CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Differences between Version 4.5 and Version 4.6  
ID

Differences between Version 4.5 and Version 4.6

Summary
Summary
Total weaknesses/chains/composites (Version 4.6) 924
Total weaknesses/chains/composites (Version 4.5) 922
Total new 14
Total deprecated 0
Total with major changes 254
Total with only minor changes 4
Total unchanged 1085

Summary of Entry Types

Type Version 4.5 Version 4.6
Weakness 922 924
Category 316 326
View 44 46
Deprecated 61 61
Total 1343 1357

Back to top
Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 15 0
Description 26 0
Relationships 221 0
Applicable_Platforms 0 0
Modes_of_Introduction 2 0
Detection_Factors 16 0
Potential_Mitigations 16 5
Demonstrative_Examples 20 1
Observed_Examples 25 0
Related_Attack_Patterns 0 0
Weakness_Ordinalities 18 0
Time_of_Introduction 0 0
Likelihood_of_Exploit 0 0
References 16 0
Common_Consequences 5 1
Terminology_Notes 2 0
Alternate_Terms 0 0
Relationship_Notes 2 1
Taxonomy_Mappings 0 0
Maintenance_Notes 16 0
Research_Gaps 1 0
Background_Details 2 0
Theoretical_Notes 0 0
Other_Notes 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 2 0
Type 1 0
Source_Taxonomy 0 0

Form and Abstraction Changes

From To Total CWE IDs
Unchanged 1342
Weakness/Base Weakness/Variant 1 1255

Status Changes

From To Total
Unchanged 1328
Draft Stable 4
Incomplete Draft 1
Incomplete Stable 10

Relationship Changes

The "Version 4.6 Total" lists the total number of relationships in Version 4.6. The "Shared" value is the total number of relationships in entries that were in both Version 4.6 and Version 4.5. The "New" value is the total number of relationships involving entries that did not exist in Version 4.5. Thus, the total number of relationships in Version 4.6 would combine stats from Shared entries and New entries.

Relationship Version 4.6 Total Version 4.5 Total Version 4.6 Shared Unchanged Added to Version 4.6 Removed from Version 4.5 Version 4.6 New
ALL 10110 9658 9664 9642 22 16 446
ChildOf 4191 3989 3991 3981 10 8 200
ParentOf 4191 3989 3991 3981 10 8 200
MemberOf 611 589 589 589 22
HasMember 611 589 589 589 22
CanPrecede 135 134 134 134 1
CanFollow 135 134 134 134 1
StartsWith 3 3 3 3
Requires 13 13 13 13
RequiredBy 13 13 13 13
CanAlsoBe 27 27 27 27
PeerOf 180 178 180 178 2

Nodes Removed from Version 4.5

CWE-ID CWE Name
None.

Nodes Added to Version 4.6

CWE-ID CWE Name
1341 Multiple Releases of Same Resource or Handle
1342 Information Exposure through Microarchitectural State after Transient Execution
1343 Weaknesses in the 2021 CWE Most Important Hardware Weaknesses List
1344 Weaknesses in OWASP Top Ten (2021)
1345 OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
1346 OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
1347 OWASP Top Ten 2021 Category A03:2021 - Injection
1348 OWASP Top Ten 2021 Category A04:2021 - Insecure Design
1349 OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
1352 OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components
1353 OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
1354 OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures
1355 OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures
1356 OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)

Nodes Deprecated in Version 4.6

CWE-ID CWE Name
None.
Back to top
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 2 7PK - Environment
R 11 ASP.NET Misconfiguration: Creating Debug Binary
R 13 ASP.NET Misconfiguration: Password in Configuration File
R 15 External Control of System or Configuration Setting
R 16 Configuration
R 20 Improper Input Validation
R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
R 23 Relative Path Traversal
R 35 Path Traversal: '.../...//'
R 59 Improper Link Resolution Before File Access ('Link Following')
R 73 External Control of File Name or Path
R 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
R 75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
R 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
R 83 Improper Neutralization of Script in Attributes in a Web Page
R 87 Improper Neutralization of Alternate XSS Syntax
R 88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
R 91 XML Injection (aka Blind XPath Injection)
R 93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
R 94 Improper Control of Generation of Code ('Code Injection')
R 95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
R 96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
R 97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
R 98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
R 99 Improper Control of Resource Identifiers ('Resource Injection')
R 113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
R 116 Improper Encoding or Escaping of Output
R 117 Improper Output Neutralization for Logs
R 138 Improper Neutralization of Special Elements
R 183 Permissive List of Allowed Inputs
R 184 Incomplete List of Disallowed Inputs
R 200 Exposure of Sensitive Information to an Unauthorized Actor
R 201 Insertion of Sensitive Information Into Sent Data
R 205 Observable Behavioral Discrepancy
R 209 Generation of Error Message Containing Sensitive Information
R 213 Exposure of Sensitive Information Due to Incompatible Policies
R 219 Storage of File with Sensitive Data Under Web Root
R 223 Omission of Security-relevant Information
D R 226 Sensitive Information in Resource Not Removed Before Reuse
R 235 Improper Handling of Extra Parameters
R 255 Credentials Management Errors
R 256 Plaintext Storage of a Password
R 257 Storing Passwords in a Recoverable Format
R 259 Use of Hard-coded Password
R 260 Password in Configuration File
R 261 Weak Encoding for Password
R 264 Permissions, Privileges, and Access Controls
R 266 Incorrect Privilege Assignment
R 269 Improper Privilege Management
R 275 Permission Issues
R 276 Incorrect Default Permissions
R 280 Improper Handling of Insufficient Permissions or Privileges
R 284 Improper Access Control
R 285 Improper Authorization
R 287 Improper Authentication
R 288 Authentication Bypass Using an Alternate Path or Channel
R 290 Authentication Bypass by Spoofing
R 294 Authentication Bypass by Capture-replay
R 295 Improper Certificate Validation
R 296 Improper Following of a Certificate's Chain of Trust
R 297 Improper Validation of Certificate with Host Mismatch
R 300 Channel Accessible by Non-Endpoint
R 302 Authentication Bypass by Assumed-Immutable Data
R 304 Missing Critical Step in Authentication
R 306 Missing Authentication for Critical Function
R 307 Improper Restriction of Excessive Authentication Attempts
R 310 Cryptographic Issues
R 311 Missing Encryption of Sensitive Data
R 312 Cleartext Storage of Sensitive Information
R 313 Cleartext Storage in a File or on Disk
R 315 Cleartext Storage of Sensitive Information in a Cookie
R 316 Cleartext Storage of Sensitive Information in Memory
R 319 Cleartext Transmission of Sensitive Information
R 321 Use of Hard-coded Cryptographic Key
R 322 Key Exchange without Entity Authentication
R 323 Reusing a Nonce, Key Pair in Encryption
R 324 Use of a Key Past its Expiration Date
R 325 Missing Cryptographic Step
R 326 Inadequate Encryption Strength
R 327 Use of a Broken or Risky Cryptographic Algorithm
DNR 328 Use of Weak Hash
R 329 Generation of Predictable IV with CBC Mode
R 330 Use of Insufficiently Random Values
R 331 Insufficient Entropy
R 335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
R 336 Same Seed in Pseudo-Random Number Generator (PRNG)
R 337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
R 338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
R 340 Generation of Predictable Numbers or Identifiers
R 345 Insufficient Verification of Data Authenticity
R 346 Origin Validation Error
R 347 Improper Verification of Cryptographic Signature
R 352 Cross-Site Request Forgery (CSRF)
R 353 Missing Support for Integrity Check
R 359 Exposure of Private Personal Information to an Unauthorized Actor
R 377 Insecure Temporary File
R 384 Session Fixation
R 402 Transmission of Private Resources into a New Sphere ('Resource Leak')
R 415 Double Free
R 419 Unprotected Primary Channel
R 425 Direct Request ('Forced Browsing')
R 426 Untrusted Search Path
R 430 Deployment of Wrong Handler
R 434 Unrestricted Upload of File with Dangerous Type
R 441 Unintended Proxy or Intermediary ('Confused Deputy')
R 444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
R 451 User Interface (UI) Misrepresentation of Critical Information
R 470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
R 471 Modification of Assumed-Immutable Data (MAID)
R 472 External Control of Assumed-Immutable Web Parameter
R 494 Download of Code Without Integrity Check
R 497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
R 501 Trust Boundary Violation
R 502 Deserialization of Untrusted Data
R 520 .NET Misconfiguration: Use of Impersonation
R 521 Weak Password Requirements
R 522 Insufficiently Protected Credentials
R 523 Unprotected Transport of Credentials
R 525 Use of Web Browser Cache Containing Sensitive Information
R 526 Exposure of Sensitive Information Through Environmental Variables
R 532 Insertion of Sensitive Information into Log File
R 537 Java Runtime Error Message Containing Sensitive Information
R 538 Insertion of Sensitive Information into Externally-Accessible File or Directory
R 539 Use of Persistent Cookies Containing Sensitive Information
R 540 Inclusion of Sensitive Information in Source Code
R 541 Inclusion of Sensitive Information in an Include File
R 547 Use of Hard-coded, Security-relevant Constants
R 548 Exposure of Information Through Directory Listing
R 552 Files or Directories Accessible to External Parties
R 564 SQL Injection: Hibernate
R 565 Reliance on Cookies without Validation and Integrity Checking
R 566 Authorization Bypass Through User-Controlled SQL Primary Key
R 579 J2EE Bad Practices: Non-serializable Object Stored in Session
R 598 Use of GET Request Method With Sensitive Query Strings
R 601 URL Redirection to Untrusted Site ('Open Redirect')
R 602 Client-Side Enforcement of Server-Side Security
R 610 Externally Controlled Reference to a Resource in Another Sphere
R 611 Improper Restriction of XML External Entity Reference
R 613 Insufficient Session Expiration
R 614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
R 620 Unverified Password Change
R 639 Authorization Bypass Through User-Controlled Key
R 640 Weak Password Recovery Mechanism for Forgotten Password
R 642 External Control of Critical State Data
R 643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
R 644 Improper Neutralization of HTTP Headers for Scripting Syntax
R 646 Reliance on File Name or Extension of Externally-Supplied File
R 650 Trusting HTTP Permission Methods on the Server Side
R 651 Exposure of WSDL File Containing Sensitive Information
R 652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
DNR 653 Improper Isolation or Compartmentalization
R 656 Reliance on Security Through Obscurity
R 657 Violation of Secure Design Principles
R 668 Exposure of Resource to Wrong Sphere
R 672 Operation on a Resource after Expiration or Release
NR 675 Multiple Operations on Resource in Single-Operation Context
R 693 Protection Mechanism Failure
R 703 Improper Check or Handling of Exceptional Conditions
R 706 Use of Incorrectly-Resolved Name or Reference
R 720 OWASP Top Ten 2007 Category A9 - Insecure Communications
R 756 Missing Custom Error Page
R 757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
R 759 Use of a One-Way Hash without a Salt
R 760 Use of a One-Way Hash with a Predictable Salt
R 776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
R 778 Insufficient Logging
R 780 Use of RSA Algorithm without OAEP
R 784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
R 798 Use of Hard-coded Credentials
R 799 Improper Control of Interaction Frequency
R 807 Reliance on Untrusted Inputs in a Security Decision
R 818 OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection
R 829 Inclusion of Functionality from Untrusted Control Sphere
R 830 Inclusion of Web Functionality from an Untrusted Source
R 840 Business Logic Errors
R 841 Improper Enforcement of Behavioral Workflow
R 862 Missing Authorization
R 863 Incorrect Authorization
R 913 Improper Control of Dynamically-Managed Code Resources
R 915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
R 916 Use of Password Hash With Insufficient Computational Effort
R 917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
R 918 Server-Side Request Forgery (SSRF)
R 922 Insecure Storage of Sensitive Information
R 927 Use of Implicit Intent for Sensitive Communication
R 937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
R 940 Improper Verification of Source of a Communication Channel
R 942 Permissive Cross-domain Policy with Untrusted Domains
R 1004 Sensitive Cookie Without 'HttpOnly' Flag
R 1021 Improper Restriction of Rendered UI Layers or Frames
R 1032 OWASP Top Ten 2017 Category A6 - Security Misconfiguration
R 1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
R 1104 Use of Unmaintained Third Party Components
R 1173 Improper Use of Validation Framework
R 1174 ASP.NET Misconfiguration: Improper Model Validation
D R 1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
DNR 1191 On-Chip Debug and Test Interface With Improper Access Control
R 1201 Core and Compute Issues
R 1216 Lockout Mechanism Errors
DNR 1231 Improper Prevention of Lock Bit Modification
DNR 1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
R 1239 Improper Zeroization of Hardware Register
DNR 1240 Use of a Cryptographic Primitive with a Risky Implementation
DNR 1244 Internal Asset Exposed to Unsafe Debug Access Level or State
DN 1247 Improper Protection Against Voltage and Clock Glitches
D 1253 Incorrect Selection of Fuse Values
R 1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks
DNR 1256 Improper Restriction of Software Interfaces to Hardware Features
D 1259 Improper Restriction of Security Token Assignment
D R 1260 Improper Handling of Overlap Between Protected Memory Ranges
DN 1262 Improper Access Control for Register Interface
D 1263 Improper Physical Access Control
D R 1272 Sensitive Information Uncleared Before Debug/Power State Transition
D 1273 Device Unlock Credential Sharing
DNR 1274 Improper Access Control for Volatile Memory Containing Boot Code
R 1275 Sensitive Cookie with Improper SameSite Attribute
D R 1277 Firmware Not Updateable
D 1289 Improper Validation of Unsafe Equivalence in Input
DNR 1300 Improper Protection of Physical Side Channels
D 1301 Insufficient or Incomplete Data Removal within Hardware Component
R 1302 Missing Security Identifier
R 1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
DNR 1331 Improper Isolation of Shared Resources in Network On Chip (NoC)
DNR 1332 Improper Handling of Faults that Lead to Instruction Skips
D 1333 Inefficient Regular Expression Complexity
Back to top
Detailed Difference Report
Detailed Difference Report
2 7PK - Environment
Major Relationships
Minor None
11 ASP.NET Misconfiguration: Creating Debug Binary
Major Relationships
Minor None
13 ASP.NET Misconfiguration: Password in Configuration File
Major Relationships
Minor None
15 External Control of System or Configuration Setting
Major Relationships
Minor None
16 Configuration
Major Relationships
Minor None
20 Improper Input Validation
Major Relationships
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Observed_Examples, Relationships
Minor None
23 Relative Path Traversal
Major Relationships
Minor None
35 Path Traversal: '.../...//'
Major Relationships
Minor None
59 Improper Link Resolution Before File Access ('Link Following')
Major Relationships
Minor None
73 External Control of File Name or Path
Major Relationships
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Relationships
Minor None
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major Relationships
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Relationships
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Relationships
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Relationships
Minor None
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Relationships
Minor None
83 Improper Neutralization of Script in Attributes in a Web Page
Major Relationships
Minor None
87 Improper Neutralization of Alternate XSS Syntax
Major Relationships
Minor None
88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Major Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Relationships
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Relationships
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Relationships
Minor None
93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Major Relationships
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Relationships
Minor None
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Relationships
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Relationships
Minor None
97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Major Relationships
Minor None
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Major Relationships
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Relationships
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Relationships
Minor None
116 Improper Encoding or Escaping of Output
Major Relationships
Minor None
117 Improper Output Neutralization for Logs
Major Relationships
Minor None
124 Buffer Underwrite ('Buffer Underflow')
Major Observed_Examples
Minor None
138 Improper Neutralization of Special Elements
Major Relationships
Minor None
183 Permissive List of Allowed Inputs
Major Relationships
Minor None
184 Incomplete List of Disallowed Inputs
Major Relationships
Minor None
200 Exposure of Sensitive Information to an Unauthorized Actor
Major Relationships
Minor None
201 Insertion of Sensitive Information Into Sent Data
Major Relationships
Minor None
203 Observable Discrepancy
Major Observed_Examples
Minor None
205 Observable Behavioral Discrepancy
Major Relationships
Minor None
209 Generation of Error Message Containing Sensitive Information
Major Relationships
Minor None
213 Exposure of Sensitive Information Due to Incompatible Policies
Major Relationships
Minor None
219 Storage of File with Sensitive Data Under Web Root
Major Relationships
Minor None
223 Omission of Security-relevant Information
Major Relationships
Minor None
226 Sensitive Information in Resource Not Removed Before Reuse
Major Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Potential_Mitigations, Relationships, Research_Gaps
Minor None
235 Improper Handling of Extra Parameters
Major Relationships
Minor None
244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Major Demonstrative_Examples
Minor None
255 Credentials Management Errors
Major Relationships
Minor None
256 Plaintext Storage of a Password
Major Relationships
Minor None
257 Storing Passwords in a Recoverable Format
Major Relationships
Minor None
259 Use of Hard-coded Password
Major Relationships
Minor None
260 Password in Configuration File
Major Relationships
Minor None
261 Weak Encoding for Password
Major Relationships
Minor None
264 Permissions, Privileges, and Access Controls
Major Relationships
Minor None
266 Incorrect Privilege Assignment
Major Relationships
Minor None
269 Improper Privilege Management
Major Relationships
Minor None
275 Permission Issues
Major Relationships
Minor None
276 Incorrect Default Permissions
Major Relationships
Minor None
280 Improper Handling of Insufficient Permissions or Privileges
Major Relationships
Minor None
284 Improper Access Control
Major Relationships
Minor None
285 Improper Authorization
Major Relationships
Minor None
287 Improper Authentication
Major Relationships
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Relationships
Minor None
290 Authentication Bypass by Spoofing
Major Relationships
Minor None
294 Authentication Bypass by Capture-replay
Major Relationships
Minor None
295 Improper Certificate Validation
Major Observed_Examples, Relationships
Minor None
296 Improper Following of a Certificate's Chain of Trust
Major Relationships
Minor None
297 Improper Validation of Certificate with Host Mismatch
Major Relationships
Minor None
300 Channel Accessible by Non-Endpoint
Major Relationships
Minor None
302 Authentication Bypass by Assumed-Immutable Data
Major Relationships
Minor None
304 Missing Critical Step in Authentication
Major Relationships
Minor None
306 Missing Authentication for Critical Function
Major Relationships
Minor None
307 Improper Restriction of Excessive Authentication Attempts
Major Demonstrative_Examples, References, Relationships
Minor None
310 Cryptographic Issues
Major Relationships
Minor None
311 Missing Encryption of Sensitive Data
Major Relationships
Minor None
312 Cleartext Storage of Sensitive Information
Major Relationships
Minor None
313 Cleartext Storage in a File or on Disk
Major Relationships
Minor None
315 Cleartext Storage of Sensitive Information in a Cookie
Major Relationships
Minor None
316 Cleartext Storage of Sensitive Information in Memory
Major Relationships
Minor None
319 Cleartext Transmission of Sensitive Information
Major Relationships
Minor None
321 Use of Hard-coded Cryptographic Key
Major Relationships
Minor None
322 Key Exchange without Entity Authentication
Major Relationships
Minor None
323 Reusing a Nonce, Key Pair in Encryption
Major Relationships
Minor None
324 Use of a Key Past its Expiration Date
Major Relationships
Minor None
325 Missing Cryptographic Step
Major Relationships
Minor None
326 Inadequate Encryption Strength
Major Relationships
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Maintenance_Notes, Potential_Mitigations, Relationships
Minor None
328 Use of Weak Hash
Major Description, Maintenance_Notes, Name, Observed_Examples, References, Relationships
Minor None
329 Generation of Predictable IV with CBC Mode
Major Relationships
Minor None
330 Use of Insufficiently Random Values
Major Relationships
Minor None
331 Insufficient Entropy
Major Relationships
Minor None
332 Insufficient Entropy in PRNG
Major Observed_Examples
Minor None
335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Major Relationships
Minor None
336 Same Seed in Pseudo-Random Number Generator (PRNG)
Major Relationships
Minor None
337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
Major Relationships
Minor None
338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Major Relationships
Minor None
340 Generation of Predictable Numbers or Identifiers
Major Relationships
Minor None
345 Insufficient Verification of Data Authenticity
Major Relationships
Minor None
346 Origin Validation Error
Major Relationships
Minor None
347 Improper Verification of Cryptographic Signature
Major Relationships
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Relationships
Minor None
353 Missing Support for Integrity Check
Major Relationships
Minor None
359 Exposure of Private Personal Information to an Unauthorized Actor
Major Relationships
Minor None
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Observed_Examples, References
Minor None
377 Insecure Temporary File
Major Relationships
Minor None
384 Session Fixation
Major Relationships
Minor None
402 Transmission of Private Resources into a New Sphere ('Resource Leak')
Major Relationships
Minor None
415 Double Free
Major Relationships
Minor None
419 Unprotected Primary Channel
Major Relationships
Minor None
425 Direct Request ('Forced Browsing')
Major Relationships
Minor None
426 Untrusted Search Path
Major Relationships
Minor None
430 Deployment of Wrong Handler
Major Relationships
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Relationships
Minor None
441 Unintended Proxy or Intermediary ('Confused Deputy')
Major Relationships
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Major Relationships
Minor None
451 User Interface (UI) Misrepresentation of Critical Information
Major Relationships
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major Relationships
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Relationships
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major Relationships
Minor None
494 Download of Code Without Integrity Check
Major Observed_Examples, Relationships
Minor None
497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
Major Relationships
Minor None
501 Trust Boundary Violation
Major Relationships
Minor None
502 Deserialization of Untrusted Data
Major Relationships
Minor None
520 .NET Misconfiguration: Use of Impersonation
Major Relationships
Minor None
521 Weak Password Requirements
Major Relationships
Minor None
522 Insufficiently Protected Credentials
Major Relationships
Minor None
523 Unprotected Transport of Credentials
Major Relationships
Minor None
525 Use of Web Browser Cache Containing Sensitive Information
Major Relationships
Minor None
526 Exposure of Sensitive Information Through Environmental Variables
Major Relationships
Minor None
532 Insertion of Sensitive Information into Log File
Major Relationships
Minor None
537 Java Runtime Error Message Containing Sensitive Information
Major Relationships
Minor None
538 Insertion of Sensitive Information into Externally-Accessible File or Directory
Major Relationships
Minor None
539 Use of Persistent Cookies Containing Sensitive Information
Major Relationships
Minor None
540 Inclusion of Sensitive Information in Source Code
Major Relationships
Minor None
541 Inclusion of Sensitive Information in an Include File
Major Relationships
Minor None
547 Use of Hard-coded, Security-relevant Constants
Major Relationships
Minor None
548 Exposure of Information Through Directory Listing
Major Relationships
Minor None
552 Files or Directories Accessible to External Parties
Major Relationships
Minor None
564 SQL Injection: Hibernate
Major Relationships
Minor None
565 Reliance on Cookies without Validation and Integrity Checking
Major Relationships
Minor None
566 Authorization Bypass Through User-Controlled SQL Primary Key
Major Relationships
Minor None
579 J2EE Bad Practices: Non-serializable Object Stored in Session
Major Relationships
Minor None
598 Use of GET Request Method With Sensitive Query Strings
Major Relationships
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Relationships
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Relationships
Minor None
610 Externally Controlled Reference to a Resource in Another Sphere
Major Relationships
Minor None
611 Improper Restriction of XML External Entity Reference
Major Relationships
Minor None
613 Insufficient Session Expiration
Major Relationships
Minor None
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major Relationships
Minor None
620 Unverified Password Change
Major Relationships
Minor None
639 Authorization Bypass Through User-Controlled Key
Major Relationships
Minor None
640 Weak Password Recovery Mechanism for Forgotten Password
Major Relationships
Minor None
642 External Control of Critical State Data
Major Relationships
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major Relationships
Minor None
644 Improper Neutralization of HTTP Headers for Scripting Syntax
Major Relationships
Minor None
646 Reliance on File Name or Extension of Externally-Supplied File
Major Relationships
Minor None
650 Trusting HTTP Permission Methods on the Server Side
Major Relationships
Minor None
651 Exposure of WSDL File Containing Sensitive Information
Major Relationships
Minor None
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major Relationships
Minor None
653 Improper Isolation or Compartmentalization
Major Description, Name, Observed_Examples, References, Relationships
Minor Potential_Mitigations, Relationship_Notes
656 Reliance on Security Through Obscurity
Major Relationships
Minor None
657 Violation of Secure Design Principles
Major Relationships
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
670 Always-Incorrect Control Flow Implementation
Major Observed_Examples
Minor None
672 Operation on a Resource after Expiration or Release
Major Relationships
Minor None
675 Multiple Operations on Resource in Single-Operation Context
Major Name, Relationships
Minor None
693 Protection Mechanism Failure
Major Relationships
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Relationships
Minor None
706 Use of Incorrectly-Resolved Name or Reference
Major Relationships
Minor None
720 OWASP Top Ten 2007 Category A9 - Insecure Communications
Major Relationships
Minor None
755 Improper Handling of Exceptional Conditions
Major Observed_Examples
Minor None
756 Missing Custom Error Page
Major Relationships
Minor None
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Major Relationships
Minor None
759 Use of a One-Way Hash without a Salt
Major Relationships
Minor None
760 Use of a One-Way Hash with a Predictable Salt
Major Relationships
Minor None
776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Major Relationships
Minor None
778 Insufficient Logging
Major Relationships
Minor None
780 Use of RSA Algorithm without OAEP
Major Relationships
Minor None
784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
Major Relationships
Minor None
798 Use of Hard-coded Credentials
Major Relationships
Minor None
799 Improper Control of Interaction Frequency
Major Relationships
Minor None
807 Reliance on Untrusted Inputs in a Security Decision
Major Relationships
Minor None
818 OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection
Major Relationships
Minor None
829 Inclusion of Functionality from Untrusted Control Sphere
Major Relationships
Minor None
830 Inclusion of Web Functionality from an Untrusted Source
Major Relationships
Minor None
840 Business Logic Errors
Major Relationships
Minor None
841 Improper Enforcement of Behavioral Workflow
Major Relationships
Minor None
862 Missing Authorization
Major Relationships
Minor None
863 Incorrect Authorization
Major Relationships
Minor None
913 Improper Control of Dynamically-Managed Code Resources
Major Relationships
Minor None
915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Major Relationships
Minor None
916 Use of Password Hash With Insufficient Computational Effort
Major Relationships
Minor None
917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Major Relationships
Minor None
918 Server-Side Request Forgery (SSRF)
Major Relationships
Minor None
922 Insecure Storage of Sensitive Information
Major Relationships
Minor None
927 Use of Implicit Intent for Sensitive Communication
Major Relationships
Minor None
937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
Major Relationships
Minor None
940 Improper Verification of Source of a Communication Channel
Major Relationships
Minor None
942 Permissive Cross-domain Policy with Untrusted Domains
Major Relationships
Minor None
1004 Sensitive Cookie Without 'HttpOnly' Flag
Major Relationships
Minor None
1021 Improper Restriction of Rendered UI Layers or Frames
Major Relationships
Minor None
1032 OWASP Top Ten 2017 Category A6 - Security Misconfiguration
Major Relationships
Minor None
1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Major Relationships
Minor None
1104 Use of Unmaintained Third Party Components
Major Relationships
Minor None
1173 Improper Use of Validation Framework
Major Relationships
Minor None
1174 ASP.NET Misconfiguration: Improper Model Validation
Major Relationships
Minor None
1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
Major Description, Observed_Examples, References, Relationships, Weakness_Ordinalities
Minor Demonstrative_Examples
1191 On-Chip Debug and Test Interface With Improper Access Control
Major Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Potential_Mitigations, Relationship_Notes, Relationships, Weakness_Ordinalities
Minor None
1201 Core and Compute Issues
Major Relationships
Minor None
1209 Failure to Disable Reserved Bits
Major Potential_Mitigations
Minor None
1216 Lockout Mechanism Errors
Major Relationships
Minor None
1221 Incorrect Register Defaults or Module Parameters
Major Common_Consequences
Minor None
1231 Improper Prevention of Lock Bit Modification
Major Demonstrative_Examples, Description, Detection_Factors, Name, Observed_Examples, Potential_Mitigations, Relationships, Weakness_Ordinalities
Minor None
1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
Major Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Weakness_Ordinalities
Minor None
1239 Improper Zeroization of Hardware Register
Major Relationships
Minor None
1240 Use of a Cryptographic Primitive with a Risky Implementation
Major Background_Details, Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Terminology_Notes, Weakness_Ordinalities
Minor None
1241 Use of Predictable Algorithm in Random Number Generator
Major None
Minor Potential_Mitigations
1244 Internal Asset Exposed to Unsafe Debug Access Level or State
Major Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Weakness_Ordinalities
Minor None
1247 Improper Protection Against Voltage and Clock Glitches
Major Description, Detection_Factors, Name, References, Weakness_Ordinalities
Minor None
1253 Incorrect Selection of Fuse Values
Major Description
Minor None
1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks
Major Maintenance_Notes, References, Relationships, Type
Minor None
1256 Improper Restriction of Software Interfaces to Hardware Features
Major Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Modes_of_Introduction, Name, Observed_Examples, References, Relationships, Weakness_Ordinalities
Minor None
1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions
Major Potential_Mitigations
Minor None
1259 Improper Restriction of Security Token Assignment
Major Description
Minor None
1260 Improper Handling of Overlap Between Protected Memory Ranges
Major Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
1262 Improper Access Control for Register Interface
Major Description, Detection_Factors, Name, Observed_Examples, Potential_Mitigations, Weakness_Ordinalities
Minor None
1263 Improper Physical Access Control
Major Description
Minor None
1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels
Major Weakness_Ordinalities
Minor None
1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents
Major Potential_Mitigations
Minor None
1271 Uninitialized Value on Reset for Registers Holding Security Settings
Major Weakness_Ordinalities
Minor None
1272 Sensitive Information Uncleared Before Debug/Power State Transition
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Observed_Examples, Potential_Mitigations, References, Relationships, Weakness_Ordinalities
Minor None
1273 Device Unlock Credential Sharing
Major Demonstrative_Examples, Description
Minor None
1274 Improper Access Control for Volatile Memory Containing Boot Code
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, Relationships, Weakness_Ordinalities
Minor None
1275 Sensitive Cookie with Improper SameSite Attribute
Major Relationships
Minor None
1277 Firmware Not Updateable
Major Common_Consequences, Description, Detection_Factors, Maintenance_Notes, Modes_of_Introduction, Observed_Examples, References, Relationships, Terminology_Notes, Weakness_Ordinalities
Minor None
1289 Improper Validation of Unsafe Equivalence in Input
Major Description
Minor None
1290 Incorrect Decoding of Security Identifiers
Major Demonstrative_Examples
Minor None
1292 Incorrect Conversion of Security Identifiers
Major None
Minor Potential_Mitigations
1294 Insecure Security Identifier Mechanism
Major None
Minor Potential_Mitigations
1300 Improper Protection of Physical Side Channels
Major Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Observed_Examples, References, Relationships, Weakness_Ordinalities
Minor None
1301 Insufficient or Incomplete Data Removal within Hardware Component
Major Description
Minor None
1302 Missing Security Identifier
Major Demonstrative_Examples, Relationships
Minor None
1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
Major Potential_Mitigations
Minor None
1315 Improper Setting of Bus Controlling Capability in Fabric End-point
Major Maintenance_Notes
Minor None
1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
Major Maintenance_Notes
Minor None
1317 Missing Security Checks in Fabric Bridge
Major Observed_Examples
Minor None
1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Major Relationships
Minor None
1323 Improper Management of Sensitive Trace Data
Major Common_Consequences
Minor None
1324 Sensitive Information Accessible by Physical Probing of JTAG Interface
Major Potential_Mitigations
Minor None
1326 Missing Immutable Root of Trust in Hardware
Major Demonstrative_Examples
Minor None
1328 Security Version Number Mutable to Older Versions
Major Demonstrative_Examples
Minor None
1331 Improper Isolation of Shared Resources in Network On Chip (NoC)
Major Background_Details, Demonstrative_Examples, Description, Detection_Factors, Name, References, Relationships, Weakness_Ordinalities
Minor None
1332 Improper Handling of Faults that Lead to Instruction Skips
Major Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Weakness_Ordinalities
Minor None
1333 Inefficient Regular Expression Complexity
Major Description
Minor None
1337 Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses
Major View_Audience
Minor None
1350 Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses
Major View_Audience
Minor None
1351 Improper Handling of Hardware Behavior in Exceptionally Cold Environments
Major None
Minor Common_Consequences, Potential_Mitigations
Back to top
Page Last Updated: December 22, 2021
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.