CWE - Differences between Version 2.3 and Version 2.4

Home > CWE List > Reports > Differences between Version 2.3 and Version 2.4

Differences between Version 2.3 and Version 2.4

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 2.4)	920
Total (Version 2.3)	909
Total new	11
Total deprecated	0
Total shared	909
Total important changes	49
Total major changes	96
Total minor changes	1
Total minor changes (no major)
Total unchanged	813

Summary of Entry Types

Type	Version 2.3	Version 2.4
Category	177	176
Chain	3	3
Composite	6	6
Deprecated	12	12
View	29	29
Weakness	682	694

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	11	0
Description	15	1
Applicable_Platforms	19	0
Time_of_Introduction	2	0
Demonstrative_Examples	13	0
Detection_Factors	0	0
Likelihood_of_Exploit	0	0
Common_Consequences	5	0
Relationships	44	0
References	17	0
Potential_Mitigations	36	0
Observed_Examples	16	0
Terminology_Notes	0	0
Alternate_Terms	11	0
Related_Attack_Patterns	0	0
Relationship_Notes	3	0
Taxonomy_Mappings	1	0
Maintenance_Notes	5	0
Modes_of_Introduction	0	0
Affected_Resources	0	0
Functional_Areas	0	0
Research_Gaps	0	0
Background_Details	2	0
Theoretical_Notes	2	0
Weakness_Ordinalities	1	0
White_Box_Definitions	0	0
Enabling_Factors_for_Exploitation	0	0
Other_Notes	5	0
Relevant_Properties	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Common_Methods_of_Exploitation	0	0
Type	7	0
Causal_Nature	0	0
Source_Taxonomy	0	0
Context_Notes	0	0
Black_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		902
Category	Weakness/Base	1
Weakness/Base	Weakness/Class	1
Weakness/Base	Weakness/Variant	3
Weakness/Class	Weakness/Base	2

Status Changes

From	To	Total
Unchanged		909

Relationship Changes

The "Version 2.4 Total" lists the total number of relationships in Version 2.4. The "Shared" value is the total number of relationships in entries that were in both Version 2.4 and Version 2.3. The "New" value is the total number of relationships involving entries that did not exist in Version 2.3. Thus, the total number of relationships in Version 2.4 would combine stats from Shared entries and New entries.

Relationship	Version 2.4 Total	Version 2.3 Total	Version 2.4 Shared	Unchanged	Added to Version 2.4	Removed from Version 2.3	Version 2.4 New
ALL	7419	7357	7341	7297	44	60	78
ChildOf	3141	3113	3106	3090	16	23	35
ParentOf	3141	3113	3106	3090	16	23	35
MemberOf	334	334	334	334
HasMember	334	334	334	334
CanPrecede	120	113	117	113	4		3
CanFollow	120	113	117	113	4		3
StartsWith	3	3	3	3
Requires	19	19	19	19
RequiredBy	19	19	19	19
CanAlsoBe	34	34	34	34
PeerOf	154	162	152	148	4	14	2

Nodes Removed from Version 2.3

CWE-ID	CWE Name
None.

Nodes Added to Version 2.4

CWE-ID	CWE Name
908	Use of Uninitialized Resource
909	Missing Initialization of Resource
910	Use of Expired File Descriptor
911	Improper Update of Reference Count
912	Hidden Functionality
913	Improper Control of Dynamically-Managed Code Resources
914	Improper Control of Dynamically-Identified Variables
915	Improperly Controlled Modification of Dynamically-Determined Object Attributes
916	Use of Password Hash With Insufficient Computational Effort
917	Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
918	Server-Side Request Forgery (SSRF)

Nodes Deprecated in Version 2.4

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

		R	20	Improper Input Validation
		R	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
		R	94	Improper Control of Generation of Code ('Code Injection')
	N		98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
		R	99	Improper Control of Resource Identifiers ('Resource Injection')
D	N	R	295	Improper Certificate Validation
D	N	R	296	Improper Following of a Certificate's Chain of Trust
D	N	R	297	Improper Validation of Certificate with Host Mismatch
		R	298	Improper Validation of Certificate Expiration
D		R	299	Improper Check for Certificate Revocation
		R	322	Key Exchange without Entity Authentication
D			324	Use of a Key Past its Expiration Date
		R	327	Use of a Broken or Risky Cryptographic Algorithm
		R	352	Cross-Site Request Forgery (CSRF)
D	N		403	Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
		R	418	Channel Errors
D	N	R	441	Unintended Proxy or Intermediary ('Confused Deputy')
		R	442	Web Problems
		R	452	Initialization and Cleanup Errors
	N	R	456	Missing Initialization of a Variable
D		R	457	Use of Uninitialized Variable
		R	470	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
		R	471	Modification of Assumed-Immutable Data (MAID)
		R	485	Insufficient Encapsulation
		R	502	Deserialization of Untrusted Data
		R	505	Intentionally Introduced Weakness
		R	506	Embedded Malicious Code
D		R	514	Covert Channel
		R	538	File and Directory Information Exposure
D	N	R	599	Missing Validation of OpenSSL Certificate
D	N	R	611	Improper Restriction of XML External Entity Reference ('XXE')
		R	621	Variable Extraction Error
		R	627	Dynamic Variable Evaluation
		R	664	Improper Control of a Resource Through its Lifetime
		R	665	Improper Initialization
		R	668	Exposure of Resource to Wrong Sphere
		R	672	Operation on a Resource after Expiration or Release
		R	673	External Influence of Sphere Definition
		R	674	Uncontrolled Recursion
		R	693	Protection Mechanism Failure
	N		698	Execution After Redirect (EAR)
		R	710	Coding Standards Violation
		R	754	Improper Check for Unusual or Exceptional Conditions
D		R	759	Use of a One-Way Hash without a Salt
D		R	760	Use of a One-Way Hash with a Predictable Salt
		R	772	Missing Release of Resource after Effective Lifetime
D	N	R	776	Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
		R	813	OWASP Top Ten 2010 Category A4 - Insecure Direct Object References
D			863	Incorrect Authorization

Detailed Difference Report

11	ASP.NET Misconfiguration: Creating Debug Binary
	Major	Potential_Mitigations
	Minor	None
12	ASP.NET Misconfiguration: Missing Custom Error Page
	Major	Potential_Mitigations
	Minor	None
13	ASP.NET Misconfiguration: Password in Configuration File
	Major	Potential_Mitigations
	Minor	None
15	External Control of System or Configuration Setting
	Major	Potential_Mitigations
	Minor	None
20	Improper Input Validation
	Major	Relationships
	Minor	None
21	Pathname Traversal and Equivalence Errors
	Major	Potential_Mitigations
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Observed_Examples
	Minor	None
37	Path Traversal: '/absolute/pathname/here'
	Major	Potential_Mitigations
	Minor	None
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Relationships
	Minor	None
81	Improper Neutralization of Script in an Error Message Web Page
	Major	Potential_Mitigations
	Minor	None
84	Improper Neutralization of Encoded URI Schemes in a Web Page
	Major	Potential_Mitigations
	Minor	None
94	Improper Control of Generation of Code ('Code Injection')
	Major	Relationships
	Minor	None
95	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
	Major	Observed_Examples
	Minor	None
96	Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
	Major	Observed_Examples
	Minor	None
98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
	Major	Alternate_Terms, Name, Observed_Examples
	Minor	None
99	Improper Control of Resource Identifiers ('Resource Injection')
	Major	Alternate_Terms, Maintenance_Notes, Other_Notes, Relationships
	Minor	None
106	Struts: Plug-in Framework not in Use
	Major	Potential_Mitigations
	Minor	None
110	Struts: Validator Without Form Field
	Major	Potential_Mitigations
	Minor	None
111	Direct Use of Unsafe JNI
	Major	Potential_Mitigations
	Minor	None
112	Missing XML Validation
	Major	Potential_Mitigations
	Minor	None
114	Process Control
	Major	Potential_Mitigations
	Minor	None
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	Demonstrative_Examples
	Minor	None
122	Heap-based Buffer Overflow
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
123	Write-what-where Condition
	Major	Potential_Mitigations
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	Demonstrative_Examples
	Minor	None
140	Improper Neutralization of Delimiters
	Major	Potential_Mitigations
	Minor	None
171	Cleansing, Canonicalization, and Comparison Errors
	Major	Potential_Mitigations
	Minor	None
172	Encoding Error
	Major	Potential_Mitigations
	Minor	None
183	Permissive Whitelist
	Major	Potential_Mitigations
	Minor	None
184	Incomplete Blacklist
	Major	Potential_Mitigations
	Minor	None
200	Information Exposure
	Major	Alternate_Terms, Applicable_Platforms, References
	Minor	None
201	Information Exposure Through Sent Data
	Major	Potential_Mitigations
	Minor	None
202	Exposure of Sensitive Data Through Data Queries
	Major	Potential_Mitigations
	Minor	None
258	Empty Password in Configuration File
	Major	Potential_Mitigations
	Minor	None
269	Improper Privilege Management
	Major	Potential_Mitigations
	Minor	None
295	Improper Certificate Validation
	Major	Applicable_Platforms, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Time_of_Introduction, Type
	Minor	None
296	Improper Following of a Certificate's Chain of Trust
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, References, Relationships
	Minor	None
297	Improper Validation of Certificate with Host Mismatch
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, References, Relationships, Type
	Minor	None
298	Improper Validation of Certificate Expiration
	Major	Applicable_Platforms, Demonstrative_Examples, Relationships, Type
	Minor	Description
299	Improper Check for Certificate Revocation
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Relationships, Type
	Minor	None
312	Cleartext Storage of Sensitive Information
	Major	Applicable_Platforms, References
	Minor	None
319	Cleartext Transmission of Sensitive Information
	Major	Applicable_Platforms, References
	Minor	None
322	Key Exchange without Entity Authentication
	Major	Relationships
	Minor	None
324	Use of a Key Past its Expiration Date
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes
	Minor	None
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	Relationships
	Minor	None
352	Cross-Site Request Forgery (CSRF)
	Major	Relationships
	Minor	None
359	Privacy Violation
	Major	Applicable_Platforms, References
	Minor	None
360	Trust of System Event Data
	Major	Potential_Mitigations
	Minor	None
370	Missing Check for Certificate Revocation after Initial Check
	Major	Applicable_Platforms, Demonstrative_Examples
	Minor	None
401	Improper Release of Memory Before Removing Last Reference ('Memory Leak')
	Major	Observed_Examples
	Minor	None
403	Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
	Major	Alternate_Terms, Description, Name, Observed_Examples, References
	Minor	None
418	Channel Errors
	Major	Relationships
	Minor	None
431	Missing Handler
	Major	Potential_Mitigations
	Minor	None
441	Unintended Proxy or Intermediary ('Confused Deputy')
	Major	Alternate_Terms, Applicable_Platforms, Description, Maintenance_Notes, Name, Observed_Examples, References, Relationship_Notes, Relationships, Theoretical_Notes, Type
	Minor	None
442	Web Problems
	Major	Relationships
	Minor	None
452	Initialization and Cleanup Errors
	Major	Relationships
	Minor	None
456	Missing Initialization of a Variable
	Major	Name, Relationships
	Minor	None
457	Use of Uninitialized Variable
	Major	Applicable_Platforms, Description, Other_Notes, Potential_Mitigations, Relationships
	Minor	None
470	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
	Major	Relationships
	Minor	None
471	Modification of Assumed-Immutable Data (MAID)
	Major	Relationships
	Minor	None
485	Insufficient Encapsulation
	Major	Relationships
	Minor	None
502	Deserialization of Untrusted Data
	Major	Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships
	Minor	None
505	Intentionally Introduced Weakness
	Major	Relationships
	Minor	None
506	Embedded Malicious Code
	Major	Relationships
	Minor	None
511	Logic/Time Bomb
	Major	Applicable_Platforms, Potential_Mitigations, References, Time_of_Introduction
	Minor	None
514	Covert Channel
	Major	Description, Relationships, Theoretical_Notes
	Minor	None
538	File and Directory Information Exposure
	Major	Relationships
	Minor	None
599	Missing Validation of OpenSSL Certificate
	Major	Demonstrative_Examples, Description, Name, Relationship_Notes, Relationships
	Minor	None
610	Externally Controlled Reference to a Resource in Another Sphere
	Major	Maintenance_Notes
	Minor	None
611	Improper Restriction of XML External Entity Reference ('XXE')
	Major	Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Taxonomy_Mappings
	Minor	None
621	Variable Extraction Error
	Major	Demonstrative_Examples, Relationships
	Minor	None
627	Dynamic Variable Evaluation
	Major	Common_Consequences, Observed_Examples, Potential_Mitigations, Relationships, Weakness_Ordinalities
	Minor	None
639	Authorization Bypass Through User-Controlled Key
	Major	Alternate_Terms, Common_Consequences
	Minor	None
651	Information Exposure Through WSDL File
	Major	Potential_Mitigations
	Minor	None
654	Reliance on a Single Factor in a Security Decision
	Major	Potential_Mitigations
	Minor	None
664	Improper Control of a Resource Through its Lifetime
	Major	Relationships
	Minor	None
665	Improper Initialization
	Major	Demonstrative_Examples, Relationships
	Minor	None
668	Exposure of Resource to Wrong Sphere
	Major	Relationships
	Minor	None
672	Operation on a Resource after Expiration or Release
	Major	Relationships
	Minor	None
673	External Influence of Sphere Definition
	Major	Relationships
	Minor	None
674	Uncontrolled Recursion
	Major	Relationships
	Minor	None
693	Protection Mechanism Failure
	Major	Relationships
	Minor	None
698	Execution After Redirect (EAR)
	Major	Alternate_Terms, Name, Observed_Examples, References
	Minor	None
710	Coding Standards Violation
	Major	Relationships
	Minor	None
754	Improper Check for Unusual or Exceptional Conditions
	Major	Relationships
	Minor	None
759	Use of a One-Way Hash without a Salt
	Major	Description, Potential_Mitigations, References, Relationships, Type
	Minor	None
760	Use of a One-Way Hash with a Predictable Salt
	Major	Description, Potential_Mitigations, References, Relationships, Type
	Minor	None
769	File Descriptor Exhaustion
	Major	Maintenance_Notes
	Minor	None
772	Missing Release of Resource after Effective Lifetime
	Major	Relationships
	Minor	None
776	Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
	Major	Alternate_Terms, Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships
	Minor	None
788	Access of Memory Location After End of Buffer
	Major	Demonstrative_Examples
	Minor	None
798	Use of Hard-coded Credentials
	Major	Applicable_Platforms, References
	Minor	None
813	OWASP Top Ten 2010 Category A4 - Insecure Direct Object References
	Major	Relationships
	Minor	None
825	Expired Pointer Dereference
	Major	Alternate_Terms
	Minor	None
827	Improper Control of Document Type Definition
	Major	Applicable_Platforms
	Minor	None
863	Incorrect Authorization
	Major	Description
	Minor	None

Page Last Updated: January 05, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration