CWE - Differences between Version 2.4 and Version 2.5

Home > CWE List > Reports > Differences between Version 2.4 and Version 2.5

Differences between Version 2.4 and Version 2.5

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total (Version 2.5)	940
Total (Version 2.4)	920
Total new	20
Total deprecated	2
Total shared	920
Total important changes	57
Total major changes	75
Total minor changes	5
Total minor changes (no major)	2
Total unchanged	843

Summary of Entry Types

Type	Version 2.4	Version 2.5
Category	176	186
Chain	3	3
Composite	6	5
Deprecated	12	14
View	29	31
Weakness	694	701

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	11	0
Description	16	2
Applicable_Platforms	15	0
Time_of_Introduction	2	0
Demonstrative_Examples	5	3
Detection_Factors	0	0
Likelihood_of_Exploit	0	0
Common_Consequences	4	0
Relationships	47	0
References	10	0
Potential_Mitigations	11	0
Observed_Examples	5	0
Terminology_Notes	7	0
Alternate_Terms	0	0
Related_Attack_Patterns	4	0
Relationship_Notes	2	0
Taxonomy_Mappings	2	0
Maintenance_Notes	1	0
Modes_of_Introduction	0	0
Affected_Resources	0	0
Functional_Areas	0	0
Research_Gaps	0	0
Background_Details	0	0
Theoretical_Notes	0	0
Weakness_Ordinalities	0	0
White_Box_Definitions	0	0
Enabling_Factors_for_Exploitation	0	0
Other_Notes	4	0
Relevant_Properties	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Common_Methods_of_Exploitation	0	0
Type	17	0
Causal_Nature	0	0
Source_Taxonomy	0	0
Context_Notes	0	0
Black_Box_Definitions	0	0

Form and Abstraction Changes

From	To	Total
Unchanged		903
Composite	Weakness/Variant	1
Weakness/Base	Weakness/Variant	11
Weakness/Class	Weakness/Base	3
Weakness/Variant	Deprecated	2

Status Changes

From	To	Total
Unchanged		918
Incomplete	Deprecated	2

Relationship Changes

The "Version 2.5 Total" lists the total number of relationships in Version 2.5. The "Shared" value is the total number of relationships in entries that were in both Version 2.5 and Version 2.4. The "New" value is the total number of relationships involving entries that did not exist in Version 2.4. Thus, the total number of relationships in Version 2.5 would combine stats from Shared entries and New entries.

Relationship	Version 2.5 Total	Version 2.4 Total	Version 2.5 Shared	Unchanged	Added to Version 2.5	Removed from Version 2.4	Version 2.5 New
ALL	7491	7419	7391	7369	22	50	100
ChildOf	3174	3141	3135	3124	11	17	39
ParentOf	3174	3141	3135	3124	11	17	39
MemberOf	344	334	334	334			10
HasMember	344	334	334	334			10
CanPrecede	121	120	120	120			1
CanFollow	121	120	120	120			1
StartsWith	3	3	3	3
Requires	17	19	17	17		2
RequiredBy	17	19	17	17		2
CanAlsoBe	34	34	34	34
PeerOf	142	154	142	142		12

Nodes Removed from Version 2.4

CWE-ID	CWE Name
None.

Nodes Added to Version 2.5

CWE-ID	CWE Name
919	Weaknesses in Mobile Applications
920	Improper Restriction of Power Consumption
921	Storage of Sensitive Data in a Mechanism without Access Control
922	Insecure Storage of Sensitive Information
923	Improper Authentication of Endpoint in a Communication Channel
924	Improper Enforcement of Message Integrity During Transmission in a Communication Channel
925	Improper Verification of Intent by Broadcast Receiver
926	Improper Restriction of Content Provider Export to Other Applications
927	Use of Implicit Intent for Sensitive Communication
928	Weaknesses in OWASP Top Ten (2013)
929	OWASP Top Ten 2013 Category A1 - Injection
930	OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
931	OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS)
932	OWASP Top Ten 2013 Category A4 - Insecure Direct Object References
933	OWASP Top Ten 2013 Category A5 - Security Misconfiguration
934	OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
935	OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control
936	OWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF)
937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
938	OWASP Top Ten 2013 Category A10 - Unvalidated Redirects and Forwards

Nodes Deprecated in Version 2.5

CWE-ID	CWE Name
247	DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision
292	DEPRECATED (Duplicate): Trusting Self-reported DNS Name

