Changes that affect only whitespace are ignored. "Minor"
changes are text changes that affect only capitalization and
punctuation. Most other changes are marked as "Major."
Simple schema changes are treated as Minor, such as the change from
AffectedResource to Affected_Resource in Draft 8, or the relationship
name change from "IsRequiredBy" to "RequiredBy" in
Version 1.0. For each mutual relationship between nodes A and B (such
as ParentOf and ChildOf), a relationship change is noted for both A
and B.
The "Version 2.6 Total" lists the total number of relationships
in Version 2.6. The "Shared" value is the total number of
relationships in entries that were in both Version 2.6 and Version 2.5. The
"New" value is the total number of relationships involving
entries that did not exist in Version 2.5. Thus, the total number of
relationships in Version 2.6 is the sum of the Shared and New values.
A node change is labeled "important" if it is a major field change and
the field is critical to the meaning of the node. The critical fields
are description, name, and relationships.
CWE ID | Name | Major Changes | Minor Changes
--- | --- | --- | ---
19 | Data Handling | Related_Attack_Patterns | None
20 | Improper Input Validation | Demonstrative_Examples, Related_Attack_Patterns | None
21 | Pathname Traversal and Equivalence Errors | Potential_Mitigations | None
74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | Related_Attack_Patterns | None
77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes, Terminology_Notes | Potential_Mitigations
78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Applicable_Platforms, Demonstrative_Examples, Terminology_Notes | None
91 | XML Injection (aka Blind XPath Injection) | Related_Attack_Patterns | None
112 | Missing XML Validation | Related_Attack_Patterns | None
119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Potential_Mitigations, References | None
120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Potential_Mitigations, References | None
129 | Improper Validation of Array Index | Potential_Mitigations, References | None
131 | Incorrect Calculation of Buffer Size | Potential_Mitigations, References | None
201 | Information Exposure Through Sent Data | Related_Attack_Patterns | None
216 | Containment Errors (Container Errors) | Related_Attack_Patterns | None
228 | Improper Handling of Syntactically Invalid Structure | Demonstrative_Examples | None
230 | Improper Handling of Missing Values | Demonstrative_Examples | None
233 | Improper Handling of Parameters | Demonstrative_Examples | None
250 | Execution with Unnecessary Privileges | Demonstrative_Examples | None
266 | Incorrect Privilege Assignment | Applicable_Platforms, Demonstrative_Examples | None
270 | Privilege Context Switching Error | Related_Attack_Patterns | None
284 | Improper Access Control | Related_Attack_Patterns, Relationships | None
287 | Improper Authentication | Relationships | None
290 | Authentication Bypass by Spoofing | Related_Attack_Patterns | None
291 | Reliance on IP Address for Authentication | Relationships | None
300 | Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | Relationships | None
304 | Missing Critical Step in Authentication | Relationships | None
310 | Cryptographic Issues | Related_Attack_Patterns | None
311 | Missing Encryption of Sensitive Data | Related_Attack_Patterns | None
319 | Cleartext Transmission of Sensitive Information | Related_Attack_Patterns | None
327 | Use of a Broken or Risky Cryptographic Algorithm | Related_Attack_Patterns | None
328 | Reversible One-Way Hash | Potential_Mitigations, References | None
330 | Use of Insufficiently Random Values | Related_Attack_Patterns | None
346 | Origin Validation Error | Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Maintenance_Notes, References, Relationship_Notes, Relationships, Terminology_Notes | None
350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | Description, Relationships | None
359 | Exposure of Private Information ('Privacy Violation') | Alternate_Terms, Demonstrative_Examples, Description, Name, Other_Notes, References | None
390 | Detection of Error Condition Without Action | Related_Attack_Patterns | None
401 | Improper Release of Memory Before Removing Last Reference ('Memory Leak') | Potential_Mitigations, References | None
404 | Improper Resource Shutdown or Release | Demonstrative_Examples | None
406 | Insufficient Control of Network Message Volume (Network Amplification) | Demonstrative_Examples, Observed_Examples, Relationships | None
426 | Untrusted Search Path | Demonstrative_Examples, Detection_Factors, Potential_Mitigations | None
427 | Uncontrolled Search Path Element | Demonstrative_Examples, Observed_Examples, Potential_Mitigations | None
451 | User Interface (UI) Misrepresentation of Critical Information | Applicable_Platforms, Description, Maintenance_Notes, Name, Observed_Examples, Other_Notes, References, Relationships, Research_Gaps | None
469 | Use of Pointer Subtraction to Determine Size | Potential_Mitigations | None
471 | Modification of Assumed-Immutable Data (MAID) | Related_Attack_Patterns | None
476 | NULL Pointer Dereference | Demonstrative_Examples | None
532 | Information Exposure Through Log Files | Demonstrative_Examples | None
590 | Free of Memory not on the Heap | Potential_Mitigations | None
642 | External Control of Critical State Data | Potential_Mitigations | None
672 | Operation on a Resource after Expiration or Release | Applicable_Platforms | None
674 | Uncontrolled Recursion | Related_Attack_Patterns | None
682 | Incorrect Calculation | Relationships | None
684 | Incorrect Provision of Specified Functionality | Relationships | None
693 | Protection Mechanism Failure | Related_Attack_Patterns | None
707 | Improper Enforcement of Message or Data Structure | Related_Attack_Patterns | None
713 | OWASP Top Ten 2007 Category A2 - Injection Flaws | Related_Attack_Patterns | None
749 | Exposed Dangerous Method or Function | Demonstrative_Examples | None
759 | Use of a One-Way Hash without a Salt | Potential_Mitigations, References | None
760 | Use of a One-Way Hash with a Predictable Salt | Potential_Mitigations, References | None
761 | Free of Pointer not at Start of Buffer | Potential_Mitigations | None
762 | Mismatched Memory Management Routines | Demonstrative_Examples, Potential_Mitigations, References | None
763 | Release of Invalid Pointer or Reference | Potential_Mitigations | None
770 | Allocation of Resources Without Limits or Throttling | Related_Attack_Patterns | None
772 | Missing Release of Resource after Effective Lifetime | Applicable_Platforms, Demonstrative_Examples | None
805 | Buffer Access with Incorrect Length Value | Potential_Mitigations, References | None
806 | Buffer Access Using Size of Source Buffer | Potential_Mitigations, References | None
807 | Reliance on Untrusted Inputs in a Security Decision | Potential_Mitigations | None
839 | Numeric Range Comparison Without Minimum Check | Relationships | None
862 | Missing Authorization | Relationships | None
916 | Use of Password Hash With Insufficient Computational Effort | Potential_Mitigations, References | None
923 | Improper Restriction of Communication Channel to Intended Endpoints | Description, Name, Relationships | None
925 | Improper Verification of Intent by Broadcast Receiver | Alternate_Terms, Demonstrative_Examples, Description, References | None
926 | Improper Export of Android Application Components | Background_Details, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Potential_Mitigations, References | None
927 | Use of Implicit Intent for Sensitive Communication | Demonstrative_Examples, Description, References | None