Any change with respect to whitespace is ignored. "Minor"
changes are text changes that only affect capitalization and
punctuation. Most other changes are marked as "Major."
Simple schema changes are treated as Minor, such as the change from
AffectedResource to Affected_Resource in Draft 8, or the relationship
name change from "IsRequiredBy" to "RequiredBy" in
Version 1.0. For each mutual relationship between nodes A and B (such
as ParentOf and ChildOf), a relationship change is noted for both A
and B.
The "2.9 Total" lists the total number of relationships
in 2.9. The "Shared" value is the total number of
relationships in entries that were in both 2.9 and 2.8. The
"New" value is the total number of relationships involving
entries that did not exist in 2.8. Thus, the total number of
relationships in 2.9 would combine stats from Shared entries and
New entries.
A node change is labeled "important" if it is a major field change and
the field is critical to the meaning of the node. The critical fields
are description, name, and relationships.
| | | R |
2 |
Environment |
| | | R |
16 |
Configuration |
| | | R |
17 |
Code |
| | | R |
18 |
Source Code |
| | | R |
19 |
Data Handling |
| | | R |
20 |
Improper Input Validation |
| | | R |
21 |
Pathname Traversal and Equivalence Errors |
| | | R |
22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| | | R |
59 |
Improper Link Resolution Before File Access ('Link Following') |
| | | R |
74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| | | R |
77 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| | | R |
78 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| | | R |
79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| | | R |
88 |
Argument Injection or Modification |
| | | R |
89 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| | | R |
90 |
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
| | | R |
91 |
XML Injection (aka Blind XPath Injection) |
| | | R |
93 |
Improper Neutralization of CRLF Sequences ('CRLF Injection') |
| | | R |
94 |
Improper Control of Generation of Code ('Code Injection') |
| | | R |
99 |
Improper Control of Resource Identifiers ('Resource Injection') |
| | | R |
113 |
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
| | | R |
116 |
Improper Encoding or Escaping of Output |
| | | R |
118 |
Improper Access of Indexable Resource ('Range Error') |
| | | R |
119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
| | | R |
123 |
Write-what-where Condition |
| | | R |
125 |
Out-of-bounds Read |
| | | R |
129 |
Improper Validation of Array Index |
| D | N | R |
134 |
Use of Externally-Controlled Format String |
| | | R |
137 |
Representation Errors |
| | | R |
171 |
Cleansing, Canonicalization, and Comparison Errors |
| | | R |
172 |
Encoding Error |
| | | R |
184 |
Incomplete Blacklist |
| | | R |
185 |
Incorrect Regular Expression |
| | | R |
189 |
Numeric Errors |
| | | R |
190 |
Integer Overflow or Wraparound |
| | | R |
191 |
Integer Underflow (Wrap or Wraparound) |
| | | R |
200 |
Information Exposure |
| | | R |
220 |
Sensitive Data Under FTP Root |
| | | R |
254 |
Security Features |
| | | R |
255 |
Credentials Management |
| | | R |
264 |
Permissions, Privileges, and Access Controls |
| | | R |
284 |
Improper Access Control |
| | | R |
285 |
Improper Authorization |
| | | R |
287 |
Improper Authentication |
| | | R |
295 |
Improper Certificate Validation |
| | | R |
297 |
Improper Validation of Certificate with Host Mismatch |
| | | R |
306 |
Missing Authentication for Critical Function |
| | | R |
310 |
Cryptographic Issues |
| | | R |
320 |
