CWE - Differences between Version 4.8 and Version 4.9

Home > CWE List > Reports > Differences between Version 4.8 and Version 4.9

Differences between Version 4.8 and Version 4.9

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total weaknesses/chains/composites (Version 4.9)	933
Total weaknesses/chains/composites (Version 4.8)	927
Total new	6
Total deprecated	1
Total with major changes	231
Total with only minor changes	462
Total unchanged	695

Summary of Entry Types

Type	Version 4.8	Version 4.9
Weakness	927	933
Category	352	352
View	48	47
Deprecated	62	63
Total	1389	1395

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	5	0
Description	14	9
Relationships	71	0
Applicable_Platforms	16	539
Modes_of_Introduction	0	0
Detection_Factors	2	0
Potential_Mitigations	12	3
Demonstrative_Examples	59	13
Observed_Examples	57	382
Related_Attack_Patterns	16	0
Weakness_Ordinalities	0	0
Time_of_Introduction	0	0
Likelihood_of_Exploit	0	0
References	84	5
Common_Consequences	1	1
Terminology_Notes	2	0
Alternate_Terms	4	0
Relationship_Notes	3	0
Taxonomy_Mappings	14	0
Maintenance_Notes	11	0
Research_Gaps	1	0
Background_Details	3	0
Theoretical_Notes	1	0
Other_Notes	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	1	0
View_Audience	1	0
Type	1	0
Source_Taxonomy	0	0

Form and Abstraction Changes

From	To	Total	CWE IDs
Unchanged		1388
View	Deprecated	1	999

Status Changes

From	To	Total
Unchanged		1388
Incomplete	Deprecated	1

Relationship Changes

The "Version 4.9 Total" lists the total number of relationships in Version 4.9. The "Shared" value is the total number of relationships in entries that were in both Version 4.9 and Version 4.8. The "New" value is the total number of relationships involving entries that did not exist in Version 4.8. Thus, the total number of relationships in Version 4.9 would combine stats from Shared entries and New entries.

Relationship	Version 4.9 Total	Version 4.8 Total	Version 4.9 Shared	Unchanged	Added to Version 4.9	Removed from Version 4.8	Version 4.9 New
ALL	10322	10310	10262	10226	36	84	60
ChildOf	4269	4262	4239	4223	16	39	30
ParentOf	4269	4262	4239	4223	16	39	30
MemberOf	643	642	643	642	1
HasMember	643	642	643	642	1
CanPrecede	136	135	136	135	1
CanFollow	136	135	136	135	1
StartsWith	3	3	3	3
Requires	13	13	13	13
RequiredBy	13	13	13	13
CanAlsoBe	27	27	27	27
PeerOf	170	176	170	170		6

Nodes Removed from Version 4.8

CWE-ID	CWE Name
None.

Nodes Added to Version 4.9

CWE-ID	CWE Name
1389	Incorrect Parsing of Numbers with Different Radices
1390	Weak Authentication
1391	Use of Weak Credentials
1392	Use of Default Credentials
1393	Use of Default Password
1394	Use of Default Cryptographic Key

Nodes Deprecated in Version 4.9

CWE-ID	CWE Name
999	DEPRECATED: Weaknesses without Software Fault Patterns

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

		R	20	Improper Input Validation
		R	96	Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
		R	119	Improper Restriction of Operations within the Bounds of a Memory Buffer
		R	123	Write-what-where Condition
		R	125	Out-of-bounds Read
		R	129	Improper Validation of Array Index
		R	185	Incorrect Regular Expression
		R	189	Numeric Errors
D			249	DEPRECATED: Often Misused: Path Manipulation
		R	261	Weak Encoding for Password
D		R	262	Not Using Password Aging
D		R	263	Password Aging with Long Expiration
		R	287	Improper Authentication
		R	288	Authentication Bypass Using an Alternate Path or Channel
		R	289	Authentication Bypass by Alternate Name
		R	290	Authentication Bypass by Spoofing
		R	294	Authentication Bypass by Capture-replay
		R	301	Reflection Attack in an Authentication Protocol
		R	302	Authentication Bypass by Assumed-Immutable Data
		R	303	Incorrect Implementation of Authentication Algorithm
		R	304	Missing Critical Step in Authentication
		R	305	Authentication Bypass by Primary Weakness
D		R	306	Missing Authentication for Critical Function
D		R	307	Improper Restriction of Excessive Authentication Attempts
		R	308	Use of Single-factor Authentication
		R	309	Use of Password System for Primary Authentication
D			312	Cleartext Storage of Sensitive Information
		R	330	Use of Insufficiently Random Values
		R	350	Reliance on Reverse DNS Resolution for a Security-Critical Action
		R	400	Uncontrolled Resource Consumption
		R	404	Improper Resource Shutdown or Release
		R	407	Inefficient Algorithmic Complexity
D		R	416	Use After Free
		R	425	Direct Request ('Forced Browsing')
		R	469	Use of Pointer Subtraction to Determine Size
D	N		478	Missing Default Case in Multiple Condition Expression
		R	521	Weak Password Requirements
		R	522	Insufficiently Protected Credentials
		R	593	Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
D		R	602	Client-Side Enforcement of Server-Side Security
		R	603	Use of Client-Side Authentication
		R	620	Unverified Password Change
		R	640	Weak Password Recovery Mechanism for Forgotten Password
		R	664	Improper Control of a Resource Through its Lifetime
		R	669	Incorrect Resource Transfer Between Spheres
		R	704	Incorrect Type Conversion or Cast
		R	771	Missing Reference to Active Allocated Resource
		R	772	Missing Release of Resource after Effective Lifetime
		R	773	Missing Reference to Active File Descriptor or Handle
		R	775	Missing Release of File Descriptor or Handle after Effective Lifetime
		R	798	Use of Hard-coded Credentials
D		R	804	Guessable CAPTCHA
		R	836	Use of Password Hash Instead of Password for Authentication
		R	923	Improper Restriction of Communication Channel to Intended Endpoints
		R	925	Improper Verification of Intent by Broadcast Receiver
		R	940	Improper Verification of Source of a Communication Channel
		R	970	SFP Secondary Cluster: Faulty Buffer Access
		R	971	SFP Secondary Cluster: Faulty Pointer Use
		R	982	SFP Secondary Cluster: Failure to Release Resource
		R	983	SFP Secondary Cluster: Faulty Resource Use
		R	990	SFP Secondary Cluster: Tainted Input to Command
		R	998	SFP Secondary Cluster: Glitch in Computation
D	N		999	DEPRECATED: Weaknesses without Software Fault Patterns
		R	1003	Weaknesses for Simplified Mapping of Published Vulnerabilities
D			1191	On-Chip Debug and Test Interface With Improper Access Control
		R	1195	Manufacturing and Life Cycle Management Concerns
		R	1203	Peripherals, On-chip Fabric, and Interface/IO Problems
	N		1206	Power, Clock, Thermal, and Reset Concerns
		R	1208	Cross-Cutting Problems
		R	1243	Sensitive Non-Volatile Information Not Protected During Debug
		R	1246	Improper Write Handling in Limited-write Non-Volatile Memories
		R	1263	Improper Physical Access Control
D			1273	Device Unlock Credential Sharing
		R	1278	Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
		R	1284	Improper Validation of Specified Quantity in Input
		R	1300	Improper Protection of Physical Side Channels
D	N		1317	Improper Access Control in Fabric Bridge
		R	1319	Improper Protection against Electromagnetic Fault Injection (EM-FI)
	N		1320	Improper Protection for Outbound Error Messages and Alert Signals
		R	1333	Inefficient Regular Expression Complexity

