CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Differences between Version 3.3 and Version 3.4  
ID

Differences between Version 3.3 and Version 3.4

Summary
Summary
Total weaknesses/chains/composites (Version 3.4) 808
Total weaknesses/chains/composites (Version 3.3) 808
Total new 1
Total deprecated 0
Total with major changes 50
Total with only minor changes 0
Total unchanged 1138

Summary of Entry Types

Type Version 3.3 Version 3.4
Weakness 808 808
Category 295 295
View 37 38
Deprecated 48 48
Total 1188 1189

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 1 0
Description 4 0
Applicable_Platforms 1 0
Time_of_Introduction 1 0
Demonstrative_Examples 14 0
Detection_Factors 1 0
Likelihood_of_Exploit 1 0
Common_Consequences 3 0
Relationships 32 0
References 8 0
Potential_Mitigations 3 0
Observed_Examples 6 0
Terminology_Notes 0 0
Alternate_Terms 1 0
Related_Attack_Patterns 0 0
Relationship_Notes 0 0
Taxonomy_Mappings 0 0
Maintenance_Notes 4 0
Modes_of_Introduction 0 0
Research_Gaps 0 0
Background_Details 0 0
Theoretical_Notes 0 0
Weakness_Ordinalities 0 0
Other_Notes 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Type 2 0
Source_Taxonomy 0 0

Form and Abstraction Changes

From To Total CWE IDs
Unchanged 1186
Weakness/Base Weakness/Variant 1 194
Weakness/Class Weakness/Variant 1 192

Status Changes

From To Total
Unchanged 1163
Draft Obsolete 1
Draft Stable 7
Incomplete Draft 7
Incomplete Obsolete 5
Incomplete Stable 1
Usable Stable 4

Relationship Changes

The "Version 3.4 Total" lists the total number of relationships in Version 3.4. The "Shared" value is the total number of relationships in entries that were in both Version 3.4 and Version 3.3. The "New" value is the total number of relationships involving entries that did not exist in Version 3.3. Thus, the total number of relationships in Version 3.4 would combine stats from Shared entries and New entries.

Relationship Version 3.4 Total Version 3.3 Total Version 3.4 Shared Unchanged Added to Version 3.4 Removed from Version 3.3 Version 3.4 New
ALL 9363 9307 9313 9301 12 6 50
ChildOf 3990 3989 3990 3987 3 2
ParentOf 3990 3989 3990 3987 3 2
MemberOf 467 440 442 440 2 25
HasMember 467 440 442 440 2 25
CanPrecede 129 128 129 128 1
CanFollow 129 128 129 128 1
StartsWith 3 3 3 3
Requires 14 14 14 14
RequiredBy 14 14 14 14
CanAlsoBe 30 30 30 30
PeerOf 130 132 130 130 2

Nodes Removed from Version 3.3

CWE-ID CWE Name
None.

Nodes Added to Version 3.4

CWE-ID CWE Name
1200 Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors

Nodes Deprecated in Version 3.4

CWE-ID CWE Name
None.
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 20 Improper Input Validation
R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
R 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
R 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
DNR 88 Improper Delimitation of Arguments in a Command ('Argument Injection')
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 94 Improper Control of Generation of Code ('Code Injection')
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 123 Write-what-where Condition
R 125 Out-of-bounds Read
R 134 Use of Externally-Controlled Format String
R 190 Integer Overflow or Wraparound
R 200 Information Exposure
R 269 Improper Privilege Management
R 287 Improper Authentication
R 295 Improper Certificate Validation
R 352 Cross-Site Request Forgery (CSRF)
D R 400 Uncontrolled Resource Consumption
R 416 Use After Free
R 426 Untrusted Search Path
R 434 Unrestricted Upload of File with Dangerous Type
R 476 NULL Pointer Dereference
R 502 Deserialization of Untrusted Data
R 611 Improper Restriction of XML External Entity Reference
R 667 Improper Locking
R 697 Incorrect Comparison
R 732 Incorrect Permission Assignment for Critical Resource
D R 772 Missing Release of Resource after Effective Lifetime
R 787 Out-of-bounds Write
R 798 Use of Hard-coded Credentials
D R 1003 Weaknesses for Simplified Mapping of Published Vulnerabilities
Detailed Difference Report
Detailed Difference Report
20 Improper Input Validation
Major Relationships
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Relationships
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Relationships
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Relationships
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Relationships
Minor None
88 Improper Delimitation of Arguments in a Command ('Argument Injection')
Major Description, Name, References, Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Relationships
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Relationships
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major References, Relationships
Minor None
121 Stack-based Buffer Overflow
Major References
Minor None
123 Write-what-where Condition
Major Relationships
Minor None
125 Out-of-bounds Read
Major Common_Consequences, Observed_Examples, Potential_Mitigations, References, Relationships
Minor None
126 Buffer Over-read
Major Common_Consequences, References
Minor None
127 Buffer Under-read
Major Common_Consequences, References
Minor None
129 Improper Validation of Array Index
Major Potential_Mitigations
Minor None
134 Use of Externally-Controlled Format String
Major Relationships
Minor None
190 Integer Overflow or Wraparound
Major Relationships
Minor None
192 Integer Coercion Error
Major Type
Minor None
194 Unexpected Sign Extension
Major Type
Minor None
200 Information Exposure
Major Demonstrative_Examples, Observed_Examples, Relationships
Minor None
209 Information Exposure Through an Error Message
Major Demonstrative_Examples, Observed_Examples
Minor None
250 Execution with Unnecessary Privileges
Major Demonstrative_Examples
Minor None
267 Privilege Defined With Unsafe Actions
Major Demonstrative_Examples
Minor None
268 Privilege Chaining
Major Demonstrative_Examples
Minor None
269 Improper Privilege Management
Major Demonstrative_Examples, Maintenance_Notes, Observed_Examples, Relationships
Minor None
282 Improper Ownership Management
Major Maintenance_Notes
Minor None
287 Improper Authentication
Major Relationships
Minor None
295 Improper Certificate Validation
Major Demonstrative_Examples, Relationships
Minor None
296 Improper Following of a Certificate's Chain of Trust
Major Demonstrative_Examples
Minor None
297 Improper Validation of Certificate with Host Mismatch
Major Demonstrative_Examples
Minor None
298 Improper Validation of Certificate Expiration
Major Demonstrative_Examples
Minor None
299 Improper Check for Certificate Revocation
Major Demonstrative_Examples
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Relationships
Minor None
400 Uncontrolled Resource Consumption
Major Description, Relationships
Minor None
416 Use After Free
Major Relationships
Minor None
426 Untrusted Search Path
Major Relationships
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Relationships
Minor None
476 NULL Pointer Dereference
Major References, Relationships
Minor None
502 Deserialization of Untrusted Data
Major Relationships
Minor None
532 Inclusion of Sensitive Information in Log Files
Major Demonstrative_Examples, Observed_Examples
Minor None
599 Missing Validation of OpenSSL Certificate
Major Demonstrative_Examples
Minor None
611 Improper Restriction of XML External Entity Reference
Major Relationships
Minor None
617 Reachable Assertion
Major Alternate_Terms
Minor None
667 Improper Locking
Major Relationships
Minor None
697 Incorrect Comparison
Major Relationships
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Maintenance_Notes, Relationships
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Description, Relationships
Minor None
787 Out-of-bounds Write
Major Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations, References, Relationships, Time_of_Introduction
Minor None
798 Use of Hard-coded Credentials
Major Relationships
Minor None
1003 Weaknesses for Simplified Mapping of Published Vulnerabilities
Major Description, Maintenance_Notes, Relationships
Minor None
Page Last Updated: September 19, 2019