Key Management Errors |
| | | R |
326 |
Inadequate Encryption Strength |
| | | R |
327 |
Use of a Broken or Risky Cryptographic Algorithm |
| | | R |
330 |
Use of Insufficiently Random Values |
| | | R |
331 |
Insufficient Entropy |
| | | R |
332 |
Insufficient Entropy in PRNG |
| | | R |
338 |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
| | | R |
345 |
Insufficient Verification of Data Authenticity |
| | | R |
347 |
Improper Verification of Cryptographic Signature |
| | | R |
352 |
Cross-Site Request Forgery (CSRF) |
| | | R |
358 |
Improperly Implemented Security Check for Standard |
| | | R |
361 |
Time and State |
| | | R |
362 |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
| | | R |
369 |
Divide By Zero |
| | | R |
371 |
State Issues |
| | | R |
384 |
Session Fixation |
| | | R |
388 |
Error Handling |
| | | R |
398 |
Indicator of Poor Code Quality |
| | | R |
399 |
Resource Management Errors |
| | | R |
400 |
Uncontrolled Resource Consumption ('Resource Exhaustion') |
| | | R |
404 |
Improper Resource Shutdown or Release |
| | | R |
405 |
Asymmetric Resource Consumption (Amplification) |
| | | R |
407 |
Algorithmic Complexity |
| | | R |
415 |
Double Free |
| | | R |
416 |
Use After Free |
| | | R |
417 |
Channel and Path Errors |
| | | R |
426 |
Untrusted Search Path |
| | | R |
427 |
Uncontrolled Search Path Element |
| | | R |
428 |
Unquoted Search Path or Element |
| | | R |
434 |
Unrestricted Upload of File with Dangerous Type |
| | | R |
435 |
Interaction Error |
| | | R |
436 |
Interpretation Conflict |
| | | R |
441 |
Unintended Proxy or Intermediary ('Confused Deputy') |
| | | R |
444 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') |
| | | R |
472 |
External Control of Assumed-Immutable Web Parameter |
| | | R |
476 |
NULL Pointer Dereference |
| | | R |
485 |
Insufficient Encapsulation |
| | | R |
502 |
Deserialization of Untrusted Data |
| | | R |
532 |
Information Exposure Through Log Files |
| | | R |
534 |
Information Exposure Through Debug Log Files |
| | | R |
538 |
File and Directory Information Exposure |
| | | R |
552 |
Files or Directories Accessible to External Parties |
| | | R |
601 |
URL Redirection to Untrusted Site ('Open Redirect') |
| | | R |
610 |
Externally Controlled Reference to a Resource in Another Sphere |
| | | R |
611 |
Improper Restriction of XML External Entity Reference ('XXE') |
| | | R |
640 |
Weak Password Recovery Mechanism for Forgotten Password |
| | | R |
664 |
Improper Control of a Resource Through its Lifetime |
| | | R |
665 |
Improper Initialization |
| | | R |
668 |
Exposure of Resource to Wrong Sphere |
| | | R |
669 |
Incorrect Resource Transfer Between Spheres |
| | | R |
682 |
Incorrect Calculation |
| | | R |
693 |
Protection Mechanism Failure |
| | | R |
694 |
Use of Multiple Resources with Duplicate Identifier |
| | | R |
704 |
Incorrect Type Conversion or Cast |
| | | R |
707 |
Improper Enforcement of Message or Data Structure |
| | | R |
749 |
Exposed Dangerous Method or Function |
| | | R |
754 |
Improper Check for Unusual or Exceptional Conditions |
| | | R |
769 |
File Descriptor Exhaustion |
| | | R |
774 |
Allocation of File Descriptors or Handles Without Limits or Throttling |
| | | R |
775 |
Missing Release of File Descriptor or Handle after Effective Lifetime |
| | | R |
787 |
Out-of-bounds Write |
| D | | |
788 |
Access of Memory Location After End of Buffer |
| | | R |
798 |
Use of Hard-coded Credentials |
| | | R |
824 |
Access of Uninitialized Pointer |
| | | R |
913 |
Improper Control of Dynamically-Managed Code Resources |
| | | R |
918 |
Server-Side Request Forgery (SSRF) |
