Common Weakness Enumeration

Differences between Version 4.12 and Version 4.13

Summary
Total weaknesses/chains/composites (Version 4.13) 934
Total weaknesses/chains/composites (Version 4.12) 933
Total new 1
Total deprecated 0
Total with major changes 188
Total with only minor changes 1
Total unchanged 1231

Summary of Entry Types

Type Version 4.12 Version 4.13
Weakness 933 934
Category 374 374
View 49 49
Deprecated 64 64
Total 1420 1421

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 1 0
Description 2 0
Relationships 9 0
Common_Consequences 3 0
Applicable_Platforms 0 0
Modes_of_Introduction 0 0
Detection_Factors 0 0
Potential_Mitigations 0 0
Demonstrative_Examples 56 0
Observed_Examples 148 0
Related_Attack_Patterns 0 0
Weakness_Ordinalities 0 0
Time_of_Introduction 0 0
Likelihood_of_Exploit 0 0
References 12 1
Mapping_Notes 1 0
Terminology_Notes 0 0
Alternate_Terms 0 0
Relationship_Notes 0 0
Taxonomy_Mappings 0 0
Maintenance_Notes 0 0
Research_Gaps 0 0
Background_Details 0 0
Theoretical_Notes 0 0
Other_Notes 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Type 2 0
Source_Taxonomy 0 0

Form and Abstraction Changes

From | To | Total | CWE IDs
Unchanged | | 1418 |
Weakness/Base | Weakness/Class | 1 | 909
Weakness/Base | Weakness/Variant | 1 | 605

Status Changes

From | To | Total
Unchanged | | 1420

Relationship Changes

The "Version 4.13 Total" lists the total number of relationships in Version 4.13. The "Shared" value is the total number of relationships in entries that were in both Version 4.13 and Version 4.12. The "New" value is the total number of relationships involving entries that did not exist in Version 4.12. Thus, the total number of relationships in Version 4.13 would combine stats from Shared entries and New entries.

Relationship | Version 4.13 Total | Version 4.12 Total | Version 4.13 Shared | Unchanged | Added to Version 4.13 | Removed from Version 4.12 | Version 4.13 New
ALL | 12424 | 12418 | 12410 | 12408 | 2 | 10 | 14
ChildOf | 5271 | 5268 | 5264 | 5263 | 1 | 5 | 7
ParentOf | 5271 | 5268 | 5264 | 5263 | 1 | 5 | 7
MemberOf | 690 | 690 | 690 | 690 | | |
HasMember | 690 | 690 | 690 | 690 | | |
CanPrecede | 137 | 137 | 137 | 137 | | |
CanFollow | 137 | 137 | 137 | 137 | | |
StartsWith | 3 | 3 | 3 | 3 | | |
Requires | 13 | 13 | 13 | 13 | | |
RequiredBy | 13 | 13 | 13 | 13 | | |
CanAlsoBe | 27 | 27 | 27 | 27 | | |
PeerOf | 172 | 172 | 172 | 172 | | |

Nodes Removed from Version 4.12

CWE-ID CWE Name
None.

Nodes Added to Version 4.13

CWE-ID CWE Name
1419 Incorrect Initialization of Resource

Nodes Deprecated in Version 4.13

CWE-ID CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key: D = Description, N = Name, R = Relationships

R 454 External Initialization of Trusted Variables or Data Stores
R 665 Improper Initialization
R 691 Insufficient Control Flow Management
R 1051 Initialization with Hard-Coded Network Resource Configuration Data
R 1052 Excessive Use of Hard-Coded Literals in Initialization
NR 1188 Initialization of a Resource with an Insecure Default
D R 1221 Incorrect Register Defaults or Module Parameters
D 1241 Use of Predictable Algorithm in Random Number Generator
R 1279 Cryptographic Operations are run Before Supporting Units are Ready
R 1416 Comprehensive Categorization: Resource Lifecycle Management

Detailed Difference Report

20 Improper Input Validation
Major Observed_Examples
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Observed_Examples
Minor None
23 Relative Path Traversal
Major Observed_Examples
Minor None
24 Path Traversal: '../filedir'
Major Observed_Examples
Minor None
25 Path Traversal: '/../filedir'
Major Observed_Examples
Minor None
41 Improper Resolution of Path Equivalence
Major Observed_Examples
Minor None
43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
Major Observed_Examples
Minor None
46 Path Equivalence: 'filename ' (Trailing Space)
Major Observed_Examples
Minor None
49 Path Equivalence: 'filename/' (Trailing Slash)
Major Observed_Examples
Minor None
54 Path Equivalence: 'filedir\' (Trailing Backslash)
Major Observed_Examples
Minor None
62 UNIX Hard Link
Major Observed_Examples
Minor None
66 Improper Handling of File Names that Identify Virtual Resources
Major Observed_Examples
Minor None
73 External Control of File Name or Path
Major Observed_Examples
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Observed_Examples
Minor None
122 Heap-based Buffer Overflow
Major Observed_Examples
Minor None
123 Write-what-where Condition
Major Observed_Examples
Minor None
125 Out-of-bounds Read
Major Observed_Examples
Minor None
126 Buffer Over-read
Major Observed_Examples
Minor None
127 Buffer Under-read
Major Observed_Examples
Minor None
140 Improper Neutralization of Delimiters
Major Observed_Examples
Minor None
159 Improper Handling of Invalid Use of Special Elements
Major Observed_Examples
Minor None
160 Improper Neutralization of Leading Special Elements
Major Observed_Examples
Minor None
161 Improper Neutralization of Multiple Leading Special Elements
Major Observed_Examples
Minor None
162 Improper Neutralization of Trailing Special Elements
Major Observed_Examples
Minor None
163 Improper Neutralization of Multiple Trailing Special Elements
Major Observed_Examples
Minor None
167 Improper Handling of Additional Special Element
Major Observed_Examples
Minor None
172 Encoding Error
Major Observed_Examples
Minor None
190 Integer Overflow or Wraparound
Major Observed_Examples
Minor None
192 Integer Coercion Error
Major Observed_Examples
Minor None
200 Exposure of Sensitive Information to an Unauthorized Actor
Major Observed_Examples
Minor None
202 Exposure of Sensitive Information Through Data Queries
Major Observed_Examples
Minor None
203 Observable Discrepancy
Major Observed_Examples
Minor None
208 Observable Timing Discrepancy
Major Demonstrative_Examples, Observed_Examples
Minor None
221 Information Loss or Omission
Major Demonstrative_Examples, Observed_Examples
Minor None
222 Truncation of Security-relevant Information
Major Observed_Examples
Minor None
223 Omission of Security-relevant Information
Major Demonstrative_Examples, Observed_Examples
Minor None
224 Obscured Security-relevant Information by Alternate Name
Major Demonstrative_Examples
Minor None
250 Execution with Unnecessary Privileges
Major Observed_Examples
Minor None
252 Unchecked Return Value
Major Observed_Examples
Minor None
257 Storing Passwords in a Recoverable Format
Major Observed_Examples
Minor None
258 Empty Password in Configuration File
Major Observed_Examples
Minor None
260 Password in Configuration File
Major Observed_Examples
Minor None
282 Improper Ownership Management
Major Demonstrative_Examples
Minor None
284 Improper Access Control
Major Observed_Examples
Minor None
286 Incorrect User Management
Major Observed_Examples
Minor None
287 Improper Authentication
Major Observed_Examples
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Demonstrative_Examples
Minor None
290 Authentication Bypass by Spoofing
Major Observed_Examples
Minor None
291 Reliance on IP Address for Authentication
Major Observed_Examples, References
Minor None
304 Missing Critical Step in Authentication
Major Observed_Examples
Minor None
306 Missing Authentication for Critical Function
Major Observed_Examples
Minor None
308 Use of Single-factor Authentication
Major Observed_Examples
Minor None
324 Use of a Key Past its Expiration Date
Major Observed_Examples
Minor None
325 Missing Cryptographic Step
Major Demonstrative_Examples, References
Minor None
330 Use of Insufficiently Random Values
Major Observed_Examples
Minor None
335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Major Demonstrative_Examples
Minor None
336 Same Seed in Pseudo-Random Number Generator (PRNG)
Major Demonstrative_Examples, Observed_Examples
Minor None
338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Major Observed_Examples
Minor None
339 Small Seed Space in PRNG
Major Demonstrative_Examples
Minor None
340 Generation of Predictable Numbers or Identifiers
Major Observed_Examples
Minor None
356 Product UI does not Warn User of Unsafe Actions
Major Observed_Examples
Minor None
360 Trust of System Event Data
Major Observed_Examples
Minor None
366 Race Condition within a Thread
Major Observed_Examples
Minor None
377 Insecure Temporary File
Major Observed_Examples
Minor None
378 Creation of Temporary File With Insecure Permissions
Major Observed_Examples
Minor None
379 Creation of Temporary File in Directory with Insecure Permissions
Major Observed_Examples
Minor None
384 Session Fixation
Major Observed_Examples
Minor None
390 Detection of Error Condition Without Action
Major Observed_Examples
Minor None
392 Missing Report of Error Condition
Major Demonstrative_Examples
Minor None
393 Return of Wrong Status Code
Major Demonstrative_Examples, Observed_Examples
Minor None
402 Transmission of Private Resources into a New Sphere ('Resource Leak')
Major Observed_Examples
Minor None
404 Improper Resource Shutdown or Release
Major Observed_Examples
Minor None
413 Improper Resource Locking
Major Observed_Examples
Minor None
416 Use After Free
Major Observed_Examples
Minor None
420 Unprotected Alternate Channel
Major Observed_Examples
Minor None
426 Untrusted Search Path
Major None
Minor References
427 Uncontrolled Search Path Element
Major Observed_Examples
Minor None
431 Missing Handler
Major Observed_Examples
Minor None
435 Improper Interaction Between Multiple Correctly-Behaving Entities
Major Observed_Examples
Minor None
440 Expected Behavior Violation
Major Observed_Examples
Minor None
453 Insecure Default Variable Initialization
Major Demonstrative_Examples, Observed_Examples
Minor None
454 External Initialization of Trusted Variables or Data Stores
Major Observed_Examples, Relationships
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major Observed_Examples
Minor None
476 NULL Pointer Dereference
Major Observed_Examples
Minor None
479 Signal Handler Use of a Non-reentrant Function
Major Demonstrative_Examples
Minor None
480 Use of Incorrect Operator
Major Observed_Examples
Minor None
483 Incorrect Block Delimitation
Major Demonstrative_Examples
Minor None
484 Omitted Break Statement in Switch
Major Demonstrative_Examples
Minor None
497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
Major Observed_Examples
Minor None
506 Embedded Malicious Code
Major Observed_Examples
Minor None
522 Insufficiently Protected Credentials
Major Observed_Examples
Minor None
532 Insertion of Sensitive Information into Log File
Major Demonstrative_Examples, Observed_Examples
Minor None
538 Insertion of Sensitive Information into Externally-Accessible File or Directory
Major Demonstrative_Examples, Observed_Examples
Minor None
540 Inclusion of Sensitive Information in Source Code
Major Demonstrative_Examples, Observed_Examples
Minor None
552 Files or Directories Accessible to External Parties
Major Observed_Examples
Minor None
558 Use of getlogin() in Multithreaded Application
Major Demonstrative_Examples
Minor None
565 Reliance on Cookies without Validation and Integrity Checking
Major Observed_Examples
Minor None
588 Attempt to Access Child of a Non-structure Pointer
Major Observed_Examples
Minor None
598 Use of GET Request Method With Sensitive Query Strings
Major Observed_Examples
Minor None
605 Multiple Binds to the Same Port
Major Demonstrative_Examples, Type
Minor None
610 Externally Controlled Reference to a Resource in Another Sphere
Major Observed_Examples
Minor None
611 Improper Restriction of XML External Entity Reference
Major Observed_Examples
Minor None
612 Improper Authorization of Index Containing Sensitive Information
Major Observed_Examples
Minor None
617 Reachable Assertion
Major Demonstrative_Examples
Minor None
621 Variable Extraction Error
Major Observed_Examples
Minor None
636 Not Failing Securely ('Failing Open')
Major Demonstrative_Examples
Minor None
637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
Major Demonstrative_Examples
Minor None
638 Not Using Complete Mediation
Major Demonstrative_Examples
Minor None
639 Authorization Bypass Through User-Controlled Key
Major Observed_Examples
Minor None
653 Improper Isolation or Compartmentalization
Major Demonstrative_Examples, Observed_Examples
Minor None
654 Reliance on a Single Factor in a Security Decision
Major Observed_Examples
Minor None
656 Reliance on Security Through Obscurity
Major Demonstrative_Examples
Minor None
657 Violation of Secure Design Principles
Major Demonstrative_Examples, Observed_Examples, References
Minor None
662 Improper Synchronization
Major Demonstrative_Examples, Observed_Examples
Minor None
663 Use of a Non-reentrant Function in a Concurrent Context
Major Demonstrative_Examples
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Observed_Examples
Minor None
665 Improper Initialization
Major Relationships
Minor None
666 Operation on Resource in Wrong Phase of Lifetime
Major Demonstrative_Examples, Observed_Examples
Minor None
670 Always-Incorrect Control Flow Implementation
Major Demonstrative_Examples
Minor None
671 Lack of Administrator Control over Security
Major Observed_Examples
Minor None
672 Operation on a Resource after Expiration or Release
Major Observed_Examples
Minor None
673 External Influence of Sphere Definition
Major Observed_Examples
Minor None
675 Multiple Operations on Resource in Single-Operation Context
Major Demonstrative_Examples, Observed_Examples
Minor None
681 Incorrect Conversion between Numeric Types
Major Observed_Examples
Minor None
684 Incorrect Provision of Specified Functionality
Major Demonstrative_Examples, Observed_Examples
Minor None
691 Insufficient Control Flow Management
Major Observed_Examples, Relationships
Minor None
696 Incorrect Behavior Order
Major Demonstrative_Examples, Observed_Examples
Minor None
698 Execution After Redirect (EAR)
Major Demonstrative_Examples
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Observed_Examples
Minor None
704 Incorrect Type Conversion or Cast
Major Demonstrative_Examples, Observed_Examples
Minor None
763 Release of Invalid Pointer or Reference
Major Observed_Examples
Minor None
766 Critical Data Element Declared Public
Major Observed_Examples
Minor None
768 Incorrect Short Circuit Evaluation
Major Common_Consequences
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Observed_Examples
Minor None
782 Exposed IOCTL with Insufficient Access Control
Major Common_Consequences
Minor None
804 Guessable CAPTCHA
Major Observed_Examples
Minor None
820 Missing Synchronization
Major Demonstrative_Examples
Minor None
826 Premature Release of Resource During Expected Lifetime
Major Observed_Examples
Minor None
834 Excessive Iteration
Major Observed_Examples
Minor None
835 Loop with Unreachable Exit Condition ('Infinite Loop')
Major Observed_Examples
Minor None
837 Improper Enforcement of a Single, Unique Action
Major Common_Consequences
Minor None
839 Numeric Range Comparison Without Minimum Check
Major Observed_Examples
Minor None
843 Access of Resource Using Incompatible Type ('Type Confusion')
Major Demonstrative_Examples
Minor None
909 Missing Initialization of Resource
Major Mapping_Notes, Type
Minor None
912 Hidden Functionality
Major Observed_Examples
Minor None
913 Improper Control of Dynamically-Managed Code Resources
Major Observed_Examples
Minor None
914 Improper Control of Dynamically-Identified Variables
Major Observed_Examples
Minor None
922 Insecure Storage of Sensitive Information
Major Observed_Examples
Minor None
923 Improper Restriction of Communication Channel to Intended Endpoints
Major Observed_Examples
Minor None
927 Use of Implicit Intent for Sensitive Communication
Major Observed_Examples
Minor None
1004 Sensitive Cookie Without 'HttpOnly' Flag
Major Observed_Examples
Minor None
1022 Use of Web Link to Untrusted Target with window.opener Access
Major Observed_Examples
Minor None
1023 Incomplete Comparison with Missing Factors
Major Observed_Examples
Minor None
1038 Insecure Automated Optimizations
Major Observed_Examples
Minor None
1051 Initialization with Hard-Coded Network Resource Configuration Data
Major Relationships
Minor None
1052 Excessive Use of Hard-Coded Literals in Initialization
Major Relationships
Minor None
1059 Insufficient Technical Documentation
Major Observed_Examples
Minor None
1061 Insufficient Encapsulation
Major Observed_Examples
Minor None
1164 Irrelevant Code
Major Observed_Examples
Minor None
1176 Inefficient CPU Computation
Major Observed_Examples
Minor None
1188 Initialization of a Resource with an Insecure Default
Major Demonstrative_Examples, Name, Observed_Examples, Relationships
Minor None
1191 On-Chip Debug and Test Interface With Improper Access Control
Major Demonstrative_Examples, References
Minor None
1220 Insufficient Granularity of Access Control
Major Demonstrative_Examples, Observed_Examples, References
Minor None
1221 Incorrect Register Defaults or Module Parameters
Major Demonstrative_Examples, Description, References, Relationships
Minor None
1231 Improper Prevention of Lock Bit Modification
Major Demonstrative_Examples, References
Minor None
1241 Use of Predictable Algorithm in Random Number Generator
Major Demonstrative_Examples, Description, Observed_Examples, References
Minor None
1243 Sensitive Non-Volatile Information Not Protected During Debug
Major Demonstrative_Examples, References
Minor None
1247 Improper Protection Against Voltage and Clock Glitches
Major Observed_Examples
Minor None
1254 Incorrect Comparison Logic Granularity
Major Demonstrative_Examples, Observed_Examples
Minor None
1258 Exposure of Sensitive System Information Due to Uncleared Debug Information
Major Observed_Examples
Minor None
1262 Improper Access Control for Register Interface
Major Demonstrative_Examples
Minor None
1275 Sensitive Cookie with Improper SameSite Attribute
Major Demonstrative_Examples, Observed_Examples
Minor None
1276 Hardware Child Block Incorrectly Connected to Parent System
Major Demonstrative_Examples, References
Minor None
1279 Cryptographic Operations are run Before Supporting Units are Ready
Major Relationships
Minor None
1280 Access Control Check Implemented After Asset is Accessed
Major Demonstrative_Examples
Minor None
1281 Sequence of Processor Instructions Leads to Unexpected Behavior
Major Demonstrative_Examples, Observed_Examples
Minor None
1295 Debug Messages Revealing Unnecessary Information
Major Observed_Examples
Minor None
1299 Missing Protection Mechanism for Alternate Hardware Interface
Major Demonstrative_Examples, Observed_Examples
Minor None
1300 Improper Protection of Physical Side Channels
Major Demonstrative_Examples, Observed_Examples, References
Minor None
1301 Insufficient or Incomplete Data Removal within Hardware Component
Major Observed_Examples
Minor None
1313 Hardware Allows Activation of Test or Debug Logic at Runtime
Major Observed_Examples
Minor None
1319 Improper Protection against Electromagnetic Fault Injection (EM-FI)
Major Observed_Examples
Minor None
1326 Missing Immutable Root of Trust in Hardware
Major Demonstrative_Examples, References
Minor None
1327 Binding to an Unrestricted IP Address
Major Observed_Examples
Minor None
1331 Improper Isolation of Shared Resources in Network On Chip (NoC)
Major Observed_Examples
Minor None
1384 Improper Handling of Physical or Environmental Conditions
Major Observed_Examples
Minor None
1390 Weak Authentication
Major Observed_Examples
Minor None
1395 Dependency on Vulnerable Third-Party Component
Major Demonstrative_Examples
Minor None
1416 Comprehensive Categorization: Resource Lifecycle Management
Major Relationships
Minor None

Page Last Updated: October 26, 2023