Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

The "Version 3.4 Total" lists the total number of relationships in Version 3.4. The "Shared" value is the total number of relationships in entries that were in both Version 3.4 and Version 3.3. The "New" value is the total number of relationships involving entries that did not exist in Version 3.3. Thus, the total number of relationships in Version 3.4 combines the stats from Shared entries and New entries.

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description (D), name (N), and relationships (R).
| D | N | R | ID | Name |
| --- | --- | --- | --- | --- |
| | | R | 20 | Improper Input Validation |
| | | R | 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| | | R | 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| | | R | 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| | | R | 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| D | N | R | 88 | Improper Delimitation of Arguments in a Command ('Argument Injection') |
| | | R | 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| | | R | 94 | Improper Control of Generation of Code ('Code Injection') |
| | | R | 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| | | R | 123 | Write-what-where Condition |
| | | R | 125 | Out-of-bounds Read |
| | | R | 134 | Use of Externally-Controlled Format String |
| | | R | 190 | Integer Overflow or Wraparound |
| | | R | 200 | Information Exposure |
| | | R | 269 | Improper Privilege Management |
| | | R | 287 | Improper Authentication |
| | | R | 295 | Improper Certificate Validation |
| | | R | 352 | Cross-Site Request Forgery (CSRF) |
| D | | R | 400 | Uncontrolled Resource Consumption |
| | | R | 416 | Use After Free |
| | | R | 426 | Untrusted Search Path |
| | | R | 434 | Unrestricted Upload of File with Dangerous Type |
| | | R | 476 | NULL Pointer Dereference |
| | | R | 502 | Deserialization of Untrusted Data |
| | | R | 611 | Improper Restriction of XML External Entity Reference |
| | | R | 667 | Improper Locking |
| | | R | 697 | Incorrect Comparison |
| | | R | 732 | Incorrect Permission Assignment for Critical Resource |
| D | | R | 772 | Missing Release of Resource after Effective Lifetime |
| | | R | 787 | Out-of-bounds Write |
| | | R | 798 | Use of Hard-coded Credentials |
| D | | R | 1003 | Weaknesses for Simplified Mapping of Published Vulnerabilities |
| ID | Name | Major | Minor |
| --- | --- | --- | --- |
| 20 | Improper Input Validation | Relationships | None |
| 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Relationships | None |
| 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | Relationships | None |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Relationships | None |
| 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Relationships | None |
| 88 | Improper Delimitation of Arguments in a Command ('Argument Injection') | Description, Name, References, Relationships | None |
| 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Relationships | None |
| 94 | Improper Control of Generation of Code ('Code Injection') | Relationships | None |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | References, Relationships | None |
| 121 | Stack-based Buffer Overflow | References | None |
| 123 | Write-what-where Condition | Relationships | None |
| 125 | Out-of-bounds Read | Common_Consequences, Observed_Examples, Potential_Mitigations, References, Relationships | None |
| 126 | Buffer Over-read | Common_Consequences, References | None |
| 127 | Buffer Under-read | Common_Consequences, References | None |
| 129 | Improper Validation of Array Index | Potential_Mitigations | None |
| 134 | Use of Externally-Controlled Format String | Relationships | None |
| 190 | Integer Overflow or Wraparound | Relationships | None |
| 192 | Integer Coercion Error | Type | None |
| 194 | Unexpected Sign Extension | Type | None |
| 200 | Information Exposure | Demonstrative_Examples, Observed_Examples, Relationships | None |
| 209 | Information Exposure Through an Error Message | Demonstrative_Examples, Observed_Examples | None |
| 250 | Execution with Unnecessary Privileges | Demonstrative_Examples | None |
| 267 | Privilege Defined With Unsafe Actions | Demonstrative_Examples | None |
| 268 | Privilege Chaining | Demonstrative_Examples | None |
| 269 | Improper Privilege Management | Demonstrative_Examples, Maintenance_Notes, Observed_Examples, Relationships | None |
| 282 | Improper Ownership Management | Maintenance_Notes | None |
| 287 | Improper Authentication | Relationships | None |
| 295 | Improper Certificate Validation | Demonstrative_Examples, Relationships | None |
| 296 | Improper Following of a Certificate's Chain of Trust | Demonstrative_Examples | None |
| 297 | Improper Validation of Certificate with Host Mismatch | Demonstrative_Examples | None |
| 298 | Improper Validation of Certificate Expiration | Demonstrative_Examples | None |
| 299 | Improper Check for Certificate Revocation | Demonstrative_Examples | None |
| 352 | Cross-Site Request Forgery (CSRF) | Relationships | None |
| 400 | Uncontrolled Resource Consumption | Description, Relationships | None |
| 416 | Use After Free | Relationships | None |
| 426 | Untrusted Search Path | Relationships | None |
| 434 | Unrestricted Upload of File with Dangerous Type | Relationships | None |
| 476 | NULL Pointer Dereference | References, Relationships | None |
| 502 | Deserialization of Untrusted Data | Relationships | None |
| 532 | Inclusion of Sensitive Information in Log Files | Demonstrative_Examples, Observed_Examples | None |
| 599 | Missing Validation of OpenSSL Certificate | Demonstrative_Examples | None |
| 611 | Improper Restriction of XML External Entity Reference | Relationships | None |
| 617 | Reachable Assertion | Alternate_Terms | None |
| 667 | Improper Locking | Relationships | None |
| 697 | Incorrect Comparison | Relationships | None |
| 732 | Incorrect Permission Assignment for Critical Resource | Maintenance_Notes, Relationships | None |
| 772 | Missing Release of Resource after Effective Lifetime | Description, Relationships | None |
| 787 | Out-of-bounds Write | Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations, References, Relationships, Time_of_Introduction | None |
| 798 | Use of Hard-coded Credentials | Relationships | None |
| 1003 | Weaknesses for Simplified Mapping of Published Vulnerabilities | Description, Maintenance_Notes, Relationships | None |