| | | R |
943 |
Improper Neutralization of Special Elements in Data Query Logic |
| 2 |
Environment |
|
Major |
Relationships |
|
Minor |
None |
| 16 |
Configuration |
|
Major |
Relationships |
|
Minor |
None |
| 17 |
Code |
|
Major |
Relationships |
|
Minor |
None |
| 18 |
Source Code |
|
Major |
Relationships |
|
Minor |
None |
| 19 |
Data Handling |
|
Major |
Relationships |
|
Minor |
None |
| 20 |
Improper Input Validation |
|
Major |
Relationships |
|
Minor |
None |
| 21 |
Pathname Traversal and Equivalence Errors |
|
Major |
Relationships |
|
Minor |
None |
| 22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
Major |
Relationships |
|
Minor |
None |
| 59 |
Improper Link Resolution Before File Access ('Link Following') |
|
Major |
Relationships |
|
Minor |
None |
| 74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
|
Major |
Relationships |
|
Minor |
None |
| 77 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
| 78 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
Major |
Relationships |
|
Minor |
None |
| 79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
Major |
Relationships |
|
Minor |
None |
| 88 |
Argument Injection or Modification |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
| 89 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
Major |
Relationships |
|
Minor |
None |
| 90 |
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
|
Major |
Relationships |
|
Minor |
None |
| 91 |
XML Injection (aka Blind XPath Injection) |
|
Major |
Relationships |
|
Minor |
None |
| 93 |
Improper Neutralization of CRLF Sequences ('CRLF Injection') |
|
Major |
Relationships |
|
Minor |
None |
| 94 |
Improper Control of Generation of Code ('Code Injection') |
|
Major |
Relationships |
|
Minor |
None |
| 99 |
Improper Control of Resource Identifiers ('Resource Injection') |
|
Major |
Relationships |
|
Minor |
None |
| 113 |
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
|
Major |
Relationships |
|
Minor |
None |
| 116 |
Improper Encoding or Escaping of Output |
|
Major |
Relationships |
|
Minor |
None |
| 118 |
Improper Access of Indexable Resource ('Range Error') |
|
Major |
Relationships |
|
Minor |
None |
| 119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
Major |
Relationships |
|
Minor |
None |
| 123 |
Write-what-where Condition |
|
Major |
Relationships |
|
Minor |
None |
| 125 |
Out-of-bounds Read |
|
Major |
Relationships |
|
Minor |
None |
| 129 |
Improper Validation of Array Index |
|
Major |
Relationships |
|
Minor |
None |
| 134 |
Use of Externally-Controlled Format String |
|
Major |
Description, Modes_of_Introduction, Name, Relationships |
|
Minor |
None |
| 137 |
Representation Errors |
|
Major |
Relationships |
|
Minor |
None |
| 171 |
Cleansing, Canonicalization, and Comparison Errors |
|
Major |
Relationships |
|
Minor |
None |
| 172 |
Encoding Error |
|
Major |
Relationships |
|
Minor |
None |
| 184 |
Incomplete Blacklist |
|
Major |
Relationships |
|
Minor |
None |
| 185 |
Incorrect Regular Expression |
|
Major |
Relationships |
|
Minor |
None |
| 189 |
Numeric Errors |
|
Major |
Relationships |
|
Minor |
None |
| 190 |
Integer Overflow or Wraparound |
|
Major |
Relationships |
|
Minor |
None |
| 191 |
Integer Underflow (Wrap or Wraparound) |
|
Major |
Relationships |
|
Minor |
None |
| 200 |
Information Exposure |
|
Major |
Relationships |
|
Minor |
None |
| 220 |
Sensitive Data Under FTP Root |
|
Major |
Relationships |
|
Minor |
None |
| 254 |
Security Features |
|
Major |
Relationships |
|
Minor |
None |
| 255 |
Credentials Management |
|
Major |
Relationships |
|
Minor |
None |
| 259 |
Use of Hard-coded Password |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
| 261 |
Weak Cryptography for Passwords |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
| 264 |
Permissions, Privileges, and Access Controls |
|
Major |
Relationships |
|
Minor |
None |
| 284 |
Improper Access Control |
|
Major |
Relationships |
|
Minor |
None |
| 285 |
Improper Authorization |
|
Major |
Relationships |
|
Minor |
None |
| 287 |
Improper Authentication |
|
Major |
Relationships |
|
Minor |
None |
| 295 |
Improper Certificate Validation |
|
Major |
Relationships |
|
Minor |
None |
| 297 |
Improper Validation of Certificate with Host Mismatch |
|
Major |
Relationships |
|
Minor |
None |
| 306 |
Missing Authentication for Critical Function |
|
Major |
Relationships |
|
Minor |
None |
| 310 |
Cryptographic Issues |
|
Major |
Relationships |
|
Minor |
None |
| 311 |
Missing Encryption of Sensitive Data |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 320 |
Key Management Errors |
|
Major |
Relationships |
|
Minor |
None |
| 326 |
Inadequate Encryption Strength |
|
Major |
Relationships |
|
Minor |
None |
| 327 |
Use of a Broken or Risky Cryptographic Algorithm |
|
Major |
Relationships |
|
Minor |
None |
| 330 |
Use of Insufficiently Random Values |
|
Major |
Relationships |
|
Minor |
None |
| 331 |
Insufficient Entropy |
|
Major |
Relationships |
|
Minor |
None |
| 332 |
Insufficient Entropy in PRNG |
|
Major |
Relationships |
|
Minor |
None |
| 338 |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
|
Major |
Relationships |
|
Minor |
None |
| 345 |
Insufficient Verification of Data Authenticity |
|
Major |
Relationships |
|
Minor |
None |
| 347 |
Improper Verification of Cryptographic Signature |
|
Major |
Relationships |
|
Minor |
None |
| 352 |
Cross-Site Request Forgery (CSRF) |
|
Major |
Relationships |
|
Minor |
None |
| 358 |
Improperly Implemented Security Check for Standard |
|
Major |
Relationships |
|
Minor |
None |
| 361 |
Time and State |
|
Major |
Relationships |
|
Minor |
None |
| 362 |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
Major |
Relationships |
|
Minor |
None |
| 369 |
Divide By Zero |
|
Major |
Relationships |
|
Minor |
None |
| 371 |
State Issues |
|
Major |
Relationships |
|
Minor |
None |
| 384 |
Session Fixation |
|
Major |
Relationships |
|
Minor |
None |
| 388 |
Error Handling |
|
Major |
Relationships |
|
Minor |
None |
| 398 |
Indicator of Poor Code Quality |
|
Major |
Relationships |
|
Minor |
None |
| 399 |
Resource Management Errors |
|
Major |
Relationships |
|
Minor |
None |
| 400 |
Uncontrolled Resource Consumption ('Resource Exhaustion') |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
| 404 |
Improper Resource Shutdown or Release |
|
Major |
Relationships |
|
Minor |
None |
| 405 |
Asymmetric Resource Consumption (Amplification) |
|
Major |
Relationships |
|
Minor |
None |
| 407 |
Algorithmic Complexity |
|
Major |
Relationships |
|
Minor |
None |
| 415 |
Double Free |
|
Major |
Relationships |
|
Minor |
None |
| 416 |
Use After Free |
|
Major |
Relationships |
|
Minor |
None |
| 417 |
Channel and Path Errors |
|
Major |
Relationships |
|
Minor |
None |
| 426 |
Untrusted Search Path |
|
Major |
Relationships |
|
Minor |
None |
| 427 |
Uncontrolled Search Path Element |
|
Major |
Relationships |
|
Minor |
None |
| 428 |
Unquoted Search Path or Element |
|
Major |
Relationships |
|
Minor |
None |
| 434 |
Unrestricted Upload of File with Dangerous Type |
|
Major |
Relationships |
|
Minor |
None |
| 435 |
Interaction Error |
|
Major |
Relationships |
|
Minor |
None |
| 436 |
Interpretation Conflict |
|
Major |
Relationships |
|
Minor |
None |
| 441 |
Unintended Proxy or Intermediary ('Confused Deputy') |
|
Major |
Relationships |
|
Minor |
None |
| 444 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') |
|
Major |
Relationships |
|
Minor |
None |
| 472 |
External Control of Assumed-Immutable Web Parameter |
|
Major |
Relationships |
|
Minor |
None |
| 476 |
NULL Pointer Dereference |
|
Major |
Relationships |
|
Minor |
None |
| 485 |
Insufficient Encapsulation |
|
Major |
Relationships |
|
Minor |
None |
| 502 |
Deserialization of Untrusted Data |
|
Major |
Observed_Examples, References, Relationships |
|
Minor |
None |
| 532 |
Information Exposure Through Log Files |
|
Major |
Relationships |
|
Minor |
None |
| 534 |
Information Exposure Through Debug Log Files |
|
Major |
Relationships |
|
Minor |
None |
| 538 |
File and Directory Information Exposure |
|
Major |
Relationships |
|
Minor |
None |
| 552 |
Files or Directories Accessible to External Parties |
|
Major |
Relationships |
|
Minor |
None |
| 601 |
URL Redirection to Untrusted Site ('Open Redirect') |
|
Major |
Relationships |
|
Minor |
None |
| 610 |
Externally Controlled Reference to a Resource in Another Sphere |
|
Major |
Relationships |
|
Minor |
None |
| 611 |
Improper Restriction of XML External Entity Reference ('XXE') |
|
Major |
Relationships |
|
Minor |
None |
| 640 |
Weak Password Recovery Mechanism for Forgotten Password |
|
Major |
Relationships |
|
Minor |
None |
| 664 |
Improper Control of a Resource Through its Lifetime |
|
Major |
Relationships |
|
Minor |
None |
| 665 |
Improper Initialization |
|
Major |
Relationships |
|
Minor |
None |
| 668 |
Exposure of Resource to Wrong Sphere |
|
Major |
Relationships |
|
Minor |
None |
| 669 |
Incorrect Resource Transfer Between Spheres |
|
Major |
Relationships |
|
Minor |
None |
| 682 |
Incorrect Calculation |
|
Major |
Relationships |
|
Minor |
None |
| 693 |
Protection Mechanism Failure |
|
Major |
Relationships |
|
Minor |
None |
| 694 |
Use of Multiple Resources with Duplicate Identifier |
|
Major |
Relationships |
|
Minor |
None |
| 704 |
Incorrect Type Conversion or Cast |
|
Major |
Relationships |
|
Minor |
None |
| 707 |
Improper Enforcement of Message or Data Structure |
|
Major |
Applicable_Platforms, Relationships |
|
Minor |
None |
| 749 |
Exposed Dangerous Method or Function |
|
Major |
Relationships |
|
Minor |
None |
| 754 |
Improper Check for Unusual or Exceptional Conditions |
|
Major |
Relationships |
|
Minor |
None |
| 769 |
File Descriptor Exhaustion |
|
Major |
Relationships |
|
Minor |
None |
| 770 |
Allocation of Resources Without Limits or Throttling |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
| 774 |
Allocation of File Descriptors or Handles Without Limits or Throttling |
|
Major |
Relationships |
|
Minor |
None |
| 775 |
Missing Release of File Descriptor or Handle after Effective Lifetime |
|
Major |
Relationships |
|
Minor |
None |
| 787 |
Out-of-bounds Write |
|
Major |
Relationships |
|
Minor |
None |
| 788 |
Access of Memory Location After End of Buffer |
|
Major |
Description |
|
Minor |
None |
| 798 |
Use of Hard-coded Credentials |
|
Major |
Relationships |
|
Minor |
None |
| 824 |
Access of Uninitialized Pointer |
|
Major |
Relationships |
|
Minor |
None |
| 913 |
Improper Control of Dynamically-Managed Code Resources |
|
Major |
Relationships |
|
Minor |
None |
| 918 |
Server-Side Request Forgery (SSRF) |
|
Major |
Relationships |
|
Minor |
None |
| 943 |
Improper Neutralization of Special Elements in Data Query Logic |
|
Major |
Relationships |
|
Minor |
None |
