Data
	Major	None
	Minor	Common_Consequences
317	Plaintext Storage in GUI
	Major	None
	Minor	Applicable_Platforms
319	Cleartext Transmission of Sensitive Information
	Major	None
	Minor	Common_Consequences
321	Use of Hard-coded Cryptographic Key
	Major	None
	Minor	Common_Consequences
322	Key Exchange without Entity Authentication
	Major	None
	Minor	Common_Consequences
323	Reusing a Nonce, Key Pair in Encryption
	Major	None
	Minor	Common_Consequences
324	Use of a Key Past its Expiration Date
	Major	None
	Minor	Common_Consequences
326	Inadequate Encryption Strength
	Major	None
	Minor	Common_Consequences
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	References
	Minor	Common_Consequences
329	Not Using a Random IV with CBC Mode
	Major	None
	Minor	Common_Consequences
330	Use of Insufficiently Random Values
	Major	Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Potential_Mitigations, Time_of_Introduction
	Minor	Functional_Areas
332	Insufficient Entropy in PRNG
	Major	Potential_Mitigations
	Minor	Common_Consequences
333	Improper Handling of Insufficient Entropy in TRNG
	Major	None
	Minor	Common_Consequences
334	Small Space of Random Values
	Major	Potential_Mitigations
	Minor	None
336	Same Seed in PRNG
	Major	Potential_Mitigations
	Minor	None
337	Predictable Seed in PRNG
	Major	Potential_Mitigations
	Minor	None
338	Use of Cryptographically Weak PRNG
	Major	None
	Minor	Common_Consequences
339	Small Seed Space in PRNG
	Major	Potential_Mitigations
	Minor	None
341	Predictable from Observable State
	Major	Potential_Mitigations
	Minor	None
342	Predictable Exact Value from Previous Values
	Major	Potential_Mitigations
	Minor	None
343	Predictable Value Range from Previous Values
	Major	Potential_Mitigations
	Minor	None
344	Use of Invariant Value in Dynamically Changing Context
	Major	Potential_Mitigations
	Minor	None
352	Cross-Site Request Forgery (CSRF)
	Major	Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations, Time_of_Introduction
	Minor	None
353	Failure to Add Integrity Check Value
	Major	None
	Minor	Common_Consequences
354	Improper Validation of Integrity Check Value
	Major	None
	Minor	Common_Consequences
359	Privacy Violation
	Major	Other_Notes, References
	Minor	None
360	Trust of System Event Data
	Major	None
	Minor	Common_Consequences
362	Race Condition
	Major	None
	Minor	Applicable_Platforms, Common_Consequences
364	Signal Handler Race Condition
	Major	None
	Minor	Applicable_Platforms, Common_Consequences
365	Race Condition in Switch
	Major	None
	Minor	Common_Consequences
366	Race Condition within a Thread
	Major	None
	Minor	Common_Consequences
367	Time-of-check Time-of-use (TOCTOU) Race Condition
	Major	None
	Minor	Common_Consequences
369	Divide By Zero
	Major	None
	Minor	Common_Consequences
370	Missing Check for Certificate Revocation after Initial Check
	Major	None
	Minor	Common_Consequences
373	State Synchronization Error
	Major	None
	Minor	Common_Consequences
374	Mutable Objects Passed by Reference
	Major	None
	Minor	Common_Consequences
375	Passing Mutable Objects to an Untrusted Method
	Major	None
	Minor	Common_Consequences
378	Creation of Temporary File With Insecure Permissions
	Major	None
	Minor	Common_Consequences
379	Creation of Temporary File in Directory with Incorrect Permissions
	Major	None
	Minor	Common_Consequences
385	Covert Timing Channel
	Major	None
	Minor	Common_Consequences
386	Symbolic Name not Mapping to Correct Object
	Major	None
	Minor	Common_Consequences
387	Signal Errors
	Major	Other_Notes
	Minor	None
388	Error Handling
	Major	None
	Minor	Common_Consequences
389	Error Conditions, Return Values, Status Codes
	Major	Other_Notes, Weakness_Ordinalities
	Minor	None
394	Unexpected Status Code or Return Value
	Major	Other_Notes, Relationship_Notes
	Minor	None
400	Uncontrolled Resource Consumption ('Resource Exhaustion')
	Major	Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Other_Notes, Potential_Mitigations, References
	Minor	None
401	Failure to Release Memory Before Removing Last Reference ('Memory Leak')
	Major	None
	Minor	Common_Consequences
404	Improper Resource Shutdown or Release
	Major	None
	Minor	Common_Consequences
405	Asymmetric Resource Consumption (Amplification)
	Major	None
	Minor	Common_Consequences
407	Algorithmic Complexity
	Major	Applicable_Platforms, Likelihood_of_Exploit
	Minor	Common_Consequences
410	Insufficient Resource Pool
	Major	None
	Minor	Common_Consequences
412	Unrestricted Externally Accessible Lock
	Major	None
	Minor	Common_Consequences
415	Double Free
	Major	None
	Minor	Common_Consequences
416	Use After Free
	Major	None
	Minor	Common_Consequences
426	Untrusted Search Path
	Major	References
	Minor	Common_Consequences, Potential_Mitigations
428	Unquoted Search Path or Element
	Major	None
	Minor	Applicable_Platforms
434	Unrestricted File Upload
	Major	Applicable_Platforms, Functional_Areas, Likelihood_of_Exploit, Potential_Mitigations, Time_of_Introduction
	Minor	None
447	Unimplemented or Unsupported Feature in UI
	Major	Other_Notes, Potential_Mitigations, Research_Gaps
	Minor	None
453	Insecure Default Variable Initialization
	Major	None
	Minor	Applicable_Platforms
454	External Initialization of Trusted Variables
	Major	None
	Minor	Applicable_Platforms
457	Use of Uninitialized Variable
	Major	None
	Minor	Applicable_Platforms, Common_Consequences
460	Improper Cleanup on Thrown Exception
	Major	None
	Minor	Common_Consequences
463	Deletion of Data Structure Sentinel
	Major	None
	Minor	Common_Consequences
464	Addition of Data Structure Sentinel
	Major	None
	Minor	Common_Consequences
467	Use of sizeof() on a Pointer Type
	Major	Demonstrative_Examples
	Minor	Common_Consequences
468	Incorrect Pointer Scaling
	Major	None
	Minor	Common_Consequences
469	Use of Pointer Subtraction to Determine Size
	Major	None
	Minor	Common_Consequences
470	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
	Major	None
	Minor	Applicable_Platforms, Common_Consequences
472	External Control of Assumed-Immutable Web Parameter
	Major	None
	Minor	Common_Consequences
473	PHP External Variable Modification
	Major	Other_Notes, Relationship_Notes
	Minor	None
474	Use of Function with Inconsistent Implementations
	Major	None
	Minor	Applicable_Platforms
476	NULL Pointer Dereference
	Major	Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Weakness_Ordinalities
	Minor	None
478	Missing Default Case in Switch Statement
	Major	None
	Minor	Common_Consequences
479	Unsafe Function Call from a Signal Handler
	Major	None
	Minor	Common_Consequences
480	Use of Incorrect Operator
	Major	None
	Minor	Applicable_Platforms
482	Comparing instead of Assigning
	Major	None
	Minor	Common_Consequences
483	Incorrect Block Delimitation
	Major	None
	Minor	Applicable_Platforms, Common_Consequences
486	Comparison of Classes by Name
	Major	None
	Minor	Common_Consequences
487	Reliance on Package-level Scope
	Major	None
	Minor	Common_Consequences
489	Leftover Debug Code
	Major	None
	Minor	Common_Consequences
492	Use of Inner Class Containing Sensitive Data
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	Common_Consequences
493	Critical Public Variable Without Final Modifier
	Major	None
	Minor	Common_Consequences
494	Download of Code Without Integrity Check
	Major	None
	Minor	Common_Consequences
497	Exposure of System Data to an Unauthorized Control Sphere
	Major	Description, Name
	Minor	None
498	Information Leak through Class Cloning
	Major	None
	Minor	Common_Consequences
499	Serializable Class Containing Sensitive Data
	Major	None
	Minor	Common_Consequences
500	Public Static Field Not Marked Final
	Major	None
	Minor	Common_Consequences
502	Deserialization of Untrusted Data
	Major	None
	Minor	Common_Consequences
515	Covert Storage Channel
	Major	None
	Minor	Common_Consequences
525	Information Leak Through Browser Caching
	Major	None
	Minor	Common_Consequences
527	Exposure of CVS Repository to an Unauthorized Control Sphere
	Major	Description, Name
	Minor	None
528	Exposure of Core Dump File to an Unauthorized Control Sphere
	Major	Description, Name
	Minor	None
529	Exposure of Access Control List Files to an Unauthorized Control Sphere
	Major	Description, Name
	Minor	None
530	Exposure of Backup File to an Unauthorized Control Sphere
	Major	Description, Name
	Minor	Common_Consequences
532	Information Leak Through Log Files
	Major	None
	Minor	Common_Consequences
536	Information Leak Through Servlet Runtime Error Message
	Major	None
	Minor	Common_Consequences
538	File and Directory Information Exposure
	Major	Description, Maintenance_Notes, Name
	Minor	None
548	Information Leak Through Directory Listing
	Major	Common_Consequences, Description
	Minor	None
561	Dead Code
	Major	None
	Minor	Common_Consequences
565	Reliance on Cookies without Validation and Integrity Checking
	Major	None
	Minor	Common_Consequences
575	EJB Bad Practices: Use of AWT Swing
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
576	EJB Bad Practices: Use of Java I/O
	Major	Demonstrative_Examples
	Minor	None
577	EJB Bad Practices: Use of Sockets
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
578	EJB Bad Practices: Use of Class Loader
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
581	Object Model Violation: Just One of Equals and Hashcode Defined
	Major	None
	Minor	Common_Consequences
585	Empty Synchronized Block
	Major	None
	Minor	Common_Consequences
587	Assignment of a Fixed Address to a Pointer
	Major	None
	Minor	Common_Consequences
588	Attempt to Access Child of a Non-structure Pointer
	Major	None
	Minor	Common_Consequences
590	Free of Memory not on the Heap
	Major	None
	Minor	Common_Consequences
591	Sensitive Data Storage in Improperly Locked Memory
	Major	None
	Minor	Common_Consequences
593	Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
	Major	None
	Minor	Common_Consequences
594	J2EE Framework: Saving Unserializable Objects to Disk
	Major	None
	Minor	Common_Consequences
599	Trust of OpenSSL Certificate Without Validation
	Major	None
	Minor	Common_Consequences
601	URL Redirection to Untrusted Site ('Open Redirect')
	Major	Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Potential_Mitigations
	Minor	None
602	Client-Side Enforcement of Server-Side Security
	Major	None
	Minor	Applicable_Platforms, Common_Consequences
605	Multiple Binds to the Same Port
	Major	None
	Minor	Common_Consequences
620	Unverified Password Change
	Major	Other_Notes, Weakness_Ordinalities
	Minor	None
622	Unvalidated Function Hook Arguments
	Major	Other_Notes, Weakness_Ordinalities
	Minor	None
636	Not Failing Securely ('Failing Open')
	Major	None
	Minor	Common_Consequences
638	Failure to Use Complete Mediation
	Major	None
	Minor	Common_Consequences
639	Access Control Bypass Through User-Controlled Key
	Major	None
	Minor	Common_Consequences
640	Weak Password Recovery Mechanism for Forgotten Password
	Major	None
	Minor	Common_Consequences
641	Insufficient Filtering of File and Other Resource Names for Executable Content
	Major	None
	Minor	Common_Consequences
642	External Control of Critical State Data
	Major	None
	Minor	Applicable_Platforms, Common_Consequences
643	Failure to Sanitize Data within XPath Expressions ('XPath injection')
	Major	None
	Minor	Common_Consequences
644	Improper Sanitization of HTTP Headers for Scripting Syntax
	Major	None
	Minor	Common_Consequences
645	Overly Restrictive Account Lockout Mechanism
	Major	None
	Minor	Common_Consequences
646	Reliance on File Name or Extension of Externally-Supplied File
	Major	None
	Minor	Common_Consequences
647	Use of Non-Canonical URL Paths for Authorization Decisions
	Major	None
	Minor	Common_Consequences
648	Incorrect Use of Privileged APIs
	Major	None
	Minor	Common_Consequences
649	Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
	Major	None
	Minor	Common_Consequences
650	Trusting HTTP Permission Methods on the Server Side
	Major	None
	Minor	Common_Consequences
651	Information Leak through WSDL File
	Major	None
	Minor	Applicable_Platforms, Common_Consequences
652	Failure to Sanitize Data within XQuery Expressions ('XQuery Injection')
	Major	None
	Minor	Common_Consequences
653	Insufficient Compartmentalization
	Major	None
	Minor	Common_Consequences
654	Reliance on a Single Factor in a Security Decision
	Major	None
	Minor	Common_Consequences
655	Insufficient Psychological Acceptability
	Major	None
	Minor	Common_Consequences
656	Reliance on Security through Obscurity
	Major	None
	Minor	Common_Consequences
665	Improper Initialization
	Major	None
	Minor	Common_Consequences
667	Insufficient Locking
	Major	None
	Minor	Common_Consequences
668	Exposure of Resource to Wrong Sphere
	Major	Relationships
	Minor	None
674	Uncontrolled Recursion
	Major	None
	Minor	Common_Consequences
681	Incorrect Conversion between Numeric Types
	Major	Applicable_Platforms, Likelihood_of_Exploit, Potential_Mitigations
	Minor	None
682	Incorrect Calculation
	Major	None
	Minor	Common_Consequences
690	Unchecked Return Value to NULL Pointer Dereference
	Major	Demonstrative_Examples
	Minor	None
704	Incorrect Type Conversion or Cast
	Major	None
	Minor	Applicable_Platforms
712	OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS)
	Major	Related_Attack_Patterns
	Minor	None
713	OWASP Top Ten 2007 Category A2 - Injection Flaws
	Major	Related_Attack_Patterns
	Minor	None
714	OWASP Top Ten 2007 Category A3 - Malicious File Execution
	Major	Related_Attack_Patterns
	Minor	None
716	OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF)
	Major	Related_Attack_Patterns
	Minor	None
717	OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
	Major	Related_Attack_Patterns
	Minor	None
718	OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management
	Major	Related_Attack_Patterns
	Minor	None
719	OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
	Major	Related_Attack_Patterns
	Minor	None
721	OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
	Major	Related_Attack_Patterns
	Minor	None
732	Incorrect Permission Assignment for Critical Resource
	Major	Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, References
	Minor	None
733	Compiler Optimization Removal or Modification of Security-critical Code
	Major	None
	Minor	Applicable_Platforms
749	Exposed Dangerous Method or Function
	Major	Applicable_Platforms, Likelihood_of_Exploit
	Minor	None
754	Improper Check for Exceptional Conditions
	Major	Applicable_Platforms, Likelihood_of_Exploit, Time_of_Introduction
	Minor	None
755	Improper Handling of Exceptional Conditions
	Major	Applicable_Platforms, Likelihood_of_Exploit, Time_of_Introduction
	Minor	None
762	Mismatched Memory Management Routines
	Major	Applicable_Platforms, Likelihood_of_Exploit
	Minor	None
766	Critical Variable Declared Public
	Major	Demonstrative_Examples
	Minor	Common_Consequences
768	Incorrect Short Circuit Evaluation
	Major	None
	Minor	Common_Consequences
770	Allocation of Resources Without Limits or Throttling
	Major	Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Observed_Examples, References, Time_of_Introduction
	Minor	Common_Consequences
771	Missing Reference to Active Allocated Resource
	Major	None
	Minor	Common_Consequences
772	Missing Release of Resource after Effective Lifetime
	Major	None
	Minor	Common_Consequences
773	Missing Reference to Active File Descriptor or Handle
	Major	None
	Minor	Common_Consequences
774	Allocation of File Descriptors or Handles Without Limits or Throttling
	Major	None
	Minor	Common_Consequences
775	Missing Release of File Descriptor or Handle after Effective Lifetime
	Major	Observed_Examples
	Minor	Common_Consequences
776	Unrestricted Recursive Entity References in DTDs ('XML Bomb')
	Major	None
	Minor	Common_Consequences
777	Regular Expression without Anchors
	Major	None
	Minor	Common_Consequences
778	Insufficient Logging
	Major	None
	Minor	Common_Consequences
779	Logging of Excessive Data
	Major	None
	Minor	Common_Consequences
780	Use of RSA Algorithm without OAEP
	Major	None
	Minor	Common_Consequences
781	Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
	Major	Common_Consequences, Potential_Mitigations, References, Time_of_Introduction
	Minor	Applicable_Platforms
782	Exposed IOCTL with Insufficient Access Control
	Major	Time_of_Introduction
	Minor	Applicable_Platforms, Common_Consequences, Observed_Examples
783	Operator Precedence Logic Error
	Major	Observed_Examples
	Minor	Applicable_Platforms, Common_Consequences
784	Reliance on Cookies without Validation and Integrity Checking in a Security Decision
	Major	None
	Minor	Applicable_Platforms, Common_Consequences
789	Uncontrolled Memory Allocation
	Major	None
	Minor	Common_Consequences

Page Last Updated: January 05, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration

Differences between Version 1.6 and Version 1.7 Differences between Version 1.6 and Version 1.7