Detailed Difference Report

16	Configuration
	Major	Maintenance_Notes, References
	Minor	None
20	Improper Input Validation
	Major	References, Relationships
	Minor	Applicable_Platforms, Observed_Examples
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Observed_Examples, References
	Minor	Applicable_Platforms, Demonstrative_Examples
23	Relative Path Traversal
	Major	Alternate_Terms, Observed_Examples, References
	Minor	Applicable_Platforms, Demonstrative_Examples
24	Path Traversal: '../filedir'
	Major	None
	Minor	Applicable_Platforms
25	Path Traversal: '/../filedir'
	Major	None
	Minor	Applicable_Platforms
26	Path Traversal: '/dir/../filename'
	Major	None
	Minor	Applicable_Platforms
27	Path Traversal: 'dir/../../filename'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
28	Path Traversal: '..\filedir'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
29	Path Traversal: '\..\filename'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
30	Path Traversal: '\dir\..\filename'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
31	Path Traversal: 'dir\..\..\filename'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
32	Path Traversal: '...' (Triple Dot)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
33	Path Traversal: '....' (Multiple Dot)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
34	Path Traversal: '....//'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
35	Path Traversal: '.../...//'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
36	Absolute Path Traversal
	Major	Observed_Examples
	Minor	Applicable_Platforms
37	Path Traversal: '/absolute/pathname/here'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
38	Path Traversal: '\absolute\pathname\here'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
39	Path Traversal: 'C:dirname'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
40	Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
41	Improper Resolution of Path Equivalence
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
42	Path Equivalence: 'filename.' (Trailing Dot)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
43	Path Equivalence: 'filename....' (Multiple Trailing Dot)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
44	Path Equivalence: 'file.name' (Internal Dot)
	Major	None
	Minor	Applicable_Platforms
45	Path Equivalence: 'file...name' (Multiple Internal Dot)
	Major	None
	Minor	Applicable_Platforms
46	Path Equivalence: 'filename ' (Trailing Space)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
47	Path Equivalence: ' filename' (Leading Space)
	Major	None
	Minor	Applicable_Platforms
48	Path Equivalence: 'file name' (Internal Whitespace)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
49	Path Equivalence: 'filename/' (Trailing Slash)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
50	Path Equivalence: '//multiple/leading/slash'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
51	Path Equivalence: '/multiple//internal/slash'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
52	Path Equivalence: '/multiple/trailing/slash//'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
53	Path Equivalence: '\multiple\\internal\backslash'
	Major	None
	Minor	Applicable_Platforms
54	Path Equivalence: 'filedir\' (Trailing Backslash)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
55	Path Equivalence: '/./' (Single Dot Directory)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
56	*Path Equivalence: 'filedir' (Wildcard)**
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
57	Path Equivalence: 'fakedir/../realdir/filename'
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
58	Path Equivalence: Windows 8.3 Filename
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
59	Improper Link Resolution Before File Access ('Link Following')
	Major	Alternate_Terms, Background_Details, Observed_Examples, References, Relationship_Notes, Theoretical_Notes
	Minor	Applicable_Platforms
61	UNIX Symbolic Link (Symlink) Following
	Major	Observed_Examples
	Minor	Applicable_Platforms
62	UNIX Hard Link
	Major	Observed_Examples
	Minor	Applicable_Platforms
64	Windows Shortcut Following (.LNK)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
65	Windows Hard Link
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
66	Improper Handling of File Names that Identify Virtual Resources
	Major	None
	Minor	Applicable_Platforms
67	Improper Handling of Windows Device Names
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
69	Improper Handling of Windows ::DATA Alternate Data Stream
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
72	Improper Handling of Apple HFS+ Alternate Data Stream Path
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
73	External Control of File Name or Path
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
	Major	Observed_Examples
	Minor	Applicable_Platforms
75	Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
	Major	None
	Minor	Applicable_Platforms
76	Improper Neutralization of Equivalent Special Elements
	Major	None
	Minor	Applicable_Platforms
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Observed_Examples, References, Terminology_Notes
	Minor	Applicable_Platforms
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	Major	Background_Details, Observed_Examples
	Minor	Applicable_Platforms
80	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
81	Improper Neutralization of Script in an Error Message Web Page
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
82	Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
83	Improper Neutralization of Script in Attributes in a Web Page
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
84	Improper Neutralization of Encoded URI Schemes in a Web Page
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
85	Doubled Character XSS Manipulations
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
86	Improper Neutralization of Invalid Characters in Identifiers in Web Pages
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
87	Improper Neutralization of Alternate XSS Syntax
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
88	Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
	Major	Observed_Examples
	Minor	Applicable_Platforms
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Observed_Examples, References
	Minor	Applicable_Platforms
90	Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
	Major	Observed_Examples
	Minor	Applicable_Platforms
91	XML Injection (aka Blind XPath Injection)
	Major	None
	Minor	Applicable_Platforms
93	Improper Neutralization of CRLF Sequences ('CRLF Injection')
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
94	Improper Control of Generation of Code ('Code Injection')
	Major	Observed_Examples
	Minor	None
95	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
	Major	Observed_Examples
	Minor	None
96	Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
	Major	Relationships, Taxonomy_Mappings
	Minor	Observed_Examples
97	Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
	Major	None
	Minor	Applicable_Platforms
98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
	Major	References
	Minor	Observed_Examples
99	Improper Control of Resource Identifiers ('Resource Injection')
	Major	None
	Minor	Applicable_Platforms
112	Missing XML Validation
	Major	None
	Minor	Applicable_Platforms
113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
	Major	Demonstrative_Examples, Related_Attack_Patterns
	Minor	Applicable_Platforms, Description, Observed_Examples
114	Process Control
	Major	None
	Minor	Applicable_Platforms
115	Misinterpretation of Input
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
116	Improper Encoding or Escaping of Output
	Major	Observed_Examples
	Minor	Applicable_Platforms
117	Improper Output Neutralization for Logs
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
118	Incorrect Access of Indexable Resource ('Range Error')
	Major	None
	Minor	Applicable_Platforms
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	Relationships, Taxonomy_Mappings
	Minor	Observed_Examples
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	References
	Minor	Observed_Examples
121	Stack-based Buffer Overflow
	Major	None
	Minor	Observed_Examples
122	Heap-based Buffer Overflow
	Major	None
	Minor	Observed_Examples
123	Write-what-where Condition
	Major	Relationships, Taxonomy_Mappings
	Minor	None
124	Buffer Underwrite ('Buffer Underflow')
	Major	None
	Minor	Observed_Examples
125	Out-of-bounds Read
	Major	Applicable_Platforms, Relationships, Taxonomy_Mappings
	Minor	Observed_Examples
126	Buffer Over-read
	Major	None
	Minor	Observed_Examples
129	Improper Validation of Array Index
	Major	References, Relationships, Taxonomy_Mappings
	Minor	Applicable_Platforms, Observed_Examples
130	Improper Handling of Length Parameter Inconsistency
	Major	Taxonomy_Mappings
	Minor	Applicable_Platforms, Observed_Examples
131	Incorrect Calculation of Buffer Size
	Major	References
	Minor	Observed_Examples
134	Use of Externally-Controlled Format String
	Major	None
	Minor	Observed_Examples
138	Improper Neutralization of Special Elements
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
141	Improper Neutralization of Parameter/Argument Delimiters
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
142	Improper Neutralization of Value Delimiters
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
143	Improper Neutralization of Record Delimiters
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
144	Improper Neutralization of Line Delimiters
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
145	Improper Neutralization of Section Delimiters
	Major	None
	Minor	Applicable_Platforms
146	Improper Neutralization of Expression/Command Delimiters
	Major	None
	Minor	Applicable_Platforms
147	Improper Neutralization of Input Terminators
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
149	Improper Neutralization of Quoting Syntax
	Major	None
	Minor	Observed_Examples
150	Improper Neutralization of Escape, Meta, or Control Sequences
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
151	Improper Neutralization of Comment Delimiters
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
152	Improper Neutralization of Macro Symbols
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
153	Improper Neutralization of Substitution Characters
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
154	Improper Neutralization of Variable Name Delimiters
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
155	Improper Neutralization of Wildcards or Matching Symbols
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
156	Improper Neutralization of Whitespace
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
157	Failure to Sanitize Paired Delimiters
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
158	Improper Neutralization of Null Byte or NUL Character
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
159	Improper Handling of Invalid Use of Special Elements
	Major	None
	Minor	Applicable_Platforms
160	Improper Neutralization of Leading Special Elements
	Major	None
	Minor	Applicable_Platforms
161	Improper Neutralization of Multiple Leading Special Elements
	Major	None
	Minor	Applicable_Platforms
162	Improper Neutralization of Trailing Special Elements
	Major	None
	Minor	Applicable_Platforms
163	Improper Neutralization of Multiple Trailing Special Elements
	Major	None
	Minor	Applicable_Platforms
164	Improper Neutralization of Internal Special Elements
	Major	None
	Minor	Applicable_Platforms
165	Improper Neutralization of Multiple Internal Special Elements
	Major	None
	Minor	Applicable_Platforms
166	Improper Handling of Missing Special Element
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
167	Improper Handling of Additional Special Element
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
168	Improper Handling of Inconsistent Special Elements
	Major	None
	Minor	Applicable_Platforms
170	Improper Null Termination
	Major	None
	Minor	Observed_Examples
172	Encoding Error
	Major	None
	Minor	Applicable_Platforms
173	Improper Handling of Alternate Encoding
	Major	None
	Minor	Applicable_Platforms
174	Double Decoding of the Same Data
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
175	Improper Handling of Mixed Encoding
	Major	None
	Minor	Applicable_Platforms
176	Improper Handling of Unicode Encoding
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
177	Improper Handling of URL Encoding (Hex Encoding)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
178	Improper Handling of Case Sensitivity
	Major	Observed_Examples
	Minor	Applicable_Platforms
179	Incorrect Behavior Order: Early Validation
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
180	Incorrect Behavior Order: Validate Before Canonicalize
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
181	Incorrect Behavior Order: Validate Before Filter
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
182	Collapse of Data into Unsafe Value
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
183	Permissive List of Allowed Inputs
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
184	Incomplete List of Disallowed Inputs
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
185	Incorrect Regular Expression
	Major	Demonstrative_Examples, Relationships
	Minor	Applicable_Platforms, Observed_Examples
186	Overly Restrictive Regular Expression
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
187	Partial String Comparison
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
189	Numeric Errors
	Major	References, Relationships
	Minor	None
190	Integer Overflow or Wraparound
	Major	Observed_Examples
	Minor	Applicable_Platforms
191	Integer Underflow (Wrap or Wraparound)
	Major	None
	Minor	Observed_Examples
193	Off-by-one Error
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
194	Unexpected Sign Extension
	Major	None
	Minor	Observed_Examples
195	Signed to Unsigned Conversion Error
	Major	None
	Minor	Observed_Examples
197	Numeric Truncation Error
	Major	None
	Minor	Observed_Examples
198	Use of Incorrect Byte Ordering
	Major	None
	Minor	Applicable_Platforms
200	Exposure of Sensitive Information to an Unauthorized Actor
	Major	Demonstrative_Examples, Maintenance_Notes, Observed_Examples, References
	Minor	Applicable_Platforms
201	Insertion of Sensitive Information Into Sent Data
	Major	Observed_Examples
	Minor	Applicable_Platforms
202	Exposure of Sensitive Information Through Data Queries
	Major	None
	Minor	Applicable_Platforms
203	Observable Discrepancy
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
204	Observable Response Discrepancy
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
205	Observable Behavioral Discrepancy
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
206	Observable Internal Behavioral Discrepancy
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
207	Observable Behavioral Discrepancy With Equivalent Products
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
208	Observable Timing Discrepancy
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
209	Generation of Error Message Containing Sensitive Information
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms, Observed_Examples
210	Self-generated Error Message Containing Sensitive Information
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
211	Externally-Generated Error Message Containing Sensitive Information
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
212	Improper Removal of Sensitive Information Before Storage or Transfer
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
213	Exposure of Sensitive Information Due to Incompatible Policies
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
214	Invocation of Process Using Visible Sensitive Information
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
215	Insertion of Sensitive Information Into Debugging Code
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
219	Storage of File with Sensitive Data Under Web Root
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
220	Storage of File With Sensitive Data Under FTP Root
	Major	None
	Minor	Applicable_Platforms
221	Information Loss or Omission
	Major	None
	Minor	Applicable_Platforms
222	Truncation of Security-relevant Information
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
223	Omission of Security-relevant Information
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
224	Obscured Security-relevant Information by Alternate Name
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
226	Sensitive Information in Resource Not Removed Before Reuse
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
230	Improper Handling of Missing Values
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
231	Improper Handling of Extra Values
	Major	None
	Minor	Applicable_Platforms
232	Improper Handling of Undefined Values
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
234	Failure to Handle Missing Parameter
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
235	Improper Handling of Extra Parameters
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
236	Improper Handling of Undefined Parameters
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
238	Improper Handling of Incomplete Structural Elements
	Major	None
	Minor	Applicable_Platforms
239	Failure to Handle Incomplete Element
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
240	Improper Handling of Inconsistent Structural Elements
	Major	None
	Minor	Applicable_Platforms
241	Improper Handling of Unexpected Data Type
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
249	DEPRECATED: Often Misused: Path Manipulation
	Major	Description
	Minor	None
250	Execution with Unnecessary Privileges
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
252	Unchecked Return Value
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
253	Incorrect Check of Function Return Value
	Major	None
	Minor	Applicable_Platforms
255	Credentials Management Errors
	Major	References
	Minor	None
256	Plaintext Storage of a Password
	Major	Demonstrative_Examples, Observed_Examples, References
	Minor	Applicable_Platforms
257	Storing Passwords in a Recoverable Format
	Major	None
	Minor	Applicable_Platforms
258	Empty Password in Configuration File
	Major	None
	Minor	Applicable_Platforms
259	Use of Hard-coded Password
	Major	Demonstrative_Examples, Observed_Examples, References
	Minor	Applicable_Platforms
260	Password in Configuration File
	Major	None
	Minor	Applicable_Platforms
261	Weak Encoding for Password
	Major	Relationships
	Minor	Applicable_Platforms
262	Not Using Password Aging
	Major	Description, Potential_Mitigations, References, Relationships
	Minor	Applicable_Platforms
263	Password Aging with Long Expiration
	Major	Description, Potential_Mitigations, References, Relationships
	Minor	Applicable_Platforms
264	Permissions, Privileges, and Access Controls
	Major	Maintenance_Notes, References
	Minor	None
266	Incorrect Privilege Assignment
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
267	Privilege Defined With Unsafe Actions
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
268	Privilege Chaining
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
269	Improper Privilege Management
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
270	Privilege Context Switching Error
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
271	Privilege Dropping / Lowering Errors
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
272	Least Privilege Violation
	Major	None
	Minor	Applicable_Platforms
273	Improper Check for Dropped Privileges
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
274	Improper Handling of Insufficient Privileges
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
276	Incorrect Default Permissions
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
277	Insecure Inherited Permissions
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
278	Insecure Preserved Inherited Permissions
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
279	Incorrect Execution-Assigned Permissions
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
280	Improper Handling of Insufficient Permissions or Privileges
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
281	Improper Preservation of Permissions
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
282	Improper Ownership Management
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
283	Unverified Ownership
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
284	Improper Access Control
	Major	References
	Minor	Observed_Examples
285	Improper Authorization
	Major	Observed_Examples
	Minor	Applicable_Platforms
286	Incorrect User Management
	Major	None
	Minor	Applicable_Platforms
287	Improper Authentication
	Major	Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships
	Minor	None
288	Authentication Bypass Using an Alternate Path or Channel
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
289	Authentication Bypass by Alternate Name
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
290	Authentication Bypass by Spoofing
	Major	Relationships
	Minor	Observed_Examples
291	Reliance on IP Address for Authentication
	Major	None
	Minor	Applicable_Platforms
293	Using Referer Field for Authentication
	Major	None
	Minor	Applicable_Platforms
294	Authentication Bypass by Capture-replay
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
295	Improper Certificate Validation
	Major	Observed_Examples, References
	Minor	Applicable_Platforms
296	Improper Following of a Certificate's Chain of Trust
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
297	Improper Validation of Certificate with Host Mismatch
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
298	Improper Validation of Certificate Expiration
	Major	None
	Minor	Applicable_Platforms
299	Improper Check for Certificate Revocation
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
300	Channel Accessible by Non-Endpoint
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
301	Reflection Attack in an Authentication Protocol
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
302	Authentication Bypass by Assumed-Immutable Data
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
303	Incorrect Implementation of Authentication Algorithm
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
304	Missing Critical Step in Authentication
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
305	Authentication Bypass by Primary Weakness
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
306	Missing Authentication for Critical Function
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships
	Minor	None
307	Improper Restriction of Excessive Authentication Attempts
	Major	Demonstrative_Examples, Description, Observed_Examples, References, Relationships
	Minor	Applicable_Platforms
308	Use of Single-factor Authentication
	Major	Relationships
	Minor	Applicable_Platforms
309	Use of Password System for Primary Authentication
	Major	Relationships
	Minor	Applicable_Platforms
310	Cryptographic Issues
	Major	Maintenance_Notes, References
	Minor	None
311	Missing Encryption of Sensitive Data
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
312	Cleartext Storage of Sensitive Information
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References
	Minor	None
313	Cleartext Storage in a File or on Disk
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
314	Cleartext Storage in the Registry
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
315	Cleartext Storage of Sensitive Information in a Cookie
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
316	Cleartext Storage of Sensitive Information in Memory
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
317	Cleartext Storage of Sensitive Information in GUI
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
318	Cleartext Storage of Sensitive Information in Executable
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
319	Cleartext Transmission of Sensitive Information
	Major	Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References
	Minor	None
321	Use of Hard-coded Cryptographic Key
	Major	Demonstrative_Examples, Observed_Examples, References
	Minor	Applicable_Platforms
322	Key Exchange without Entity Authentication
	Major	None
	Minor	Applicable_Platforms
323	Reusing a Nonce, Key Pair in Encryption
	Major	None
	Minor	Applicable_Platforms
324	Use of a Key Past its Expiration Date
	Major	None
	Minor	Applicable_Platforms
325	Missing Cryptographic Step
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
326	Inadequate Encryption Strength
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
327	Use of a Broken or Risky Cryptographic Algorithm
	Major	Demonstrative_Examples, Observed_Examples, References
	Minor	Applicable_Platforms
328	Use of Weak Hash
	Major	Demonstrative_Examples, Observed_Examples, References
	Minor	Applicable_Platforms
329	Generation of Predictable IV with CBC Mode
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
330	Use of Insufficiently Random Values
	Major	Observed_Examples, Relationships
	Minor	Applicable_Platforms
331	Insufficient Entropy
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
332	Insufficient Entropy in PRNG
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
333	Improper Handling of Insufficient Entropy in TRNG
	Major	None
	Minor	Applicable_Platforms
334	Small Space of Random Values
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
335	Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
	Major	Observed_Examples
	Minor	Applicable_Platforms
336	Same Seed in Pseudo-Random Number Generator (PRNG)
	Major	None
	Minor	Applicable_Platforms
337	Predictable Seed in Pseudo-Random Number Generator (PRNG)
	Major	Observed_Examples
	Minor	Applicable_Platforms
338	Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
339	Small Seed Space in PRNG
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
341	Predictable from Observable State
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
342	Predictable Exact Value from Previous Values
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
343	Predictable Value Range from Previous Values
	Major	None
	Minor	Applicable_Platforms
344	Use of Invariant Value in Dynamically Changing Context
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
345	Insufficient Verification of Data Authenticity
	Major	None
	Minor	Applicable_Platforms
346	Origin Validation Error
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
347	Improper Verification of Cryptographic Signature
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
348	Use of Less Trusted Source
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
349	Acceptance of Extraneous Untrusted Data With Trusted Data
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
350	Reliance on Reverse DNS Resolution for a Security-Critical Action
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
351	Insufficient Type Distinction
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
352	Cross-Site Request Forgery (CSRF)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
353	Missing Support for Integrity Check
	Major	None
	Minor	Applicable_Platforms
354	Improper Validation of Integrity Check Value
	Major	None
	Minor	Applicable_Platforms
356	Product UI does not Warn User of Unsafe Actions
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
357	Insufficient UI Warning of Dangerous Operations
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
358	Improperly Implemented Security Check for Standard
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
359	Exposure of Private Personal Information to an Unauthorized Actor
	Major	None
	Minor	Applicable_Platforms
360	Trust of System Event Data
	Major	None
	Minor	Applicable_Platforms
362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
	Major	Observed_Examples, References
	Minor	None
363	Race Condition Enabling Link Following
	Major	None
	Minor	Applicable_Platforms
364	Signal Handler Race Condition
	Major	None
	Minor	Observed_Examples
367	Time-of-check Time-of-use (TOCTOU) Race Condition
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
368	Context Switching Race Condition
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
369	Divide By Zero
	Major	References
	Minor	Observed_Examples
370	Missing Check for Certificate Revocation after Initial Check
	Major	None
	Minor	Applicable_Platforms
372	Incomplete Internal State Distinction
	Major	None
	Minor	Applicable_Platforms
377	Insecure Temporary File
	Major	None
	Minor	Applicable_Platforms
378	Creation of Temporary File With Insecure Permissions
	Major	None
	Minor	Applicable_Platforms
379	Creation of Temporary File in Directory with Insecure Permissions
	Major	None
	Minor	Applicable_Platforms
384	Session Fixation
	Major	None
	Minor	Applicable_Platforms
385	Covert Timing Channel
	Major	Maintenance_Notes
	Minor	Applicable_Platforms
386	Symbolic Name not Mapping to Correct Object
	Major	None
	Minor	Applicable_Platforms
390	Detection of Error Condition Without Action
	Major	None
	Minor	Applicable_Platforms
391	Unchecked Error Condition
	Major	None
	Minor	Applicable_Platforms
392	Missing Report of Error Condition
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
393	Return of Wrong Status Code
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
394	Unexpected Status Code or Return Value
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
399	Resource Management Errors
	Major	References
	Minor	None
400	Uncontrolled Resource Consumption
	Major	Observed_Examples, Relationships
	Minor	Applicable_Platforms
401	Missing Release of Memory after Effective Lifetime
	Major	Taxonomy_Mappings
	Minor	Observed_Examples
403	Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
404	Improper Resource Shutdown or Release
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
405	Asymmetric Resource Consumption (Amplification)
	Major	None
	Minor	Applicable_Platforms
406	Insufficient Control of Network Message Volume (Network Amplification)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
407	Inefficient Algorithmic Complexity
	Major	Alternate_Terms, Observed_Examples, Relationships
	Minor	Applicable_Platforms
408	Incorrect Behavior Order: Early Amplification
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
409	Improper Handling of Highly Compressed Data (Data Amplification)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
410	Insufficient Resource Pool
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
412	Unrestricted Externally Accessible Lock
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
413	Improper Resource Locking
	Major	None
	Minor	Applicable_Platforms
414	Missing Lock Check
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
415	Double Free
	Major	None
	Minor	Observed_Examples
416	Use After Free
	Major	Description, Relationships, Taxonomy_Mappings
	Minor	Observed_Examples
419	Unprotected Primary Channel
	Major	None
	Minor	Applicable_Platforms
420	Unprotected Alternate Channel
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
421	Race Condition During Access to Alternate Channel
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
422	Unprotected Windows Messaging Channel ('Shatter')
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
424	Improper Protection of Alternate Path
	Major	None
	Minor	Applicable_Platforms
425	Direct Request ('Forced Browsing')
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
426	Untrusted Search Path
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
427	Uncontrolled Search Path Element
	Major	Observed_Examples
	Minor	Applicable_Platforms
428	Unquoted Search Path or Element
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
430	Deployment of Wrong Handler
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
431	Missing Handler
	Major	None
	Minor	Applicable_Platforms
432	Dangerous Signal Handler not Disabled During Sensitive Operations
	Major	None
	Minor	Applicable_Platforms
433	Unparsed Raw Web Content Delivery
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
434	Unrestricted Upload of File with Dangerous Type
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
435	Improper Interaction Between Multiple Correctly-Behaving Entities
	Major	None
	Minor	Applicable_Platforms
436	Interpretation Conflict
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
437	Incomplete Model of Endpoint Features
	Major	None
	Minor	Applicable_Platforms
439	Behavioral Change in New Version or Environment
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
440	Expected Behavior Violation
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
441	Unintended Proxy or Intermediary ('Confused Deputy')
	Major	Related_Attack_Patterns
	Minor	Applicable_Platforms, Observed_Examples
444	Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
	Major	Related_Attack_Patterns
	Minor	Applicable_Platforms, Common_Consequences, Observed_Examples, References
446	UI Discrepancy for Security Feature
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
447	Unimplemented or Unsupported Feature in UI
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
448	Obsolete Feature in UI
	Major	None
	Minor	Applicable_Platforms
449	The UI Performs the Wrong Action
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
450	Multiple Interpretations of UI Input
	Major	None
	Minor	Applicable_Platforms
451	User Interface (UI) Misrepresentation of Critical Information
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
453	Insecure Default Variable Initialization
	Major	None
	Minor	Applicable_Platforms
454	External Initialization of Trusted Variables or Data Stores
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
455	Non-exit on Failed Initialization
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
456	Missing Initialization of a Variable
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
457	Use of Uninitialized Variable
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
459	Incomplete Cleanup
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
469	Use of Pointer Subtraction to Determine Size
	Major	Relationships, Taxonomy_Mappings
	Minor	None
470	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
	Major	None
	Minor	Observed_Examples
471	Modification of Assumed-Immutable Data (MAID)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
472	External Control of Assumed-Immutable Web Parameter
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
473	PHP External Variable Modification
	Major	None
	Minor	Observed_Examples
474	Use of Function with Inconsistent Implementations
	Major	None
	Minor	Applicable_Platforms
475	Undefined Behavior for Input to API
	Major	None
	Minor	Applicable_Platforms
476	NULL Pointer Dereference
	Major	Alternate_Terms, Applicable_Platforms, Observed_Examples
	Minor	None
477	Use of Obsolete Function
	Major	None
	Minor	Applicable_Platforms
478	Missing Default Case in Multiple Condition Expression
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations
	Minor	None
479	Signal Handler Use of a Non-reentrant Function
	Major	None
	Minor	Observed_Examples
480	Use of Incorrect Operator
	Major	None
	Minor	Applicable_Platforms
483	Incorrect Block Delimitation
	Major	None
	Minor	Observed_Examples
488	Exposure of Data Element to Wrong Session
	Major	None
	Minor	Applicable_Platforms
489	Active Debug Code
	Major	None
	Minor	Applicable_Platforms
492	Use of Inner Class Containing Sensitive Data
	Major	Demonstrative_Examples
	Minor	None
494	Download of Code Without Integrity Check
	Major	References, Related_Attack_Patterns
	Minor	Applicable_Platforms, Observed_Examples
497	Exposure of Sensitive System Information to an Unauthorized Control Sphere
	Major	Related_Attack_Patterns
	Minor	Applicable_Platforms
501	Trust Boundary Violation
	Major	None
	Minor	Applicable_Platforms
502	Deserialization of Untrusted Data
	Major	Applicable_Platforms
	Minor	Observed_Examples
507	Trojan Horse
	Major	Related_Attack_Patterns
	Minor	None
511	Logic/Time Bomb
	Major	None
	Minor	Applicable_Platforms
514	Covert Channel
	Major	Maintenance_Notes
	Minor	None
515	Covert Storage Channel
	Major	Maintenance_Notes
	Minor	None
521	Weak Password Requirements
	Major	Observed_Examples, Potential_Mitigations, Relationships
	Minor	Applicable_Platforms
522	Insufficiently Protected Credentials
	Major	Demonstrative_Examples, Observed_Examples, References, Relationships
	Minor	None
532	Insertion of Sensitive Information into Log File
	Major	None
	Minor	Observed_Examples
538	Insertion of Sensitive Information into Externally-Accessible File or Directory
	Major	None
	Minor	Applicable_Platforms
546	Suspicious Comment
	Major	None
	Minor	Applicable_Platforms
561	Dead Code
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
570	Expression is Always False
	Major	None
	Minor	Applicable_Platforms
571	Expression is Always True
	Major	None
	Minor	Applicable_Platforms
573	Improper Following of Specification by Caller
	Major	None
	Minor	Observed_Examples
582	Array Declared Public, Final, and Static
	Major	Taxonomy_Mappings
	Minor	None
593	Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
	Major	Relationships
	Minor	None
595	Comparison of Object References Instead of Object Contents
	Major	None
	Minor	Applicable_Platforms
601	URL Redirection to Untrusted Site ('Open Redirect')
	Major	Observed_Examples
	Minor	Applicable_Platforms
602	Client-Side Enforcement of Server-Side Security
	Major	Demonstrative_Examples, Description, Observed_Examples, References, Relationships
	Minor	Applicable_Platforms
603	Use of Client-Side Authentication
	Major	Demonstrative_Examples, Observed_Examples, References, Relationships
	Minor	None
605	Multiple Binds to the Same Port
	Major	None
	Minor	Applicable_Platforms
611	Improper Restriction of XML External Entity Reference
	Major	None
	Minor	Observed_Examples
612	Improper Authorization of Index Containing Sensitive Information
	Major	None
	Minor	Applicable_Platforms
614	Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
	Major	None
	Minor	Observed_Examples
615	Inclusion of Sensitive Information in Source Code Comments
	Major	None
	Minor	Observed_Examples
616	Incomplete Identification of Uploaded File Variables (PHP)
	Major	None
	Minor	Observed_Examples
617	Reachable Assertion
	Major	None
	Minor	Observed_Examples
618	Exposed Unsafe ActiveX Method
	Major	None
	Minor	Observed_Examples
620	Unverified Password Change
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
621	Variable Extraction Error
	Major	None
	Minor	Observed_Examples
622	Improper Validation of Function Hook Arguments
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
623	Unsafe ActiveX Control Marked Safe For Scripting
	Major	None
	Minor	Observed_Examples
624	Executable Regular Expression Error
	Major	None
	Minor	Observed_Examples
625	Permissive Regular Expression
	Major	Demonstrative_Examples
	Minor	Observed_Examples
626	Null Byte Interaction Error (Poison Null Byte)
	Major	None
	Minor	Observed_Examples
627	Dynamic Variable Evaluation
	Major	None
	Minor	Observed_Examples
628	Function Call with Incorrectly Specified Arguments
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
636	Not Failing Securely ('Failing Open')
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
637	Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
638	Not Using Complete Mediation
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
639	Authorization Bypass Through User-Controlled Key
	Major	None
	Minor	Applicable_Platforms
640	Weak Password Recovery Mechanism for Forgotten Password
	Major	Relationships
	Minor	Applicable_Platforms
641	Improper Restriction of Names for Files and Other Resources
	Major	None
	Minor	Applicable_Platforms
642	External Control of Critical State Data
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
643	Improper Neutralization of Data within XPath Expressions ('XPath Injection')
	Major	None
	Minor	Applicable_Platforms
644	Improper Neutralization of HTTP Headers for Scripting Syntax
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
645	Overly Restrictive Account Lockout Mechanism
	Major	None
	Minor	Applicable_Platforms
646	Reliance on File Name or Extension of Externally-Supplied File
	Major	None
	Minor	Applicable_Platforms
647	Use of Non-Canonical URL Paths for Authorization Decisions
	Major	None
	Minor	Applicable_Platforms
648	Incorrect Use of Privileged APIs
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
649	Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
650	Trusting HTTP Permission Methods on the Server Side
	Major	None
	Minor	Applicable_Platforms
651	Exposure of WSDL File Containing Sensitive Information
	Major	None
	Minor	Applicable_Platforms
652	Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
	Major	None
	Minor	Applicable_Platforms
653	Improper Isolation or Compartmentalization
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
654	Reliance on a Single Factor in a Security Decision
	Major	References
	Minor	Applicable_Platforms
655	Insufficient Psychological Acceptability
	Major	References
	Minor	Applicable_Platforms
656	Reliance on Security Through Obscurity
	Major	Demonstrative_Examples, References
	Minor	Applicable_Platforms, Observed_Examples
657	Violation of Secure Design Principles
	Major	References
	Minor	None
663	Use of a Non-reentrant Function in a Concurrent Context
	Major	None
	Minor	Observed_Examples
664	Improper Control of a Resource Through its Lifetime
	Major	Relationships
	Minor	Applicable_Platforms
665	Improper Initialization
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
667	Improper Locking
	Major	None
	Minor	Observed_Examples
668	Exposure of Resource to Wrong Sphere
	Major	References
	Minor	None
669	Incorrect Resource Transfer Between Spheres
	Major	Relationships
	Minor	None
670	Always-Incorrect Control Flow Implementation
	Major	None
	Minor	Observed_Examples
672	Operation on a Resource after Expiration or Release
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
674	Uncontrolled Recursion
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms, Observed_Examples
675	Multiple Operations on Resource in Single-Operation Context
	Major	None
	Minor	Applicable_Platforms
676	Use of Potentially Dangerous Function
	Major	None
	Minor	Observed_Examples
680	Integer Overflow to Buffer Overflow
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
681	Incorrect Conversion between Numeric Types
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
682	Incorrect Calculation
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
683	Function Call With Incorrect Order of Arguments
	Major	None
	Minor	Observed_Examples
688	Function Call With Incorrect Variable or Reference as Argument
	Major	None
	Minor	Observed_Examples
689	Permission Race Condition During Resource Copy
	Major	None
	Minor	Observed_Examples
690	Unchecked Return Value to NULL Pointer Dereference
	Major	None
	Minor	Observed_Examples
691	Insufficient Control Flow Management
	Major	None
	Minor	Applicable_Platforms
692	Incomplete Denylist to Cross-Site Scripting
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
693	Protection Mechanism Failure
	Major	None
	Minor	Applicable_Platforms
694	Use of Multiple Resources with Duplicate Identifier
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
696	Incorrect Behavior Order
	Major	None
	Minor	Observed_Examples
697	Incorrect Comparison
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
698	Execution After Redirect (EAR)
	Major	References
	Minor	Observed_Examples
703	Improper Check or Handling of Exceptional Conditions
	Major	None
	Minor	Applicable_Platforms
704	Incorrect Type Conversion or Cast
	Major	Relationships
	Minor	Applicable_Platforms
705	Incorrect Control Flow Scoping
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
706	Use of Incorrectly-Resolved Name or Reference
	Major	None
	Minor	Applicable_Platforms
707	Improper Neutralization
	Major	None
	Minor	Applicable_Platforms
708	Incorrect Ownership Assignment
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
710	Improper Adherence to Coding Standards
	Major	None
	Minor	Applicable_Platforms
732	Incorrect Permission Assignment for Critical Resource
	Major	Demonstrative_Examples, Observed_Examples, References
	Minor	Applicable_Platforms
733	Compiler Optimization Removal or Modification of Security-critical Code
	Major	None
	Minor	Observed_Examples
749	Exposed Dangerous Method or Function
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
754	Improper Check for Unusual or Exceptional Conditions
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
755	Improper Handling of Exceptional Conditions
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
757	Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
	Major	None
	Minor	Observed_Examples
758	Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
	Major	None
	Minor	Observed_Examples
759	Use of a One-Way Hash without a Salt
	Major	None
	Minor	Observed_Examples
760	Use of a One-Way Hash with a Predictable Salt
	Major	None
	Minor	Observed_Examples
761	Free of Pointer not at Start of Buffer
	Major	None
	Minor	Observed_Examples
765	Multiple Unlocks of a Critical Resource
	Major	None
	Minor	Observed_Examples
766	Critical Data Element Declared Public
	Major	None
	Minor	Observed_Examples
770	Allocation of Resources Without Limits or Throttling
	Major	Observed_Examples, References
	Minor	Applicable_Platforms
771	Missing Reference to Active Allocated Resource
	Major	Relationships, Taxonomy_Mappings
	Minor	None
772	Missing Release of Resource after Effective Lifetime
	Major	Relationships, Taxonomy_Mappings
	Minor	Observed_Examples
773	Missing Reference to Active File Descriptor or Handle
	Major	Relationships, Taxonomy_Mappings
	Minor	None
775	Missing Release of File Descriptor or Handle after Effective Lifetime
	Major	Relationships, Taxonomy_Mappings
	Minor	Observed_Examples
776	Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
	Major	None
	Minor	Observed_Examples
777	Regular Expression without Anchors
	Major	Demonstrative_Examples, Observed_Examples
	Minor	None
778	Insufficient Logging
	Major	Demonstrative_Examples, Potential_Mitigations
	Minor	Applicable_Platforms, Observed_Examples
779	Logging of Excessive Data
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
781	Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
	Major	None
	Minor	Observed_Examples
782	Exposed IOCTL with Insufficient Access Control
	Major	None
	Minor	Observed_Examples
783	Operator Precedence Logic Error
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
784	Reliance on Cookies without Validation and Integrity Checking in a Security Decision
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
786	Access of Memory Location Before Start of Buffer
	Major	None
	Minor	Observed_Examples
787	Out-of-bounds Write
	Major	Applicable_Platforms
	Minor	Observed_Examples
788	Access of Memory Location After End of Buffer
	Major	None
	Minor	Observed_Examples
789	Memory Allocation with Excessive Size Value
	Major	Observed_Examples
	Minor	Applicable_Platforms
798	Use of Hard-coded Credentials
	Major	Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships
	Minor	None
799	Improper Control of Interaction Frequency
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
804	Guessable CAPTCHA
	Major	Description, Relationships
	Minor	Applicable_Platforms
805	Buffer Access with Incorrect Length Value
	Major	References
	Minor	Observed_Examples
807	Reliance on Untrusted Inputs in a Security Decision
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
822	Untrusted Pointer Dereference
	Major	None
	Minor	Observed_Examples
823	Use of Out-of-range Pointer Offset
	Major	None
	Minor	Observed_Examples
824	Access of Uninitialized Pointer
	Major	None
	Minor	Observed_Examples
825	Expired Pointer Dereference
	Major	None
	Minor	Observed_Examples
826	Premature Release of Resource During Expected Lifetime
	Major	None
	Minor	Observed_Examples
827	Improper Control of Document Type Definition
	Major	None
	Minor	Observed_Examples
828	Signal Handler with Functionality that is not Asynchronous-Safe
	Major	None
	Minor	Observed_Examples
829	Inclusion of Functionality from Untrusted Control Sphere
	Major	References, Related_Attack_Patterns
	Minor	Observed_Examples
832	Unlock of a Resource that is not Locked
	Major	None
	Minor	Observed_Examples
833	Deadlock
	Major	None
	Minor	Observed_Examples
834	Excessive Iteration
	Major	None
	Minor	Observed_Examples
835	Loop with Unreachable Exit Condition ('Infinite Loop')
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
836	Use of Password Hash Instead of Password for Authentication
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
837	Improper Enforcement of a Single, Unique Action
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
838	Inappropriate Encoding for Output Context
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
839	Numeric Range Comparison Without Minimum Check
	Major	None
	Minor	Observed_Examples
840	Business Logic Errors
	Major	Terminology_Notes
	Minor	None
841	Improper Enforcement of Behavioral Workflow
	Major	None
	Minor	Observed_Examples
842	Placement of User into Incorrect Group
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
843	Access of Resource Using Incompatible Type ('Type Confusion')
	Major	None
	Minor	Observed_Examples
862	Missing Authorization
	Major	Observed_Examples
	Minor	Applicable_Platforms
863	Incorrect Authorization
	Major	Observed_Examples
	Minor	Applicable_Platforms
908	Use of Uninitialized Resource
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
909	Missing Initialization of Resource
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
910	Use of Expired File Descriptor
	Major	None
	Minor	Applicable_Platforms
911	Improper Update of Reference Count
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
914	Improper Control of Dynamically-Identified Variables
	Major	None
	Minor	Observed_Examples
915	Improperly Controlled Modification of Dynamically-Determined Object Attributes
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
916	Use of Password Hash With Insufficient Computational Effort
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
917	Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
	Major	None
	Minor	Observed_Examples
918	Server-Side Request Forgery (SSRF)
	Major	Observed_Examples
	Minor	Applicable_Platforms
920	Improper Restriction of Power Consumption
	Major	None
	Minor	Applicable_Platforms
921	Storage of Sensitive Data in a Mechanism without Access Control
	Major	None
	Minor	Applicable_Platforms
922	Insecure Storage of Sensitive Information
	Major	Common_Consequences, Relationship_Notes
	Minor	Applicable_Platforms
923	Improper Restriction of Communication Channel to Intended Endpoints
	Major	Related_Attack_Patterns, Relationships
	Minor	Applicable_Platforms
924	Improper Enforcement of Message Integrity During Transmission in a Communication Channel
	Major	None
	Minor	Applicable_Platforms
925	Improper Verification of Intent by Broadcast Receiver
	Major	Relationships
	Minor	Applicable_Platforms
926	Improper Export of Android Application Components
	Major	Background_Details
	Minor	Applicable_Platforms
927	Use of Implicit Intent for Sensitive Communication
	Major	None
	Minor	Applicable_Platforms
939	Improper Authorization in Handler for Custom URL Scheme
	Major	None
	Minor	Observed_Examples
940	Improper Verification of Source of a Communication Channel
	Major	Relationships
	Minor	Applicable_Platforms, Observed_Examples
941	Incorrectly Specified Destination in a Communication Channel
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
942	Permissive Cross-domain Policy with Untrusted Domains
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
943	Improper Neutralization of Special Elements in Data Query Logic
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
970	SFP Secondary Cluster: Faulty Buffer Access
	Major	Relationships
	Minor	None
971	SFP Secondary Cluster: Faulty Pointer Use
	Major	Relationships
	Minor	None
982	SFP Secondary Cluster: Failure to Release Resource
	Major	Relationships
	Minor	None
983	SFP Secondary Cluster: Faulty Resource Use
	Major	Relationships
	Minor	None
990	SFP Secondary Cluster: Tainted Input to Command
	Major	Relationships
	Minor	None
998	SFP Secondary Cluster: Glitch in Computation
	Major	Relationships
	Minor	None
999	DEPRECATED: Weaknesses without Software Fault Patterns
	Major	Description, Name, Type, View_Audience, View_Filter
	Minor	None
1003	Weaknesses for Simplified Mapping of Published Vulnerabilities
	Major	Relationships
	Minor	None
1004	Sensitive Cookie Without 'HttpOnly' Flag
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1007	Insufficient Visual Distinction of Homoglyphs Presented to User
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms, Description, Observed_Examples
1021	Improper Restriction of Rendered UI Layers or Frames
	Major	None
	Minor	Observed_Examples
1023	Incomplete Comparison with Missing Factors
	Major	None
	Minor	Applicable_Platforms
1024	Comparison of Incompatible Types
	Major	None
	Minor	Applicable_Platforms
1025	Comparison Using Wrong Factors
	Major	None
	Minor	Applicable_Platforms
1037	Processor Optimization Removal or Modification of Security-critical Code
	Major	Applicable_Platforms, Maintenance_Notes
	Minor	Observed_Examples
1038	Insecure Automated Optimizations
	Major	None
	Minor	Applicable_Platforms
1039	Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations
	Major	None
	Minor	Applicable_Platforms
1041	Use of Redundant Code
	Major	Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations
	Minor	None
1059	Insufficient Technical Documentation
	Major	None
	Minor	Applicable_Platforms
1069	Empty Exception Block
	Major	Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations
	Minor	None
1104	Use of Unmaintained Third Party Components
	Major	References
	Minor	None
1116	Inaccurate Comments
	Major	Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations
	Minor	None
1173	Improper Use of Validation Framework
	Major	None
	Minor	Applicable_Platforms
1189	Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
	Major	Detection_Factors
	Minor	Applicable_Platforms, Observed_Examples
1190	DMA Device Enabled Too Early in Boot Phase
	Major	None
	Minor	Applicable_Platforms
1191	On-Chip Debug and Test Interface With Improper Access Control
	Major	Description, Related_Attack_Patterns
	Minor	Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References
1192	System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers
	Major	None
	Minor	Applicable_Platforms
1195	Manufacturing and Life Cycle Management Concerns
	Major	Relationships
	Minor	None
1203	Peripherals, On-chip Fabric, and Interface/IO Problems
	Major	Relationships
	Minor	None
1204	Generation of Weak Initialization Vector (IV)
	Major	None
	Minor	Applicable_Platforms, Observed_Examples, References
1206	Power, Clock, Thermal, and Reset Concerns
	Major	Name
	Minor	None
1208	Cross-Cutting Problems
	Major	Relationships
	Minor	None
1209	Failure to Disable Reserved Bits
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1220	Insufficient Granularity of Access Control
	Major	None
	Minor	Applicable_Platforms
1221	Incorrect Register Defaults or Module Parameters
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1222	Insufficient Granularity of Address Regions Protected by Register Locks
	Major	None
	Minor	Applicable_Platforms
1223	Race Condition for Write-Once Attributes
	Major	Demonstrative_Examples
	Minor	None
1224	Improper Restriction of Write-Once Bit Fields
	Major	Demonstrative_Examples
	Minor	None
1229	Creation of Emergent Resource
	Major	None
	Minor	Applicable_Platforms
1230	Exposure of Sensitive Information Through Metadata
	Major	None
	Minor	Applicable_Platforms
1231	Improper Prevention of Lock Bit Modification
	Major	None
	Minor	Applicable_Platforms, Demonstrative_Examples, Observed_Examples
1232	Improper Lock Behavior After Power State Transition
	Major	None
	Minor	Applicable_Platforms
1233	Security-Sensitive Hardware Controls with Missing Lock Bit Protection
	Major	None
	Minor	Applicable_Platforms, Demonstrative_Examples, Observed_Examples
1234	Hardware Internal or Debug Modes Allow Override of Locks
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1235	Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
	Major	None
	Minor	Applicable_Platforms
1236	Improper Neutralization of Formula Elements in a CSV File
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1239	Improper Zeroization of Hardware Register
	Major	None
	Minor	Applicable_Platforms
1240	Use of a Cryptographic Primitive with a Risky Implementation
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1242	Inclusion of Undocumented Features or Chicken Bits
	Major	None
	Minor	Applicable_Platforms
1243	Sensitive Non-Volatile Information Not Protected During Debug
	Major	Relationships
	Minor	Applicable_Platforms
1244	Internal Asset Exposed to Unsafe Debug Access Level or State
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1245	Improper Finite State Machines (FSMs) in Hardware Logic
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1246	Improper Write Handling in Limited-write Non-Volatile Memories
	Major	Demonstrative_Examples, Relationships, Research_Gaps
	Minor	Applicable_Platforms
1247	Improper Protection Against Voltage and Clock Glitches
	Major	Demonstrative_Examples, References
	Minor	Applicable_Platforms, Observed_Examples
1248	Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
	Major	None
	Minor	Applicable_Platforms
1249	Application-Level Admin Tool with Inconsistent View of Underlying Operating System
	Major	None
	Minor	Applicable_Platforms
1250	Improper Preservation of Consistency Between Independent Representations of Shared State
	Major	None
	Minor	Applicable_Platforms
1251	Mirrored Regions with Different Values
	Major	None
	Minor	Applicable_Platforms
1252	CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
	Major	None
	Minor	Applicable_Platforms
1253	Incorrect Selection of Fuse Values
	Major	None
	Minor	Applicable_Platforms
1254	Incorrect Comparison Logic Granularity
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms, Observed_Examples
1255	Comparison Logic is Vulnerable to Power Side-Channel Attacks
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms, Observed_Examples
1256	Improper Restriction of Software Interfaces to Hardware Features
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1257	Improper Access Control Applied to Mirrored or Aliased Memory Regions
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1258	Exposure of Sensitive System Information Due to Uncleared Debug Information
	Major	None
	Minor	Applicable_Platforms
1259	Improper Restriction of Security Token Assignment
	Major	None
	Minor	Applicable_Platforms, Demonstrative_Examples
1260	Improper Handling of Overlap Between Protected Memory Ranges
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1261	Improper Handling of Single Event Upsets
	Major	None
	Minor	Applicable_Platforms
1262	Improper Access Control for Register Interface
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1263	Improper Physical Access Control
	Major	Relationships
	Minor	Applicable_Platforms
1264	Hardware Logic with Insecure De-Synchronization between Control and Data Channels
	Major	Maintenance_Notes