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

		R	2	Environment
		R	16	Configuration
		R	20	Improper Input Validation
		R	22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
		R	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
		R	79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
		R	89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
		R	99	Improper Control of Resource Identifiers ('Resource Injection')
		R	106	Struts: Plug-in Framework not in Use
		R	109	Struts: Validator Turned Off
		R	227	Improper Fulfillment of API Contract ('API Abuse')
D			229	Improper Handling of Values
D			231	Improper Handling of Extra Values
D	N		233	Improper Handling of Parameters
D			235	Improper Handling of Extra Parameters
D	N	R	247	DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision
		R	285	Improper Authorization
		R	287	Improper Authentication
		R	290	Authentication Bypass by Spoofing
D	N	R	291	Reliance on IP Address for Authentication
D	N	R	292	DEPRECATED (Duplicate): Trusting Self-reported DNS Name
		R	296	Improper Following of a Certificate's Chain of Trust
		R	297	Improper Validation of Certificate with Host Mismatch
		R	298	Improper Validation of Certificate Expiration
		R	299	Improper Check for Certificate Revocation
		R	310	Cryptographic Issues
D		R	312	Cleartext Storage of Sensitive Information
D	N		313	Cleartext Storage in a File or on Disk
D	N		314	Cleartext Storage in the Registry
D	N		315	Cleartext Storage of Sensitive Information in a Cookie
D	N		316	Cleartext Storage of Sensitive Information in Memory
D	N		317	Cleartext Storage of Sensitive Information in GUI
D	N		318	Cleartext Storage of Sensitive Information in Executable
		R	319	Cleartext Transmission of Sensitive Information
		R	322	Key Exchange without Entity Authentication
		R	326	Inadequate Encryption Strength
		R	345	Insufficient Verification of Data Authenticity
		R	348	Use of Less Trusted Source
D	N	R	350	Reliance on Reverse DNS Resolution for a Security-Critical Action
		R	352	Cross-Site Request Forgery (CSRF)
		R	384	Session Fixation
		R	400	Uncontrolled Resource Consumption ('Resource Exhaustion')
		R	419	Unprotected Primary Channel
		R	420	Unprotected Alternate Channel
		R	471	Modification of Assumed-Immutable Data (MAID)
		R	564	SQL Injection: Hibernate
		R	567	Unsynchronized Access to Shared Data in a Multithreaded Context
		R	601	URL Redirection to Untrusted Site ('Open Redirect')
		R	639	Authorization Bypass Through User-Controlled Key
		R	662	Improper Synchronization
		R	664	Improper Control of a Resource Through its Lifetime
		R	668	Exposure of Resource to Wrong Sphere
		R	693	Protection Mechanism Failure
D		R	694	Use of Multiple Resources with Duplicate Identifier
		R	807	Reliance on Untrusted Inputs in a Security Decision
		R	820	Missing Synchronization
		R	898	SFP Cluster: Authentication

Detailed Difference Report

2	Environment
	Major	Relationships
	Minor	None
16	Configuration
	Major	Relationships
	Minor	None
20	Improper Input Validation
	Major	Relationships
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Related_Attack_Patterns, Relationships
	Minor	None
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Relationships
	Minor	None
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	Major	Relationships
	Minor	None
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Relationships
	Minor	None
99	Improper Control of Resource Identifiers ('Resource Injection')
	Major	Relationships
	Minor	None
106	Struts: Plug-in Framework not in Use
	Major	Relationships
	Minor	None
109	Struts: Validator Turned Off
	Major	Relationships
	Minor	None
123	Write-what-where Condition
	Major	None
	Minor	Demonstrative_Examples
130	Improper Handling of Length Parameter Inconsistency
	Major	Type
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	References
	Minor	None
190	Integer Overflow or Wraparound
	Major	References
	Minor	None
209	Information Exposure Through an Error Message
	Major	References
	Minor	None
227	Improper Fulfillment of API Contract ('API Abuse')
	Major	Relationships
	Minor	None
229	Improper Handling of Values
	Major	Description, Type
	Minor	None
230	Improper Handling of Missing Values
	Major	Type
	Minor	None
231	Improper Handling of Extra Values
	Major	Description, Type
	Minor	None
232	Improper Handling of Undefined Values
	Major	Type
	Minor	None
233	Improper Handling of Parameters
	Major	Description, Name, Type
	Minor	None
234	Failure to Handle Missing Parameter
	Major	Type
	Minor	None
235	Improper Handling of Extra Parameters
	Major	Description, Type
	Minor	None
236	Improper Handling of Undefined Parameters
	Major	Type
	Minor	None
237	Improper Handling of Structural Elements
	Major	Type
	Minor	None
238	Improper Handling of Incomplete Structural Elements
	Major	Type
	Minor	None
239	Failure to Handle Incomplete Element
	Major	Type
	Minor	None
240	Improper Handling of Inconsistent Structural Elements
	Major	Type
	Minor	None
247	DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision
	Major	Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Time_of_Introduction, Type
	Minor	None
250	Execution with Unnecessary Privileges
	Major	Applicable_Platforms
	Minor	None
285	Improper Authorization
	Major	Relationships
	Minor	None
287	Improper Authentication
	Major	Relationships
	Minor	Demonstrative_Examples
290	Authentication Bypass by Spoofing
	Major	Relationships
	Minor	None
291	Reliance on IP Address for Authentication
	Major	Applicable_Platforms, Description, Name, Relationships, Type
	Minor	None
292	DEPRECATED (Duplicate): Trusting Self-reported DNS Name
	Major	Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
	Minor	None
296	Improper Following of a Certificate's Chain of Trust
	Major	Relationships
	Minor	None
297	Improper Validation of Certificate with Host Mismatch
	Major	Relationships
	Minor	Description
298	Improper Validation of Certificate Expiration
	Major	Relationships
	Minor	None
299	Improper Check for Certificate Revocation
	Major	Relationships
	Minor	None
307	Improper Restriction of Excessive Authentication Attempts
	Major	None
	Minor	Demonstrative_Examples
310	Cryptographic Issues
	Major	Relationships
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	Relationship_Notes
	Minor	None
312	Cleartext Storage of Sensitive Information
	Major	Description, Relationships, Terminology_Notes
	Minor	None
313	Cleartext Storage in a File or on Disk
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Terminology_Notes
	Minor	None
314	Cleartext Storage in the Registry
	Major	Applicable_Platforms, Description, Name, Observed_Examples, Potential_Mitigations, Terminology_Notes
	Minor	None
315	Cleartext Storage of Sensitive Information in a Cookie
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Terminology_Notes
	Minor	None
316	Cleartext Storage of Sensitive Information in Memory
	Major	Applicable_Platforms, Description, Name, Other_Notes, Potential_Mitigations, Terminology_Notes
	Minor	None
317	Cleartext Storage of Sensitive Information in GUI
	Major	Applicable_Platforms, Description, Name, Potential_Mitigations, Terminology_Notes
	Minor	None
318	Cleartext Storage of Sensitive Information in Executable
	Major	Applicable_Platforms, Description, Name, Potential_Mitigations, Terminology_Notes
	Minor	None
319	Cleartext Transmission of Sensitive Information
	Major	Relationships
	Minor	None
322	Key Exchange without Entity Authentication
	Major	Applicable_Platforms, Relationships
	Minor	None
326	Inadequate Encryption Strength
	Major	Relationships
	Minor	None
345	Insufficient Verification of Data Authenticity
	Major	Relationships
	Minor	None
348	Use of Less Trusted Source
	Major	Relationships
	Minor	None
350	Reliance on Reverse DNS Resolution for a Security-Critical Action
	Major	Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Type
	Minor	None
352	Cross-Site Request Forgery (CSRF)
	Major	References, Relationships
	Minor	None
384	Session Fixation
	Major	Relationships
	Minor	None
400	Uncontrolled Resource Consumption ('Resource Exhaustion')
	Major	Relationships
	Minor	None
419	Unprotected Primary Channel
	Major	Applicable_Platforms, Relationships
	Minor	None
420	Unprotected Alternate Channel
	Major	Applicable_Platforms, Potential_Mitigations, Relationships
	Minor	None
471	Modification of Assumed-Immutable Data (MAID)
	Major	Relationships
	Minor	None
564	SQL Injection: Hibernate
	Major	Relationships
	Minor	None
567	Unsynchronized Access to Shared Data in a Multithreaded Context
	Major	Relationships
	Minor	None
601	URL Redirection to Untrusted Site ('Open Redirect')
	Major	References, Relationships
	Minor	None
639	Authorization Bypass Through User-Controlled Key
	Major	Relationships
	Minor	None
662	Improper Synchronization
	Major	Relationships
	Minor	None
664	Improper Control of a Resource Through its Lifetime
	Major	Relationships
	Minor	None
668	Exposure of Resource to Wrong Sphere
	Major	Relationships
	Minor	None
693	Protection Mechanism Failure
	Major	Relationships
	Minor	None
694	Use of Multiple Resources with Duplicate Identifier
	Major	Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships
	Minor	None
732	Incorrect Permission Assignment for Critical Resource
	Major	References
	Minor	None
807	Reliance on Untrusted Inputs in a Security Decision
	Major	Relationships
	Minor	None
809	Weaknesses in OWASP Top Ten (2010)
	Major	References
	Minor	None
820	Missing Synchronization
	Major	Relationships
	Minor	None
893	SFP Cluster: Path Resolution
	Major	Related_Attack_Patterns
	Minor	None
898	SFP Cluster: Authentication
	Major	Relationships
	Minor	Description
915	Improperly Controlled Modification of Dynamically-Determined Object Attributes
	Major	References
	Minor	None

Page Last Updated: January 05, 2017


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration