
Common Weakness Enumeration
Differences between Version 1.4 and Version 1.5

Summary
Total (Version 1.5) 787
Total (Version 1.4) 777
Total new 10
Total deprecated 2
Total shared 777
Total important changes 69
Total major changes 197
Total minor changes 1
Total minor changes (no major)
Total unchanged 580

Summary of Entry Types

Type Version 1.4 Version 1.5
Category 104 104
Chain 3 3
Composite 9 9
Deprecated 9 11
View 22 22
Weakness 630 638

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Affected_Resources 1 0
Alternate_Terms 1 0
Applicable_Platforms 4 0
Background_Details 2 0
Black_Box_Definitions 0 0
Causal_Nature 1 0
Common_Consequences 12 0
Common_Methods_of_Exploitation 0 0
Context_Notes 0 0
Demonstrative_Examples 38 0
Description 29 1
Detection_Factors 0 0
Enabling_Factors_for_Exploitation 0 0
Functional_Areas 1 0
Likelihood_of_Exploit 1 0
Maintenance_Notes 8 0
Modes_of_Introduction 2 0
Name 8 0
Observed_Examples 11 0
Other_Notes 32 0
Potential_Mitigations 85 0
References 0 0
Related_Attack_Patterns 14 0
Relationship_Notes 8 0
Relationships 48 0
Relevant_Properties 0 0
Research_Gaps 3 0
Source_Taxonomy 0 0
Taxonomy_Mappings 6 0
Terminology_Notes 0 0
Theoretical_Notes 1 0
Time_of_Introduction 2 0
Type 2 0
View_Audience 0 0
View_Filter 0 0
View_Structure 0 0
View_Type 0 0
Weakness_Ordinalities 3 0
White_Box_Definitions 14 0

Form and Abstraction Changes

From              To          Total
(Unchanged)                   775
Weakness/Base     Deprecated  1
Weakness/Variant  Deprecated  1

Relationship Changes

The "Version 1.5 Total" lists the total number of relationships in Version 1.5. The "Shared" value is the total number of relationships in entries that were in both Version 1.5 and Version 1.4. The "New" value is the total number of relationships involving entries that did not exist in Version 1.4. Thus, the total number of relationships in Version 1.5 would combine stats from Shared entries and New entries.

A dash marks a cell left blank in the report.

Relationship   Version 1.5 Total   Version 1.4 Total   Version 1.5 Shared   Unchanged   Added to Version 1.5   Removed from Version 1.5   Version 1.5 New
ALL            4629                4591                4561                 4543        18                     48                         68
CanAlsoBe      38                  38                  38                   38          -                      -                          -
CanFollow      80                  79                  79                   79          -                      -                          1
CanPrecede     80                  79                  79                   79          -                      -                          1
ChildOf        1977                1961                1944                 1937        7                      24                         33
HasMember      117                 115                 117                  115         2                      -                          -
MemberOf       117                 115                 117                  115         2                      -                          -
ParentOf       1977                1961                1944                 1937        7                      24                         33
PeerOf         186                 186                 186                  186         -                      -                          -
RequiredBy     27                  27                  27                   27          -                      -                          -
Requires       27                  27                  27                   27          -                      -                          -
StartsWith     3                   3                   3                    3           -                      -                          -

Nodes Removed from Version 1.4

CWE-ID CWE Name
None.

Nodes Added to Version 1.5

CWE-ID CWE Name
776 Unrestricted Recursive Entity References in DTDs ('XML Bomb')
777 Regular Expression without Anchors
778 Insufficient Logging
779 Logging of Excessive Data
780 Use of RSA Algorithm without OAEP
781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
782 Exposed IOCTL with Insufficient Access Control
783 Operator Precedence Logic Error
784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
785 Use of Path Manipulation Function without Maximum-sized Buffer

Nodes Deprecated in Version 1.5

CWE-ID CWE Name
92 DEPRECATED: Improper Sanitization of Custom Special Characters
249 DEPRECATED: Often Misused: Path Manipulation

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

D 11 ASP.NET Misconfiguration: Creating Debug Binary
R 20 Improper Input Validation
R 74 Failure to Sanitize Data into a Different Plane ('Injection')
DN 77 Improper Sanitization of Special Elements used in a Command ('Command Injection')
DN 78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
D 79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
DN 89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
NR 92 DEPRECATED: Improper Sanitization of Custom Special Characters
R 120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
D R 138 Improper Sanitization of Special Elements
D 197 Numeric Truncation Error
R 199 Information Management Errors
R 223 Omission of Security-relevant Information
DNR 249 DEPRECATED: Often Misused: Path Manipulation
R 254 Security Features
R 284 Access Control (Authorization) Issues
R 285 Improper Access Control (Authorization)
R 287 Improper Authentication
D 294 Authentication Bypass by Capture-replay
R 297 Improper Validation of Host-specific Certificate Data
R 310 Cryptographic Issues
R 322 Key Exchange without Entity Authentication
DN 326 Inadequate Encryption Strength
R 327 Use of a Broken or Risky Cryptographic Algorithm
D 368 Context Switching Race Condition
D 379 Creation of Temporary File in Directory with Incorrect Permissions
D 385 Covert Timing Channel
D R 400 Uncontrolled Resource Consumption ('Resource Exhaustion')
R 409 Improper Handling of Highly Compressed Data (Data Amplification)
DN 412 Unrestricted Externally Accessible Lock
D R 427 Uncontrolled Search Path Element
D R 428 Unquoted Search Path or Element
R 442 Web Problems
D R 464 Addition of Data Structure Sentinel
D 481 Assigning instead of Comparing
D 494 Download of Code Without Integrity Check
R 513 Intentionally Introduced Nonmalicious Weakness
R 514 Covert Channel
D 515 Covert Storage Channel
R 518 Inadvertently Introduced Weakness
R 531 Information Leak Through Test Code
D 532 Information Leak Through Log Files
R 541 Information Leak Through Include Source Code
R 549 Missing Password Field Masking
R 551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
R 552 Files or Directories Accessible to External Parties
DNR 565 Reliance on Cookies without Validation and Integrity Checking
D 566 Access Control Bypass Through User-Controlled SQL Primary Key
R 569 Expression Issues
D 572 Call to Thread run() instead of start()
D 580 clone() Method Without super.clone()
D 587 Assignment of a Fixed Address to a Pointer
D 593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
R 599 Trust of OpenSSL Certificate Without Validation
R 602 Client-Side Enforcement of Server-Side Security
R 604 Deprecated Entries
R 625 Permissive Regular Expression
R 632 Weaknesses that Affect Files or Directories
R 633 Weaknesses that Affect Memory
R 664 Improper Control of a Resource Through its Lifetime
D R 668 Exposure of Resource to Wrong Sphere
R 670 Always-Incorrect Control Flow Implementation
R 676 Use of Potentially Dangerous Function
R 693 Protection Mechanism Failure
R 707 Improper Enforcement of Message or Data Structure
R 737 CERT C Secure Coding Section 03 - Expressions (EXP)
R 749 Exposed Dangerous Method or Function
R 754 Improper Check for Exceptional Conditions
R 771 Missing Reference to Active Allocated Resource

Detailed Difference Report
8 J2EE Misconfiguration: Entity Bean Declared Remote
Major Demonstrative_Examples
Minor None
9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Major Demonstrative_Examples
Minor None
11 ASP.NET Misconfiguration: Creating Debug Binary
Major Background_Details, Common_Consequences, Demonstrative_Examples, Description, Other_Notes
Minor None
12 ASP.NET Misconfiguration: Missing Custom Error Page
Major Background_Details, Common_Consequences, Other_Notes
Minor None
13 ASP.NET Misconfiguration: Password in Configuration File
Major Demonstrative_Examples
Minor None
20 Improper Input Validation
Major Relationships
Minor None
22 Path Traversal
Major Potential_Mitigations
Minor None
23 Relative Path Traversal
Major Potential_Mitigations
Minor None
24 Path Traversal: '../filedir'
Major Potential_Mitigations
Minor Description
25 Path Traversal: '/../filedir'
Major Potential_Mitigations
Minor None
26 Path Traversal: '/dir/../filename'
Major Potential_Mitigations
Minor None
27 Path Traversal: 'dir/../../filename'
Major Potential_Mitigations
Minor None
28 Path Traversal: '..\filedir'
Major Potential_Mitigations
Minor None
29 Path Traversal: '\..\filename'
Major Potential_Mitigations
Minor None
30 Path Traversal: '\dir\..\filename'
Major Potential_Mitigations
Minor None
31 Path Traversal: 'dir\..\..\filename'
Major Potential_Mitigations
Minor None
32 Path Traversal: '...' (Triple Dot)
Major Potential_Mitigations
Minor None
33 Path Traversal: '....' (Multiple Dot)
Major Potential_Mitigations
Minor None
34 Path Traversal: '....//'
Major Potential_Mitigations
Minor None
35 Path Traversal: '.../...//'
Major Potential_Mitigations
Minor None
37 Path Traversal: '/absolute/pathname/here'
Major Potential_Mitigations
Minor None
38 Path Traversal: '\absolute\pathname\here'
Major Potential_Mitigations
Minor None
39 Path Traversal: 'C:dirname'
Major Potential_Mitigations
Minor None
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major Potential_Mitigations
Minor None
41 Improper Resolution of Path Equivalence
Major Potential_Mitigations
Minor None
61 UNIX Symbolic Link (Symlink) Following
Major Observed_Examples
Minor None
73 External Control of File Name or Path
Major Demonstrative_Examples
Minor None
74 Failure to Sanitize Data into a Different Plane ('Injection')
Major Relationships
Minor None
77 Improper Sanitization of Special Elements used in a Command ('Command Injection')
Major Demonstrative_Examples, Description, Name
Minor None
78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
Major Description, Name, White_Box_Definitions
Minor None
79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
Major Description
Minor None
80 Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major White_Box_Definitions
Minor None
87 Failure to Sanitize Alternate XSS Syntax
Major Related_Attack_Patterns
Minor None
88 Argument Injection or Modification
Major Other_Notes, Relationship_Notes
Minor None
89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
Major Description, Name, White_Box_Definitions
Minor None
92 DEPRECATED: Improper Sanitization of Custom Special Characters
Major Applicable_Platforms, Causal_Nature, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Time_of_Introduction, Type, Weakness_Ordinalities
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major White_Box_Definitions
Minor None
102 Struts: Duplicate Validation Forms
Major Demonstrative_Examples
Minor None
109 Struts: Validator Turned Off
Major Demonstrative_Examples
Minor None
110 Struts: Validator Without Form Field
Major Demonstrative_Examples
Minor None
113 Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Demonstrative_Examples, Potential_Mitigations
Minor None
114 Process Control
Major Demonstrative_Examples
Minor None
116 Improper Encoding or Escaping of Output
Major Demonstrative_Examples
Minor None
117 Improper Output Sanitization for Logs
Major Potential_Mitigations
Minor None
119 Failure to Constrain Operations within the Bounds of a Memory Buffer
Major Observed_Examples
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Other_Notes, Potential_Mitigations, Relationships
Minor None
121 Stack-based Buffer Overflow
Major Potential_Mitigations, White_Box_Definitions
Minor None
134 Uncontrolled Format String
Major White_Box_Definitions
Minor None
138 Improper Sanitization of Special Elements
Major Applicable_Platforms, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities
Minor None
140 Failure to Sanitize Delimiters
Major Potential_Mitigations
Minor None
141 Failure to Sanitize Parameter/Argument Delimiters
Major Potential_Mitigations
Minor None
142 Failure to Sanitize Value Delimiters
Major Potential_Mitigations
Minor None
143 Failure to Sanitize Record Delimiters
Major Potential_Mitigations
Minor None
144 Failure to Sanitize Line Delimiters
Major Potential_Mitigations
Minor None
145 Failure to Sanitize Section Delimiters
Major Potential_Mitigations
Minor None
146 Failure to Sanitize Expression/Command Delimiters
Major Potential_Mitigations
Minor None
147 Improper Sanitization of Input Terminators
Major Potential_Mitigations
Minor None
148 Failure to Sanitize Input Leaders
Major Potential_Mitigations
Minor None
149 Failure to Sanitize Quoting Syntax
Major Potential_Mitigations
Minor None
150 Failure to Sanitize Escape, Meta, or Control Sequences
Major Potential_Mitigations
Minor None
151 Improper Sanitization of Comment Delimiters
Major Observed_Examples, Potential_Mitigations
Minor None
152 Improper Sanitization of Macro Symbols
Major Potential_Mitigations
Minor None
153 Improper Sanitization of Substitution Characters
Major Potential_Mitigations
Minor None
154 Improper Sanitization of Variable Name Delimiters
Major Potential_Mitigations
Minor None
155 Improper Sanitization of Wildcards or Matching Symbols
Major Potential_Mitigations
Minor None
156 Improper Sanitization of Whitespace
Major Potential_Mitigations
Minor None
157 Failure to Sanitize Paired Delimiters
Major Potential_Mitigations
Minor None
158 Failure to Sanitize Null Byte or NUL Character
Major Potential_Mitigations
Minor None
159 Failure to Sanitize Special Element
Major Potential_Mitigations
Minor None
160 Improper Sanitization of Leading Special Elements
Major Potential_Mitigations
Minor None
161 Improper Sanitization of Multiple Leading Special Elements
Major Potential_Mitigations
Minor None
162 Improper Sanitization of Trailing Special Elements
Major Potential_Mitigations
Minor None
163 Improper Sanitization of Multiple Trailing Special Elements
Major Potential_Mitigations
Minor None
164 Improper Sanitization of Internal Special Elements
Major Potential_Mitigations
Minor None
165 Improper Sanitization of Multiple Internal Special Elements
Major Potential_Mitigations
Minor None
166 Improper Handling of Missing Special Element
Major Potential_Mitigations
Minor None
167 Improper Handling of Additional Special Element
Major Potential_Mitigations
Minor None
168 Failure to Resolve Inconsistent Special Elements
Major Potential_Mitigations
Minor None
170 Improper Null Termination
Major Common_Consequences, Other_Notes, Potential_Mitigations, White_Box_Definitions
Minor None
172 Encoding Error
Major Potential_Mitigations
Minor None
173 Failure to Handle Alternate Encoding
Major Potential_Mitigations
Minor None
174 Double Decoding of the Same Data
Major Potential_Mitigations
Minor None
175 Failure to Handle Mixed Encoding
Major Potential_Mitigations
Minor None
176 Failure to Handle Unicode Encoding
Major Potential_Mitigations
Minor None
177 Failure to Handle URL Encoding (Hex Encoding)
Major Potential_Mitigations
Minor None
178 Failure to Resolve Case Sensitivity
Major Potential_Mitigations
Minor None
182 Collapse of Data Into Unsafe Value
Major Potential_Mitigations
Minor None
183 Permissive Whitelist
Major Potential_Mitigations
Minor None
197 Numeric Truncation Error
Major Description, Observed_Examples, Other_Notes, Research_Gaps
Minor None
199 Information Management Errors
Major Relationships
Minor None
223 Omission of Security-relevant Information
Major Relationships
Minor None
241 Improper Handling of Unexpected Data Type
Major Potential_Mitigations
Minor None
247 Reliance on DNS Lookups in a Security Decision
Major Demonstrative_Examples
Minor None
249 DEPRECATED: Often Misused: Path Manipulation
Major Affected_Resources, Applicable_Platforms, Demonstrative_Examples, Description, Maintenance_Notes, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type, White_Box_Definitions
Minor None
252 Unchecked Return Value
Major Demonstrative_Examples
Minor None
254 Security Features
Major Relationships
Minor None
256 Plaintext Storage of a Password
Major Demonstrative_Examples
Minor None
259 Hard-Coded Password
Major Demonstrative_Examples, Related_Attack_Patterns, White_Box_Definitions
Minor None
