CWE - Differences between Version 2.2 and Version 2.3

Home > CWE List > Reports > Differences between Version 2.2 and Version 2.3

Differences between Version 2.2 and Version 2.3

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 2.3)	909
Total (Version 2.2)	909
Total new	0
Total deprecated	0
Total shared	909
Total important changes	4
Total major changes	394
Total minor changes	2
Total minor changes (no major)	1
Total unchanged	514

Summary of Entry Types

Type	Version 2.2	Version 2.3
Category	177	177
Chain	3	3
Composite	6	6
Deprecated	12	12
View	29	29
Weakness	682	682

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	3	0
Description	1	1
Applicable_Platforms	0	0
Time_of_Introduction	0	0
Demonstrative_Examples	42	0
Detection_Factors	0	0
Likelihood_of_Exploit	0	0
Common_Consequences	0	0
Relationships	0	0
References	9	0
Potential_Mitigations	373	1
Observed_Examples	4	0
Terminology_Notes	1	0
Alternate_Terms	0	0
Related_Attack_Patterns	0	0
Relationship_Notes	0	0
Taxonomy_Mappings	0	0
Maintenance_Notes	0	0
Modes_of_Introduction	0	0
Affected_Resources	0	0
Functional_Areas	0	0
Research_Gaps	0	0
Background_Details	0	0
Theoretical_Notes	0	0
Weakness_Ordinalities	0	0
White_Box_Definitions	0	0
Enabling_Factors_for_Exploitation	0	0
Other_Notes	0	0
Relevant_Properties	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Common_Methods_of_Exploitation	0	0
Type	0	0
Causal_Nature	0	0
Source_Taxonomy	0	0
Context_Notes	0	0
Black_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		909

Status Changes

From	To	Total
Unchanged		909

Relationship Changes

The "Version 2.3 Total" lists the total number of relationships in Version 2.3. The "Shared" value is the total number of relationships in entries that were in both Version 2.3 and Version 2.2. The "New" value is the total number of relationships involving entries that did not exist in Version 2.2. Thus, the total number of relationships in Version 2.3 would combine stats from Shared entries and New entries.

Relationship	Version 2.3 Total	Version 2.2 Total	Version 2.3 Shared	Unchanged
ALL	7357	7357	7357	7357
ChildOf	3113	3113	3113	3113
ParentOf	3113	3113	3113	3113
MemberOf	334	334	334	334
HasMember	334	334	334	334
CanPrecede	113	113	113	113
CanFollow	113	113	113	113
StartsWith	3	3	3	3
Requires	19	19	19	19
RequiredBy	19	19	19	19
CanAlsoBe	34	34	34	34
PeerOf	162	162	162	162

Nodes Removed from Version 2.2

CWE-ID	CWE Name
None.

Nodes Added to Version 2.3

CWE-ID	CWE Name
None.

Nodes Deprecated in Version 2.3

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

	N	210	Information Exposure Through Self-generated Error Message
	N	211	Information Exposure Through Externally-generated Error Message
D		500	Public Static Field Not Marked Final
	N	622	Improper Validation of Function Hook Arguments

Detailed Difference Report

5	J2EE Misconfiguration: Data Transmission Without Encryption
	Major	Potential_Mitigations
	Minor	None
6	J2EE Misconfiguration: Insufficient Session-ID Length
	Major	Potential_Mitigations
	Minor	None
7	J2EE Misconfiguration: Missing Custom Error Page
	Major	Potential_Mitigations
	Minor	None
8	J2EE Misconfiguration: Entity Bean Declared Remote
	Major	Potential_Mitigations
	Minor	None
9	J2EE Misconfiguration: Weak Access Permissions for EJB Methods
	Major	Potential_Mitigations
	Minor	None
12	ASP.NET Misconfiguration: Missing Custom Error Page
	Major	Potential_Mitigations
	Minor	None
13	ASP.NET Misconfiguration: Password in Configuration File
	Major	Demonstrative_Examples
	Minor	None
15	External Control of System or Configuration Setting
	Major	Potential_Mitigations
	Minor	None
20	Improper Input Validation
	Major	Potential_Mitigations
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Potential_Mitigations
	Minor	None
36	Absolute Path Traversal
	Major	Potential_Mitigations
	Minor	None
41	Improper Resolution of Path Equivalence
	Major	Potential_Mitigations
	Minor	None
42	Path Equivalence: 'filename.' (Trailing Dot)
	Major	Potential_Mitigations
	Minor	None
43	Path Equivalence: 'filename....' (Multiple Trailing Dot)
	Major	Potential_Mitigations
	Minor	None
44	Path Equivalence: 'file.name' (Internal Dot)
	Major	Potential_Mitigations
	Minor	None
45	Path Equivalence: 'file...name' (Multiple Internal Dot)
	Major	Potential_Mitigations
	Minor	None
46	Path Equivalence: 'filename ' (Trailing Space)
	Major	Potential_Mitigations
	Minor	None
47	Path Equivalence: ' filename' (Leading Space)
	Major	Potential_Mitigations
	Minor	None
48	Path Equivalence: 'file name' (Internal Whitespace)
	Major	Potential_Mitigations
	Minor	None
49	Path Equivalence: 'filename/' (Trailing Slash)
	Major	Potential_Mitigations
	Minor	None
50	Path Equivalence: '//multiple/leading/slash'
	Major	Potential_Mitigations
	Minor	None
51	Path Equivalence: '/multiple//internal/slash'
	Major	Potential_Mitigations
	Minor	None
52	Path Equivalence: '/multiple/trailing/slash//'
	Major	Potential_Mitigations
	Minor	None
53	Path Equivalence: '\multiple\\internal\backslash'
	Major	Potential_Mitigations
	Minor	None
54	Path Equivalence: 'filedir\' (Trailing Backslash)
	Major	Potential_Mitigations
	Minor	None
55	Path Equivalence: '/./' (Single Dot Directory)
	Major	Potential_Mitigations
	Minor	None
56	*Path Equivalence: 'filedir' (Wildcard)**
	Major	Potential_Mitigations
	Minor	None
57	Path Equivalence: 'fakedir/../realdir/filename'
	Major	Potential_Mitigations
	Minor	None
58	Path Equivalence: Windows 8.3 Filename
	Major	Potential_Mitigations
	Minor	None
59	Improper Link Resolution Before File Access ('Link Following')
	Major	Potential_Mitigations
	Minor	None
61	UNIX Symbolic Link (Symlink) Following
	Major	Potential_Mitigations
	Minor	None
62	UNIX Hard Link
	Major	Potential_Mitigations
	Minor	None
64	Windows Shortcut Following (.LNK)
	Major	Potential_Mitigations
	Minor	None
65	Windows Hard Link
	Major	Potential_Mitigations
	Minor	None
67	Improper Handling of Windows Device Names
	Major	Potential_Mitigations
	Minor	None
69	Improper Handling of Windows ::DATA Alternate Data Stream
	Major	Potential_Mitigations
	Minor	None
73	External Control of File Name or Path
	Major	Potential_Mitigations
	Minor	None
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
	Major	Potential_Mitigations
	Minor	None
75	Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
	Major	Potential_Mitigations
	Minor	None
76	Improper Neutralization of Equivalent Special Elements
	Major	Potential_Mitigations
	Minor	None
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Potential_Mitigations
	Minor	None
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
	Major	Observed_Examples, Potential_Mitigations
	Minor	None
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	Major	Potential_Mitigations
	Minor	None
80	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
	Major	Potential_Mitigations
	Minor	None
81	Improper Neutralization of Script in an Error Message Web Page
	Major	Potential_Mitigations
	Minor	None
82	Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
	Major	Potential_Mitigations
	Minor	None
83	Improper Neutralization of Script in Attributes in a Web Page
	Major	Potential_Mitigations
	Minor	None
84	Improper Neutralization of Encoded URI Schemes in a Web Page
	Major	Potential_Mitigations
	Minor	None
85	Doubled Character XSS Manipulations
	Major	Potential_Mitigations
	Minor	None
86	Improper Neutralization of Invalid Characters in Identifiers in Web Pages
	Major	Potential_Mitigations
	Minor	None
87	Improper Neutralization of Alternate XSS Syntax
	Major	Potential_Mitigations
	Minor	None
88	Argument Injection or Modification
	Major	Potential_Mitigations
	Minor	None
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Potential_Mitigations
	Minor	None
90	Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
91	XML Injection (aka Blind XPath Injection)
	Major	Potential_Mitigations
	Minor	None
93	Improper Neutralization of CRLF Sequences ('CRLF Injection')
	Major	Potential_Mitigations
	Minor	None
94	Improper Control of Generation of Code ('Code Injection')
	Major	Potential_Mitigations
	Minor	None
95	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
	Major	Potential_Mitigations
	Minor	None
96	Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
	Major	Potential_Mitigations
	Minor	None
98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
	Major	Potential_Mitigations, References
	Minor	None
99	Improper Control of Resource Identifiers ('Resource Injection')
	Major	Potential_Mitigations
	Minor	None
103	Struts: Incomplete validate() Method Definition
	Major	Potential_Mitigations
	Minor	None
104	Struts: Form Bean Does Not Extend Validation Class
	Major	Potential_Mitigations
	Minor	None
105	Struts: Form Field Without Validator
	Major	Potential_Mitigations
	Minor	None
107	Struts: Unused Validation Form
	Major	Potential_Mitigations
	Minor	None
108	Struts: Unvalidated Action Form
	Major	Potential_Mitigations
	Minor	None
109	Struts: Validator Turned Off
	Major	Potential_Mitigations
	Minor	None
113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
	Major	Potential_Mitigations
	Minor	None
116	Improper Encoding or Escaping of Output
	Major	Potential_Mitigations
	Minor	None
117	Improper Output Neutralization for Logs
	Major	Potential_Mitigations
	Minor	None
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	Potential_Mitigations
	Minor	None
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	Potential_Mitigations
	Minor	None
121	Stack-based Buffer Overflow
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
122	Heap-based Buffer Overflow
	Major	Demonstrative_Examples
	Minor	None
123	Write-what-where Condition
	Major	Demonstrative_Examples
	Minor	None
129	Improper Validation of Array Index
	Major	Potential_Mitigations
	Minor	None
130	Improper Handling of Length Parameter Inconsistency
	Major	Potential_Mitigations
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	Potential_Mitigations
	Minor	None
135	Incorrect Calculation of Multi-Byte String Length
	Major	Potential_Mitigations
	Minor	None
140	Improper Neutralization of Delimiters
	Major	Potential_Mitigations
	Minor	None
141	Improper Neutralization of Parameter/Argument Delimiters
	Major	Potential_Mitigations
	Minor	None
142	Improper Neutralization of Value Delimiters
	Major	Potential_Mitigations
	Minor	None
143	Improper Neutralization of Record Delimiters
	Major	Potential_Mitigations
	Minor	None
144	Improper Neutralization of Line Delimiters
	Major	Potential_Mitigations
	Minor	None
145	Improper Neutralization of Section Delimiters
	Major	Potential_Mitigations
	Minor	None
146	Improper Neutralization of Expression/Command Delimiters
	Major	Potential_Mitigations
	Minor	None
147	Improper Neutralization of Input Terminators
	Major	Potential_Mitigations
	Minor	None
148	Improper Neutralization of Input Leaders
	Major	Potential_Mitigations
	Minor	None
149	Improper Neutralization of Quoting Syntax
	Major	Potential_Mitigations
	Minor	None
150	Improper Neutralization of Escape, Meta, or Control Sequences
	Major	Potential_Mitigations
	Minor	None
151	Improper Neutralization of Comment Delimiters
	Major	Potential_Mitigations
	Minor	None
152	Improper Neutralization of Macro Symbols
	Major	Potential_Mitigations
	Minor	None
153	Improper Neutralization of Substitution Characters
	Major	Potential_Mitigations
	Minor	None
154	Improper Neutralization of Variable Name Delimiters
	Major	Potential_Mitigations
	Minor	None
155	Improper Neutralization of Wildcards or Matching Symbols
	Major	Potential_Mitigations
	Minor	None
156	Improper Neutralization of Whitespace
	Major	Potential_Mitigations
	Minor	None
157	Failure to Sanitize Paired Delimiters
	Major	Potential_Mitigations
	Minor	None
158	Improper Neutralization of Null Byte or NUL Character
	Major	Potential_Mitigations
	Minor	None
159	Failure to Sanitize Special Element
	Major	Potential_Mitigations
	Minor	None
160	Improper Neutralization of Leading Special Elements
	Major	Potential_Mitigations
	Minor	None
161	Improper Neutralization of Multiple Leading Special Elements
	Major	Potential_Mitigations
	Minor	None
162	Improper Neutralization of Trailing Special Elements
	Major	Potential_Mitigations
	Minor	None
163	Improper Neutralization of Multiple Trailing Special Elements
	Major	Potential_Mitigations
	Minor	None
164	Improper Neutralization of Internal Special Elements
	Major	Potential_Mitigations
	Minor	None
165	Improper Neutralization of Multiple Internal Special Elements
	Major	Potential_Mitigations
	Minor	None
166	Improper Handling of Missing Special Element
	Major	Potential_Mitigations
	Minor	None
167	Improper Handling of Additional Special Element
	Major	Potential_Mitigations
	Minor	None
168	Improper Handling of Inconsistent Special Elements
	Major	Potential_Mitigations
	Minor	None
171	Cleansing, Canonicalization, and Comparison Errors
	Major	Potential_Mitigations
	Minor	None
172	Encoding Error
	Major	Potential_Mitigations
	Minor	None
173	Improper Handling of Alternate Encoding
	Major	Potential_Mitigations
	Minor	None
174	Double Decoding of the Same Data
	Major	Potential_Mitigations
	Minor	None
175	Improper Handling of Mixed Encoding
	Major	Potential_Mitigations
	Minor	None
176	Improper Handling of Unicode Encoding
	Major	Potential_Mitigations
	Minor	None
177	Improper Handling of URL Encoding (Hex Encoding)
	Major	Potential_Mitigations
	Minor	None
178	Improper Handling of Case Sensitivity
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
181	Incorrect Behavior Order: Validate Before Filter
	Major	Potential_Mitigations
	Minor	None
182	Collapse of Data into Unsafe Value
	Major	Potential_Mitigations
	Minor	None
185	Incorrect Regular Expression
	Major	Potential_Mitigations
	Minor	None
187	Partial Comparison
	Major	Potential_Mitigations
	Minor	None
188	Reliance on Data/Memory Layout
	Major	Potential_Mitigations
	Minor	None
190	Integer Overflow or Wraparound
	Major	Potential_Mitigations
	Minor	None
192	Integer Coercion Error
	Major	Potential_Mitigations
	Minor	None
196	Unsigned to Signed Conversion Error
	Major	Potential_Mitigations
	Minor	None
200	Information Exposure
	Major	Potential_Mitigations
	Minor	None
201	Information Exposure Through Sent Data
	Major	Potential_Mitigations
	Minor	None
203	Information Exposure Through Discrepancy
	Major	Potential_Mitigations
	Minor	None
204	Response Discrepancy Information Exposure
	Major	Potential_Mitigations
	Minor	None
205	Information Exposure Through Behavioral Discrepancy
	Major	Potential_Mitigations
	Minor	None
206	Information Exposure of Internal State Through Behavioral Inconsistency
	Major	Potential_Mitigations
	Minor	None
207	Information Exposure Through an External Behavioral Inconsistency
	Major	Potential_Mitigations
	Minor	None
210	Information Exposure Through Self-generated Error Message
	Major	Name, Potential_Mitigations
	Minor	None
211	Information Exposure Through Externally-generated Error Message
	Major	Name
	Minor	None
212	Improper Cross-boundary Removal of Sensitive Data
	Major	Potential_Mitigations
	Minor	None
213	Intentional Information Exposure
	Major	Potential_Mitigations
	Minor	None
214	Information Exposure Through Process Environment
	Major	Potential_Mitigations
	Minor	None
215	Information Exposure Through Debug Information
	Major	Potential_Mitigations
	Minor	None
216	Containment Errors (Container Errors)
	Major	Potential_Mitigations
	Minor	None
219	Sensitive Data Under Web Root
	Major	Potential_Mitigations
	Minor	None
220	Sensitive Data Under FTP Root
	Major	Potential_Mitigations
	Minor	None
224	Obscured Security-relevant Information by Alternate Name
	Major	Potential_Mitigations
	Minor	None
227	Improper Fulfillment of API Contract ('API Abuse')
	Major	Observed_Examples, Potential_Mitigations
	Minor	None
241	Improper Handling of Unexpected Data Type
	Major	Potential_Mitigations
	Minor	None
242	Use of Inherently Dangerous Function
	Major	Potential_Mitigations
	Minor	None
246	J2EE Bad Practices: Direct Use of Sockets
	Major	Potential_Mitigations
	Minor	None
250	Execution with Unnecessary Privileges
	Major	Potential_Mitigations
	Minor	None
253	Incorrect Check of Function Return Value
	Major	Potential_Mitigations
	Minor	None
256	Plaintext Storage of a Password
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
257	Storing Passwords in a Recoverable Format
	Major	Demonstrative_Examples
	Minor	None
259	Use of Hard-coded Password
	Major	Demonstrative_Examples
	Minor	None
260	Password in Configuration File
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
264	Permissions, Privileges, and Access Controls
	Major	Potential_Mitigations
	Minor	None
265	Privilege / Sandbox Issues
	Major	Potential_Mitigations
	Minor	None
266	Incorrect Privilege Assignment
	Major	Potential_Mitigations, References
	Minor	None
267	Privilege Defined With Unsafe Actions
	Major	Potential_Mitigations, References
	Minor	None
268	Privilege Chaining
	Major	Potential_Mitigations, References
	Minor	None
269	Improper Privilege Management
	Major	Potential_Mitigations
	Minor	None
270	Privilege Context Switching Error
	Major	Potential_Mitigations, References
	Minor	None
271	Privilege Dropping / Lowering Errors
	Major	Potential_Mitigations
	Minor	None
272	Least Privilege Violation
	Major	Potential_Mitigations
	Minor	None
273	Improper Check for Dropped Privileges
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
276	Incorrect Default Permissions
	Major	Potential_Mitigations
	Minor	None
277	Insecure Inherited Permissions
	Major	Potential_Mitigations
	Minor	None
278	Insecure Preserved Inherited Permissions
	Major	Potential_Mitigations
	Minor	None
279	Incorrect Execution-Assigned Permissions
	Major	Potential_Mitigations
	Minor	None
280	Improper Handling of Insufficient Permissions or Privileges
	Major	Potential_Mitigations
	Minor	None
283	Unverified Ownership
	Major	Potential_Mitigations
	Minor	None
284	Improper Access Control
	Major	Potential_Mitigations
	Minor	None
285	Improper Authorization
	Major	Potential_Mitigations
	Minor	None
288	Authentication Bypass Using an Alternate Path or Channel
	Major	Potential_Mitigations
	Minor	None
289	Authentication Bypass by Alternate Name
	Major	Potential_Mitigations
	Minor	None
293	Using Referer Field for Authentication
	Major	Demonstrative_Examples
	Minor	None
300	Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
	Major	Potential_Mitigations
	Minor	None
306	Missing Authentication for Critical Function
	Major	Potential_Mitigations
	Minor	None
308	Use of Single-factor Authentication
	Major	Demonstrative_Examples
	Minor	None
309	Use of Password System for Primary Authentication
	Major	Demonstrative_Examples
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	Potential_Mitigations, References
	Minor	None
323	Reusing a Nonce, Key Pair in Encryption
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
324	Use of a Key Past its Expiration Date
	Major	Potential_Mitigations
	Minor	None
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	Potential_Mitigations
	Minor	None
328	Reversible One-Way Hash
	Major	Demonstrative_Examples, Potential_Mitigations, References
	Minor	None
329	Not Using a Random IV with CBC Mode
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
331	Insufficient Entropy
	Major	Potential_Mitigations
	Minor	None
333	Improper Handling of Insufficient Entropy in TRNG
	Major	Demonstrative_Examples
	Minor	None
334	Small Space of Random Values
	Major	Potential_Mitigations
	Minor	None
337	Predictable Seed in PRNG
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
338	Use of Cryptographically Weak PRNG
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
339	Small Seed Space in PRNG
	Major	Potential_Mitigations
	Minor	None
341	Predictable from Observable State
	Major	Potential_Mitigations
	Minor	None
342	Predictable Exact Value from Previous Values
	Major	Potential_Mitigations
	Minor	None
343	Predictable Value Range from Previous Values
	Major	Potential_Mitigations
	Minor	None
344	Use of Invariant Value in Dynamically Changing Context
	Major	Potential_Mitigations
	Minor	None
352	Cross-Site Request Forgery (CSRF)
	Major	Potential_Mitigations
	Minor	None
353	Missing Support for Integrity Check
	Major	Demonstrative_Examples
	Minor	None
360	Trust of System Event Data
	Major	Demonstrative_Examples
	Minor	None
367	Time-of-check Time-of-use (TOCTOU) Race Condition
	Major	Potential_Mitigations
	Minor	None
375	Returning a Mutable Object to an Untrusted Caller
	Major	Demonstrative_Examples
	Minor	None
378	Creation of Temporary File With Insecure Permissions
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
379	Creation of Temporary File in Directory with Incorrect Permissions
	Major	Demonstrative_Examples
	Minor	None
383	J2EE Bad Practices: Direct Use of Threads
	Major	Potential_Mitigations
	Minor	None
384	Session Fixation
	Major	Potential_Mitigations
	Minor	Description
391	Unchecked Error Condition
	Major	Potential_Mitigations
	Minor	None
395	Use of NullPointerException Catch to Detect NULL Pointer Dereference
	Major	Potential_Mitigations
	Minor	None
401	Improper Release of Memory Before Removing Last Reference ('Memory Leak')
	Major	Potential_Mitigations
	Minor	None
405	Asymmetric Resource Consumption (Amplification)
	Major	Potential_Mitigations
	Minor	None
406	Insufficient Control of Network Message Volume (Network Amplification)
	Major	Potential_Mitigations
	Minor	None
410	Insufficient Resource Pool
	Major	Potential_Mitigations
	Minor	None
413	Improper Resource Locking
	Major	Potential_Mitigations
	Minor	None
414	Missing Lock Check
	Major	Potential_Mitigations
	Minor	None
419	Unprotected Primary Channel
	Major	Potential_Mitigations
	Minor	None
420	Unprotected Alternate Channel
	Major	Potential_Mitigations
	Minor	None
421	Race Condition During Access to Alternate Channel
	Major	Potential_Mitigations
	Minor	None
422	Unprotected Windows Messaging Channel ('Shatter')
	Major	Potential_Mitigations
	Minor	None
424	Improper Protection of Alternate Path
	Major	Potential_Mitigations
	Minor	None
425	Direct Request ('Forced Browsing')
	Major	Potential_Mitigations
	Minor	None
428	Unquoted Search Path or Element
	Major	Potential_Mitigations
	Minor	None
430	Deployment of Wrong Handler
	Major	Potential_Mitigations
	Minor	None
433	Unparsed Raw Web Content Delivery
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
434	Unrestricted Upload of File with Dangerous Type
	Major	Potential_Mitigations
	Minor	None
441	Unintended Proxy/Intermediary
	Major	Potential_Mitigations
	Minor	None
444	Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
447	Unimplemented or Unsupported Feature in UI
	Major	Potential_Mitigations
	Minor	None
448	Obsolete Feature in UI
	Major	Potential_Mitigations
	Minor	None
449	The UI Performs the Wrong Action
	Major	Potential_Mitigations
	Minor	None
451	UI Misrepresentation of Critical Information
	Major	Potential_Mitigations
	Minor	None
453	Insecure Default Variable Initialization
	Major	Potential_Mitigations
	Minor	None
454	External Initialization of Trusted Variables or Data Stores
	Major	Potential_Mitigations
	Minor	None
455	Non-exit on Failed Initialization
	Major	Potential_Mitigations
	Minor	None
456	Missing Initialization
	Major	Potential_Mitigations
	Minor	None
457	Use of Uninitialized Variable
	Major	Demonstrative_Examples
	Minor	None
459	Incomplete Cleanup
	Major	Potential_Mitigations
	Minor	None
463	Deletion of Data Structure Sentinel
	Major	Potential_Mitigations
	Minor	None
464	Addition of Data Structure Sentinel
	Major	Potential_Mitigations
	Minor	None
466	Return of Pointer Value Outside of Expected Range
	Major	Potential_Mitigations
	Minor	None
468	Incorrect Pointer Scaling
	Major	Potential_Mitigations
	Minor	None
469	Use of Pointer Subtraction to Determine Size
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
473	PHP External Variable Modification
	Major	Potential_Mitigations
	Minor	None
474	Use of Function with Inconsistent Implementations
	Major	Potential_Mitigations
	Minor	None
477	Use of Obsolete Functions
	Major	Potential_Mitigations
	Minor	None
479	Signal Handler Use of a Non-reentrant Function
	Major	Demonstrative_Examples
	Minor	None
480	Use of Incorrect Operator
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
481	Assigning instead of Comparing
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
482	Comparing instead of Assigning
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
484	Omitted Break Statement in Switch
	Major	Demonstrative_Examples
	Minor	None
485	Insufficient Encapsulation
	Major	Potential_Mitigations, Terminology_Notes
	Minor	None
487	Reliance on Package-level Scope
	Major	Potential_Mitigations
	Minor	None
488	Exposure of Data Element to Wrong Session
	Major	Potential_Mitigations
	Minor	None
489	Leftover Debug Code
	Major	Potential_Mitigations
	Minor	None
491	Public cloneable() Method Without Final ('Object Hijack')
	Major	Potential_Mitigations
	Minor	None
494	Download of Code Without Integrity Check
	Major	Potential_Mitigations
	Minor	None
495	Private Array-Typed Field Returned From A Public Method
	Major	Potential_Mitigations
	Minor	None
496	Public Data Assigned to Private Array-Typed Field
	Major	Potential_Mitigations
	Minor	None
497	Exposure of System Data to an Unauthorized Control Sphere
	Major	Potential_Mitigations
	Minor	None
499	Serializable Class Containing Sensitive Data
	Major	Demonstrative_Examples
	Minor	None
500	Public Static Field Not Marked Final
	Major	Demonstrative_Examples, Description, Potential_Mitigations
	Minor	None
502	Deserialization of Untrusted Data
	Major	Demonstrative_Examples
	Minor	None
506	Embedded Malicious Code
	Major	Potential_Mitigations
	Minor	None
507	Trojan Horse
	Major	Potential_Mitigations
	Minor	None
508	Non-Replicating Malicious Code
	Major	Potential_Mitigations
	Minor	None
509	Replicating Malicious Code (Virus or Worm)
	Major	Potential_Mitigations
	Minor	None
510	Trapdoor
	Major	Potential_Mitigations
	Minor	None
511	Logic/Time Bomb
	Major	Potential_Mitigations
	Minor	None
512	Spyware
	Major	Potential_Mitigations
	Minor	None
520	.NET Misconfiguration: Use of Impersonation
	Major	Potential_Mitigations
	Minor	None
522	Insufficiently Protected Credentials
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
523	Unprotected Transport of Credentials
	Major	Potential_Mitigations
	Minor	None
524	Information Exposure Through Caching
	Major	Potential_Mitigations
	Minor	None
525	Information Exposure Through Browser Caching
	Major	Potential_Mitigations
	Minor	None
526	Information Exposure Through Environmental Variables
	Major	Potential_Mitigations
	Minor	None
527	Exposure of CVS Repository to an Unauthorized Control Sphere
	Major	Potential_Mitigations
	Minor	None
528	Exposure of Core Dump File to an Unauthorized Control Sphere
	Major	Potential_Mitigations
	Minor	None
529	Exposure of Access Control List Files to an Unauthorized Control Sphere
	Major	Potential_Mitigations
	Minor	None
530	Exposure of Backup File to an Unauthorized Control Sphere
	Major	Potential_Mitigations
	Minor	None
531	Information Exposure Through Test Code
	Major	Potential_Mitigations
	Minor	None
533	Information Exposure Through Server Log Files
	Major	Potential_Mitigations
	Minor	None
534	Information Exposure Through Debug Log Files
	Major	Potential_Mitigations
	Minor	None
535	Information Exposure Through Shell Error Message
	Major	Potential_Mitigations
	Minor	None
536	Information Exposure Through Servlet Runtime Error Message
	Major	Potential_Mitigations
	Minor	None
538	File and Directory Information Exposure
	Major	Potential_Mitigations
	Minor	None
539	Information Exposure Through Persistent Cookies
	Major	Potential_Mitigations
	Minor	None
540	Information Exposure Through Source Code
	Major	Potential_Mitigations
	Minor	None
541	Information Exposure Through Include Source Code
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
542	Information Exposure Through Cleanup Log Files
	Major	Potential_Mitigations
	Minor	None
545	Use of Dynamic Class Loading
	Major	Potential_Mitigations
	Minor	None
546	Suspicious Comment
	Major	Potential_Mitigations
	Minor	None
547	Use of Hard-coded, Security-relevant Constants
	Major	Potential_Mitigations
	Minor	None
548	Information Exposure Through Directory Listing
	Major	Potential_Mitigations
	Minor	None
549	Missing Password Field Masking
	Major	Potential_Mitigations
	Minor	None
550	Information Exposure Through Server Error Message
	Major	Potential_Mitigations
	Minor	None
551	Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
	Major	Potential_Mitigations
	Minor	None
553	Command Shell in Externally Accessible Directory
	Major	Potential_Mitigations
	Minor	None
554	ASP.NET Misconfiguration: Not Using Input Validation Framework
	Major	Potential_Mitigations
	Minor	None
555	J2EE Misconfiguration: Plaintext Password in Configuration File
	Major	Potential_Mitigations
	Minor	None
556	ASP.NET Misconfiguration: Use of Identity Impersonation
	Major	Potential_Mitigations
	Minor	None
558	Use of getlogin() in Multithreaded Application
	Major	Potential_Mitigations
	Minor	None
560	Use of umask() with chmod-style Argument
	Major	Potential_Mitigations
	Minor	None
561	Dead Code
	Major	Potential_Mitigations
	Minor	None
562	Return of Stack Variable Address
	Major	Potential_Mitigations
	Minor	None
563	Unused Variable
	Major	Potential_Mitigations
	Minor	None
564	SQL Injection: Hibernate
	Major	Potential_Mitigations
	Minor	None
567	Unsynchronized Access to Shared Data in a Multithreaded Context
	Major	Potential_Mitigations
	Minor	None
568	finalize() Method Without super.finalize()
	Major	Potential_Mitigations
	Minor	None
572	Call to Thread run() instead of start()
	Major	Potential_Mitigations
	Minor	None
574	EJB Bad Practices: Use of Synchronization Primitives
	Major	Potential_Mitigations
	Minor	None
576	EJB Bad Practices: Use of Java I/O
	Major	Potential_Mitigations
	Minor	None
579	J2EE Bad Practices: Non-serializable Object Stored in Session
	Major	Potential_Mitigations
	Minor	None
581	Object Model Violation: Just One of Equals and Hashcode Defined
	Major	Potential_Mitigations
	Minor	None
582	Array Declared Public, Final, and Static
	Major	Potential_Mitigations
	Minor	None
583	finalize() Method Declared Public
	Major	Potential_Mitigations
	Minor	None
584	Return Inside Finally Block
	Major	Potential_Mitigations
	Minor	None
586	Explicit Call to Finalize()
	Major	Potential_Mitigations
	Minor	None
588	Attempt to Access Child of a Non-structure Pointer
	Major	Potential_Mitigations
	Minor	None
589	Call to Non-ubiquitous API
	Major	Potential_Mitigations
	Minor	None
590	Free of Memory not on the Heap
	Major	Potential_Mitigations
	Minor	None
594	J2EE Framework: Saving Unserializable Objects to Disk
	Major	Potential_Mitigations
	Minor	None
595	Comparison of Object References Instead of Object Contents
	Major	Potential_Mitigations
	Minor	None
598	Information Exposure Through Query Strings in GET Request
	Major	Potential_Mitigations
	Minor	None
600	Uncaught Exception in Servlet
	Major	Potential_Mitigations
	Minor	None
601	URL Redirection to Untrusted Site ('Open Redirect')
	Major	Potential_Mitigations
	Minor	None
603	Use of Client-Side Authentication
	Major	Potential_Mitigations
	Minor	None
605	Multiple Binds to the Same Port
	Major	Potential_Mitigations
	Minor	None
606	Unchecked Input for Loop Condition
	Major	Potential_Mitigations
	Minor	None
607	Public Static Final Field References Mutable Object
	Major	Potential_Mitigations
	Minor	None
608	Struts: Non-private Field in ActionForm Class
	Major	Potential_Mitigations
	Minor	None
609	Double-Checked Locking
	Major	Potential_Mitigations
	Minor	None
613	Insufficient Session Expiration
	Major	Potential_Mitigations
	Minor	None
614	Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
	Major	Potential_Mitigations
	Minor	None
615	Information Exposure Through Comments
	Major	Potential_Mitigations
	Minor	None
616	Incomplete Identification of Uploaded File Variables (PHP)
	Major	Potential_Mitigations
	Minor	None
617	Reachable Assertion
	Major	Potential_Mitigations
	Minor	None
618	Exposed Unsafe ActiveX Method
	Major	Potential_Mitigations
	Minor	None
619	Dangling Database Cursor ('Cursor Injection')
	Major	Potential_Mitigations
	Minor	None
620	Unverified Password Change
	Major	Potential_Mitigations
	Minor	None
621	Variable Extraction Error
	Major	Potential_Mitigations
	Minor	None
622	Improper Validation of Function Hook Arguments
	Major	Name, Potential_Mitigations
	Minor	None
623	Unsafe ActiveX Control Marked Safe For Scripting
	Major	Potential_Mitigations
	Minor	None
624	Executable Regular Expression Error
	Major	Potential_Mitigations
	Minor	None
625	Permissive Regular Expression
	Major	Potential_Mitigations
	Minor	None
626	Null Byte Interaction Error (Poison Null Byte)
	Major	Potential_Mitigations
	Minor	None
627	Dynamic Variable Evaluation
	Major	Potential_Mitigations
	Minor	None
628	Function Call with Incorrectly Specified Arguments
	Major	Potential_Mitigations
	Minor	None
636	Not Failing Securely ('Failing Open')
	Major	Potential_Mitigations
	Minor	None
637	Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
	Major	Potential_Mitigations
	Minor	None
638	Not Using Complete Mediation
	Major	Potential_Mitigations
	Minor	None
640	Weak Password Recovery Mechanism for Forgotten Password
	Major	Potential_Mitigations
	Minor	None
641	Improper Restriction of Names for Files and Other Resources
	Major	Potential_Mitigations
	Minor	None
642	External Control of Critical State Data
	Major	Potential_Mitigations
	Minor	None
643	Improper Neutralization of Data within XPath Expressions ('XPath Injection')
	Major	Potential_Mitigations
	Minor	None
644	Improper Neutralization of HTTP Headers for Scripting Syntax
	Major	Potential_Mitigations
	Minor	None
645	Overly Restrictive Account Lockout Mechanism
	Major	Potential_Mitigations
	Minor	None
646	Reliance on File Name or Extension of Externally-Supplied File
	Major	Potential_Mitigations
	Minor	None
648	Incorrect Use of Privileged APIs
	Major	Potential_Mitigations
	Minor	None
649	Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
	Major	Potential_Mitigations
	Minor	None
650	Trusting HTTP Permission Methods on the Server Side
	Major	Potential_Mitigations
	Minor	None
652	Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
	Major	Potential_Mitigations
	Minor	None
653	Insufficient Compartmentalization
	Major	Potential_Mitigations
	Minor	None
654	Reliance on a Single Factor in a Security Decision
	Major	Potential_Mitigations
	Minor	None
655	Insufficient Psychological Acceptability
	Major	Potential_Mitigations
	Minor	None
656	Reliance on Security Through Obscurity
	Major	Potential_Mitigations
	Minor	None
662	Improper Synchronization
	Major	Potential_Mitigations
	Minor	None
664	Improper Control of a Resource Through its Lifetime
	Major	Potential_Mitigations
	Minor	None
666	Operation on Resource in Wrong Phase of Lifetime
	Major	Potential_Mitigations
	Minor	None
667	Improper Locking
	Major	Potential_Mitigations
	Minor	None
674	Uncontrolled Recursion
	Major	Potential_Mitigations
	Minor	None
683	Function Call With Incorrect Order of Arguments
	Major	Potential_Mitigations
	Minor	None
685	Function Call With Incorrect Number of Arguments
	Major	Potential_Mitigations
	Minor	None
686	Function Call With Incorrect Argument Type
	Major	Potential_Mitigations
	Minor	None
687	Function Call With Incorrectly Specified Argument Value
	Major	Potential_Mitigations
	Minor	None
688	Function Call With Incorrect Variable or Reference as Argument
	Major	Potential_Mitigations
	Minor	None
694	Use of Multiple Resources with Duplicate Identifier
	Major	Potential_Mitigations
	Minor	None
695	Use of Low-Level Functionality
	Major	Potential_Mitigations
	Minor	None
698	Redirect Without Exit
	Major	Demonstrative_Examples
	Minor	None
708	Incorrect Ownership Assignment
	Major	Observed_Examples, Potential_Mitigations
	Minor	None
710	Coding Standards Violation
	Major	Potential_Mitigations
	Minor	None
732	Incorrect Permission Assignment for Critical Resource
	Major	Potential_Mitigations
	Minor	None
754	Improper Check for Unusual or Exceptional Conditions
	Major	Potential_Mitigations
	Minor	None
759	Use of a One-Way Hash without a Salt
	Major	Demonstrative_Examples, Potential_Mitigations, References
	Minor	None
760	Use of a One-Way Hash with a Predictable Salt
	Major	Potential_Mitigations, References
	Minor	None
761	Free of Pointer not at Start of Buffer
	Major	Potential_Mitigations
	Minor	None
762	Mismatched Memory Management Routines
	Major	Potential_Mitigations
	Minor	None
763	Release of Invalid Pointer or Reference
	Major	Potential_Mitigations
	Minor	None
770	Allocation of Resources Without Limits or Throttling
	Major	Potential_Mitigations
	Minor	None
771	Missing Reference to Active Allocated Resource
	Major	Potential_Mitigations
	Minor	None
772	Missing Release of Resource after Effective Lifetime
	Major	Potential_Mitigations
	Minor	None
773	Missing Reference to Active File Descriptor or Handle
	Major	Potential_Mitigations
	Minor	None
774	Allocation of File Descriptors or Handles Without Limits or Throttling
	Major	Potential_Mitigations
	Minor	None
775	Missing Release of File Descriptor or Handle after Effective Lifetime
	Major	Potential_Mitigations
	Minor	None
798	Use of Hard-coded Credentials
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
805	Buffer Access with Incorrect Length Value
	Major	Potential_Mitigations
	Minor	None
806	Buffer Access Using Size of Source Buffer
	Major	None
	Minor	Potential_Mitigations
807	Reliance on Untrusted Inputs in a Security Decision
	Major	Potential_Mitigations
	Minor	None
829	Inclusion of Functionality from Untrusted Control Sphere
	Major	Potential_Mitigations
	Minor	None
836	Use of Password Hash Instead of Password for Authentication
	Major	Observed_Examples
	Minor	None
862	Missing Authorization
	Major	Potential_Mitigations
	Minor	None
863	Incorrect Authorization
	Major	Potential_Mitigations
	Minor	None

Page Last Updated: January 05, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration