CWE - Differences between Version 1.10 and Version 1.11

Home > CWE List > Reports > Differences between Version 1.10 and Version 1.11

Differences between Version 1.10 and Version 1.11

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 1.11)	835
Total (Version 1.10)	828
Total new	7
Total deprecated	1
Total shared	828
Total important changes	78
Total major changes	135
Total minor changes	7
Total minor changes (no major)	4
Total unchanged	689

Summary of Entry Types

Type	Version 1.10	Version 1.11
Category	119	119
Chain	3	3
Composite	6	6
Deprecated	11	12
View	24	24
Weakness	665	671

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	26	0
Description	40	1
Applicable_Platforms	7	0
Time_of_Introduction	1	0
Demonstrative_Examples	23	1
Detection_Factors	0	0
Likelihood_of_Exploit	1	0
Common_Consequences	18	4
Relationships	35	0
References	1	0
Potential_Mitigations	20	0
Observed_Examples	13	1
Terminology_Notes	1	0
Alternate_Terms	2	0
Related_Attack_Patterns	7	0
Relationship_Notes	6	0
Taxonomy_Mappings	4	0
Maintenance_Notes	1	0
Modes_of_Introduction	0	0
Affected_Resources	0	0
Functional_Areas	0	0
Research_Gaps	2	0
Background_Details	1	0
Theoretical_Notes	0	0
Weakness_Ordinalities	0	0
White_Box_Definitions	0	0
Enabling_Factors_for_Exploitation	1	0
Other_Notes	15	0
Relevant_Properties	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Common_Methods_of_Exploitation	0	0
Type	1	0
Causal_Nature	0	0
Source_Taxonomy	0	0
Context_Notes	0	0
Black_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		827
Weakness/Base	Deprecated	1

Status Changes

From	To	Total
Unchanged		827
Draft	Deprecated	1

Relationship Changes

The "Version 1.11 Total" lists the total number of relationships in Version 1.11. The "Shared" value is the total number of relationships in entries that were in both Version 1.11 and Version 1.10. The "New" value is the total number of relationships involving entries that did not exist in Version 1.10. Thus, the total number of relationships in Version 1.11 would combine stats from Shared entries and New entries.

Relationship	Version 1.11 Total	Version 1.10 Total	Version 1.11 Shared	Unchanged	Added to Version 1.11	Removed from Version 1.10	Version 1.11 New
ALL	4974	4956	4938	4904	34	52	36
ChildOf	2136	2124	2119	2107	12	17	17
ParentOf	2136	2124	2119	2107	12	17	17
MemberOf	119	119	119	119
HasMember	119	119	119	119
CanPrecede	107	103	106	101	5	2	1
CanFollow	107	103	106	101	5	2	1
StartsWith	3	3	3	3
Requires	19	19	19	19
RequiredBy	19	19	19	19
CanAlsoBe	35	35	35	35
PeerOf	174	188	174	174		14

Nodes Removed from Version 1.10

CWE-ID	CWE Name
None.

Nodes Added to Version 1.11

CWE-ID	CWE Name
827	Improper Control of Document Type Definition
828	Signal Handler with Functionality that is not Asynchronous-Safe
829	Inclusion of Functionality from Untrusted Control Sphere
830	Inclusion of Web Functionality from an Untrusted Source
831	Signal Handler Function Associated with Multiple Signals
832	Unlock of a Resource that is not Locked
833	Deadlock

Nodes Deprecated in Version 1.11

CWE-ID	CWE Name
373	DEPRECATED: State Synchronization Error

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

D			20	Improper Input Validation
		R	34	Path Traversal: '....//'
		R	35	Path Traversal: '.../...//'
	N		69	Improper Handling of Windows ::DATA Alternate Data Stream
D			75	Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
D			76	Improper Neutralization of Equivalent Special Elements
D			78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
D			85	Doubled Character XSS Manipulations
D			103	Struts: Incomplete validate() Method Definition
	N		119	Improper Restriction of Operations within the Bounds of a Memory Buffer
		R	123	Write-what-where Condition
D			138	Improper Neutralization of Special Elements
	N		168	Improper Handling of Inconsistent Special Elements
D			172	Encoding Error
	N		173	Improper Handling of Alternate Encoding
	N		175	Improper Handling of Mixed Encoding
	N		176	Improper Handling of Unicode Encoding
	N		177	Improper Handling of URL Encoding (Hex Encoding)
	N		178	Improper Handling of Case Sensitivity
		R	182	Collapse of Data into Unsafe Value
D			226	Sensitive Information Uncleared Before Release
D			227	Failure to Fulfill API Contract ('API Abuse')
	N		243	Creation of chroot Jail Without Changing Working Directory
	N		244	Improper Clearing of Heap Memory Before Release ('Heap Inspection')
		R	259	Use of Hard-coded Password
D			297	Improper Validation of Host-specific Certificate Data
D			300	Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
		R	321	Use of Hard-coded Cryptographic Key
		R	344	Use of Invariant Value in Dynamically Changing Context
D	N		353	Missing Support for Integrity Check
D			354	Improper Validation of Integrity Check Value
D	N	R	362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
D		R	364	Signal Handler Race Condition
		R	367	Time-of-check Time-of-use (TOCTOU) Race Condition
		R	371	State Issues
D	N	R	373	DEPRECATED: State Synchronization Error
		R	381	J2EE Time and State Issues
D		R	383	J2EE Bad Practices: Direct Use of Threads
D	N		392	Missing Report of Error Condition
		R	398	Indicator of Poor Code Quality
	N		401	Improper Release of Memory Before Removing Last Reference ('Memory Leak')
D			405	Asymmetric Resource Consumption (Amplification)
		R	415	Double Free
D		R	416	Use After Free
	N		424	Improper Protection of Alternate Path
D			431	Missing Handler
D	N	R	432	Dangerous Signal Handler not Disabled During Sensitive Operations
D			472	External Control of Assumed-Immutable Web Parameter
		R	476	NULL Pointer Dereference
D	N	R	479	Signal Handler Use of a Non-reentrant Function
		R	488	Data Leak Between Sessions
D		R	543	Use of Singleton Pattern Without Synchronization in a Multithreaded Context
	N		544	Missing Standardized Error Handling Mechanism
D	N	R	567	Unsynchronized Access to Shared Data in a Multithreaded Context
		R	574	EJB Bad Practices: Use of Synchronization Primitives
D			580	clone() Method Without super.clone()
D			599	Trust of OpenSSL Certificate Without Validation
D	N		600	Uncaught Exception in Servlet
		R	609	Double-Checked Locking
	N		637	Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
	N		638	Not Using Complete Mediation
D			648	Incorrect Use of Privileged APIs
D			649	Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
D		R	662	Improper Synchronization
D	N	R	663	Use of a Non-reentrant Function in a Concurrent Context
D		R	664	Improper Control of a Resource Through its Lifetime
D	N	R	667	Improper Locking
		R	669	Incorrect Resource Transfer Between Spheres
		R	691	Insufficient Control Flow Management
	N		703	Improper Check or Handling of Exceptional Conditions
		R	706	Use of Incorrectly-Resolved Name or Reference
D			755	Improper Handling of Exceptional Conditions
D			756	Missing Custom Error Page
D			769	File Descriptor Exhaustion
		R	776	Unrestricted Recursive Entity References in DTDs ('XML Bomb')
D			798	Use of Hard-coded Credentials
		R	820	Missing Synchronization
		R	821	Incorrect Synchronization

Detailed Difference Report

20	Improper Input Validation
	Major	Demonstrative_Examples, Description
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Potential_Mitigations
	Minor	None
34	Path Traversal: '....//'
	Major	Relationships
	Minor	None
35	Path Traversal: '.../...//'
	Major	Relationships
	Minor	None
49	Path Equivalence: 'filename/' (Trailing Slash)
	Major	Observed_Examples
	Minor	None
69	Improper Handling of Windows ::DATA Alternate Data Stream
	Major	Name
	Minor	None
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
	Major	Common_Consequences, Relationship_Notes
	Minor	None
75	Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
	Major	Description
	Minor	None
76	Improper Neutralization of Equivalent Special Elements
	Major	Description
	Minor	None
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
	Major	Description, Potential_Mitigations
	Minor	None
85	Doubled Character XSS Manipulations
	Major	Description
	Minor	None
87	Improper Neutralization of Alternate XSS Syntax
	Major	Demonstrative_Examples
	Minor	None
94	Failure to Control Generation of Code ('Code Injection')
	Major	None
	Minor	Common_Consequences
98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
	Major	Potential_Mitigations
	Minor	None
103	Struts: Incomplete validate() Method Definition
	Major	Description
	Minor	None
116	Improper Encoding or Escaping of Output
	Major	None
	Minor	Common_Consequences
117	Improper Output Neutralization for Logs
	Major	Demonstrative_Examples
	Minor	None
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	Name
	Minor	None
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	Potential_Mitigations
	Minor	None
123	Write-what-where Condition
	Major	Relationships
	Minor	None
128	Wrap-around Error
	Major	Background_Details
	Minor	None
129	Improper Validation of Array Index
	Major	Demonstrative_Examples, Observed_Examples, Potential_Mitigations
	Minor	None
130	Improper Handling of Length Parameter Inconsistency
	Major	Potential_Mitigations
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	Potential_Mitigations
	Minor	None
138	Improper Neutralization of Special Elements
	Major	Description
	Minor	None
168	Improper Handling of Inconsistent Special Elements
	Major	Name
	Minor	None
170	Improper Null Termination
	Major	None
	Minor	Common_Consequences
172	Encoding Error
	Major	Description
	Minor	None
173	Improper Handling of Alternate Encoding
	Major	Name
	Minor	None
175	Improper Handling of Mixed Encoding
	Major	Name
	Minor	None
176	Improper Handling of Unicode Encoding
	Major	Name
	Minor	None
177	Improper Handling of URL Encoding (Hex Encoding)
	Major	Name
	Minor	None
178	Improper Handling of Case Sensitivity
	Major	Name
	Minor	None
182	Collapse of Data into Unsafe Value
	Major	Relationships
	Minor	None
193	Off-by-one Error
	Major	Demonstrative_Examples
	Minor	None
194	Unexpected Sign Extension
	Major	Applicable_Platforms
	Minor	None
196	Unsigned to Signed Conversion Error
	Major	Other_Notes
	Minor	None
197	Numeric Truncation Error
	Major	Demonstrative_Examples
	Minor	None
201	Information Exposure Through Sent Data
	Major	Common_Consequences
	Minor	None
211	Product-External Error Message Information Leak
	Major	Observed_Examples
	Minor	None
226	Sensitive Information Uncleared Before Release
	Major	Description
	Minor	None
227	Failure to Fulfill API Contract ('API Abuse')
	Major	Description
	Minor	None
243	Creation of chroot Jail Without Changing Working Directory
	Major	Demonstrative_Examples, Name
	Minor	None
244	Improper Clearing of Heap Memory Before Release ('Heap Inspection')
	Major	Name
	Minor	None
252	Unchecked Return Value
	Major	Demonstrative_Examples
	Minor	None
258	Empty Password in Configuration File
	Major	Demonstrative_Examples
	Minor	None
259	Use of Hard-coded Password
	Major	Relationships
	Minor	None
272	Least Privilege Violation
	Major	Other_Notes
	Minor	None
296	Improper Following of Chain of Trust for Certificate Validation
	Major	Other_Notes
	Minor	None
297	Improper Validation of Host-specific Certificate Data
	Major	Description, Other_Notes
	Minor	None
299	Improper Check for Certificate Revocation
	Major	Other_Notes
	Minor	None
300	Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
	Major	Description
	Minor	None
309	Use of Password System for Primary Authentication
	Major	Common_Consequences
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns
	Minor	None
313	Plaintext Storage in a File or on Disk
	Major	Demonstrative_Examples
	Minor	None
319	Cleartext Transmission of Sensitive Information
	Major	Observed_Examples, Related_Attack_Patterns
	Minor	None
321	Use of Hard-coded Cryptographic Key
	Major	Relationships
	Minor	None
344	Use of Invariant Value in Dynamically Changing Context
	Major	Relationships
	Minor	None
345	Insufficient Verification of Data Authenticity
	Major	Related_Attack_Patterns
	Minor	None
346	Origin Validation Error
	Major	Related_Attack_Patterns
	Minor	None
353	Missing Support for Integrity Check
	Major	Description, Name
	Minor	None
354	Improper Validation of Integrity Check Value
	Major	Description
	Minor	None
362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships
	Minor	None
363	Race Condition Enabling Link Following
	Major	Other_Notes, Relationship_Notes
	Minor	None
364	Signal Handler Race Condition
	Major	Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships
	Minor	None
367	Time-of-check Time-of-use (TOCTOU) Race Condition
	Major	Alternate_Terms, Relationships
	Minor	None
368	Context Switching Race Condition
	Major	Observed_Examples
	Minor	None
371	State Issues
	Major	Relationships
	Minor	None
372	Incomplete Internal State Distinction
	Major	Maintenance_Notes
	Minor	None
373	DEPRECATED: State Synchronization Error
	Major	Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
	Minor	None
374	Passing Mutable Objects to an Untrusted Method
	Major	Demonstrative_Examples
	Minor	None
381	J2EE Time and State Issues
	Major	Relationships
	Minor	None
383	J2EE Bad Practices: Direct Use of Threads
	Major	Description, Other_Notes, Relationships
	Minor	None
392	Missing Report of Error Condition
	Major	Description, Name
	Minor	None
398	Indicator of Poor Code Quality
	Major	Relationships
	Minor	None
401	Improper Release of Memory Before Removing Last Reference ('Memory Leak')
	Major	Demonstrative_Examples, Name
	Minor	None
404	Improper Resource Shutdown or Release
	Major	Demonstrative_Examples
	Minor	None
405	Asymmetric Resource Consumption (Amplification)
	Major	Description
	Minor	None
413	Improper Resource Locking
	Major	Demonstrative_Examples
	Minor	None
415	Double Free
	Major	Observed_Examples, Relationships
	Minor	None
416	Use After Free
	Major	Alternate_Terms, Common_Consequences, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships
	Minor	Demonstrative_Examples
419	Unprotected Primary Channel
	Major	Related_Attack_Patterns
	Minor	None
424	Improper Protection of Alternate Path
	Major	Name
	Minor	None
431	Missing Handler
	Major	Description, Other_Notes
	Minor	None
432	Dangerous Signal Handler not Disabled During Sensitive Operations
	Major	Applicable_Platforms, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings
	Minor	None
434	Unrestricted Upload of File with Dangerous Type
	Major	Potential_Mitigations
	Minor	None
437	Incomplete Model of Endpoint Features
	Major	Other_Notes, Relationship_Notes
	Minor	None
471	Modification of Assumed-Immutable Data (MAID)
	Major	Related_Attack_Patterns
	Minor	None
472	External Control of Assumed-Immutable Web Parameter
	Major	Description
	Minor	None
476	NULL Pointer Dereference
	Major	Relationships
	Minor	None
479	Signal Handler Use of a Non-reentrant Function
	Major	Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships
	Minor	None
488	Data Leak Between Sessions
	Major	Relationships
	Minor	None
494	Download of Code Without Integrity Check
	Major	Potential_Mitigations
	Minor	None
543	Use of Singleton Pattern Without Synchronization in a Multithreaded Context
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
	Minor	None
544	Missing Standardized Error Handling Mechanism
	Major	Name
	Minor	None
567	Unsynchronized Access to Shared Data in a Multithreaded Context
	Major	Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships
	Minor	None
574	EJB Bad Practices: Use of Synchronization Primitives
	Major	Relationships
	Minor	None
580	clone() Method Without super.clone()
	Major	Description
	Minor	None
581	Object Model Violation: Just One of Equals and Hashcode Defined
	Major	Common_Consequences
	Minor	None
595	Comparison of Object References Instead of Object Contents
	Major	Demonstrative_Examples
	Minor	None
599	Trust of OpenSSL Certificate Without Validation
	Major	Description
	Minor	None
600	Uncaught Exception in Servlet
	Major	Description, Name
	Minor	None
602	Client-Side Enforcement of Server-Side Security
	Major	Related_Attack_Patterns
	Minor	None
609	Double-Checked Locking
	Major	Relationships
	Minor	None
636	Not Failing Securely ('Failing Open')
	Major	Research_Gaps
	Minor	None
637	Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
	Major	Name, Research_Gaps
	Minor	None
638	Not Using Complete Mediation
	Major	Name
	Minor	None
639	Access Control Bypass Through User-Controlled Key
	Major	None
	Minor	Common_Consequences
640	Weak Password Recovery Mechanism for Forgotten Password
	Major	Common_Consequences
	Minor	None
641	Improper Restriction of Names for Files and Other Resources
	Major	Common_Consequences
	Minor	None
643	Improper Neutralization of Data within XPath Expressions ('XPath Injection')
	Major	Common_Consequences
	Minor	None
644	Improper Neutralization of HTTP Headers for Scripting Syntax
	Major	Common_Consequences
	Minor	None
646	Reliance on File Name or Extension of Externally-Supplied File
	Major	Applicable_Platforms, Common_Consequences
	Minor	None
647	Use of Non-Canonical URL Paths for Authorization Decisions
	Major	Common_Consequences
	Minor	Observed_Examples
648	Incorrect Use of Privileged APIs
	Major	Common_Consequences, Description
	Minor	None
649	Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
	Major	Common_Consequences, Description, Enabling_Factors_for_Exploitation, Observed_Examples
	Minor	None
651	Information Exposure through WSDL File
	Major	Common_Consequences
	Minor	Description
652	Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
	Major	Common_Consequences
	Minor	None
653	Insufficient Compartmentalization
	Major	Other_Notes, Relationship_Notes, Terminology_Notes
	Minor	None
662	Improper Synchronization
	Major	Description, Relationships, Taxonomy_Mappings
	Minor	None
663	Use of a Non-reentrant Function in a Concurrent Context
	Major	Description, Name, Relationships
	Minor	None
664	Improper Control of a Resource Through its Lifetime
	Major	Description, Relationships
	Minor	None
667	Improper Locking
	Major	Description, Name, Relationships
	Minor	None
669	Incorrect Resource Transfer Between Spheres
	Major	Relationships
	Minor	None
684	Failure to Provide Specified Functionality
	Major	Potential_Mitigations
	Minor	None
691	Insufficient Control Flow Management
	Major	Relationships
	Minor	None
703	Improper Check or Handling of Exceptional Conditions
	Major	Name, Relationship_Notes
	Minor	None
706	Use of Incorrectly-Resolved Name or Reference
	Major	Relationships
	Minor	None
732	Incorrect Permission Assignment for Critical Resource
	Major	Potential_Mitigations
	Minor	None
754	Improper Check for Unusual or Exceptional Conditions
	Major	Relationship_Notes
	Minor	None
755	Improper Handling of Exceptional Conditions
	Major	Description, Observed_Examples
	Minor	None
756	Missing Custom Error Page
	Major	Description
	Minor	None
766	Critical Variable Declared Public
	Major	Observed_Examples
	Minor	None
769	File Descriptor Exhaustion
	Major	Description
	Minor	None
776	Unrestricted Recursive Entity References in DTDs ('XML Bomb')
	Major	Relationships
	Minor	None
798	Use of Hard-coded Credentials
	Major	Description
	Minor	None
805	Buffer Access with Incorrect Length Value
	Major	Potential_Mitigations
	Minor	None
820	Missing Synchronization
	Major	Demonstrative_Examples, Relationships
	Minor	None
821	Incorrect Synchronization
	Major	Relationships
	Minor	None

Page Last Updated: January 05, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration