CWE - Differences between Version 2.10 and Version 2.11

Home > CWE List > Reports > Differences between Version 2.10 and Version 2.11

Differences between Version 2.10 and Version 2.11

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 2.11)	1006
Total (Version 2.10)	1005
Total new	1
Total deprecated	2
Total shared	1005
Total important changes	30
Total major changes	116
Total minor changes	2
Total minor changes (no major)	2
Total unchanged	887

Summary of Entry Types

Type	Version 2.10	Version 2.11
Category	242	243
Chain	3	3
Composite	5	5
Deprecated	15	17
View	33	33
Weakness	707	705

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	4	0
Description	4	0
Applicable_Platforms	2	0
Time_of_Introduction	2	0
Demonstrative_Examples	5	2
Detection_Factors	0	0
Likelihood_of_Exploit	0	0
Common_Consequences	2	0
Relationships	28	0
References	2	0
Potential_Mitigations	47	0
Observed_Examples	2	0
Terminology_Notes	0	0
Alternate_Terms	0	0
Related_Attack_Patterns	52	0
Relationship_Notes	0	0
Taxonomy_Mappings	2	0
Maintenance_Notes	1	0
Modes_of_Introduction	0	0
Affected_Resources	0	0
Functional_Areas	0	0
Research_Gaps	0	0
Background_Details	0	0
Theoretical_Notes	0	0
Weakness_Ordinalities	0	0
White_Box_Definitions	0	0
Enabling_Factors_for_Exploitation	0	0
Other_Notes	1	0
Relevant_Properties	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Common_Methods_of_Exploitation	0	0
Type	2	0
Causal_Nature	0	0
Source_Taxonomy	0	0
Context_Notes	0	0
Black_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		1003
Weakness/Class	Deprecated	1
Weakness/Variant	Deprecated	1

Status Changes

From	To	Total
Unchanged		1003
Incomplete	Deprecated	2

Relationship Changes

The "Version 2.11 Total" lists the total number of relationships in Version 2.11. The "Shared" value is the total number of relationships in entries that were in both Version 2.11 and Version 2.10. The "New" value is the total number of relationships involving entries that did not exist in Version 2.10. Thus, the total number of relationships in Version 2.11 would combine stats from Shared entries and New entries.

Relationship	Version 2.11 Total	Version 2.10 Total	Version 2.11 Shared	Unchanged	Added to Version 2.11	Removed from Version 2.10	Version 2.11 New
ALL	7935	7953	7923	7889	34	64	12
ChildOf	3375	3384	3370	3355	15	29	5
ParentOf	3375	3384	3370	3355	15	29	5
MemberOf	365	365	364	363	1	2	1
HasMember	365	365	364	363	1	2	1
CanPrecede	122	121	122	121	1
CanFollow	122	121	122	121	1
StartsWith	3	3	3	3
Requires	17	17	17	17
RequiredBy	17	17	17	17
CanAlsoBe	34	34	34	34
PeerOf	140	142	140	140		2

Nodes Removed from Version 2.10

CWE-ID	CWE Name
None.

Nodes Added to Version 2.11

CWE-ID	CWE Name
1005	Input Validation and Representation

Nodes Deprecated in Version 2.11

CWE-ID	CWE Name
545	DEPRECATED: Use of Dynamic Class Loading
592	DEPRECATED: Authentication Bypass Issues

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

	N	R	19	Data Processing Errors
		R	20	Improper Input Validation
		R	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
		R	79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
		R	89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
		R	99	Improper Control of Resource Identifiers ('Resource Injection')
	N	R	118	Incorrect Access of Indexable Resource ('Range Error')
		R	119	Improper Restriction of Operations within the Bounds of a Memory Buffer
		R	287	Improper Authentication
		R	288	Authentication Bypass Using an Alternate Path or Channel
		R	289	Authentication Bypass by Alternate Name
		R	290	Authentication Bypass by Spoofing
		R	294	Authentication Bypass by Capture-replay
		R	302	Authentication Bypass by Assumed-Immutable Data
		R	305	Authentication Bypass by Primary Weakness
		R	398	Indicator of Poor Code Quality
		R	485	Insufficient Encapsulation
D			502	Deserialization of Untrusted Data
D	N	R	545	DEPRECATED: Use of Dynamic Class Loading
		R	569	Expression Issues
D	N	R	592	DEPRECATED: Authentication Bypass Issues
		R	593	Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
		R	603	Use of Client-Side Authentication
		R	699	Development Concepts
		R	700	Seven Pernicious Kingdoms
		R	724	OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
D			788	Access of Memory Location After End of Buffer
		R	884	CWE Cross-section
		R	947	SFP Secondary Cluster: Authentication Bypass
		R	991	SFP Secondary Cluster: Tainted Input to Environment

Detailed Difference Report

19	Data Processing Errors
	Major	Name, Relationships
	Minor	None
20	Improper Input Validation
	Major	Related_Attack_Patterns, Relationships
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Demonstrative_Examples
	Minor	None
71	Apple '.DS_Store'
	Major	Related_Attack_Patterns
	Minor	None
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
	Major	Potential_Mitigations, Related_Attack_Patterns
	Minor	None
75	Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
	Major	Potential_Mitigations, Related_Attack_Patterns
	Minor	None
76	Improper Neutralization of Equivalent Special Elements
	Major	Potential_Mitigations
	Minor	None
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Potential_Mitigations, Related_Attack_Patterns, Relationships
	Minor	None
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	Major	Related_Attack_Patterns, Relationships
	Minor	None
80	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
	Major	Potential_Mitigations, Related_Attack_Patterns
	Minor	None
81	Improper Neutralization of Script in an Error Message Web Page
	Major	Potential_Mitigations
	Minor	None
82	Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
	Major	Related_Attack_Patterns
	Minor	None
83	Improper Neutralization of Script in Attributes in a Web Page
	Major	Potential_Mitigations, Related_Attack_Patterns
	Minor	None
84	Improper Neutralization of Encoded URI Schemes in a Web Page
	Major	Potential_Mitigations, Related_Attack_Patterns
	Minor	None
85	Doubled Character XSS Manipulations
	Major	Potential_Mitigations, Related_Attack_Patterns
	Minor	None
86	Improper Neutralization of Invalid Characters in Identifiers in Web Pages
	Major	Related_Attack_Patterns
	Minor	None
87	Improper Neutralization of Alternate XSS Syntax
	Major	Potential_Mitigations
	Minor	None
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Relationships
	Minor	None
96	Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
	Major	Related_Attack_Patterns
	Minor	None
97	Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
	Major	Potential_Mitigations
	Minor	None
99	Improper Control of Resource Identifiers ('Resource Injection')
	Major	Related_Attack_Patterns, Relationships
	Minor	None
109	Struts: Validator Turned Off
	Major	None
	Minor	Demonstrative_Examples
113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
	Major	Related_Attack_Patterns
	Minor	None
116	Improper Encoding or Escaping of Output
	Major	Related_Attack_Patterns
	Minor	None
117	Improper Output Neutralization for Logs
	Major	Related_Attack_Patterns
	Minor	None
118	Incorrect Access of Indexable Resource ('Range Error')
	Major	Name, Relationships
	Minor	None
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	Relationships
	Minor	None
138	Improper Neutralization of Special Elements
	Major	Potential_Mitigations
	Minor	None
140	Improper Neutralization of Delimiters
	Major	Potential_Mitigations
	Minor	None
141	Improper Neutralization of Parameter/Argument Delimiters
	Major	Potential_Mitigations
	Minor	None
142	Improper Neutralization of Value Delimiters
	Major	Potential_Mitigations
	Minor	None
143	Improper Neutralization of Record Delimiters
	Major	Potential_Mitigations
	Minor	None
144	Improper Neutralization of Line Delimiters
	Major	Potential_Mitigations
	Minor	None
145	Improper Neutralization of Section Delimiters
	Major	Potential_Mitigations
	Minor	None
147	Improper Neutralization of Input Terminators
	Major	Potential_Mitigations
	Minor	None
148	Improper Neutralization of Input Leaders
	Major	Potential_Mitigations
	Minor	None
149	Improper Neutralization of Quoting Syntax
	Major	Potential_Mitigations
	Minor	None
150	Improper Neutralization of Escape, Meta, or Control Sequences
	Major	Potential_Mitigations
	Minor	None
151	Improper Neutralization of Comment Delimiters
	Major	Potential_Mitigations
	Minor	None
152	Improper Neutralization of Macro Symbols
	Major	Potential_Mitigations
	Minor	None
153	Improper Neutralization of Substitution Characters
	Major	Potential_Mitigations
	Minor	None
154	Improper Neutralization of Variable Name Delimiters
	Major	Potential_Mitigations
	Minor	None
155	Improper Neutralization of Wildcards or Matching Symbols
	Major	Potential_Mitigations
	Minor	None
156	Improper Neutralization of Whitespace
	Major	Potential_Mitigations
	Minor	None
157	Failure to Sanitize Paired Delimiters
	Major	Potential_Mitigations
	Minor	None
158	Improper Neutralization of Null Byte or NUL Character
	Major	Potential_Mitigations
	Minor	None
159	Failure to Sanitize Special Element
	Major	Potential_Mitigations
	Minor	None
160	Improper Neutralization of Leading Special Elements
	Major	Potential_Mitigations
	Minor	None
161	Improper Neutralization of Multiple Leading Special Elements
	Major	Potential_Mitigations
	Minor	None
162	Improper Neutralization of Trailing Special Elements
	Major	Potential_Mitigations
	Minor	None
163	Improper Neutralization of Multiple Trailing Special Elements
	Major	Potential_Mitigations
	Minor	None
164	Improper Neutralization of Internal Special Elements
	Major	Potential_Mitigations
	Minor	None
165	Improper Neutralization of Multiple Internal Special Elements
	Major	Potential_Mitigations
	Minor	None
166	Improper Handling of Missing Special Element
	Major	Potential_Mitigations
	Minor	None
167	Improper Handling of Additional Special Element
	Major	Potential_Mitigations
	Minor	None
168	Improper Handling of Inconsistent Special Elements
	Major	Potential_Mitigations
	Minor	None
184	Incomplete Blacklist
	Major	Potential_Mitigations, Related_Attack_Patterns
	Minor	None
193	Off-by-one Error
	Major	Demonstrative_Examples
	Minor	None
200	Information Exposure
	Major	Related_Attack_Patterns
	Minor	None
202	Exposure of Sensitive Data Through Data Queries
	Major	Related_Attack_Patterns
	Minor	None
208	Information Exposure Through Timing Discrepancy
	Major	Related_Attack_Patterns
	Minor	None
227	Improper Fulfillment of API Contract ('API Abuse')
	Major	Observed_Examples, Related_Attack_Patterns
	Minor	None
232	Improper Handling of Undefined Values
	Major	Demonstrative_Examples
	Minor	None
259	Use of Hard-coded Password
	Major	Related_Attack_Patterns
	Minor	None
276	Incorrect Default Permissions
	Major	Related_Attack_Patterns
	Minor	None
279	Incorrect Execution-Assigned Permissions
	Major	Related_Attack_Patterns
	Minor	None
287	Improper Authentication
	Major	Related_Attack_Patterns, Relationships
	Minor	None
288	Authentication Bypass Using an Alternate Path or Channel
	Major	Related_Attack_Patterns, Relationships
	Minor	None
289	Authentication Bypass by Alternate Name
	Major	Relationships
	Minor	None
290	Authentication Bypass by Spoofing
	Major	Relationships
	Minor	None
294	Authentication Bypass by Capture-replay
	Major	Relationships
	Minor	None
302	Authentication Bypass by Assumed-Immutable Data
	Major	Relationships
	Minor	None
305	Authentication Bypass by Primary Weakness
	Major	Relationships
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	Related_Attack_Patterns
	Minor	None
312	Cleartext Storage of Sensitive Information
	Major	Related_Attack_Patterns
	Minor	None
319	Cleartext Transmission of Sensitive Information
	Major	Related_Attack_Patterns
	Minor	None
345	Insufficient Verification of Data Authenticity
	Major	Related_Attack_Patterns
	Minor	None
348	Use of Less Trusted Source
	Major	Related_Attack_Patterns
	Minor	None
350	Reliance on Reverse DNS Resolution for a Security-Critical Action
	Major	Related_Attack_Patterns
	Minor	None
372	Incomplete Internal State Distinction
	Major	Related_Attack_Patterns
	Minor	None
398	Indicator of Poor Code Quality
	Major	Relationships
	Minor	None
404	Improper Resource Shutdown or Release
	Major	Related_Attack_Patterns
	Minor	None
471	Modification of Assumed-Immutable Data (MAID)
	Major	Related_Attack_Patterns
	Minor	None
485	Insufficient Encapsulation
	Major	Relationships
	Minor	None
497	Exposure of System Data to an Unauthorized Control Sphere
	Major	Related_Attack_Patterns
	Minor	None
502	Deserialization of Untrusted Data
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References
	Minor	None
505	Intentionally Introduced Weakness
	Major	Maintenance_Notes
	Minor	None
510	Trapdoor
	Major	Related_Attack_Patterns
	Minor	None
522	Insufficiently Protected Credentials
	Major	Related_Attack_Patterns
	Minor	None
538	File and Directory Information Exposure
	Major	Related_Attack_Patterns
	Minor	None
545	DEPRECATED: Use of Dynamic Class Loading
	Major	Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
	Minor	None
564	SQL Injection: Hibernate
	Major	Potential_Mitigations
	Minor	None
569	Expression Issues
	Major	Relationships
	Minor	None
592	DEPRECATED: Authentication Bypass Issues
	Major	Common_Consequences, Description, Name, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
	Minor	None
593	Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
	Major	Potential_Mitigations, Relationships
	Minor	None
602	Client-Side Enforcement of Server-Side Security
	Major	Related_Attack_Patterns
	Minor	None
603	Use of Client-Side Authentication
	Major	Relationships
	Minor	None
641	Improper Restriction of Names for Files and Other Resources
	Major	Potential_Mitigations
	Minor	None
667	Improper Locking
	Major	Related_Attack_Patterns
	Minor	None
676	Use of Potentially Dangerous Function
	Major	Related_Attack_Patterns
	Minor	None
692	Incomplete Blacklist to Cross-Site Scripting
	Major	Related_Attack_Patterns
	Minor	None
693	Protection Mechanism Failure
	Major	Related_Attack_Patterns
	Minor	None
696	Incorrect Behavior Order
	Major	Observed_Examples
	Minor	None
697	Insufficient Comparison
	Major	Related_Attack_Patterns
	Minor	None
699	Development Concepts
	Major	Relationships
	Minor	None
700	Seven Pernicious Kingdoms
	Major	Relationships
	Minor	None
713	OWASP Top Ten 2007 Category A2 - Injection Flaws
	Major	Related_Attack_Patterns
	Minor	None
721	OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
	Major	Related_Attack_Patterns
	Minor	None
724	OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
	Major	Relationships
	Minor	None
770	Allocation of Resources Without Limits or Throttling
	Major	Related_Attack_Patterns
	Minor	None
788	Access of Memory Location After End of Buffer
	Major	Description
	Minor	None
829	Inclusion of Functionality from Untrusted Control Sphere
	Major	Related_Attack_Patterns
	Minor	None
833	Deadlock
	Major	Related_Attack_Patterns
	Minor	None
839	Numeric Range Comparison Without Minimum Check
	Major	None
	Minor	Demonstrative_Examples
884	CWE Cross-section
	Major	Relationships
	Minor	None
915	Improperly Controlled Modification of Dynamically-Determined Object Attributes
	Major	Potential_Mitigations
	Minor	None
947	SFP Secondary Cluster: Authentication Bypass
	Major	Relationships
	Minor	None
991	SFP Secondary Cluster: Tainted Input to Environment
	Major	Relationships
	Minor	None

Page Last Updated: May 05, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration