CWE - Differences between Version 1.8 and Version 1.8.1

Home > CWE List > Reports > Differences between Version 1.8 and Version 1.8.1

Differences between Version 1.8 and Version 1.8.1

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 1.8.1)	810
Total (Version 1.8)	810
Total new	0
Total deprecated	0
Total shared	810
Total important changes	31
Total major changes	105
Total minor changes	10
Total minor changes (no major)	8
Total unchanged	697

Summary of Entry Types

Type	Version 1.8	Version 1.8.1
Category	109	109
Chain	3	3
Composite	6	6
Deprecated	11	11
View	23	23
Weakness	658	658

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	28	0
Description	30	0
Applicable_Platforms	8	1
Time_of_Introduction	1	0
Demonstrative_Examples	17	7
Detection_Factors	3	0
Likelihood_of_Exploit	0	0
Common_Consequences	2	0
Relationships	1	0
References	3	0
Potential_Mitigations	16	1
Observed_Examples	0	0
Terminology_Notes	0	0
Alternate_Terms	0	0
Related_Attack_Patterns	50	0
Relationship_Notes	0	0
Taxonomy_Mappings	0	0
Maintenance_Notes	0	0
Modes_of_Introduction	0	0
Affected_Resources	0	0
Functional_Areas	0	0
Research_Gaps	0	0
Background_Details	0	1
Theoretical_Notes	0	0
Weakness_Ordinalities	0	0
White_Box_Definitions	0	0
Enabling_Factors_for_Exploitation	0	0
Other_Notes	0	0
Relevant_Properties	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Common_Methods_of_Exploitation	0	0
Type	0	0
Causal_Nature	0	0
Source_Taxonomy	0	0
Context_Notes	0	0
Black_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		810

Status Changes

From	To	Total
Unchanged		810

Relationship Changes

The "Version 1.8.1 Total" lists the total number of relationships in Version 1.8.1. The "Shared" value is the total number of relationships in entries that were in both Version 1.8.1 and Version 1.8. The "New" value is the total number of relationships involving entries that did not exist in Version 1.8. Thus, the total number of relationships in Version 1.8.1 would combine stats from Shared entries and New entries.

Relationship	Version 1.8.1 Total	Version 1.8 Total	Version 1.8.1 Shared	Unchanged	Removed from Version 1.8
ALL	4818	4819	4818	4818	1
ChildOf	2078	2078	2078	2078
ParentOf	2078	2078	2078	2078
MemberOf	109	109	109	109
HasMember	109	109	109	109
CanPrecede	90	90	90	90
CanFollow	90	91	90	90	1
StartsWith	3	3	3	3
Requires	19	19	19	19
RequiredBy	19	19	19	19
CanAlsoBe	37	37	37	37
PeerOf	186	186	186	186

Nodes Removed from Version 1.8

CWE-ID	CWE Name
None.

Nodes Added to Version 1.8.1

CWE-ID	CWE Name
None.

Nodes Deprecated in Version 1.8.1

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

D			79	Failure to Preserve Web Page Structure ('Cross-site Scripting')
D	N		83	Improper Neutralization of Script in Attributes in a Web Page
D	N		86	Improper Neutralization of Invalid Characters in Identifiers in Web Pages
D	N		96	Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
D	N		138	Improper Neutralization of Special Elements
D	N		141	Improper Neutralization of Parameter/Argument Delimiters
D	N		142	Improper Neutralization of Value Delimiters
D	N		143	Improper Neutralization of Record Delimiters
D	N		144	Improper Neutralization of Line Delimiters
D	N		145	Improper Neutralization of Section Delimiters
D	N		146	Improper Neutralization of Expression/Command Delimiters
D	N		147	Improper Neutralization of Input Terminators
D	N		150	Improper Neutralization of Escape, Meta, or Control Sequences
D	N		151	Improper Neutralization of Comment Delimiters
D	N		152	Improper Neutralization of Macro Symbols
D	N		153	Improper Neutralization of Substitution Characters
D	N		154	Improper Neutralization of Variable Name Delimiters
D	N		155	Improper Neutralization of Wildcards or Matching Symbols
D	N		156	Improper Neutralization of Whitespace
D	N		158	Improper Neutralization of Null Byte or NUL Character
D	N		160	Improper Neutralization of Leading Special Elements
D	N		161	Improper Neutralization of Multiple Leading Special Elements
D	N		162	Improper Neutralization of Trailing Special Elements
D	N		163	Improper Neutralization of Multiple Trailing Special Elements
D	N		164	Improper Neutralization of Internal Special Elements
D	N		165	Improper Neutralization of Multiple Internal Special Elements
D			185	Incorrect Regular Expression
		R	242	Use of Inherently Dangerous Function
D	N		643	Improper Neutralization of Data within XPath Expressions ('XPath injection')
D	N		644	Improper Neutralization of HTTP Headers for Scripting Syntax
D	N		652	Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

Detailed Difference Report

15	External Control of System or Configuration Setting
	Major	Related_Attack_Patterns
	Minor	None
20	Improper Input Validation
	Major	Related_Attack_Patterns
	Minor	None
59	Improper Link Resolution Before File Access ('Link Following')
	Major	Related_Attack_Patterns
	Minor	Background_Details
69	Failure to Handle Windows ::DATA Alternate Data Stream
	Major	Related_Attack_Patterns
	Minor	None
74	Failure to Sanitize Data into a Different Plane ('Injection')
	Major	Related_Attack_Patterns
	Minor	None
78	Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
	Major	Potential_Mitigations
	Minor	None
79	Failure to Preserve Web Page Structure ('Cross-site Scripting')
	Major	Description, Potential_Mitigations, Related_Attack_Patterns
	Minor	None
81	Improper Sanitization of Script in an Error Message Web Page
	Major	Related_Attack_Patterns
	Minor	None
83	Improper Neutralization of Script in Attributes in a Web Page
	Major	Description, Name, Related_Attack_Patterns
	Minor	None
84	Failure to Resolve Encoded URI Schemes in a Web Page
	Major	Related_Attack_Patterns
	Minor	None
85	Doubled Character XSS Manipulations
	Major	Related_Attack_Patterns
	Minor	None
86	Improper Neutralization of Invalid Characters in Identifiers in Web Pages
	Major	Description, Name, Related_Attack_Patterns
	Minor	None
88	Argument Injection or Modification
	Major	Related_Attack_Patterns
	Minor	None
89	Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
93	Failure to Sanitize CRLF Sequences ('CRLF Injection')
	Major	Related_Attack_Patterns
	Minor	None
96	Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
	Major	Description, Name
	Minor	None
100	Technology-Specific Input Validation Problems
	Major	Related_Attack_Patterns
	Minor	None
116	Improper Encoding or Escaping of Output
	Major	Potential_Mitigations
	Minor	None
119	Failure to Constrain Operations within the Bounds of a Memory Buffer
	Major	None
	Minor	Demonstrative_Examples
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	Demonstrative_Examples, Related_Attack_Patterns
	Minor	None
129	Improper Validation of Array Index
	Major	Related_Attack_Patterns
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns
	Minor	None
138	Improper Neutralization of Special Elements
	Major	Description, Name
	Minor	None
141	Improper Neutralization of Parameter/Argument Delimiters
	Major	Description, Name
	Minor	None
142	Improper Neutralization of Value Delimiters
	Major	Description, Name
	Minor	None
143	Improper Neutralization of Record Delimiters
	Major	Description, Name
	Minor	None
144	Improper Neutralization of Line Delimiters
	Major	Description, Name
	Minor	None
145	Improper Neutralization of Section Delimiters
	Major	Description, Name
	Minor	None
146	Improper Neutralization of Expression/Command Delimiters
	Major	Description, Name
	Minor	None
147	Improper Neutralization of Input Terminators
	Major	Description, Name
	Minor	None
150	Improper Neutralization of Escape, Meta, or Control Sequences
	Major	Description, Name
	Minor	None
151	Improper Neutralization of Comment Delimiters
	Major	Description, Name
	Minor	None
152	Improper Neutralization of Macro Symbols
	Major	Description, Name
	Minor	None
153	Improper Neutralization of Substitution Characters
	Major	Description, Name
	Minor	None
154	Improper Neutralization of Variable Name Delimiters
	Major	Description, Name
	Minor	None
155	Improper Neutralization of Wildcards or Matching Symbols
	Major	Description, Name
	Minor	None
156	Improper Neutralization of Whitespace
	Major	Description, Name
	Minor	None
158	Improper Neutralization of Null Byte or NUL Character
	Major	Description, Name
	Minor	None
160	Improper Neutralization of Leading Special Elements
	Major	Description, Name
	Minor	None
161	Improper Neutralization of Multiple Leading Special Elements
	Major	Description, Name
	Minor	None
162	Improper Neutralization of Trailing Special Elements
	Major	Description, Name
	Minor	None
163	Improper Neutralization of Multiple Trailing Special Elements
	Major	Description, Name
	Minor	None
164	Improper Neutralization of Internal Special Elements
	Major	Description, Name
	Minor	None
165	Improper Neutralization of Multiple Internal Special Elements
	Major	Description, Name
	Minor	None
170	Improper Null Termination
	Major	None
	Minor	Potential_Mitigations
184	Incomplete Blacklist
	Major	Related_Attack_Patterns
	Minor	None
185	Incorrect Regular Expression
	Major	Description
	Minor	None
190	Integer Overflow or Wraparound
	Major	Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns
	Minor	None
192	Integer Coercion Error
	Major	Demonstrative_Examples
	Minor	None
194	Unexpected Sign Extension
	Major	Demonstrative_Examples
	Minor	None
195	Signed to Unsigned Conversion Error
	Major	Demonstrative_Examples
	Minor	None
200	Information Exposure
	Major	Related_Attack_Patterns
	Minor	None
209	Information Exposure Through an Error Message
	Major	Related_Attack_Patterns
	Minor	None
212	Improper Cross-boundary Removal of Sensitive Data
	Major	Related_Attack_Patterns
	Minor	None
242	Use of Inherently Dangerous Function
	Major	Relationships
	Minor	None
245	J2EE Bad Practices: Direct Management of Connections
	Major	Demonstrative_Examples
	Minor	None
247	Reliance on DNS Lookups in a Security Decision
	Major	Related_Attack_Patterns
	Minor	None
252	Unchecked Return Value
	Major	Demonstrative_Examples
	Minor	None
259	Use of Hard-coded Password
	Major	Applicable_Platforms
	Minor	None
285	Improper Access Control (Authorization)
	Major	Potential_Mitigations
	Minor	None
302	Authentication Bypass by Assumed-Immutable Data
	Major	Related_Attack_Patterns
	Minor	None
307	Improper Restriction of Excessive Authentication Attempts
	Major	Demonstrative_Examples
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	Related_Attack_Patterns
	Minor	None
319	Cleartext Transmission of Sensitive Information
	Major	Applicable_Platforms, Common_Consequences, Time_of_Introduction
	Minor	None
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	Applicable_Platforms, Potential_Mitigations, Related_Attack_Patterns
	Minor	None
330	Use of Insufficiently Random Values
	Major	Related_Attack_Patterns
	Minor	None
345	Insufficient Verification of Data Authenticity
	Major	Related_Attack_Patterns
	Minor	None
352	Cross-Site Request Forgery (CSRF)
	Major	None
	Minor	Demonstrative_Examples
357	Insufficient UI Warning of Dangerous Operations
	Major	Related_Attack_Patterns
	Minor	None
388	Error Handling
	Major	Related_Attack_Patterns
	Minor	None
400	Uncontrolled Resource Consumption ('Resource Exhaustion')
	Major	Related_Attack_Patterns
	Minor	None
407	Algorithmic Complexity
	Major	None
	Minor	Applicable_Platforms
426	Untrusted Search Path
	Major	Applicable_Platforms
	Minor	None
434	Unrestricted Upload of File with Dangerous Type
	Major	Related_Attack_Patterns
	Minor	None
436	Interpretation Conflict
	Major	Related_Attack_Patterns
	Minor	None
441	Unintended Proxy/Intermediary
	Major	Related_Attack_Patterns
	Minor	None
454	External Initialization of Trusted Variables or Data Stores
	Major	Applicable_Platforms, Demonstrative_Examples
	Minor	None
456	Missing Initialization
	Major	Applicable_Platforms, Demonstrative_Examples
	Minor	None
471	Modification of Assumed-Immutable Data (MAID)
	Major	Related_Attack_Patterns
	Minor	None
472	External Control of Assumed-Immutable Web Parameter
	Major	Related_Attack_Patterns
	Minor	None
476	NULL Pointer Dereference
	Major	None
	Minor	Demonstrative_Examples
494	Download of Code Without Integrity Check
	Major	Applicable_Platforms
	Minor	None
514	Covert Channel
	Major	Related_Attack_Patterns
	Minor	None
559	Often Misused: Arguments and Parameters
	Major	Related_Attack_Patterns
	Minor	None
574	EJB Bad Practices: Use of Synchronization Primitives
	Major	Demonstrative_Examples
	Minor	None
601	URL Redirection to Untrusted Site ('Open Redirect')
	Major	Demonstrative_Examples
	Minor	None
602	Client-Side Enforcement of Server-Side Security
	Major	Related_Attack_Patterns
	Minor	None
610	Externally Controlled Reference to a Resource in Another Sphere
	Major	Related_Attack_Patterns
	Minor	None
643	Improper Neutralization of Data within XPath Expressions ('XPath injection')
	Major	Description, Name
	Minor	None
644	Improper Neutralization of HTTP Headers for Scripting Syntax
	Major	Description, Name
	Minor	None
648	Incorrect Use of Privileged APIs
	Major	Related_Attack_Patterns
	Minor	None
652	Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
	Major	Description, Name
	Minor	None
654	Reliance on a Single Factor in a Security Decision
	Major	Related_Attack_Patterns
	Minor	None
656	Reliance on Security through Obscurity
	Major	Related_Attack_Patterns
	Minor	None
665	Improper Initialization
	Major	Applicable_Platforms
	Minor	None
672	Operation on a Resource after Expiration or Release
	Major	None
	Minor	Demonstrative_Examples
681	Incorrect Conversion between Numeric Types
	Major	None
	Minor	Demonstrative_Examples
682	Incorrect Calculation
	Major	Detection_Factors, Potential_Mitigations, References
	Minor	None
690	Unchecked Return Value to NULL Pointer Dereference
	Major	None
	Minor	Demonstrative_Examples
732	Incorrect Permission Assignment for Critical Resource
	Major	Potential_Mitigations, Related_Attack_Patterns
	Minor	None
749	Exposed Dangerous Method or Function
	Major	Demonstrative_Examples, Related_Attack_Patterns
	Minor	None
754	Improper Check for Unusual or Exceptional Conditions
	Major	Demonstrative_Examples, Related_Attack_Patterns
	Minor	None
757	Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
	Major	Related_Attack_Patterns
	Minor	None
769	File Descriptor Exhaustion
	Major	Potential_Mitigations
	Minor	None
770	Allocation of Resources Without Limits or Throttling
	Major	Common_Consequences, Demonstrative_Examples, Related_Attack_Patterns
	Minor	None
771	Missing Reference to Active Allocated Resource
	Major	Potential_Mitigations
	Minor	None
772	Missing Release of Resource after Effective Lifetime
	Major	Potential_Mitigations
	Minor	None
773	Missing Reference to Active File Descriptor or Handle
	Major	Potential_Mitigations
	Minor	None
774	Allocation of File Descriptors or Handles Without Limits or Throttling
	Major	Potential_Mitigations
	Minor	None
775	Missing Release of File Descriptor or Handle after Effective Lifetime
	Major	Potential_Mitigations
	Minor	None
798	Use of Hard-coded Credentials
	Major	Related_Attack_Patterns
	Minor	None
799	Improper Control of Interaction Frequency
	Major	Demonstrative_Examples
	Minor	None
805	Buffer Access with Incorrect Length Value
	Major	Related_Attack_Patterns
	Minor	Demonstrative_Examples

Page Last Updated: January 05, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration