CWE - Differences between Version 2.6 and Version 2.7

Home > CWE List > Reports > Differences between Version 2.6 and Version 2.7

Differences between Version 2.6 and Version 2.7

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 2.7)	945
Total (Version 2.6)	943
Total new	2
Total deprecated	0
Total shared	943
Total important changes	75
Total major changes	141
Total minor changes	3
Total minor changes (no major)	1
Total unchanged	801

Summary of Entry Types

Type	Version 2.6	Version 2.7
Category	186	186
Chain	3	3
Composite	5	5
Deprecated	14	14
View	31	31
Weakness	704	706

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	2	0
Description	42	0
Applicable_Platforms	11	0
Time_of_Introduction	2	0
Demonstrative_Examples	14	1
Detection_Factors	1	0
Likelihood_of_Exploit	0	0
Common_Consequences	10	0
Relationships	35	0
References	7	0
Potential_Mitigations	20	0
Observed_Examples	12	2
Terminology_Notes	1	0
Alternate_Terms	1	0
Related_Attack_Patterns	8	0
Relationship_Notes	10	0
Taxonomy_Mappings	0	0
Maintenance_Notes	0	0
Modes_of_Introduction	11	0
Affected_Resources	0	0
Functional_Areas	0	0
Research_Gaps	3	0
Background_Details	1	0
Theoretical_Notes	3	0
Weakness_Ordinalities	0	0
White_Box_Definitions	0	0
Enabling_Factors_for_Exploitation	3	0
Other_Notes	76	0
Relevant_Properties	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Common_Methods_of_Exploitation	0	0
Type	0	0
Causal_Nature	0	0
Source_Taxonomy	0	0
Context_Notes	0	0
Black_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		943

Status Changes

From	To	Total
Unchanged		943

Relationship Changes

The "Version 2.7 Total" lists the total number of relationships in Version 2.7. The "Shared" value is the total number of relationships in entries that were in both Version 2.7 and Version 2.6. The "New" value is the total number of relationships involving entries that did not exist in Version 2.6. Thus, the total number of relationships in Version 2.7 would combine stats from Shared entries and New entries.

Relationship	Version 2.7 Total	Version 2.6 Total	Version 2.7 Shared	Unchanged	Added to Version 2.7	Removed from Version 2.6	Version 2.7 New
ALL	7573	7509	7545	7501	44	8	28
ChildOf	3215	3183	3201	3179	22	4	14
ParentOf	3215	3183	3201	3179	22	4	14
MemberOf	344	344	344	344
HasMember	344	344	344	344
CanPrecede	121	121	121	121
CanFollow	121	121	121	121
StartsWith	3	3	3	3
Requires	17	17	17	17
RequiredBy	17	17	17	17
CanAlsoBe	34	34	34	34
PeerOf	142	142	142	142

Nodes Removed from Version 2.6

CWE-ID	CWE Name
None.

Nodes Added to Version 2.7

CWE-ID	CWE Name
942	Overly Permissive Cross-domain Whitelist
943	Improper Neutralization of Special Elements in Data Query Logic

Nodes Deprecated in Version 2.7

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

D			7	J2EE Misconfiguration: Missing Custom Error Page
D			9	J2EE Misconfiguration: Weak Access Permissions for EJB Methods
		R	74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
		R	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
		R	78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
		R	88	Argument Injection or Modification
		R	89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
		R	90	Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
		R	91	XML Injection (aka Blind XPath Injection)
D		R	99	Improper Control of Resource Identifiers ('Resource Injection')
D			105	Struts: Form Field Without Validator
D			106	Struts: Plug-in Framework not in Use
D			110	Struts: Validator Without Form Field
D			157	Failure to Sanitize Paired Delimiters
		R	183	Permissive Whitelist
D			188	Reliance on Data/Memory Layout
D			195	Signed to Unsigned Conversion Error
D			196	Unsigned to Signed Conversion Error
		R	209	Information Exposure Through an Error Message
		R	215	Information Exposure Through Debug Information
D			245	J2EE Bad Practices: Direct Management of Connections
D			246	J2EE Bad Practices: Direct Use of Sockets
D			253	Incorrect Check of Function Return Value
D		R	256	Plaintext Storage of a Password
D			257	Storing Passwords in a Recoverable Format
		R	284	Improper Access Control
		R	287	Improper Authentication
		R	311	Missing Encryption of Sensitive Data
		R	319	Cleartext Transmission of Sensitive Information
		R	320	Key Management Errors
		R	325	Missing Required Cryptographic Step
		R	327	Use of a Broken or Risky Cryptographic Algorithm
		R	328	Reversible One-Way Hash
D	N		338	Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
D			365	Race Condition in Switch
D			374	Passing Mutable Objects to an Untrusted Method
D			375	Returning a Mutable Object to an Untrusted Caller
D			382	J2EE Bad Practices: Use of System.exit()
D			395	Use of NullPointerException Catch to Detect NULL Pointer Dereference
D			436	Interpretation Conflict
D			460	Improper Cleanup on Thrown Exception
D			467	Use of sizeof() on a Pointer Type
D			471	Modification of Assumed-Immutable Data (MAID)
D			474	Use of Function with Inconsistent Implementations
D			477	Use of Obsolete Functions
D			478	Missing Default Case in Switch Statement
D			480	Use of Incorrect Operator
D			487	Reliance on Package-level Scope
D			489	Leftover Debug Code
D			492	Use of Inner Class Containing Sensitive Data
D			501	Trust Boundary Violation
D			520	.NET Misconfiguration: Use of Impersonation
		R	522	Insufficiently Protected Credentials
		R	523	Unprotected Transport of Credentials
		R	548	Information Exposure Through Directory Listing
D			562	Return of Stack Variable Address
D	N		563	Assignment to Variable without Use ('Unused Variable')
D			579	J2EE Bad Practices: Non-serializable Object Stored in Session
D			594	J2EE Framework: Saving Unserializable Objects to Disk
		R	613	Insufficient Session Expiration
D			617	Reachable Assertion
		R	620	Unverified Password Change
D			621	Variable Extraction Error
D			626	Null Byte Interaction Error (Poison Null Byte)
		R	640	Weak Password Recovery Mechanism for Forgotten Password
		R	643	Improper Neutralization of Data within XPath Expressions ('XPath Injection')
		R	652	Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
		R	668	Exposure of Resource to Wrong Sphere
D			692	Incomplete Blacklist to Cross-Site Scripting
		R	929	OWASP Top Ten 2013 Category A1 - Injection
		R	930	OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
		R	932	OWASP Top Ten 2013 Category A4 - Insecure Direct Object References
		R	933	OWASP Top Ten 2013 Category A5 - Security Misconfiguration
		R	934	OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
		R	935	OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control

Detailed Difference Report

7	J2EE Misconfiguration: Missing Custom Error Page
	Major	Common_Consequences, Description, Other_Notes, Potential_Mitigations
	Minor	None
9	J2EE Misconfiguration: Weak Access Permissions for EJB Methods
	Major	Description, Other_Notes
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Other_Notes, Research_Gaps
	Minor	Observed_Examples
44	Path Equivalence: 'file.name' (Internal Dot)
	Major	Other_Notes, Relationship_Notes
	Minor	None
45	Path Equivalence: 'file...name' (Multiple Internal Dot)
	Major	Other_Notes, Relationship_Notes
	Minor	None
48	Path Equivalence: 'file name' (Internal Whitespace)
	Major	Applicable_Platforms, Other_Notes, Relationship_Notes
	Minor	None
59	Improper Link Resolution Before File Access ('Link Following')
	Major	Common_Consequences, Other_Notes
	Minor	None
61	UNIX Symbolic Link (Symlink) Following
	Major	Modes_of_Introduction, Other_Notes
	Minor	None
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
	Major	Relationships
	Minor	None
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Relationships
	Minor	None
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
	Major	Relationships
	Minor	None
88	Argument Injection or Modification
	Major	Relationships
	Minor	None
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Relationships
	Minor	None
90	Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
	Major	Relationships
	Minor	None
91	XML Injection (aka Blind XPath Injection)
	Major	Relationships
	Minor	None
96	Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
	Major	Enabling_Factors_for_Exploitation, Other_Notes, Relationship_Notes
	Minor	None
99	Improper Control of Resource Identifiers ('Resource Injection')
	Major	Alternate_Terms, Description, Relationship_Notes, Relationships
	Minor	None
105	Struts: Form Field Without Validator
	Major	Common_Consequences, Description, Modes_of_Introduction, Other_Notes
	Minor	None
106	Struts: Plug-in Framework not in Use
	Major	Description, Other_Notes, Potential_Mitigations
	Minor	None
108	Struts: Unvalidated Action Form
	Major	Other_Notes, Potential_Mitigations
	Minor	None
110	Struts: Validator Without Form Field
	Major	Description, Other_Notes
	Minor	None
112	Missing XML Validation
	Major	Demonstrative_Examples, Other_Notes, Potential_Mitigations
	Minor	None
113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
	Major	Demonstrative_Examples
	Minor	None
116	Improper Encoding or Escaping of Output
	Major	References
	Minor	None
122	Heap-based Buffer Overflow
	Major	Observed_Examples
	Minor	None
125	Out-of-bounds Read
	Major	Related_Attack_Patterns
	Minor	None
126	Buffer Over-read
	Major	Observed_Examples
	Minor	None
129	Improper Validation of Array Index
	Major	None
	Minor	Demonstrative_Examples
130	Improper Handling of Length Parameter Inconsistency
	Major	Observed_Examples
	Minor	None
135	Incorrect Calculation of Multi-Byte String Length
	Major	Enabling_Factors_for_Exploitation, Other_Notes
	Minor	None
157	Failure to Sanitize Paired Delimiters
	Major	Applicable_Platforms, Demonstrative_Examples, Description
	Minor	None
159	Failure to Sanitize Special Element
	Major	Other_Notes
	Minor	None
169	Technology-Specific Special Elements
	Major	Applicable_Platforms, Modes_of_Introduction, Other_Notes, Potential_Mitigations
	Minor	None
170	Improper Null Termination
	Major	Observed_Examples
	Minor	None
183	Permissive Whitelist
	Major	Relationships
	Minor	None
185	Incorrect Regular Expression
	Major	Applicable_Platforms, Common_Consequences, Other_Notes, Relationship_Notes
	Minor	None
188	Reliance on Data/Memory Layout
	Major	Description, Other_Notes
	Minor	None
193	Off-by-one Error
	Major	References
	Minor	None
195	Signed to Unsigned Conversion Error
	Major	Demonstrative_Examples, Description
	Minor	None
196	Unsigned to Signed Conversion Error
	Major	Demonstrative_Examples, Description, Other_Notes
	Minor	None
200	Information Exposure
	Major	Related_Attack_Patterns
	Minor	None
208	Information Exposure Through Timing Discrepancy
	Major	Other_Notes, Related_Attack_Patterns
	Minor	None
209	Information Exposure Through an Error Message
	Major	Relationships
	Minor	None
210	Information Exposure Through Self-generated Error Message
	Major	Other_Notes
	Minor	None
213	Intentional Information Exposure
	Major	Other_Notes, Relationship_Notes, Theoretical_Notes
	Minor	None
215	Information Exposure Through Debug Information
	Major	Relationships
	Minor	None
245	J2EE Bad Practices: Direct Management of Connections
	Major	Description, Other_Notes
	Minor	None
246	J2EE Bad Practices: Direct Use of Sockets
	Major	Description, Other_Notes
	Minor	None
252	Unchecked Return Value
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	None
253	Incorrect Check of Function Return Value
	Major	Description, Other_Notes
	Minor	None
256	Plaintext Storage of a Password
	Major	Description, Modes_of_Introduction, Other_Notes, Potential_Mitigations, Relationships
	Minor	None
257	Storing Passwords in a Recoverable Format
	Major	Description, Other_Notes
	Minor	None
262	Not Using Password Aging
	Major	Other_Notes, Potential_Mitigations
	Minor	None
273	Improper Check for Dropped Privileges
	Major	Background_Details, Other_Notes, Potential_Mitigations
	Minor	None
284	Improper Access Control
	Major	Relationships
	Minor	None
287	Improper Authentication
	Major	Relationships
	Minor	None
295	Improper Certificate Validation
	Major	Observed_Examples
	Minor	None
300	Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
	Major	Observed_Examples
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	Relationships
	Minor	None
319	Cleartext Transmission of Sensitive Information
	Major	Relationships
	Minor	None
320	Key Management Errors
	Major	Relationships
	Minor	None
325	Missing Required Cryptographic Step
	Major	Relationships
	Minor	None
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	Relationships
	Minor	None
328	Reversible One-Way Hash
	Major	Relationships
	Minor	None
330	Use of Insufficiently Random Values
	Major	Related_Attack_Patterns
	Minor	None
338	Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
	Major	Applicable_Platforms, Description, Name, Other_Notes
	Minor	None
344	Use of Invariant Value in Dynamically Changing Context
	Major	Other_Notes
	Minor	None
346	Origin Validation Error
	Major	Related_Attack_Patterns
	Minor	None
364	Signal Handler Race Condition
	Major	Demonstrative_Examples, References
	Minor	None
365	Race Condition in Switch
	Major	Common_Consequences, Description, Other_Notes, Potential_Mitigations
	Minor	None
374	Passing Mutable Objects to an Untrusted Method
	Major	Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, References
	Minor	None
375	Returning a Mutable Object to an Untrusted Caller
	Major	Description, Other_Notes, Potential_Mitigations
	Minor	None
378	Creation of Temporary File With Insecure Permissions
	Major	Potential_Mitigations
	Minor	None
382	J2EE Bad Practices: Use of System.exit()
	Major	Description, Modes_of_Introduction, Other_Notes, Potential_Mitigations
	Minor	None
391	Unchecked Error Condition
	Major	Other_Notes
	Minor	None
393	Return of Wrong Status Code
	Major	Observed_Examples
	Minor	None
395	Use of NullPointerException Catch to Detect NULL Pointer Dereference
	Major	Description, Other_Notes
	Minor	None
399	Resource Management Errors
	Major	Other_Notes
	Minor	None
404	Improper Resource Shutdown or Release
	Major	Related_Attack_Patterns
	Minor	None
410	Insufficient Resource Pool
	Major	Other_Notes, Potential_Mitigations
	Minor	None
421	Race Condition During Access to Alternate Channel
	Major	Other_Notes
	Minor	None
436	Interpretation Conflict
	Major	Applicable_Platforms, Description, Observed_Examples, Other_Notes, References
	Minor	None
444	Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
	Major	Other_Notes, Potential_Mitigations, Theoretical_Notes
	Minor	None
452	Initialization and Cleanup Errors
	Major	Other_Notes, Research_Gaps
	Minor	None
457	Use of Uninitialized Variable
	Major	Modes_of_Introduction, Other_Notes
	Minor	None
459	Incomplete Cleanup
	Major	Common_Consequences, Other_Notes, Relationship_Notes
	Minor	None
460	Improper Cleanup on Thrown Exception
	Major	Description, Other_Notes
	Minor	None
467	Use of sizeof() on a Pointer Type
	Major	Description, Other_Notes
	Minor	None
468	Incorrect Pointer Scaling
	Major	Modes_of_Introduction, Other_Notes
	Minor	None
469	Use of Pointer Subtraction to Determine Size
	Major	Other_Notes
	Minor	None
471	Modification of Assumed-Immutable Data (MAID)
	Major	Applicable_Platforms, Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationship_Notes, Theoretical_Notes, Time_of_Introduction
	Minor	None
474	Use of Function with Inconsistent Implementations
	Major	Applicable_Platforms, Description, Other_Notes
	Minor	None
477	Use of Obsolete Functions
	Major	Description, Other_Notes, Potential_Mitigations
	Minor	None
478	Missing Default Case in Switch Statement
	Major	Description, Other_Notes, Potential_Mitigations
	Minor	None
480	Use of Incorrect Operator
	Major	Applicable_Platforms, Description, Detection_Factors, Other_Notes
	Minor	None
483	Incorrect Block Delimitation
	Major	Observed_Examples
	Minor	None
487	Reliance on Package-level Scope
	Major	Description, Other_Notes, Potential_Mitigations
	Minor	None
489	Leftover Debug Code
	Major	Description, Modes_of_Introduction, Other_Notes, Time_of_Introduction
	Minor	None
492	Use of Inner Class Containing Sensitive Data
	Major	Description, Other_Notes
	Minor	None
501	Trust Boundary Violation
	Major	Description, Other_Notes
	Minor	None
514	Covert Channel
	Major	Related_Attack_Patterns
	Minor	None
520	.NET Misconfiguration: Use of Impersonation
	Major	Description, Other_Notes
	Minor	None
522	Insufficiently Protected Credentials
	Major	Other_Notes, Relationships
	Minor	None
523	Unprotected Transport of Credentials
	Major	Other_Notes, Relationships
	Minor	None
548	Information Exposure Through Directory Listing
	Major	Relationships
	Minor	None
549	Missing Password Field Masking
	Major	Other_Notes
	Minor	None
561	Dead Code
	Major	Observed_Examples
	Minor	None
562	Return of Stack Variable Address
	Major	Description, Other_Notes
	Minor	None
563	Assignment to Variable without Use ('Unused Variable')
	Major	Common_Consequences, Description, Name, Other_Notes
	Minor	None
579	J2EE Bad Practices: Non-serializable Object Stored in Session
	Major	Description, Other_Notes
	Minor	None
594	J2EE Framework: Saving Unserializable Objects to Disk
	Major	Description, Other_Notes
	Minor	None
595	Comparison of Object References Instead of Object Contents
	Major	Applicable_Platforms, Common_Consequences
	Minor	None
605	Multiple Binds to the Same Port
	Major	Enabling_Factors_for_Exploitation, Other_Notes
	Minor	None
613	Insufficient Session Expiration
	Major	Relationships
	Minor	None
617	Reachable Assertion
	Major	Common_Consequences, Description, Other_Notes
	Minor	None
620	Unverified Password Change
	Major	Relationships
	Minor	None
621	Variable Extraction Error
	Major	Description, Other_Notes
	Minor	None
624	Executable Regular Expression Error
	Major	Observed_Examples
	Minor	None
625	Permissive Regular Expression
	Major	Modes_of_Introduction, Other_Notes
	Minor	None
626	Null Byte Interaction Error (Poison Null Byte)
	Major	Description, Other_Notes, Research_Gaps, Terminology_Notes
	Minor	None
640	Weak Password Recovery Mechanism for Forgotten Password
	Major	Relationships
	Minor	None
643	Improper Neutralization of Data within XPath Expressions ('XPath Injection')
	Major	Relationships
	Minor	None
652	Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
	Major	Relationships
	Minor	None
655	Insufficient Psychological Acceptability
	Major	Demonstrative_Examples
	Minor	None
656	Reliance on Security Through Obscurity
	Major	Other_Notes, Relationship_Notes
	Minor	None
668	Exposure of Resource to Wrong Sphere
	Major	Relationships
	Minor	None
689	Permission Race Condition During Resource Copy
	Major	Modes_of_Introduction, Other_Notes
	Minor	Observed_Examples
690	Unchecked Return Value to NULL Pointer Dereference
	Major	Modes_of_Introduction, Other_Notes
	Minor	None
692	Incomplete Blacklist to Cross-Site Scripting
	Major	Applicable_Platforms, Description, Other_Notes
	Minor	None
705	Incorrect Control Flow Scoping
	Major	Observed_Examples
	Minor	None
770	Allocation of Resources Without Limits or Throttling
	Major	Related_Attack_Patterns
	Minor	None
787	Out-of-bounds Write
	Major	Demonstrative_Examples
	Minor	None
788	Access of Memory Location After End of Buffer
	Major	Demonstrative_Examples
	Minor	None
805	Buffer Access with Incorrect Length Value
	Major	Demonstrative_Examples
	Minor	None
828	Signal Handler with Functionality that is not Asynchronous-Safe
	Major	Demonstrative_Examples, References
	Minor	None
831	Signal Handler Function Associated with Multiple Signals
	Major	Demonstrative_Examples, References
	Minor	None
929	OWASP Top Ten 2013 Category A1 - Injection
	Major	Relationships
	Minor	None
930	OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
	Major	Relationships
	Minor	None
932	OWASP Top Ten 2013 Category A4 - Insecure Direct Object References
	Major	Relationships
	Minor	None
933	OWASP Top Ten 2013 Category A5 - Security Misconfiguration
	Major	Relationships
	Minor	None
934	OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
	Major	Relationships
	Minor	None
935	OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control
	Major	Relationships
	Minor	None

Page Last Updated: January 05, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration