CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Differences between Version 4.7 and Version 4.8  
ID

Differences between Version 4.7 and Version 4.8

Summary
Summary
Total weaknesses/chains/composites (Version 4.8) 927
Total weaknesses/chains/composites (Version 4.7) 926
Total new 3
Total deprecated 0
Total with major changes 82
Total with only minor changes 2
Total unchanged 1302

Summary of Entry Types

Type Version 4.7 Version 4.8
Weakness 926 927
Category 351 352
View 47 48
Deprecated 62 62
Total 1386 1389

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 3 0
Description 4 2
Relationships 44 0
Applicable_Platforms 27 0
Modes_of_Introduction 1 1
Detection_Factors 0 0
Potential_Mitigations 3 1
Demonstrative_Examples 2 2
Observed_Examples 32 0
Related_Attack_Patterns 0 0
Weakness_Ordinalities 0 0
Time_of_Introduction 0 0
Likelihood_of_Exploit 0 0
References 3 1
Common_Consequences 2 1
Terminology_Notes 0 0
Alternate_Terms 2 0
Relationship_Notes 0 0
Taxonomy_Mappings 1 0
Maintenance_Notes 2 0
Research_Gaps 0 0
Background_Details 0 0
Theoretical_Notes 1 0
Other_Notes 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Type 1 0
Source_Taxonomy 0 0

Form and Abstraction Changes

From To Total CWE IDs
Unchanged 1385
Weakness/Base Weakness/Class 1 1384

Status Changes

From To Total
Unchanged 1386

Relationship Changes

The "Version 4.8 Total" lists the total number of relationships in Version 4.8. The "Shared" value is the total number of relationships in entries that were in both Version 4.8 and Version 4.7. The "New" value is the total number of relationships involving entries that did not exist in Version 4.7. Thus, the total number of relationships in Version 4.8 would combine stats from Shared entries and New entries.

Relationship Version 4.8 Total Version 4.7 Total Version 4.8 Shared Unchanged Added to Version 4.8 Removed from Version 4.7 Version 4.8 New
ALL 10310 10232 10236 10230 6 2 74
ChildOf 4262 4250 4251 4249 2 1 11
ParentOf 4262 4250 4251 4249 2 1 11
MemberOf 642 616 616 616 26
HasMember 642 616 616 616 26
CanPrecede 135 135 135 135
CanFollow 135 135 135 135
StartsWith 3 3 3 3
Requires 13 13 13 13
RequiredBy 13 13 13 13
CanAlsoBe 27 27 27 27
PeerOf 176 174 176 174 2

Nodes Removed from Version 4.7

CWE-ID CWE Name
None.

Nodes Added to Version 4.8

CWE-ID CWE Name
1386 Insecure Operation on Windows Junction / Mount Point
1387 Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses
1388 Physical Access Issues and Concerns

Nodes Deprecated in Version 4.8

CWE-ID CWE Name
None.
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 20 Improper Input Validation
R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
R 59 Improper Link Resolution Before File Access ('Link Following')
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 94 Improper Control of Generation of Code ('Code Injection')
DNR 113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 125 Out-of-bounds Read
R 190 Integer Overflow or Wraparound
R 276 Incorrect Default Permissions
R 287 Improper Authentication
R 306 Missing Authentication for Critical Function
R 311 Missing Encryption of Sensitive Data
R 319 Cleartext Transmission of Sensitive Information
R 352 Cross-Site Request Forgery (CSRF)
R 362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
R 400 Uncontrolled Resource Consumption
R 416 Use After Free
R 434 Unrestricted Upload of File with Dangerous Type
R 436 Interpretation Conflict
DN 444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
R 476 NULL Pointer Dereference
R 502 Deserialization of Untrusted Data
R 611 Improper Restriction of XML External Entity Reference
R 614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
R 787 Out-of-bounds Write
R 798 Use of Hard-coded Credentials
R 862 Missing Authorization
D R 917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
R 918 Server-Side Request Forgery (SSRF)
R 1194 Hardware Design
R 1247 Improper Protection Against Voltage and Clock Glitches
R 1248 Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
R 1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks
R 1261 Improper Handling of Single Event Upsets
R 1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
R 1300 Improper Protection of Physical Side Channels
R 1319 Improper Protection against Electromagnetic Fault Injection (EM-FI)
R 1332 Improper Handling of Faults that Lead to Instruction Skips
R 1336 Improper Neutralization of Special Elements Used in a Template Engine
R 1351 Improper Handling of Hardware Behavior in Exceptionally Cold Environments
DNR 1384 Improper Handling of Physical or Environmental Conditions
Detailed Difference Report
Detailed Difference Report
20 Improper Input Validation
Major Observed_Examples, Relationships
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Observed_Examples, Relationships
Minor None
23 Relative Path Traversal
Major Observed_Examples
Minor None
59 Improper Link Resolution Before File Access ('Link Following')
Major Relationships
Minor None
64 Windows Shortcut Following (.LNK)
Major Observed_Examples
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Observed_Examples
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Observed_Examples, Relationships
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Observed_Examples, Relationships
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Observed_Examples, Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Observed_Examples, Relationships
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Observed_Examples, Relationships
Minor None
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Observed_Examples
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Major Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Theoretical_Notes
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Observed_Examples, Relationships
Minor None
121 Stack-based Buffer Overflow
Major Observed_Examples
Minor None
125 Out-of-bounds Read
Major Observed_Examples, Relationships
Minor None
131 Incorrect Calculation of Buffer Size
Major Observed_Examples
Minor None
190 Integer Overflow or Wraparound
Major Observed_Examples, Relationships
Minor None
197 Numeric Truncation Error
Major Observed_Examples
Minor None
276 Incorrect Default Permissions
Major Relationships
Minor None
284 Improper Access Control
Major Observed_Examples
Minor None
287 Improper Authentication
Major Observed_Examples, Relationships
Minor None
306 Missing Authentication for Critical Function
Major Observed_Examples, Relationships
Minor None
311 Missing Encryption of Sensitive Data
Major Relationships
Minor None
319 Cleartext Transmission of Sensitive Information
Major Relationships
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Relationships
Minor None
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Observed_Examples, Relationships
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Observed_Examples
Minor None
400 Uncontrolled Resource Consumption
Major Observed_Examples, Relationships
Minor None
416 Use After Free
Major Observed_Examples, Relationships
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Relationships
Minor None
436 Interpretation Conflict
Major Relationships
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Major Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, References, Taxonomy_Mappings
Minor None
476 NULL Pointer Dereference
Major Relationships
Minor None
502 Deserialization of Untrusted Data
Major Relationships
Minor None
611 Improper Restriction of XML External Entity Reference
Major Relationships
Minor None
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major Relationships
Minor None
625 Permissive Regular Expression
Major Observed_Examples
Minor None
667 Improper Locking
Major Observed_Examples
Minor None
697 Incorrect Comparison
Major Observed_Examples
Minor None
787 Out-of-bounds Write
Major Observed_Examples, Relationships
Minor None
798 Use of Hard-coded Credentials
Major Relationships
Minor None
862 Missing Authorization
Major Relationships
Minor None
917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Major Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships
Minor None
918 Server-Side Request Forgery (SSRF)
Major Observed_Examples, Relationships
Minor None
1059 Insufficient Technical Documentation
Major None
Minor References
1194 Hardware Design
Major Relationships
Minor None
1246 Improper Write Handling in Limited-write Non-Volatile Memories
Major Applicable_Platforms
Minor None
1247 Improper Protection Against Voltage and Clock Glitches
Major Applicable_Platforms, Relationships
Minor None
1248 Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
Major Relationships
Minor None
1250 Improper Preservation of Consistency Between Independent Representations of Shared State
Major Applicable_Platforms
Minor None
1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
Major Applicable_Platforms
Minor None
1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks
Major Relationships
Minor None
1256 Improper Restriction of Software Interfaces to Hardware Features
Major Applicable_Platforms
Minor None
1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions
Major Applicable_Platforms
Minor None
1259 Improper Restriction of Security Token Assignment
Major Applicable_Platforms
Minor None
1260 Improper Handling of Overlap Between Protected Memory Ranges
Major Applicable_Platforms
Minor None
1261 Improper Handling of Single Event Upsets
Major Relationships
Minor None
1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
Major Relationships
Minor None
1279 Cryptographic Operations are run Before Supporting Units are Ready
Major Applicable_Platforms
Minor None
1280 Access Control Check Implemented After Asset is Accessed
Major None
Minor Demonstrative_Examples
1290 Incorrect Decoding of Security Identifiers
Major Applicable_Platforms
Minor None
1292 Incorrect Conversion of Security Identifiers
Major Applicable_Platforms
Minor None
1294 Insecure Security Identifier Mechanism
Major Applicable_Platforms
Minor None
1296 Incorrect Chaining or Granularity of Debug Components
Major Applicable_Platforms
Minor None
1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors
Major Applicable_Platforms
Minor None
1299 Missing Protection Mechanism for Alternate Hardware Interface
Major Applicable_Platforms
Minor None
1300 Improper Protection of Physical Side Channels
Major Relationships
Minor None
1314 Missing Write Protection for Parametric Data Values
Major Applicable_Platforms
Minor None
1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
Major Applicable_Platforms
Minor None
1317 Missing Security Checks in Fabric Bridge
Major Applicable_Platforms
Minor None
1318 Missing Support for Security Features in On-chip Fabrics or Buses
Major Applicable_Platforms
Minor None
1319 Improper Protection against Electromagnetic Fault Injection (EM-FI)
Major Applicable_Platforms, Relationships
Minor None
1320 Improper Protection for Out of Bounds Signal Level Alerts
Major Applicable_Platforms
Minor None
1324 Sensitive Information Accessible by Physical Probing of JTAG Interface
Major Applicable_Platforms
Minor None
1326 Missing Immutable Root of Trust in Hardware
Major Applicable_Platforms, Modes_of_Introduction
Minor Demonstrative_Examples, Description
1328 Security Version Number Mutable to Older Versions
Major Applicable_Platforms
Minor None
1330 Remanent Data Readable after Memory Erase
Major Applicable_Platforms
Minor None
1331 Improper Isolation of Shared Resources in Network On Chip (NoC)
Major Applicable_Platforms
Minor Common_Consequences
1332 Improper Handling of Faults that Lead to Instruction Skips
Major Relationships
Minor Potential_Mitigations
1336 Improper Neutralization of Special Elements Used in a Template Engine
Major Maintenance_Notes, Relationships
Minor None
1338 Improper Protections Against Hardware Overheating
Major Applicable_Platforms
Minor Description
1351 Improper Handling of Hardware Behavior in Exceptionally Cold Environments
Major Relationships
Minor None
1384 Improper Handling of Physical or Environmental Conditions
Major Description, Name, Potential_Mitigations, Relationships, Type
Minor Modes_of_Introduction
Page Last Updated: June 28, 2022