	Minor	Applicable_Platforms, Observed_Examples
1265	Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
	Major	References
	Minor	Applicable_Platforms, Demonstrative_Examples, Observed_Examples, Potential_Mitigations
1266	Improper Scrubbing of Sensitive Data from Decommissioned Device
	Major	None
	Minor	Applicable_Platforms
1267	Policy Uses Obsolete Encoding
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1268	Policy Privileges are not Assigned Consistently Between Control and Data Agents
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1269	Product Released in Non-Release Configuration
	Major	None
	Minor	Applicable_Platforms, Description, Observed_Examples
1270	Generation of Incorrect Security Tokens
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1271	Uninitialized Value on Reset for Registers Holding Security Settings
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1272	Sensitive Information Uncleared Before Debug/Power State Transition
	Major	Applicable_Platforms
	Minor	Observed_Examples
1273	Device Unlock Credential Sharing
	Major	Description
	Minor	Applicable_Platforms, Demonstrative_Examples
1274	Improper Access Control for Volatile Memory Containing Boot Code
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1275	Sensitive Cookie with Improper SameSite Attribute
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1276	Hardware Child Block Incorrectly Connected to Parent System
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1277	Firmware Not Updateable
	Major	Related_Attack_Patterns
	Minor	Applicable_Platforms, Observed_Examples
1278	Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
	Major	Relationships
	Minor	Applicable_Platforms
1279	Cryptographic Operations are run Before Supporting Units are Ready
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1280	Access Control Check Implemented After Asset is Accessed
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1281	Sequence of Processor Instructions Leads to Unexpected Behavior
	Major	Applicable_Platforms, Demonstrative_Examples
	Minor	Description, Observed_Examples
1282	Assumed-Immutable Data is Stored in Writable Memory
	Major	None
	Minor	Applicable_Platforms
1283	Mutable Attestation or Measurement Reporting Data
	Major	None
	Minor	Applicable_Platforms
1284	Improper Validation of Specified Quantity in Input
	Major	Observed_Examples, Relationships
	Minor	Applicable_Platforms
1285	Improper Validation of Specified Index, Position, or Offset in Input
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1286	Improper Validation of Syntactic Correctness of Input
	Major	Observed_Examples
	Minor	Applicable_Platforms
1287	Improper Validation of Specified Type of Input
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1288	Improper Validation of Consistency within Input
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1289	Improper Validation of Unsafe Equivalence in Input
	Major	Observed_Examples
	Minor	Applicable_Platforms
1290	Incorrect Decoding of Security Identifiers
	Major	Demonstrative_Examples, Related_Attack_Patterns
	Minor	Applicable_Platforms, Description
1291	Public Key Re-Use for Signing both Debug and Production Code
	Major	None
	Minor	Applicable_Platforms, Description
1292	Incorrect Conversion of Security Identifiers
	Major	Demonstrative_Examples, Related_Attack_Patterns
	Minor	Applicable_Platforms
1293	Missing Source Correlation of Multiple Independent Data
	Major	None
	Minor	Applicable_Platforms
1294	Insecure Security Identifier Mechanism
	Major	None
	Minor	Applicable_Platforms
1295	Debug Messages Revealing Unnecessary Information
	Major	References
	Minor	Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples
1296	Incorrect Chaining or Granularity of Debug Components
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1297	Unprotected Confidential Information on Device is Accessible by OSAT Vendors
	Major	None
	Minor	Applicable_Platforms, Potential_Mitigations
1299	Missing Protection Mechanism for Alternate Hardware Interface
	Major	None
	Minor	Applicable_Platforms, Demonstrative_Examples, Observed_Examples
1300	Improper Protection of Physical Side Channels
	Major	References, Relationships
	Minor	Applicable_Platforms, Observed_Examples
1301	Insufficient or Incomplete Data Removal within Hardware Component
	Major	None
	Minor	Applicable_Platforms, References
1302	Missing Security Identifier
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1303	Non-Transparent Sharing of Microarchitectural Resources
	Major	Demonstrative_Examples, Maintenance_Notes
	Minor	Applicable_Platforms, Description
1304	Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
	Major	None
	Minor	Applicable_Platforms, Potential_Mitigations
1310	Missing Ability to Patch ROM Code
	Major	References, Related_Attack_Patterns
	Minor	Applicable_Platforms
1311	Improper Translation of Security Attributes by Fabric Bridge
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms
1312	Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
	Major	None
	Minor	Applicable_Platforms, Demonstrative_Examples
1313	Hardware Allows Activation of Test or Debug Logic at Runtime
	Major	None
	Minor	Applicable_Platforms
1314	Missing Write Protection for Parametric Data Values
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1315	Improper Setting of Bus Controlling Capability in Fabric End-point
	Major	None
	Minor	Applicable_Platforms, Demonstrative_Examples
1316	Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
	Major	References
	Minor	Applicable_Platforms, Demonstrative_Examples, Observed_Examples
1317	Improper Access Control in Fabric Bridge
	Major	Demonstrative_Examples, Description, Detection_Factors, Name, Potential_Mitigations
	Minor	Applicable_Platforms, Observed_Examples
1318	Missing Support for Security Features in On-chip Fabrics or Buses
	Major	None
	Minor	Applicable_Platforms
1319	Improper Protection against Electromagnetic Fault Injection (EM-FI)
	Major	Potential_Mitigations, References, Relationships
	Minor	Applicable_Platforms
1320	Improper Protection for Outbound Error Messages and Alert Signals
	Major	Name
	Minor	Applicable_Platforms
1321	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
	Major	None
	Minor	Observed_Examples
1323	Improper Management of Sensitive Trace Data
	Major	None
	Minor	Applicable_Platforms
1324	Sensitive Information Accessible by Physical Probing of JTAG Interface
	Major	None
	Minor	Applicable_Platforms
1325	Improperly Controlled Sequential Memory Allocation
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1326	Missing Immutable Root of Trust in Hardware
	Major	None
	Minor	Applicable_Platforms
1327	Binding to an Unrestricted IP Address
	Major	None
	Minor	Applicable_Platforms
1328	Security Version Number Mutable to Older Versions
	Major	None
	Minor	Applicable_Platforms
1329	Reliance on Component That is Not Updateable
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1330	Remanent Data Readable after Memory Erase
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1331	Improper Isolation of Shared Resources in Network On Chip (NoC)
	Major	None
	Minor	Applicable_Platforms
1332	Improper Handling of Faults that Lead to Instruction Skips
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
1333	Inefficient Regular Expression Complexity
	Major	Observed_Examples, Relationships
	Minor	Applicable_Platforms
1334	Unauthorized Error Injection Can Degrade Hardware Redundancy
	Major	None
	Minor	Applicable_Platforms
1335	Incorrect Bitwise Shift of Integer
	Major	Demonstrative_Examples, Observed_Examples
	Minor	Applicable_Platforms
1336	Improper Neutralization of Special Elements Used in a Template Engine
	Major	None
	Minor	Applicable_Platforms, Observed_Examples
1338	Improper Protections Against Hardware Overheating
	Major	Related_Attack_Patterns
	Minor	Applicable_Platforms
1339	Insufficient Precision or Accuracy of a Real Number
	Major	Demonstrative_Examples
	Minor	Applicable_Platforms, Description, Observed_Examples
1341	Multiple Releases of Same Resource or Handle
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
1342	Information Exposure through Microarchitectural State after Transient Execution
	Major	Demonstrative_Examples, Maintenance_Notes, Related_Attack_Patterns
	Minor	Applicable_Platforms, Observed_Examples
1345	OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
	Major	References
	Minor	None
1346	OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
	Major	References
	Minor	None
1347	OWASP Top Ten 2021 Category A03:2021 - Injection
	Major	References
	Minor	None
1348	OWASP Top Ten 2021 Category A04:2021 - Insecure Design
	Major	References
	Minor	None
1349	OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
	Major	References
	Minor	None
1351	Improper Handling of Hardware Behavior in Exceptionally Cold Environments
	Major	References, Related_Attack_Patterns
	Minor	Applicable_Platforms
1352	OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components
	Major	References
	Minor	None
1353	OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
	Major	References
	Minor	None
1354	OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures
	Major	References
	Minor	None
1355	OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures
	Major	References
	Minor	None
1356	OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)
	Major	References
	Minor	None
1357	Reliance on Uncontrolled Component
	Major	References
	Minor	Applicable_Platforms, Observed_Examples
1384	Improper Handling of Physical or Environmental Conditions
	Major	References
	Minor	None
1385	Missing Origin Validation in WebSockets
	Major	None
	Minor	Applicable_Platforms, Observed_Examples, References
1386	Insecure Operation on Windows Junction / Mount Point
	Major	None
	Minor	Applicable_Platforms, Observed_Examples

Page Last Updated: October 13, 2022


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration