Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

The "Version 1.4 Total" lists the total number of relationships in Version 1.4. The "Shared" value is the total number of relationships in entries that were in both Version 1.4 and Version 1.3. The "New" value is the total number of relationships involving entries that did not exist in Version 1.3. Thus, the total number of relationships in Version 1.4 is the combination of the Shared and New counts.

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are Description, Name, and Relationships, abbreviated D, N, and R in the table of important changes that follows.
ID | Name | D (Description) | N (Name) | R (Relationships)
6 | J2EE Misconfiguration: Insufficient Session-ID Length | D |  |  
41 | Improper Resolution of Path Equivalence |  | N |  
45 | Path Equivalence: 'file...name' (Multiple Internal Dot) |  |  | R
59 | Improper Link Resolution Before File Access ('Link Following') | D | N |  
72 | Improper Handling of Apple HFS+ Alternate Data Stream Path |  | N |  
74 | Failure to Sanitize Data into a Different Plane ('Injection') |  | N |  
77 | Failure to Sanitize Data into a Control Plane ('Command Injection') |  | N |  
78 | Failure to Preserve OS Command Structure ('OS Command Injection') |  | N |  
79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |  | N |  
80 | Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS) | D | N |  
81 | Improper Sanitization of Script in an Error Message Web Page | D | N |  
82 | Improper Sanitization of Script in Attributes of IMG Tags in a Web Page | D | N |  
89 | Failure to Preserve SQL Query Structure ('SQL Injection') |  | N |  
90 | Failure to Sanitize Data into LDAP Queries ('LDAP Injection') |  | N |  
92 | Improper Sanitization of Custom Special Characters | D | N |  
93 | Failure to Sanitize CRLF Sequences ('CRLF Injection') |  | N |  
94 | Failure to Control Generation of Code ('Code Injection') |  | N |  
95 | Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection') | D | N |  
96 | Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection') | D | N |  
98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | D | N |  
99 | Improper Control of Resource Identifiers ('Resource Injection') | D | N |  
113 | Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |  | N |  
117 | Improper Output Sanitization for Logs | D | N |  
118 | Improper Access of Indexable Resource ('Range Error') |  | N |  
123 | Write-what-where Condition |  |  | R
135 | Incorrect Calculation of Multi-Byte String Length | D |  |  
160 | Improper Sanitization of Leading Special Elements | D | N |  
161 | Improper Sanitization of Multiple Leading Special Elements | D | N |  
162 | Improper Sanitization of Trailing Special Elements | D | N |  
163 | Improper Sanitization of Multiple Trailing Special Elements | D | N | R
164 | Improper Sanitization of Internal Special Elements | D | N |  
165 | Improper Sanitization of Multiple Internal Special Elements | D | N | R
166 | Improper Handling of Missing Special Element | D | N |  
167 | Improper Handling of Additional Special Element | D | N |  
171 | Cleansing, Canonicalization, and Comparison Errors |  |  | R
184 | Incomplete Blacklist | D |  |  
198 | Use of Incorrect Byte Ordering | D |  |  
216 | Containment Errors (Container Errors) |  |  | R
217 | DEPRECATED: Failure to Protect Stored Data from Modification | D | N | R
226 | Sensitive Information Uncleared Before Release |  |  | R
227 | Failure to Fulfill API Contract ('API Abuse') |  | N | R
244 | Failure to Clear Heap Memory Before Release ('Heap Inspection') |  | N |  
247 | Reliance on DNS Lookups in a Security Decision |  |  | R
269 | Improper Privilege Management |  | N |  
273 | Improper Check for Dropped Privileges |  | N |  
274 | Improper Handling of Insufficient Privileges | D | N |  
276 | Incorrect Default Permissions | D | N |  
279 | Incorrect Execution-Assigned Permissions | D | N |  
281 | Improper Preservation of Permissions | D | N |  
285 | Improper Access Control (Authorization) | D |  |  
287 | Improper Authentication | D |  |  
299 | Improper Check for Certificate Revocation |  |  | R
300 | Channel Accessible by Non-Endpoint ('Man-in-the-Middle') |  | N |  
303 | Incorrect Implementation of Authentication Algorithm | D | N |  
333 | Improper Handling of Insufficient Entropy in TRNG | D | N |  
347 | Improper Verification of Cryptographic Signature | D | N |  
350 | Improperly Trusted Reverse DNS |  |  | R
357 | Insufficient UI Warning of Dangerous Operations | D |  |  
358 | Improperly Implemented Security Check for Standard | D |  |  
362 | Race Condition |  |  | R
370 | Missing Check for Certificate Revocation after Initial Check |  | N | R
379 | Creation of Temporary File in Directory with Incorrect Permissions | D | N |  
399 | Resource Management Errors |  |  | R
400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |  | N | R
401 | Failure to Release Memory Before Removing Last Reference ('Memory Leak') |  | N |  
402 | Transmission of Private Resources into a New Sphere ('Resource Leak') |  | N |  
404 | Improper Resource Shutdown or Release | D |  | R
408 | Incorrect Behavior Order: Early Amplification | D |  |  
409 | Improper Handling of Highly Compressed Data (Data Amplification) | D | N |  
444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') |  | N |  
459 | Incomplete Cleanup |  |  | R
460 | Improper Cleanup on Thrown Exception | D |  |  
470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |  | N |  
478 | Missing Default Case in Switch Statement | D | N |  
485 | Insufficient Encapsulation |  |  | R
491 | Public cloneable() Method Without Final ('Object Hijack') |  | N |  
493 | Critical Public Variable Without Final Modifier | D |  | R
500 | Public Static Field Not Marked Final |  |  | R
585 | Empty Synchronized Block | D |  |  
590 | Free of Memory not on the Heap | D | N | R
591 | Sensitive Data Storage in Improperly Locked Memory | D |  |  
595 | Comparison of Object References Instead of Object Contents |  | N |  
601 | URL Redirection to Untrusted Site ('Open Redirect') |  | N |  
604 | Deprecated Entries |  |  | R
609 | Double-Checked Locking |  |  | R
619 | Dangling Database Cursor ('Cursor Injection') |  | N |  
633 | Weaknesses that Affect Memory |  |  | R
636 | Not Failing Securely ('Failing Open') |  | N |  
639 | Access Control Bypass Through User-Controlled Key |  |  | R
643 | Failure to Sanitize Data within XPath Expressions ('XPath injection') |  | N |  
644 | Improper Sanitization of HTTP Headers for Scripting Syntax | D | N |  
648 | Incorrect Use of Privileged APIs |  | N |  
652 | Failure to Sanitize Data within XQuery Expressions ('XQuery Injection') |  | N |  
654 | Reliance on a Single Factor in a Security Decision |  |  | R
655 | Insufficient Psychological Acceptability |  | N |  
662 | Insufficient Synchronization |  |  | R
664 | Improper Control of a Resource Through its Lifetime | D | N | R
665 | Improper Initialization | D |  | R
667 | Insufficient Locking |  |  | R
668 | Exposure of Resource to Wrong Sphere |  |  | R
675 | Duplicate Operations on Resource |  |  | R
685 | Function Call With Incorrect Number of Arguments | D |  |  
686 | Function Call With Incorrect Argument Type | D |  |  
687 | Function Call With Incorrectly Specified Argument Value | D |  |  
688 | Function Call With Incorrect Variable or Reference as Argument | D |  |  
691 | Insufficient Control Flow Management |  |  | R
693 | Protection Mechanism Failure | D |  |  
696 | Incorrect Behavior Order | D |  |  
697 | Insufficient Comparison | D |  |  
704 | Incorrect Type Conversion or Cast | D |  |  
707 | Improper Enforcement of Message or Data Structure | D | N |  
708 | Incorrect Ownership Assignment | D |  |  
715 | OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference |  |  | R
732 | Incorrect Permission Assignment for Critical Resource |  | N |  
ID | Name | Major Changes | Minor Changes
6 | J2EE Misconfiguration: Insufficient Session-ID Length | Description, Other_Notes, References | None
14 | Compiler Removal of Code to Clear Buffers | Demonstrative_Examples | None
15 | External Control of System or Configuration Setting | Demonstrative_Examples | None
20 | Improper Input Validation | Related_Attack_Patterns | None
41 | Improper Resolution of Path Equivalence | Name | None
45 | Path Equivalence: 'file...name' (Multiple Internal Dot) | Relationships | None
59 | Improper Link Resolution Before File Access ('Link Following') | Description, Name | None
72 | Improper Handling of Apple HFS+ Alternate Data Stream Path | Name | None
74 | Failure to Sanitize Data into a Different Plane ('Injection') | Name, Related_Attack_Patterns | None
77 | Failure to Sanitize Data into a Control Plane ('Command Injection') | Demonstrative_Examples, Name | None
78 | Failure to Preserve OS Command Structure ('OS Command Injection') | Name, Related_Attack_Patterns | None
79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') | Name | None
80 | Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS) | Demonstrative_Examples, Description, Name | None
81 | Improper Sanitization of Script in an Error Message Web Page | Description, Name | None
82 | Improper Sanitization of Script in Attributes of IMG Tags in a Web Page | Description, Name | None
89 | Failure to Preserve SQL Query Structure ('SQL Injection') | Demonstrative_Examples, Name, Related_Attack_Patterns | None
90 | Failure to Sanitize Data into LDAP Queries ('LDAP Injection') | Name | None
92 | Improper Sanitization of Custom Special Characters | Description, Name | None
93 | Failure to Sanitize CRLF Sequences ('CRLF Injection') | Name | None
94 | Failure to Control Generation of Code ('Code Injection') | Demonstrative_Examples, Name | None
95 | Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection') | Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Description, Name, References | None
96 | Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection') | Description, Name | None
98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | Description, Name | None
99 | Improper Control of Resource Identifiers ('Resource Injection') | Description, Name | None
100 | Technology-Specific Input Validation Problems | Related_Attack_Patterns | None
112 | Missing XML Validation | Demonstrative_Examples | None
113 | Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | Name | None
114 | Process Control | Related_Attack_Patterns | None
116 | Improper Encoding or Escaping of Output | Related_Attack_Patterns | None
117 | Improper Output Sanitization for Logs | Demonstrative_Examples, Description, Name, Related_Attack_Patterns | None
118 | Improper Access of Indexable Resource ('Range Error') | Name | None
119 | Failure to Constrain Operations within the Bounds of a Memory Buffer | Demonstrative_Examples | None
123 | Write-what-where Condition | Relationships | None
134 | Uncontrolled Format String | Demonstrative_Examples | None
135 | Incorrect Calculation of Multi-Byte String Length | Description | None
160 | Improper Sanitization of Leading Special Elements | Description, Name | None
161 | Improper Sanitization of Multiple Leading Special Elements | Description, Name | None
162 | Improper Sanitization of Trailing Special Elements | Description, Name | None
163 | Improper Sanitization of Multiple Trailing Special Elements | Description, Name, Relationships | None
164 | Improper Sanitization of Internal Special Elements | Description, Name | None
165 | Improper Sanitization of Multiple Internal Special Elements | Description, Name, Relationships | None
166 | Improper Handling of Missing Special Element | Description, Name | None
167 | Improper Handling of Additional Special Element | Description, Name | None
170 | Improper Null Termination | Demonstrative_Examples | None
171 | Cleansing, Canonicalization, and Comparison Errors | Relationships | None
176 | Failure to Handle Unicode Encoding | Demonstrative_Examples | None
180 | Incorrect Behavior Order: Validate Before Canonicalize | Other_Notes, Relationship_Notes | None
184 | Incomplete Blacklist | Description, Other_Notes, Relationship_Notes, Time_of_Introduction | None
190 | Integer Overflow or Wraparound | Demonstrative_Examples | None
191 | Integer Underflow (Wrap or Wraparound) | Demonstrative_Examples | None
194 | Unexpected Sign Extension | Demonstrative_Examples | None
195 | Signed to Unsigned Conversion Error | Demonstrative_Examples | None
196 | Unsigned to Signed Conversion Error | Demonstrative_Examples | None
197 | Numeric Truncation Error | Demonstrative_Examples | None
198 | Use of Incorrect Byte Ordering | Description | None
215 | Information Leak Through Debug Information | Demonstrative_Examples | None
216 | Containment Errors (Container Errors) | Relationships | None
217 | DEPRECATED: Failure to Protect Stored Data from Modification | Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type | None
226 | Sensitive Information Uncleared Before Release | Relationships | None
227 | Failure to Fulfill API Contract ('API Abuse') | Name, Relationships | None
243 | Failure to Change Working Directory in chroot Jail | Demonstrative_Examples | None
244 | Failure to Clear Heap Memory Before Release ('Heap Inspection') | Demonstrative_Examples, Name | None
247 | Reliance on DNS Lookups in a Security Decision | Relationships, Taxonomy_Mappings | None
249 | Often Misused: Path Manipulation | Demonstrative_Examples | None
250 | Execution with Unnecessary Privileges | Related_Attack_Patterns | None
252 | Unchecked Return Value | Demonstrative_Examples | None
269 | Improper Privilege Management | Name | None
272 | Least Privilege Violation | Demonstrative_Examples | None
273 | Improper Check for Dropped Privileges | Name | None
274 | Improper Handling of Insufficient Privileges | Description, Name | None
276 | Incorrect Default Permissions | Description, Name | None
279 | Incorrect Execution-Assigned Permissions | Description, Name | None
281 | Improper Preservation of Permissions | Description, Name | None
285 | Improper Access Control (Authorization) | Description, Related_Attack_Patterns | None
287 | Improper Authentication | Description, Related_Attack_Patterns | None
292 | Trusting Self-reported DNS Name | Demonstrative_Examples | None
294 | Authentication Bypass by Capture-replay | Related_Attack_Patterns | None
296 | Improper Following of Chain of Trust for Certificate Validation | Demonstrative_Examples | None
297 | Improper Validation of Host-specific Certificate Data | Demonstrative_Examples | None
298 | Improper Validation of Certificate Expiration | Demonstrative_Examples | None
299 | Improper Check for Certificate Revocation | Relationships | None
300 | Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | Name | None
303 | Incorrect Implementation of Authentication Algorithm | Description, Name | None
319 | Cleartext Transmission of Sensitive Information | Related_Attack_Patterns | None
321 | Use of Hard-coded Cryptographic Key | Demonstrative_Examples | None
324 | Use of a Key Past its Expiration Date | Demonstrative_Examples | None
326 | Weak Encryption | Related_Attack_Patterns | None
330 | Use of Insufficiently Random Values | Demonstrative_Examples, Related_Attack_Patterns | None
333 | Improper Handling of Insufficient Entropy in TRNG | Description, Name | None
345 | Insufficient Verification of Data Authenticity | Related_Attack_Patterns | None
346 | Origin Validation Error | Related_Attack_Patterns | None
347 | Improper Verification of Cryptographic Signature | Description, Name | None
350 | Improperly Trusted Reverse DNS | Relationships | None
352 | Cross-Site Request Forgery (CSRF) | Demonstrative_Examples, Related_Attack_Patterns | None
357 | Insufficient UI Warning of Dangerous Operations | Description | None
358 | Improperly Implemented Security Check for Standard | Description | None
362 | Race Condition | Relationships | None
367 | Time-of-check Time-of-use (TOCTOU) Race Condition | Demonstrative_Examples | None
369 | Divide By Zero | Demonstrative_Examples | None
370 | Missing Check for Certificate Revocation after Initial Check | Name, Relationships | None
377 | Insecure Temporary File | Demonstrative_Examples | None
379 | Creation of Temporary File in Directory with Incorrect Permissions | Description, Name | None
391 | Unchecked Error Condition | Demonstrative_Examples | None
395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference | Demonstrative_Examples | None
396 | Declaration of Catch for Generic Exception | Demonstrative_Examples | None
397 | Declaration of Throws for Generic Exception | Demonstrative_Examples | None
399 | Resource Management Errors | Relationships | None
400 | Uncontrolled Resource Consumption ('Resource Exhaustion') | Name, Relationships | None
401 | Failure to Release Memory Before Removing Last Reference ('Memory Leak') | Name | None
402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | Name | None
404 | Improper Resource Shutdown or Release | Description, Relationships | None
408 | Incorrect Behavior Order: Early Amplification | Description | None
409 | Improper Handling of Highly Compressed Data (Data Amplification) | Description, Name | None
415 | Double Free | Demonstrative_Examples | None
416 | Use After Free | Demonstrative_Examples | None
431 | Missing Handler | Demonstrative_Examples | None
436 | Interpretation Conflict | Related_Attack_Patterns | None
444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') | Name, Related_Attack_Patterns | None
457 | Use of Uninitialized Variable | Demonstrative_Examples | None
459 | Incomplete Cleanup | Relationship_Notes, Relationships | None
460 | Improper Cleanup on Thrown Exception | Description | None
468 | Incorrect Pointer Scaling | Demonstrative_Examples | None
470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | Demonstrative_Examples, Name | None
476 | NULL Pointer Dereference | Demonstrative_Examples | None
477 | Use of Obsolete Functions | Demonstrative_Examples | None
478 | Missing Default Case in Switch Statement | Description, Name | None
481 | Assigning instead of Comparing | Demonstrative_Examples | None
483 | Incorrect Block Delimitation | Demonstrative_Examples | None
485 | Insufficient Encapsulation | Relationships | None
488 | Data Leak Between Sessions | Demonstrative_Examples | None
491 | Public cloneable() Method Without Final ('Object Hijack') | Name | None
493 | Critical Public Variable Without Final Modifier | Background_Details, Demonstrative_Examples, Description, Relationships | None
497 | Information Leak of System Data | Demonstrative_Examples | None
500 | Public Static Field Not Marked Final | Relationships | None
521 | Weak Password Requirements | Related_Attack_Patterns | None
522 | Insufficiently Protected Credentials | Related_Attack_Patterns | None
523 | Unprotected Transport of Credentials | Related_Attack_Patterns | None
558 | Use of getlogin() in Multithreaded Application | Demonstrative_Examples, Taxonomy_Mappings | None
561 | Dead Code | Demonstrative_Examples | None
562 | Return of Stack Variable Address | Demonstrative_Examples | None
563 | Unused Variable | Demonstrative_Examples | None
564 | SQL Injection: Hibernate | Related_Attack_Patterns | None
572 | Call to Thread run() instead of start() | Demonstrative_Examples | None
579 | J2EE Bad Practices: Non-serializable Object Stored in Session | Demonstrative_Examples | None
582 | Array Declared Public, Final, and Static | Demonstrative_Examples | None
583 | finalize() Method Declared Public | Demonstrative_Examples | None
584 | Return Inside Finally Block | Demonstrative_Examples | None
585 | Empty Synchronized Block | Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, References | None
586 | Explicit Call to Finalize() | Demonstrative_Examples | None
590 | Free of Memory not on the Heap | Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Other_Notes, Potential_Mitigations, References, Relationships | None
591 | Sensitive Data Storage in Improperly Locked Memory | Description, Other_Notes | None
592 | Authentication Bypass Issues | Related_Attack_Patterns | None
593 | Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created | None | Other_Notes
595 | Comparison of Object References Instead of Object Contents | Name | None
597 | Use of Wrong Operator in String Comparison | Demonstrative_Examples | None
600 | Failure to Catch All Exceptions in Servlet | Demonstrative_Examples | None
601 | URL Redirection to Untrusted Site ('Open Redirect') | Name | None
602 | Client-Side Enforcement of Server-Side Security | Demonstrative_Examples | None
604 | Deprecated Entries | Relationships | None
605 | Multiple Binds to the Same Port | Demonstrative_Examples | None
606 | Unchecked Input for Loop Condition | Demonstrative_Examples | None
609 | Double-Checked Locking | Relationships | None
614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Related_Attack_Patterns | None
619 | Dangling Database Cursor ('Cursor Injection') | Name | None
620 | Unverified Password Change | Demonstrative_Examples | None
625 | Permissive Regular Expression | Demonstrative_Examples | None
633 | Weaknesses that Affect Memory | Relationships | None
636 | Not Failing Securely ('Failing Open') | Name | None
638 | Failure to Use Complete Mediation | Related_Attack_Patterns | None
639 | Access Control Bypass Through User-Controlled Key | Relationships | None
640 | Weak Password Recovery Mechanism for Forgotten Password | Related_Attack_Patterns | None
643 | Failure to Sanitize Data within XPath Expressions ('XPath injection') | Name | None
644 | Improper Sanitization of HTTP Headers for Scripting Syntax | Description, Name | None
648 | Incorrect Use of Privileged APIs | Name, Related_Attack_Patterns | None
652 | Failure to Sanitize Data within XQuery Expressions ('XQuery Injection') | Name | None
654 | Reliance on a Single Factor in a Security Decision | Relationships | None
655 | Insufficient Psychological Acceptability | Name | None
662 | Insufficient Synchronization | Relationships | None
664 | Improper Control of a Resource Through its Lifetime | Description, Name, Relationships | None
665 | Improper Initialization | Description, Relationships | None
667 | Insufficient Locking | Relationships | None
668 | Exposure of Resource to Wrong Sphere | Relationships | None
675 | Duplicate Operations on Resource | Relationships | None
682 | Incorrect Calculation | Demonstrative_Examples | None
683 | Function Call With Incorrect Order of Arguments | Demonstrative_Examples | None
685 | Function Call With Incorrect Number of Arguments | Description | None
686 | Function Call With Incorrect Argument Type | Description | None
687 | Function Call With Incorrectly Specified Argument Value | Description | None
688 | Function Call With Incorrect Variable or Reference as Argument | Description | None
691 | Insufficient Control Flow Management | Relationships | None
693 | Protection Mechanism Failure | Description, Related_Attack_Patterns | None
696 | Incorrect Behavior Order | Description | None
697 | Insufficient Comparison | Description | None
704 | Incorrect Type Conversion or Cast | Description | None
707 | Improper Enforcement of Message or Data Structure | Description, Name | None
708 | Incorrect Ownership Assignment | Description | None
715 | OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference | Relationships | None
732 | Incorrect Permission Assignment for Critical Resource | Name | None