CWE

Common Weakness Enumeration

Differences between Version 1.3 and Version 1.4

Summary
Total (Version 1.4) 777
Total (Version 1.3) 762
Total new 15
Total deprecated 1
Total shared 762
Total important changes 114
Total major changes 197
Total minor changes 1
Total minor changes (no major) 1
Total unchanged 564

Summary of Entry Types

Type Version 1.3 Version 1.4
Category 103 104
Chain 3 3
Composite 9 9
Deprecated 8 9
View 22 22
Weakness 617 630

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Affected_Resources 0 0
Alternate_Terms 2 0
Applicable_Platforms 2 0
Background_Details 1 0
Black_Box_Definitions 0 0
Causal_Nature 0 0
Common_Consequences 3 0
Common_Methods_of_Exploitation 0 0
Context_Notes 0 0
Demonstrative_Examples 75 0
Description 57 0
Detection_Factors 0 0
Enabling_Factors_for_Exploitation 0 0
Functional_Areas 0 0
Likelihood_of_Exploit 1 0
Maintenance_Notes 1 0
Modes_of_Introduction 0 0
Name 66 0
Observed_Examples 0 0
Other_Notes 7 1
Potential_Mitigations 3 0
References 4 0
Related_Attack_Patterns 31 0
Relationship_Notes 3 0
Relationships 35 0
Relevant_Properties 0 0
Research_Gaps 0 0
Source_Taxonomy 0 0
Taxonomy_Mappings 3 0
Terminology_Notes 0 0
Theoretical_Notes 0 0
Time_of_Introduction 2 0
Type 1 0
View_Audience 0 0
View_Filter 0 0
View_Structure 0 0
View_Type 0 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0

Form and Abstraction Changes

From           To          Total
Unchanged                  761
Weakness/Base  Deprecated  1

Relationship Changes

The "Version 1.4 Total" lists the total number of relationships in Version 1.4. The "Shared" value is the total number of relationships in entries that were in both Version 1.4 and Version 1.3. The "New" value is the total number of relationships involving entries that did not exist in Version 1.3. Thus, the total number of relationships in Version 1.4 would combine stats from Shared entries and New entries.

Relationship  Version 1.4 Total  Version 1.3 Total  Version 1.4 Shared  Unchanged  Added to Version 1.4  Removed from Version 1.4  Version 1.4 New
ALL           4591               4529               4521                4501       20                    28                        70
CanAlsoBe     38                 38                 38                  38         0                     0                         0
CanFollow     79                 78                 79                  78         1                     0                         0
CanPrecede    79                 78                 79                  78         1                     0                         0
ChildOf       1961               1931               1926                1918       8                     13                        35
HasMember     115                114                115                 114        1                     0                         0
MemberOf      115                114                115                 114        1                     0                         0
ParentOf      1961               1931               1926                1918       8                     13                        35
PeerOf        186                188                186                 186        0                     2                         0
RequiredBy    27                 27                 27                  27         0                     0                         0
Requires      27                 27                 27                  27         0                     0                         0
StartsWith    3                  3                  3                   3          0                     0                         0

Nodes Removed from Version 1.3

CWE-ID CWE Name
None.

Nodes Added to Version 1.4

CWE-ID CWE Name
761 Free of Pointer not at Start of Buffer
762 Mismatched Memory Management Routines
763 Release of Invalid Pointer or Reference
764 Multiple Locks of a Critical Resource
765 Multiple Unlocks of a Critical Resource
766 Critical Variable Declared Public
767 Access to Critical Private Variable via Public Method
768 Incorrect Short Circuit Evaluation
769 File Descriptor Exhaustion
770 Allocation of Resources Without Limits or Throttling
771 Missing Reference to Active Allocated Resource
772 Missing Release of Resource after Effective Lifetime
773 Missing Reference to Active File Descriptor or Handle
774 Allocation of File Descriptors or Handles Without Limits or Throttling
775 Missing Release of File Descriptor or Handle after Effective Lifetime

Nodes Deprecated in Version 1.4

CWE-ID CWE Name
217 DEPRECATED: Failure to Protect Stored Data from Modification

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

D 6 J2EE Misconfiguration: Insufficient Session-ID Length
N 41 Improper Resolution of Path Equivalence
R 45 Path Equivalence: 'file...name' (Multiple Internal Dot)
DN 59 Improper Link Resolution Before File Access ('Link Following')
N 72 Improper Handling of Apple HFS+ Alternate Data Stream Path
N 74 Failure to Sanitize Data into a Different Plane ('Injection')
N 77 Failure to Sanitize Data into a Control Plane ('Command Injection')
N 78 Failure to Preserve OS Command Structure ('OS Command Injection')
N 79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
DN 80 Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS)
DN 81 Improper Sanitization of Script in an Error Message Web Page
DN 82 Improper Sanitization of Script in Attributes of IMG Tags in a Web Page
N 89 Failure to Preserve SQL Query Structure ('SQL Injection')
N 90 Failure to Sanitize Data into LDAP Queries ('LDAP Injection')
DN 92 Improper Sanitization of Custom Special Characters
N 93 Failure to Sanitize CRLF Sequences ('CRLF Injection')
N 94 Failure to Control Generation of Code ('Code Injection')
DN 95 Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection')
DN 96 Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')
DN 98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
DN 99 Improper Control of Resource Identifiers ('Resource Injection')
N 113 Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
DN 117 Improper Output Sanitization for Logs
N 118 Improper Access of Indexable Resource ('Range Error')
R 123 Write-what-where Condition
D 135 Incorrect Calculation of Multi-Byte String Length
DN 160 Improper Sanitization of Leading Special Elements
DN 161 Improper Sanitization of Multiple Leading Special Elements
DN 162 Improper Sanitization of Trailing Special Elements
DNR 163 Improper Sanitization of Multiple Trailing Special Elements
DN 164 Improper Sanitization of Internal Special Elements
DNR 165 Improper Sanitization of Multiple Internal Special Elements
DN 166 Improper Handling of Missing Special Element
DN 167 Improper Handling of Additional Special Element
R 171 Cleansing, Canonicalization, and Comparison Errors
D 184 Incomplete Blacklist
D 198 Use of Incorrect Byte Ordering
R 216 Containment Errors (Container Errors)
DNR 217 DEPRECATED: Failure to Protect Stored Data from Modification
R 226 Sensitive Information Uncleared Before Release
NR 227 Failure to Fulfill API Contract ('API Abuse')
N 244 Failure to Clear Heap Memory Before Release ('Heap Inspection')
R 247 Reliance on DNS Lookups in a Security Decision
N 269 Improper Privilege Management
N 273 Improper Check for Dropped Privileges
DN 274 Improper Handling of Insufficient Privileges
DN 276 Incorrect Default Permissions
DN 279 Incorrect Execution-Assigned Permissions
DN 281 Improper Preservation of Permissions
D 285 Improper Access Control (Authorization)
D 287 Improper Authentication
R 299 Improper Check for Certificate Revocation
N 300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
DN 303 Incorrect Implementation of Authentication Algorithm
DN 333 Improper Handling of Insufficient Entropy in TRNG
DN 347 Improper Verification of Cryptographic Signature
R 350 Improperly Trusted Reverse DNS
D 357 Insufficient UI Warning of Dangerous Operations
D 358 Improperly Implemented Security Check for Standard
R 362 Race Condition
NR 370 Missing Check for Certificate Revocation after Initial Check
DN 379 Creation of Temporary File in Directory with Incorrect Permissions
R 399 Resource Management Errors
NR 400 Uncontrolled Resource Consumption ('Resource Exhaustion')
N 401 Failure to Release Memory Before Removing Last Reference ('Memory Leak')
N 402 Transmission of Private Resources into a New Sphere ('Resource Leak')
DR 404 Improper Resource Shutdown or Release
D 408 Incorrect Behavior Order: Early Amplification
DN 409 Improper Handling of Highly Compressed Data (Data Amplification)
N 444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
R 459 Incomplete Cleanup
D 460 Improper Cleanup on Thrown Exception
N 470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
DN 478 Missing Default Case in Switch Statement
R 485 Insufficient Encapsulation
N 491 Public cloneable() Method Without Final ('Object Hijack')
DR 493 Critical Public Variable Without Final Modifier
R 500 Public Static Field Not Marked Final
D 585 Empty Synchronized Block
DNR 590 Free of Memory not on the Heap
D 591 Sensitive Data Storage in Improperly Locked Memory
N 595 Comparison of Object References Instead of Object Contents
N 601 URL Redirection to Untrusted Site ('Open Redirect')
R 604 Deprecated Entries
R 609 Double-Checked Locking
N 619 Dangling Database Cursor ('Cursor Injection')
R 633 Weaknesses that Affect Memory
N 636 Not Failing Securely ('Failing Open')
R 639 Access Control Bypass Through User-Controlled Key
N 643 Failure to Sanitize Data within XPath Expressions ('XPath injection')
DN 644 Improper Sanitization of HTTP Headers for Scripting Syntax
N 648 Incorrect Use of Privileged APIs
N 652 Failure to Sanitize Data within XQuery Expressions ('XQuery Injection')
R 654 Reliance on a Single Factor in a Security Decision
N 655 Insufficient Psychological Acceptability
R 662 Insufficient Synchronization
DNR 664 Improper Control of a Resource Through its Lifetime
DR 665 Improper Initialization
R 667 Insufficient Locking
R 668 Exposure of Resource to Wrong Sphere
R 675 Duplicate Operations on Resource
D 685 Function Call With Incorrect Number of Arguments
D 686 Function Call With Incorrect Argument Type
D 687 Function Call With Incorrectly Specified Argument Value
D 688 Function Call With Incorrect Variable or Reference as Argument
R 691 Insufficient Control Flow Management
D 693 Protection Mechanism Failure
D 696 Incorrect Behavior Order
D 697 Insufficient Comparison
D 704 Incorrect Type Conversion or Cast
DN 707 Improper Enforcement of Message or Data Structure
D 708 Incorrect Ownership Assignment
R 715 OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
N 732 Incorrect Permission Assignment for Critical Resource

Detailed Difference Report
6 J2EE Misconfiguration: Insufficient Session-ID Length
Major Description, Other_Notes, References
Minor None
14 Compiler Removal of Code to Clear Buffers
Major Demonstrative_Examples
Minor None
15 External Control of System or Configuration Setting
Major Demonstrative_Examples
Minor None
20 Improper Input Validation
Major Related_Attack_Patterns
Minor None
41 Improper Resolution of Path Equivalence
Major Name
Minor None
45 Path Equivalence: 'file...name' (Multiple Internal Dot)
Major Relationships
Minor None
59 Improper Link Resolution Before File Access ('Link Following')
Major Description, Name
Minor None
72 Improper Handling of Apple HFS+ Alternate Data Stream Path
Major Name
Minor None
74 Failure to Sanitize Data into a Different Plane ('Injection')
Major Name, Related_Attack_Patterns
Minor None
77 Failure to Sanitize Data into a Control Plane ('Command Injection')
Major Demonstrative_Examples, Name
Minor None
78 Failure to Preserve OS Command Structure ('OS Command Injection')
Major Name, Related_Attack_Patterns
Minor None
79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
Major Name
Minor None
80 Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Demonstrative_Examples, Description, Name
Minor None
81 Improper Sanitization of Script in an Error Message Web Page
Major Description, Name
Minor None
82 Improper Sanitization of Script in Attributes of IMG Tags in a Web Page
Major Description, Name
Minor None
89 Failure to Preserve SQL Query Structure ('SQL Injection')
Major Demonstrative_Examples, Name, Related_Attack_Patterns
Minor None
90 Failure to Sanitize Data into LDAP Queries ('LDAP Injection')
Major Name
Minor None
92 Improper Sanitization of Custom Special Characters
Major Description, Name
Minor None
93 Failure to Sanitize CRLF Sequences ('CRLF Injection')
Major Name
Minor None
94 Failure to Control Generation of Code ('Code Injection')
Major Demonstrative_Examples, Name
Minor None
95 Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Description, Name, References
Minor None
96 Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')
Major Description, Name
Minor None
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Major Description, Name
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Description, Name
Minor None
100 Technology-Specific Input Validation Problems
Major Related_Attack_Patterns
Minor None
112 Missing XML Validation
Major Demonstrative_Examples
Minor None
113 Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Name
Minor None
114 Process Control
Major Related_Attack_Patterns
Minor None
116 Improper Encoding or Escaping of Output
Major Related_Attack_Patterns
Minor None
117 Improper Output Sanitization for Logs
Major Demonstrative_Examples, Description, Name, Related_Attack_Patterns
Minor None
118 Improper Access of Indexable Resource ('Range Error')
Major Name
Minor None
119 Failure to Constrain Operations within the Bounds of a Memory Buffer
Major Demonstrative_Examples
Minor None
123 Write-what-where Condition
Major Relationships
Minor None
134 Uncontrolled Format String
Major Demonstrative_Examples
Minor None
135 Incorrect Calculation of Multi-Byte String Length
Major Description
Minor None
160 Improper Sanitization of Leading Special Elements
Major Description, Name
Minor None
161 Improper Sanitization of Multiple Leading Special Elements
Major Description, Name
Minor None
162 Improper Sanitization of Trailing Special Elements
Major Description, Name
Minor None
163 Improper Sanitization of Multiple Trailing Special Elements
Major Description, Name, Relationships
Minor None
164 Improper Sanitization of Internal Special Elements
Major Description, Name
Minor None
165 Improper Sanitization of Multiple Internal Special Elements
Major Description, Name, Relationships
Minor None
166 Improper Handling of Missing Special Element
Major Description, Name
Minor None
167 Improper Handling of Additional Special Element
Major Description, Name
Minor None
170 Improper Null Termination
Major Demonstrative_Examples
Minor None
171 Cleansing, Canonicalization, and Comparison Errors
Major Relationships
Minor None
176 Failure to Handle Unicode Encoding
Major Demonstrative_Examples
Minor None
180 Incorrect Behavior Order: Validate Before Canonicalize
Major Other_Notes, Relationship_Notes
Minor None
184 Incomplete Blacklist
Major Description, Other_Notes, Relationship_Notes, Time_of_Introduction
Minor None
190 Integer Overflow or Wraparound
Major Demonstrative_Examples
Minor None
191 Integer Underflow (Wrap or Wraparound)
Major Demonstrative_Examples
Minor None
194 Unexpected Sign Extension
Major Demonstrative_Examples
Minor None
195 Signed to Unsigned Conversion Error
Major Demonstrative_Examples
Minor None
196 Unsigned to Signed Conversion Error
Major Demonstrative_Examples
Minor None
197 Numeric Truncation Error
Major Demonstrative_Examples
Minor None
198 Use of Incorrect Byte Ordering
Major Description
Minor None
215 Information Leak Through Debug Information
Major Demonstrative_Examples
Minor None
216 Containment Errors (Container Errors)
Major Relationships
Minor None
217 DEPRECATED: Failure to Protect Stored Data from Modification
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
226 Sensitive Information Uncleared Before Release
Major Relationships
Minor None
227 Failure to Fulfill API Contract ('API Abuse')
Major Name, Relationships
Minor None
243 Failure to Change Working Directory in chroot Jail
Major Demonstrative_Examples
Minor None
244 Failure to Clear Heap Memory Before Release ('Heap Inspection')
Major Demonstrative_Examples, Name
Minor None
247 Reliance on DNS Lookups in a Security Decision
Major Relationships, Taxonomy_Mappings
Minor None
249 Often Misused: Path Manipulation
Major Demonstrative_Examples
Minor None
250 Execution with Unnecessary Privileges
Major Related_Attack_Patterns
Minor None
252 Unchecked Return Value
Major Demonstrative_Examples
Minor None
269 Improper Privilege Management
Major Name
Minor None
272 Least Privilege Violation
Major Demonstrative_Examples
Minor None
273 Improper Check for Dropped Privileges
Major Name
Minor None
274 Improper Handling of Insufficient Privileges
Major Description, Name
Minor None
276 Incorrect Default Permissions
Major Description, Name
Minor None
279 Incorrect Execution-Assigned Permissions
Major Description, Name
Minor None
281 Improper Preservation of Permissions
Major Description, Name
Minor None
285 Improper Access Control (Authorization)
Major Description, Related_Attack_Patterns
Minor None
287 Improper Authentication
Major Description, Related_Attack_Patterns
Minor None
292 Trusting Self-reported DNS Name
Major Demonstrative_Examples
Minor None
294 Authentication Bypass by Capture-replay
Major Related_Attack_Patterns
Minor None
296 Improper Following of Chain of Trust for Certificate Validation
Major Demonstrative_Examples
Minor None
297 Improper Validation of Host-specific Certificate Data
Major Demonstrative_Examples
Minor None
298 Improper Validation of Certificate Expiration
Major Demonstrative_Examples
Minor None
299 Improper Check for Certificate Revocation
Major Relationships
Minor None
300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Major Name
Minor None
303 Incorrect Implementation of Authentication Algorithm
Major Description, Name
Minor None
319 Cleartext Transmission of Sensitive Information
Major Related_Attack_Patterns
Minor None
321 Use of Hard-coded Cryptographic Key
Major Demonstrative_Examples
Minor None
324 Use of a Key Past its Expiration Date
Major Demonstrative_Examples
Minor None
326 Weak Encryption
Major Related_Attack_Patterns
Minor None
330 Use of Insufficiently Random Values
Major Demonstrative_Examples, Related_Attack_Patterns
Minor None
333 Improper Handling of Insufficient Entropy in TRNG
Major Description, Name
Minor None
345 Insufficient Verification of Data Authenticity
Major Related_Attack_Patterns
Minor None
346 Origin Validation Error
Major Related_Attack_Patterns
Minor None
347 Improper Verification of Cryptographic Signature
Major Description, Name
Minor None
350 Improperly Trusted Reverse DNS
Major Relationships
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Demonstrative_Examples, Related_Attack_Patterns
Minor None
357 Insufficient UI Warning of Dangerous Operations
Major Description
Minor None
358 Improperly Implemented Security Check for Standard
Major Description
Minor None
362 Race Condition
Major Relationships
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Demonstrative_Examples
Minor None
369 Divide By Zero
Major Demonstrative_Examples
Minor None
370 Missing Check for Certificate Revocation after Initial Check
Major Name, Relationships
Minor None
377 Insecure Temporary File
Major Demonstrative_Examples
Minor None
379 Creation of Temporary File in Directory with Incorrect Permissions
Major Description, Name
Minor None
391 Unchecked Error Condition
Major Demonstrative_Examples
Minor None
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major Demonstrative_Examples
Minor None
396 Declaration of Catch for Generic Exception
Major Demonstrative_Examples
Minor None
397 Declaration of Throws for Generic Exception
Major Demonstrative_Examples
Minor None
399 Resource Management Errors
Major Relationships
Minor None
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major Name, Relationships
Minor None
401 Failure to Release Memory Before Removing Last Reference ('Memory Leak')
Major Name
Minor None
402 Transmission of Private Resources into a New Sphere ('Resource Leak')
Major Name
Minor None
404 Improper Resource Shutdown or Release
Major Description, Relationships
Minor None
408 Incorrect Behavior Order: Early Amplification
Major Description
Minor None
409 Improper Handling of Highly Compressed Data (Data Amplification)
Major Description, Name
Minor None
415 Double Free
Major Demonstrative_Examples
Minor None
416 Use After Free
Major Demonstrative_Examples
Minor None
431 Missing Handler
Major Demonstrative_Examples
Minor None
436 Interpretation Conflict
Major Related_Attack_Patterns
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Major Name, Related_Attack_Patterns
Minor None
457 Use of Uninitialized Variable
Major Demonstrative_Examples
Minor None
459 Incomplete Cleanup
Major Relationship_Notes, Relationships
Minor None
460 Improper Cleanup on Thrown Exception
Major Description
Minor None
468 Incorrect Pointer Scaling
Major Demonstrative_Examples
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major Demonstrative_Examples, Name
Minor None
476 NULL Pointer Dereference
Major Demonstrative_Examples
Minor None
477 Use of Obsolete Functions
Major Demonstrative_Examples
Minor None
478 Missing Default Case in Switch Statement
Major Description, Name
Minor None
481 Assigning instead of Comparing
Major Demonstrative_Examples
Minor None
483 Incorrect Block Delimitation
Major Demonstrative_Examples
Minor None
485 Insufficient Encapsulation
Major Relationships
Minor None
488 Data Leak Between Sessions
Major Demonstrative_Examples
Minor None
491 Public cloneable() Method Without Final ('Object Hijack')
Major Name
Minor None
493 Critical Public Variable Without Final Modifier
Major Background_Details, Demonstrative_Examples, Description, Relationships
Minor None
497 Information Leak of System Data
Major Demonstrative_Examples
Minor None
500 Public Static Field Not Marked Final
Major Relationships
Minor None
521 Weak Password Requirements
Major Related_Attack_Patterns
Minor None
522 Insufficiently Protected Credentials
Major Related_Attack_Patterns
Minor None
523 Unprotected Transport of Credentials
Major Related_Attack_Patterns
Minor None
558 Use of getlogin() in Multithreaded Application
Major Demonstrative_Examples, Taxonomy_Mappings
Minor None
561 Dead Code
Major Demonstrative_Examples
Minor None
562 Return of Stack Variable Address
Major Demonstrative_Examples
Minor None
563 Unused Variable
Major Demonstrative_Examples
Minor None
564 SQL Injection: Hibernate
Major Related_Attack_Patterns
Minor None
572 Call to Thread run() instead of start()
Major Demonstrative_Examples
Minor None
579 J2EE Bad Practices: Non-serializable Object Stored in Session
Major Demonstrative_Examples
Minor None
582 Array Declared Public, Final, and Static
Major Demonstrative_Examples
Minor None
583 finalize() Method Declared Public
Major Demonstrative_Examples
Minor None
584 Return Inside Finally Block
Major Demonstrative_Examples
Minor None
585 Empty Synchronized Block
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, References
Minor None
586 Explicit Call to Finalize()
Major Demonstrative_Examples
Minor None
590 Free of Memory not on the Heap
Major Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Other_Notes, Potential_Mitigations, References, Relationships
Minor None
591 Sensitive Data Storage in Improperly Locked Memory
Major Description, Other_Notes
Minor None
592 Authentication Bypass Issues
Major Related_Attack_Patterns
Minor None
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Major None
Minor Other_Notes
595 Comparison of Object References Instead of Object Contents
Major Name
Minor None
597 Use of Wrong Operator in String Comparison
Major Demonstrative_Examples
Minor None
600 Failure to Catch All Exceptions in Servlet
Major Demonstrative_Examples
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Name
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Demonstrative_Examples
Minor None
604 Deprecated Entries
Major Relationships
Minor None
605 Multiple Binds to the Same Port
Major Demonstrative_Examples
Minor None
606 Unchecked Input for Loop Condition
Major Demonstrative_Examples
Minor None
609 Double-Checked Locking
Major Relationships
Minor None
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major Related_Attack_Patterns
Minor None
619 Dangling Database Cursor ('Cursor Injection')
Major Name
Minor None
620 Unverified Password Change
Major Demonstrative_Examples
Minor None
625 Permissive Regular Expression
Major Demonstrative_Examples
Minor None
633 Weaknesses that Affect Memory
Major Relationships
Minor None
636 Not Failing Securely ('Failing Open')
Major Name
Minor None
638 Failure to Use Complete Mediation
Major Related_Attack_Patterns
Minor None
639 Access Control Bypass Through User-Controlled Key
Major Relationships
Minor None
640 Weak Password Recovery Mechanism for Forgotten Password
Major Related_Attack_Patterns
Minor None
643 Failure to Sanitize Data within XPath Expressions ('XPath injection')
Major Name
Minor None
644 Improper Sanitization of HTTP Headers for Scripting Syntax
Major Description, Name
Minor None
648 Incorrect Use of Privileged APIs
Major Name, Related_Attack_Patterns
Minor None
652 Failure to Sanitize Data within XQuery Expressions ('XQuery Injection')
Major Name
Minor None
654 Reliance on a Single Factor in a Security Decision
Major Relationships
Minor None
655 Insufficient Psychological Acceptability
Major Name
Minor None
662 Insufficient Synchronization
Major Relationships
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Description, Name, Relationships
Minor None
665 Improper Initialization
Major Description, Relationships
Minor None
667 Insufficient Locking
Major Relationships
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
675 Duplicate Operations on Resource
Major Relationships
Minor None
682 Incorrect Calculation
Major Demonstrative_Examples
Minor None
683 Function Call With Incorrect Order of Arguments
Major Demonstrative_Examples
Minor None
685 Function Call With Incorrect Number of Arguments
Major Description
Minor None
686 Function Call With Incorrect Argument Type
Major Description
Minor None
687 Function Call With Incorrectly Specified Argument Value
Major Description
Minor None
688 Function Call With Incorrect Variable or Reference as Argument
Major Description
Minor None
691 Insufficient Control Flow Management
Major Relationships
Minor None
693 Protection Mechanism Failure
Major Description, Related_Attack_Patterns
Minor None
696 Incorrect Behavior Order
Major Description
Minor None
697 Insufficient Comparison
Major Description
Minor None
704 Incorrect Type Conversion or Cast
Major Description
Minor None
707 Improper Enforcement of Message or Data Structure
Major Description, Name
Minor None
708 Incorrect Ownership Assignment
Major Description
Minor None
715 OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
Major Relationships
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Name
Minor None
Page Last Updated: January 05, 2017