CWE - Differences between Version 3.2 and Version 3.3

Home > CWE List > Reports > Differences between Version 3.2 and Version 3.3

Differences between Version 3.2 and Version 3.3

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total weaknesses/chains/composites (Version 3.3)	808
Total weaknesses/chains/composites (Version 3.2)	806
Total new	11
Total deprecated	2
Total with major changes	238
Total with only minor changes
Total unchanged	937

Summary of Entry Types

Type	Version 3.2	Version 3.3
Weakness	806	808
Category	289	295
View	36	37
Deprecated	46	48
Total	1177	1188

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	6	0
Description	8	0
Applicable_Platforms	0	0
Time_of_Introduction	0	0
Demonstrative_Examples	4	0
Detection_Factors	0	0
Likelihood_of_Exploit	0	0
Common_Consequences	0	0
Relationships	161	0
References	15	0
Potential_Mitigations	0	0
Observed_Examples	0	0
Terminology_Notes	0	0
Alternate_Terms	0	0
Related_Attack_Patterns	75	0
Relationship_Notes	0	0
Taxonomy_Mappings	1	0
Maintenance_Notes	3	0
Modes_of_Introduction	0	0
Research_Gaps	0	0
Background_Details	0	0
Theoretical_Notes	0	0
Weakness_Ordinalities	0	0
Other_Notes	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Type	49	0
Source_Taxonomy	0	0

Form and Abstraction Changes

From	To	Total	CWE IDs
Unchanged		1128
Category	Deprecated	2	17, 18
Weakness/Base	Weakness/Class	10	311, 327, 406, 407, 436, 662, 666, 672, 674, 834
Weakness/Base	Weakness/Variant	15	95, 98, 323, 336, 337, 339, 379, 416, 453, 456, 759, 760, 827, 830, 911
Weakness/Class	Weakness/Base	8	22, 94, 185, 203, 681, 757, 829, 924
Weakness/Variant	Weakness/Base	14	256, 276, 306, 312, 319, 457, 502, 561, 601, 611, 617, 765, 776, 783

Status Changes

From	To	Total
Unchanged		1175
Draft	Deprecated	2

Relationship Changes

The "Version 3.3 Total" lists the total number of relationships in Version 3.3. The "Shared" value is the total number of relationships in entries that were in both Version 3.3 and Version 3.2. The "New" value is the total number of relationships involving entries that did not exist in Version 3.2. Thus, the total number of relationships in Version 3.3 would combine stats from Shared entries and New entries.

Relationship	Version 3.3 Total	Version 3.2 Total	Version 3.3 Shared	Unchanged	Added to Version 3.3	Removed from Version 3.2	Version 3.3 New
ALL	9307	9267	9271	9051	220	216	36
ChildOf	3989	4009	3979	3904	75	105	10
ParentOf	3989	4009	3979	3904	75	105	10
MemberOf	440	401	432	398	34	3	8
HasMember	440	401	432	398	34	3	8
CanPrecede	128	127	128	127	1
CanFollow	128	127	128	127	1
StartsWith	3	3	3	3
Requires	14	14	14	14
RequiredBy	14	14	14	14
CanAlsoBe	30	30	30	30
PeerOf	132	132	132	132

Nodes Removed from Version 3.2

CWE-ID	CWE Name
None.

Nodes Added to Version 3.3

CWE-ID	CWE Name
1178	Weaknesses Addressed by the SEI CERT Perl Coding Standard
1179	SEI CERT Perl Coding Standard - Guidelines 01. Input Validation and Data Sanitization (IDS)
1180	SEI CERT Perl Coding Standard - Guidelines 02. Declarations and Initialization (DCL)
1181	SEI CERT Perl Coding Standard - Guidelines 03. Expressions (EXP)
1182	SEI CERT Perl Coding Standard - Guidelines 04. Integers (INT)
1183	SEI CERT Perl Coding Standard - Guidelines 05. Strings (STR)
1184	SEI CERT Perl Coding Standard - Guidelines 06. Object-Oriented Programming (OOP)
1185	SEI CERT Perl Coding Standard - Guidelines 07. File Input and Output (FIO)
1186	SEI CERT Perl Coding Standard - Guidelines 50. Miscellaneous (MSC)
1187	Use of Uninitialized Resource
1188	Insecure Default Initialization of Resource

Nodes Deprecated in Version 3.3

CWE-ID	CWE Name
17	DEPRECATED: Code
18	DEPRECATED: Source Code

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

		R	2	7PK - Environment
		R	16	Configuration
D	N	R	17	DEPRECATED: Code
D	N	R	18	DEPRECATED: Source Code
		R	19	Data Processing Errors
		R	20	Improper Input Validation
		R	21	Pathname Traversal and Equivalence Errors
		R	22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
		R	59	Improper Link Resolution Before File Access ('Link Following')
		R	74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
		R	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
		R	78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
		R	88	Argument Injection or Modification
		R	89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
		R	90	Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
		R	93	Improper Neutralization of CRLF Sequences ('CRLF Injection')
		R	99	Improper Control of Resource Identifiers ('Resource Injection')
		R	113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
		R	116	Improper Encoding or Escaping of Output
		R	118	Incorrect Access of Indexable Resource ('Range Error')
		R	119	Improper Restriction of Operations within the Bounds of a Memory Buffer
		R	120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
		R	123	Write-what-where Condition
D			125	Out-of-bounds Read
		R	131	Incorrect Calculation of Buffer Size
		R	134	Use of Externally-Controlled Format String
		R	137	Representation Errors
		R	171	Cleansing, Canonicalization, and Comparison Errors
		R	172	Encoding Error
		R	178	Improper Handling of Case Sensitivity
		R	183	Permissive Whitelist
		R	184	Incomplete Blacklist
		R	185	Incorrect Regular Expression
		R	189	Numeric Errors
		R	193	Off-by-one Error
		R	200	Information Exposure
		R	203	Information Exposure Through Discrepancy
		R	209	Information Exposure Through an Error Message
		R	212	Improper Cross-boundary Removal of Sensitive Data
		R	220	Sensitive Data Under FTP Root
		R	252	Unchecked Return Value
		R	254	7PK - Security Features
		R	255	Credentials Management
		R	264	Permissions, Privileges, and Access Controls
		R	269	Improper Privilege Management
		R	273	Improper Check for Dropped Privileges
		R	276	Incorrect Default Permissions
		R	280	Improper Handling of Insufficient Permissions or Privileges
		R	281	Improper Preservation of Permissions
		R	284	Improper Access Control
		R	285	Improper Authorization
		R	287	Improper Authentication
		R	290	Authentication Bypass by Spoofing
		R	294	Authentication Bypass by Capture-replay
		R	295	Improper Certificate Validation
		R	297	Improper Validation of Certificate with Host Mismatch
		R	304	Missing Critical Step in Authentication
		R	307	Improper Restriction of Excessive Authentication Attempts
		R	310	Cryptographic Issues
		R	311	Missing Encryption of Sensitive Data
		R	312	Cleartext Storage of Sensitive Information
		R	319	Cleartext Transmission of Sensitive Information
		R	320	Key Management Errors
		R	326	Inadequate Encryption Strength
		R	327	Use of a Broken or Risky Cryptographic Algorithm
		R	330	Use of Insufficiently Random Values
		R	331	Insufficient Entropy
		R	332	Insufficient Entropy in PRNG
		R	335	Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
		R	345	Insufficient Verification of Data Authenticity
		R	346	Origin Validation Error
		R	354	Improper Validation of Integrity Check Value
		R	358	Improperly Implemented Security Check for Standard
		R	361	7PK - Time and State
		R	362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
		R	367	Time-of-check Time-of-use (TOCTOU) Race Condition
		R	371	State Issues
		R	384	Session Fixation
		R	389	Error Conditions, Return Values, Status Codes
D			391	Unchecked Error Condition
		R	398	7PK - Code Quality
		R	399	Resource Management Errors
		R	400	Uncontrolled Resource Consumption
D	N		401	Missing Release of Memory after Effective Lifetime
		R	404	Improper Resource Shutdown or Release
		R	405	Asymmetric Resource Consumption (Amplification)
	N	R	407	Inefficient Algorithmic Complexity
		R	415	Double Free
		R	416	Use After Free
		R	417	Channel and Path Errors