261 Weak Cryptography for Passwords
Major Demonstrative_Examples
Minor None
284 Access Control (Authorization) Issues
Major Alternate_Terms, Relationships
Minor None
285 Improper Access Control (Authorization)
Major Relationships
Minor None
287 Improper Authentication
Major Relationships
Minor None
289 Authentication Bypass by Alternate Name
Major Other_Notes, Potential_Mitigations, Theoretical_Notes
Minor None
290 Authentication Bypass by Spoofing
Major Relationship_Notes
Minor None
294 Authentication Bypass by Capture-replay
Major Description, Other_Notes, Potential_Mitigations
Minor None
296 Improper Following of Chain of Trust for Certificate Validation
Major Demonstrative_Examples
Minor None
297 Improper Validation of Host-specific Certificate Data
Major Demonstrative_Examples, Relationships
Minor None
298 Improper Validation of Certificate Expiration
Major Demonstrative_Examples
Minor None
307 Failure to Restrict Excessive Authentication Attempts
Major Observed_Examples
Minor None
310 Cryptographic Issues
Major Maintenance_Notes, Relationship_Notes, Relationships
Minor None
322 Key Exchange without Entity Authentication
Major Relationships
Minor None
326 Inadequate Encryption Strength
Major Common_Consequences, Description, Maintenance_Notes, Name
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Maintenance_Notes, Relationships
Minor None
345 Insufficient Verification of Data Authenticity
Major Related_Attack_Patterns
Minor None
359 Privacy Violation
Major Demonstrative_Examples
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major White_Box_Definitions
Minor None
368 Context Switching Race Condition
Major Description, Other_Notes, Relationship_Notes, Weakness_Ordinalities
Minor None
379 Creation of Temporary File in Directory with Incorrect Permissions
Major Description, Other_Notes, Potential_Mitigations
Minor None
384 Session Fixation
Major Demonstrative_Examples, Related_Attack_Patterns
Minor None
385 Covert Timing Channel
Major Description, Other_Notes, Potential_Mitigations
Minor None
387 Signal Errors
Major Observed_Examples
Minor None
390 Detection of Error Condition Without Action
Major Demonstrative_Examples
Minor None
391 Unchecked Error Condition
Major White_Box_Definitions
Minor None
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major Description, Relationships
Minor None
401 Failure to Release Memory Before Removing Last Reference ('Memory Leak')
Major White_Box_Definitions
Minor None
404 Improper Resource Shutdown or Release
Major Demonstrative_Examples, Related_Attack_Patterns
Minor None
405 Asymmetric Resource Consumption (Amplification)
Major Common_Consequences, Other_Notes
Minor None
407 Algorithmic Complexity
Major Functional_Areas, Other_Notes
Minor None
409 Improper Handling of Highly Compressed Data (Data Amplification)
Major Relationships
Minor None
410 Insufficient Resource Pool
Major Demonstrative_Examples
Minor None
412 Unrestricted Externally Accessible Lock
Major Common_Consequences, Description, Name, Potential_Mitigations, White_Box_Definitions
Minor None
417 Channel and Path Errors
Major Other_Notes, Relationship_Notes
Minor None
427 Uncontrolled Search Path Element
Major Description, Maintenance_Notes, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships
Minor None
428 Unquoted Search Path or Element
Major Applicable_Platforms, Description, Maintenance_Notes, Other_Notes, Potential_Mitigations, Relationships
Minor None
442 Web Problems
Major Relationships
Minor None
450 Multiple Interpretations of UI Input
Major Potential_Mitigations
Minor None
463 Deletion of Data Structure Sentinel
Major Potential_Mitigations
Minor None
464 Addition of Data Structure Sentinel
Major Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships
Minor None
468 Incorrect Pointer Scaling
Major White_Box_Definitions
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Other_Notes
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major Potential_Mitigations
Minor None
477 Use of Obsolete Functions
Major Demonstrative_Examples
Minor None
481 Assigning instead of Comparing
Major Description, Other_Notes
Minor None
482 Comparing instead of Assigning
Major Common_Consequences, Modes_of_Introduction
Minor None
486 Comparison of Classes by Name
Major Demonstrative_Examples
Minor None
489 Leftover Debug Code
Major Demonstrative_Examples
Minor None
491 Public cloneable() Method Without Final ('Object Hijack')
Major Demonstrative_Examples
Minor None
494 Download of Code Without Integrity Check
Major Description, Observed_Examples, Related_Attack_Patterns
Minor None
497 Information Leak of System Data
Major Demonstrative_Examples
Minor None
499 Serializable Class Containing Sensitive Data
Major Demonstrative_Examples
Minor None
513 Intentionally Introduced Nonmalicious Weakness
Major Relationships
Minor None
514 Covert Channel
Major Relationships
Minor None
515 Covert Storage Channel
Major Common_Consequences, Description
Minor None
518 Inadvertently Introduced Weakness
Major Relationships
Minor None
531 Information Leak Through Test Code
Major Relationships
Minor None
532 Information Leak Through Log Files
Major Common_Consequences, Description, Likelihood_of_Exploit, Potential_Mitigations
Minor None
541 Information Leak Through Include Source Code
Major Relationships
Minor None
549 Missing Password Field Masking
Major Relationships
Minor None
551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Major Relationships
Minor None
552 Files or Directories Accessible to External Parties
Major Relationships
Minor None
554 ASP.NET Misconfiguration: Not Using Input Validation Framework
Major Other_Notes
Minor None
561 Dead Code
Major Demonstrative_Examples
Minor None
565 Reliance on Cookies without Validation and Integrity Checking
Major Description, Name, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
566 Access Control Bypass Through User-Controlled SQL Primary Key
Major Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Taxonomy_Mappings
Minor None
569 Expression Issues
Major Relationships
Minor None
570 Expression is Always False
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations
Minor None
571 Expression is Always True
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations
Minor None
572 Call to Thread run() instead of start()
Major Description, Other_Notes
Minor None
580 clone() Method Without super.clone()
Major Description, Other_Notes, Potential_Mitigations
Minor None
587 Assignment of a Fixed Address to a Pointer
Major Common_Consequences, Description, Other_Notes
Minor None
588 Attempt to Access Child of a Non-structure Pointer
Major Common_Consequences, Other_Notes
Minor None
589 Call to Non-ubiquitous API
Major Other_Notes, Potential_Mitigations
Minor None
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Major Description, Other_Notes, Potential_Mitigations
Minor None
599 Trust of OpenSSL Certificate Without Validation
Major Relationships
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Related_Attack_Patterns, Relationships
Minor None
604 Deprecated Entries
Major Relationships
Minor None
615 Information Leak Through Comments
Major Observed_Examples, Taxonomy_Mappings
Minor None
625 Permissive Regular Expression
Major Relationships
Minor None
632 Weaknesses that Affect Files or Directories
Major Relationships
Minor None
633 Weaknesses that Affect Memory
Major Relationships
Minor None
642 External Control of Critical State Data
Major Related_Attack_Patterns
Minor None
646 Reliance on File Name or Extension of Externally-Supplied File
Major Related_Attack_Patterns
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Relationships
Minor None
665 Improper Initialization
Major Related_Attack_Patterns
Minor None
667 Insufficient Locking
Major Common_Consequences
Minor None
668 Exposure of Resource to Wrong Sphere
Major Description, Relationships
Minor None
670 Always-Incorrect Control Flow Implementation
Major Maintenance_Notes, Modes_of_Introduction, Other_Notes, Relationships
Minor None
676 Use of Potentially Dangerous Function
Major Relationships
Minor None
682 Incorrect Calculation
Major Demonstrative_Examples, Related_Attack_Patterns
Minor None
693 Protection Mechanism Failure
Major Relationships
Minor None
707 Improper Enforcement of Message or Data Structure
Major Relationships
Minor None
715 OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
Major Related_Attack_Patterns
Minor None
737 CERT C Secure Coding Section 03 - Expressions (EXP)
Major Relationships
Minor None
749 Exposed Dangerous Method or Function
Major Relationships
Minor None
754 Improper Check for Exceptional Conditions
Major Relationships
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Related_Attack_Patterns
Minor None
771 Missing Reference to Active Allocated Resource
Major Relationships
Minor None
Page Last Updated: January 05, 2017