		R	425	Direct Request ('Forced Browsing')
		R	426	Untrusted Search Path
		R	427	Uncontrolled Search Path Element
		R	428	Unquoted Search Path or Element
		R	435	Improper Interaction Between Multiple Correctly-Behaving Entities
		R	436	Interpretation Conflict
		R	441	Unintended Proxy or Intermediary ('Confused Deputy')
		R	452	Initialization and Cleanup Errors
		R	453	Insecure Default Variable Initialization
		R	456	Missing Initialization of a Variable
		R	457	Use of Uninitialized Variable
		R	459	Incomplete Cleanup
		R	470	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
		R	472	External Control of Assumed-Immutable Web Parameter
		R	476	NULL Pointer Dereference
		R	485	7PK - Encapsulation
		R	494	Download of Code Without Integrity Check
		R	521	Weak Password Requirements
		R	522	Insufficiently Protected Credentials
	N	R	532	Inclusion of Sensitive Information in Log Files
		R	538	File and Directory Information Exposure
		R	565	Reliance on Cookies without Validation and Integrity Checking
		R	601	URL Redirection to Untrusted Site ('Open Redirect')
		R	610	Externally Controlled Reference to a Resource in Another Sphere
	N		611	Improper Restriction of XML External Entity Reference
		R	613	Insufficient Session Expiration
		R	617	Reachable Assertion
		R	639	Authorization Bypass Through User-Controlled Key
		R	640	Weak Password Recovery Mechanism for Forgotten Password
		R	664	Improper Control of a Resource Through its Lifetime
		R	665	Improper Initialization
		R	668	Exposure of Resource to Wrong Sphere
		R	669	Incorrect Resource Transfer Between Spheres
		R	670	Always-Incorrect Control Flow Implementation
		R	672	Operation on a Resource after Expiration or Release
		R	674	Uncontrolled Recursion
		R	681	Incorrect Conversion between Numeric Types
		R	682	Incorrect Calculation
		R	693	Protection Mechanism Failure
		R	694	Use of Multiple Resources with Duplicate Identifier
		R	703	Improper Check or Handling of Exceptional Conditions
		R	704	Incorrect Type Conversion or Cast
		R	706	Use of Incorrectly-Resolved Name or Reference
		R	707	Improper Enforcement of Message or Data Structure
		R	732	Incorrect Permission Assignment for Critical Resource
		R	749	Exposed Dangerous Method or Function
D		R	754	Improper Check for Unusual or Exceptional Conditions
		R	755	Improper Handling of Exceptional Conditions
		R	763	Release of Invalid Pointer or Reference
		R	770	Allocation of Resources Without Limits or Throttling
		R	772	Missing Release of Resource after Effective Lifetime
		R	774	Allocation of File Descriptors or Handles Without Limits or Throttling
		R	775	Missing Release of File Descriptor or Handle after Effective Lifetime
		R	776	Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
		R	789	Uncontrolled Memory Allocation
		R	798	Use of Hard-coded Credentials
		R	829	Inclusion of Functionality from Untrusted Control Sphere
		R	834	Excessive Iteration
		R	835	Loop with Unreachable Exit Condition ('Infinite Loop')
		R	838	Inappropriate Encoding for Output Context
		R	843	Access of Resource Using Incompatible Type ('Type Confusion')
		R	862	Missing Authorization
		R	863	Incorrect Authorization
		R	909	Missing Initialization of Resource
		R	913	Improper Control of Dynamically-Managed Code Resources
		R	915	Improperly Controlled Modification of Dynamically-Determined Object Attributes
		R	916	Use of Password Hash With Insufficient Computational Effort
		R	918	Server-Side Request Forgery (SSRF)
		R	920	Improper Restriction of Power Consumption
		R	922	Insecure Storage of Sensitive Information
		R	924	Improper Enforcement of Message Integrity During Transmission in a Communication Channel
		R	942	Overly Permissive Cross-domain Whitelist
		R	943	Improper Neutralization of Special Elements in Data Query Logic
		R	1003	Weaknesses for Simplified Mapping of Published Vulnerabilities
		R	1021	Improper Restriction of Rendered UI Layers or Frames
D			1153	SEI CERT Oracle Secure Coding Standard for Java - Guidelines 50. Android (DRD)
D			1175	SEI CERT Oracle Secure Coding Standard for Java - Guidelines 18. Concurrency (CON)

Detailed Difference Report

2	7PK - Environment
	Major	Relationships
	Minor	None
15	External Control of System or Configuration Setting
	Major	Related_Attack_Patterns
	Minor	None
16	Configuration
	Major	Relationships
	Minor	None
17	DEPRECATED: Code
	Major	Description, Maintenance_Notes, Name, Relationships, Type
	Minor	None
18	DEPRECATED: Source Code
	Major	Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Type
	Minor	None
19	Data Processing Errors
	Major	Relationships
	Minor	None
20	Improper Input Validation
	Major	Related_Attack_Patterns, Relationships
	Minor	None
21	Pathname Traversal and Equivalence Errors
	Major	Relationships
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Related_Attack_Patterns, Relationships, Type
	Minor	None
23	Relative Path Traversal
	Major	Related_Attack_Patterns
	Minor	None
41	Improper Resolution of Path Equivalence
	Major	Related_Attack_Patterns
	Minor	None
46	Path Equivalence: 'filename ' (Trailing Space)
	Major	Related_Attack_Patterns
	Minor	None
59	Improper Link Resolution Before File Access ('Link Following')
	Major	Relationships
	Minor	None
64	Windows Shortcut Following (.LNK)
	Major	Related_Attack_Patterns
	Minor	None
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
	Major	Related_Attack_Patterns, Relationships
	Minor	None
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Related_Attack_Patterns, Relationships
	Minor	None
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
	Major	Relationships
	Minor	None
83	Improper Neutralization of Script in Attributes in a Web Page
	Major	Related_Attack_Patterns
	Minor	None
84	Improper Neutralization of Encoded URI Schemes in a Web Page
	Major	Related_Attack_Patterns
	Minor	None
88	Argument Injection or Modification
	Major	Related_Attack_Patterns, Relationships
	Minor	None
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Relationships
	Minor	None
90	Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
	Major	Relationships
	Minor	None
91	XML Injection (aka Blind XPath Injection)
	Major	Related_Attack_Patterns
	Minor	None
93	Improper Neutralization of CRLF Sequences ('CRLF Injection')
	Major	Relationships
	Minor	None
94	Improper Control of Generation of Code ('Code Injection')
	Major	Related_Attack_Patterns, Type
	Minor	None
95	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
	Major	Type
	Minor	None
98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
	Major	Type
	Minor	None
99	Improper Control of Resource Identifiers ('Resource Injection')
	Major	Relationships
	Minor	None
113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
	Major	Relationships
	Minor	None
116	Improper Encoding or Escaping of Output
	Major	Relationships
	Minor	None
117	Improper Output Neutralization for Logs
	Major	Related_Attack_Patterns
	Minor	None
118	Incorrect Access of Indexable Resource ('Range Error')
	Major	Relationships
	Minor	None
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	Related_Attack_Patterns, Relationships
	Minor	None
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	Relationships
	Minor	None
123	Write-what-where Condition
	Major	Relationships
	Minor	None
125	Out-of-bounds Read
	Major	Description, Related_Attack_Patterns
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	Relationships
	Minor	None
134	Use of Externally-Controlled Format String
	Major	Relationships
	Minor	None
137	Representation Errors
	Major	Relationships
	Minor	None
150	Improper Neutralization of Escape, Meta, or Control Sequences
	Major	Related_Attack_Patterns
	Minor	None
171	Cleansing, Canonicalization, and Comparison Errors
	Major	Relationships
	Minor	None
172	Encoding Error
	Major	Relationships
	Minor	None
173	Improper Handling of Alternate Encoding
	Major	Related_Attack_Patterns
	Minor	None
178	Improper Handling of Case Sensitivity
	Major	Relationships
	Minor	None
180	Incorrect Behavior Order: Validate Before Canonicalize
	Major	Related_Attack_Patterns
	Minor	None
183	Permissive Whitelist
	Major	Relationships
	Minor	None
184	Incomplete Blacklist
	Major	Related_Attack_Patterns, Relationships
	Minor	None
185	Incorrect Regular Expression
	Major	Related_Attack_Patterns, Relationships, Type
	Minor	None
189	Numeric Errors
	Major	Relationships
	Minor	None
193	Off-by-one Error
	Major	Demonstrative_Examples, Relationships
	Minor	None
200	Information Exposure
	Major	Related_Attack_Patterns, Relationships
	Minor	None
203	Information Exposure Through Discrepancy
	Major	Relationships, Type
	Minor	None
209	Information Exposure Through an Error Message
	Major	Relationships
	Minor	None
212	Improper Cross-boundary Removal of Sensitive Data
	Major	Relationships
	Minor	None
216	Containment Errors (Container Errors)
	Major	Related_Attack_Patterns
	Minor	None
220	Sensitive Data Under FTP Root
	Major	Relationships
	Minor	None
248	Uncaught Exception
	Major	Related_Attack_Patterns
	Minor	None
252	Unchecked Return Value
	Major	Relationships
	Minor	None
254	7PK - Security Features
	Major	Relationships
	Minor	None
255	Credentials Management
	Major	Relationships
	Minor	None
256	Unprotected Storage of Credentials
	Major	Type
	Minor	None
259	Use of Hard-coded Password
	Major	Related_Attack_Patterns
	Minor	None
264	Permissions, Privileges, and Access Controls
	Major	Relationships
	Minor	None
269	Improper Privilege Management
	Major	Related_Attack_Patterns, Relationships
	Minor	None
273	Improper Check for Dropped Privileges
	Major	Relationships
	Minor	None
276	Incorrect Default Permissions
	Major	Relationships, Type
	Minor	None
280	Improper Handling of Insufficient Permissions or Privileges
	Major	Relationships
	Minor	None
281	Improper Preservation of Permissions
	Major	Relationships
	Minor	None
284	Improper Access Control
	Major	Related_Attack_Patterns, Relationships
	Minor	None
285	Improper Authorization
	Major	Related_Attack_Patterns, Relationships
	Minor	None
287	Improper Authentication
	Major	Demonstrative_Examples, Related_Attack_Patterns, Relationships
	Minor	None
290	Authentication Bypass by Spoofing
	Major	Related_Attack_Patterns, Relationships
	Minor	None
294	Authentication Bypass by Capture-replay
	Major	Relationships
	Minor	None
295	Improper Certificate Validation
	Major	Relationships
	Minor	None
297	Improper Validation of Certificate with Host Mismatch
	Major	Relationships
	Minor	None
300	Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
	Major	Related_Attack_Patterns
	Minor	None
304	Missing Critical Step in Authentication
	Major	Relationships
	Minor	None
306	Missing Authentication for Critical Function
	Major	Related_Attack_Patterns, Type
	Minor	None
307	Improper Restriction of Excessive Authentication Attempts
	Major	Demonstrative_Examples, Relationships
	Minor	None
310	Cryptographic Issues
	Major	Relationships
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	Related_Attack_Patterns, Relationships, Type
	Minor	None
312	Cleartext Storage of Sensitive Information
	Major	Relationships, Type
	Minor	None
319	Cleartext Transmission of Sensitive Information
	Major	Relationships, Type
	Minor	None
320	Key Management Errors
	Major	Relationships
	Minor	None
323	Reusing a Nonce, Key Pair in Encryption
	Major	Type
	Minor	None
326	Inadequate Encryption Strength
	Major	Relationships
	Minor	None
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	Related_Attack_Patterns, Relationships, Type
	Minor	None
329	Not Using a Random IV with CBC Mode
	Major	Demonstrative_Examples
	Minor	None
330	Use of Insufficiently Random Values
	Major	Relationships
	Minor	None
331	Insufficient Entropy
	Major	Relationships
	Minor	None
332	Insufficient Entropy in PRNG
	Major	Relationships
	Minor	None
335	Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
	Major	Relationships
	Minor	None
336	Same Seed in Pseudo-Random Number Generator (PRNG)
	Major	Type
	Minor	None
337	Predictable Seed in Pseudo-Random Number Generator (PRNG)
	Major	Type
	Minor	None
339	Small Seed Space in PRNG
	Major	Type
	Minor	None
345	Insufficient Verification of Data Authenticity
	Major	Related_Attack_Patterns, Relationships
	Minor	None
346	Origin Validation Error
	Major	Related_Attack_Patterns, Relationships
	Minor	None
353	Missing Support for Integrity Check
	Major	Related_Attack_Patterns
	Minor	None
354	Improper Validation of Integrity Check Value
	Major	Related_Attack_Patterns, Relationships
	Minor	None
358	Improperly Implemented Security Check for Standard
	Major	Relationships
	Minor	None
361	7PK - Time and State
	Major	Relationships
	Minor	None
362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
	Major	Relationships
	Minor	None
367	Time-of-check Time-of-use (TOCTOU) Race Condition
	Major	Relationships
	Minor	None
371	State Issues
	Major	Relationships
	Minor	None
372	Incomplete Internal State Distinction
	Major	Related_Attack_Patterns
	Minor	None
377	Insecure Temporary File
	Major	Related_Attack_Patterns
	Minor	None
379	Creation of Temporary File in Directory with Incorrect Permissions
	Major	Type
	Minor	None
384	Session Fixation
	Major	Relationships
	Minor	None
389	Error Conditions, Return Values, Status Codes
	Major	Relationships
	Minor	None
391	Unchecked Error Condition
	Major	Description, Maintenance_Notes
	Minor	None
398	7PK - Code Quality
	Major	Relationships
	Minor	None
399	Resource Management Errors
	Major	Relationships
	Minor	None
400	Uncontrolled Resource Consumption
	Major	Related_Attack_Patterns, Relationships
	Minor	None
401	Missing Release of Memory after Effective Lifetime
	Major	Description, Name
	Minor	None
404	Improper Resource Shutdown or Release
	Major	Related_Attack_Patterns, Relationships
	Minor	None
405	Asymmetric Resource Consumption (Amplification)
	Major	Relationships
	Minor	None
406	Insufficient Control of Network Message Volume (Network Amplification)
	Major	Type
	Minor	None
407	Inefficient Algorithmic Complexity
	Major	Name, Relationships, Type
	Minor	None
415	Double Free
	Major	Relationships
	Minor	None
416	Use After Free
	Major	Relationships, Type
	Minor	None
417	Channel and Path Errors
	Major	Relationships
	Minor	None
424	Improper Protection of Alternate Path
	Major	Related_Attack_Patterns
	Minor	None
425	Direct Request ('Forced Browsing')
	Major	Relationships
	Minor	None
426	Untrusted Search Path
	Major	Related_Attack_Patterns, Relationships
	Minor	None
427	Uncontrolled Search Path Element
	Major	Related_Attack_Patterns, Relationships
	Minor	None
428	Unquoted Search Path or Element
	Major	Related_Attack_Patterns, Relationships
	Minor	None
430	Deployment of Wrong Handler
	Major	Related_Attack_Patterns
	Minor	None
434	Unrestricted Upload of File with Dangerous Type
	Major	Related_Attack_Patterns
	Minor	None
435	Improper Interaction Between Multiple Correctly-Behaving Entities
	Major	Relationships
	Minor	None
436	Interpretation Conflict
	Major	Relationships, Type
	Minor	None
441	Unintended Proxy or Intermediary ('Confused Deputy')
	Major	Relationships
	Minor	None
452	Initialization and Cleanup Errors
	Major	Relationships
	Minor	None
453	Insecure Default Variable Initialization
	Major	Relationships, Type
	Minor	None
456	Missing Initialization of a Variable
	Major	Relationships, Type
	Minor	None
457	Use of Uninitialized Variable
	Major	Relationships, Type
	Minor	None
459	Incomplete Cleanup
	Major	Relationships
	Minor	None
470	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
	Major	Relationships
	Minor	None
472	External Control of Assumed-Immutable Web Parameter
	Major	Related_Attack_Patterns, Relationships
	Minor	None
476	NULL Pointer Dereference
	Major	Relationships
	Minor	None
485	7PK - Encapsulation
	Major	Relationships
	Minor	None
489	Leftover Debug Code
	Major	Related_Attack_Patterns
	Minor	None
494	Download of Code Without Integrity Check
	Major	Related_Attack_Patterns, Relationships
	Minor	None
497	Exposure of System Data to an Unauthorized Control Sphere
	Major	Related_Attack_Patterns
	Minor	None
502	Deserialization of Untrusted Data
	Major	Type
	Minor	None
521	Weak Password Requirements
	Major	Relationships
	Minor	None
522	Insufficiently Protected Credentials
	Major	Related_Attack_Patterns, Relationships
	Minor	None
532	Inclusion of Sensitive Information in Log Files
	Major	Name, Relationships
	Minor	None
538	File and Directory Information Exposure
	Major	Relationships
	Minor	None
552	Files or Directories Accessible to External Parties
	Major	Related_Attack_Patterns
	Minor	None
561	Dead Code
	Major	Type
	Minor	None
565	Reliance on Cookies without Validation and Integrity Checking
	Major	Related_Attack_Patterns, Relationships
	Minor	None
601	URL Redirection to Untrusted Site ('Open Redirect')
	Major	Relationships, Type
	Minor	None
602	Client-Side Enforcement of Server-Side Security
	Major	Related_Attack_Patterns
	Minor	None
610	Externally Controlled Reference to a Resource in Another Sphere
	Major	Relationships
	Minor	None
611	Improper Restriction of XML External Entity Reference
	Major	Name, Type
	Minor	None
613	Insufficient Session Expiration
	Major	Relationships
	Minor	None
617	Reachable Assertion
	Major	Relationships, Type
	Minor	None
639	Authorization Bypass Through User-Controlled Key
	Major	Relationships
	Minor	None
640	Weak Password Recovery Mechanism for Forgotten Password
	Major	Relationships
	Minor	None
645	Overly Restrictive Account Lockout Mechanism
	Major	Related_Attack_Patterns
	Minor	None
656	Reliance on Security Through Obscurity
	Major	Related_Attack_Patterns
	Minor	None
662	Improper Synchronization
	Major	Type
	Minor	None
664	Improper Control of a Resource Through its Lifetime
	Major	Relationships
	Minor	None
665	Improper Initialization
	Major	Relationships
	Minor	None
666	Operation on Resource in Wrong Phase of Lifetime
	Major	Type
	Minor	None
668	Exposure of Resource to Wrong Sphere
	Major	Relationships
	Minor	None
669	Incorrect Resource Transfer Between Spheres
	Major	Relationships
	Minor	None
670	Always-Incorrect Control Flow Implementation
	Major	Relationships
	Minor	None
672	Operation on a Resource after Expiration or Release
	Major	Relationships, Type
	Minor	None
674	Uncontrolled Recursion
	Major	Related_Attack_Patterns, Relationships, Type
	Minor	None
681	Incorrect Conversion between Numeric Types
	Major	Relationships, Type
	Minor	None
682	Incorrect Calculation
	Major	Related_Attack_Patterns, Relationships
	Minor	None
693	Protection Mechanism Failure
	Major	Related_Attack_Patterns, Relationships
	Minor	None
694	Use of Multiple Resources with Duplicate Identifier
	Major	Relationships
	Minor	None
697	Incorrect Comparison
	Major	Related_Attack_Patterns
	Minor	None
703	Improper Check or Handling of Exceptional Conditions
	Major	Relationships
	Minor	None
704	Incorrect Type Conversion or Cast
	Major	Relationships
	Minor	None
706	Use of Incorrectly-Resolved Name or Reference
	Major	Related_Attack_Patterns, Relationships
	Minor	None
707	Improper Enforcement of Message or Data Structure
	Major	Related_Attack_Patterns, Relationships
	Minor	None
732	Incorrect Permission Assignment for Critical Resource
	Major	Relationships
	Minor	None
749	Exposed Dangerous Method or Function
	Major	Relationships
	Minor	None
750	Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
	Major	References
	Minor	None
751	2009 Top 25 - Insecure Interaction Between Components
	Major	References
	Minor	None
752	2009 Top 25 - Risky Resource Management
	Major	References
	Minor	None
753	2009 Top 25 - Porous Defenses
	Major	References
	Minor	None
754	Improper Check for Unusual or Exceptional Conditions
	Major	Description, Relationships
	Minor	None
755	Improper Handling of Exceptional Conditions
	Major	Relationships
	Minor	None
757	Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
	Major	Type
	Minor	None
759	Use of a One-Way Hash without a Salt
	Major	Type
	Minor	None
760	Use of a One-Way Hash with a Predictable Salt
	Major	Type
	Minor	None
763	Release of Invalid Pointer or Reference
	Major	Relationships
	Minor	None
765	Multiple Unlocks of a Critical Resource
	Major	Type
	Minor	None
770	Allocation of Resources Without Limits or Throttling
	Major	Related_Attack_Patterns, Relationships
	Minor	None
772	Missing Release of Resource after Effective Lifetime
	Major	Relationships
	Minor	None
774	Allocation of File Descriptors or Handles Without Limits or Throttling
	Major	Relationships
	Minor	None
775	Missing Release of File Descriptor or Handle after Effective Lifetime
	Major	Relationships
	Minor	None
776	Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
	Major	Relationships, Type
	Minor	None
783	Operator Precedence Logic Error
	Major	Type
	Minor	None
789	Uncontrolled Memory Allocation
	Major	Relationships
	Minor	None
798	Use of Hard-coded Credentials
	Major	Related_Attack_Patterns, Relationships
	Minor	None
800	Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors
	Major	References
	Minor	None
801	2010 Top 25 - Insecure Interaction Between Components
	Major	References
	Minor	None
802	2010 Top 25 - Risky Resource Management
	Major	References
	Minor	None
803	2010 Top 25 - Porous Defenses
	Major	References
	Minor	None
805	Buffer Access with Incorrect Length Value
	Major	Related_Attack_Patterns
	Minor	None
808	2010 Top 25 - Weaknesses On the Cusp
	Major	References
	Minor	None
822	Untrusted Pointer Dereference
	Major	Related_Attack_Patterns
	Minor	None
823	Use of Out-of-range Pointer Offset
	Major	Related_Attack_Patterns
	Minor	None
827	Improper Control of Document Type Definition
	Major	Type
	Minor	None
829	Inclusion of Functionality from Untrusted Control Sphere
	Major	Related_Attack_Patterns, Relationships, Type
	Minor	None
830	Inclusion of Web Functionality from an Untrusted Source
	Major	Type
	Minor	None
834	Excessive Iteration
	Major	Relationships, Type
	Minor	None
835	Loop with Unreachable Exit Condition ('Infinite Loop')
	Major	Relationships
	Minor	None
838	Inappropriate Encoding for Output Context
	Major	Relationships
	Minor	None
843	Access of Resource Using Incompatible Type ('Type Confusion')
	Major	Relationships
	Minor	None
862	Missing Authorization
	Major	Relationships
	Minor	None
863	Incorrect Authorization
	Major	Relationships
	Minor	None
864	2011 Top 25 - Insecure Interaction Between Components
	Major	References
	Minor	None
865	2011 Top 25 - Risky Resource Management
	Major	References
	Minor	None
866	2011 Top 25 - Porous Defenses
	Major	References
	Minor	None
867	2011 Top 25 - Weaknesses On the Cusp
	Major	References
	Minor	None
900	Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors
	Major	References
	Minor	None
909	Missing Initialization of Resource
	Major	Relationships
	Minor	None
911	Improper Update of Reference Count
	Major	Type
	Minor	None
912	Hidden Functionality
	Major	Related_Attack_Patterns
	Minor	None
913	Improper Control of Dynamically-Managed Code Resources
	Major	Relationships
	Minor	None
915	Improperly Controlled Modification of Dynamically-Determined Object Attributes
	Major	Relationships
	Minor	None
916	Use of Password Hash With Insufficient Computational Effort
	Major	Related_Attack_Patterns, Relationships
	Minor	None
918	Server-Side Request Forgery (SSRF)
	Major	Relationships
	Minor	None
920	Improper Restriction of Power Consumption
	Major	Relationships
	Minor	None
922	Insecure Storage of Sensitive Information
	Major	Relationships
	Minor	None
924	Improper Enforcement of Message Integrity During Transmission in a Communication Channel
	Major	Relationships, Type
	Minor	None
940	Improper Verification of Source of a Communication Channel
	Major	Related_Attack_Patterns
	Minor	None
942	Overly Permissive Cross-domain Whitelist
	Major	Relationships
	Minor	None
943	Improper Neutralization of Special Elements in Data Query Logic
	Major	Relationships
	Minor	None
1003	Weaknesses for Simplified Mapping of Published Vulnerabilities
	Major	Relationships
	Minor	None
1021	Improper Restriction of Rendered UI Layers or Frames
	Major	Related_Attack_Patterns, Relationships
	Minor	None
1039	Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations
	Major	References
	Minor	None
1153	SEI CERT Oracle Secure Coding Standard for Java - Guidelines 50. Android (DRD)
	Major	Description
	Minor	None
1175	SEI CERT Oracle Secure Coding Standard for Java - Guidelines 18. Concurrency (CON)
	Major	Description
	Minor	None

Page Last Updated: June 20, 2019


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration