27:) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and hardware and creating automated tools that can be used to identify, fix, and prevent those flaws. The project is sponsored by the office of the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which is operated by
67:
Common
Weakness Enumeration (CWE) Compatibility program allows a service or a product to be reviewed and registered as officially "CWE-Compatible" and "CWE-Effective". The program assists organizations in selecting the right software tools and learning about possible weaknesses and their possible
122:
for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software
479:
443:
361:
386:
436:
132:
for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site
469:
155:
474:
161:
515:
429:
138:
There are 56 organizations as of
September 2019 that develop and maintain products and services that achieved CWE Compatible status.
36:
520:
230:
167:
379:
45:
CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions,
112:
capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used
510:
505:
276:
414:
71:
In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements, shown below:
397:
356:
46:
294:
380:
Certifying
Applications for Known Security Weaknesses. The Common Weakness Enumeration (CWE) Effort
92:
security elements presented to users include, or allow users to obtain, associated CWE identifiers
421:
246:
452:
408:
280:
28:
258:
499:
298:
341:
299:"Bugs Framework (BF): Formalizing Software Security Weaknesses and Vulnerabilities"
201:
316:
262:
247:"On the capability of static code analysis to detect security vulnerabilities"
484:
146:
Some researchers think that ambiguities in CWE can be avoided or reduced.
187:
396:. comparison of different vulnerability Classifications. Archived from
225:
32:
102:
security elements accurately link to the appropriate CWE identifiers
485:
Adversarial
Tactics, Techniques, and Common Knowledge (ATT&CK)
425:
355:
Paul E. Black; Irena V. Bojanova; Yaacov Yesha; Yan Wu (2015).
394:
Wiley
Handbook of Science and Technology for Homeland Security
480:
Common Attack
Pattern Enumeration and Classification (CAPEC)
42:
Version 4.10 of the CWE standard was released in July 2021.
245:
Goseva-Popstojanova, Katerina; Perhinschi, Andrei (2015).
82:
users may search security elements using CWE identifiers
58:
CWE category 121 is for stack-based buffer overflows.
49:, hard-coded passwords, and insecure random numbers.
317:"CWE - CWE-121: Stack-based Buffer Overflow (4.15)"
16:Catalog of software weaknesses and vulnerabilities
362:National Institute of Standards and Technology
437:
39:of the U.S. Department of Homeland Security.
8:
342:"CWE - CWE-Compatible Products and Services"
475:Common Vulnerability Scoring System (CVSS)
470:Common Vulnerabilities and Exposures (CVE)
444:
430:
422:
142:Research, critiques, and new developments
387:"Classes of Vulnerabilities and Attacks"
202:"CWE - Frequently Asked Questions (FAQ)"
73:
179:
406:
7:
357:"Towards a "Periodic Table" of Bugs"
156:Common Vulnerabilities and Exposures
251:Information and Software Technology
162:Common Vulnerability Scoring System
14:
465:Common Weakness Enumeration (CWE)
226:"Vulnerabilities | NVD CWE Slice"
277:"CWE Version 4.10 Now Available"
37:National Cyber Security Division
231:National Vulnerability Database
168:National Vulnerability Database
1:
455:computer security ontologies
263:10.1016/j.infsof.2015.08.002
21:Common Weakness Enumeration
537:
516:Computer network security
460:
281:Mitre Corporationaccess
521:Classification systems
413:: CS1 maint: others (
29:The MITRE Corporation
47:cross-site scripting
31:, with support from
283:-date=9 March 2022.
511:Computer standards
506:Software anomalies
493:
492:
453:Mitre Corporation
188:"CWE - About CWE"
136:
135:
108:CWE Documentation
63:CWE compatibility
528:
446:
439:
432:
423:
418:
412:
404:
402:
391:
367:
366:
352:
346:
345:
338:
332:
331:
329:
327:
313:
307:
306:
291:
285:
284:
273:
267:
266:
242:
236:
235:
222:
216:
215:
213:
212:
198:
192:
191:
184:
128:CWE Test Results
98:Mapping Accuracy
74:
536:
535:
531:
530:
529:
527:
526:
525:
496:
495:
494:
489:
456:
450:
405:
400:
389:
385:
382:// 6 March 2007
376:
371:
370:
354:
353:
349:
344:. at mitre.org.
340:
339:
335:
325:
323:
315:
314:
310:
303:samate.nist.gov
295:Bojanova, Irena
293:
292:
288:
275:
274:
270:
244:
243:
239:
224:
223:
219:
210:
208:
200:
199:
195:
190:. at mitre.org.
186:
185:
181:
176:
152:
144:
65:
55:
17:
12:
11:
5:
534:
532:
524:
523:
518:
513:
508:
498:
497:
491:
490:
488:
487:
482:
477:
472:
467:
461:
458:
457:
451:
449:
448:
441:
434:
426:
420:
419:
403:on 2016-03-22.
383:
375:
374:External links
372:
369:
368:
347:
333:
308:
286:
268:
237:
217:
193:
178:
177:
175:
172:
171:
170:
165:
159:
151:
148:
143:
140:
134:
133:
130:
124:
123:
120:
114:
113:
110:
104:
103:
100:
94:
93:
90:
84:
83:
80:
78:CWE Searchable
64:
61:
60:
59:
54:
51:
15:
13:
10:
9:
6:
4:
3:
2:
533:
522:
519:
517:
514:
512:
509:
507:
504:
503:
501:
486:
483:
481:
478:
476:
473:
471:
468:
466:
463:
462:
459:
454:
447:
442:
440:
435:
433:
428:
427:
424:
416:
410:
399:
395:
388:
384:
381:
378:
377:
373:
364:
363:
358:
351:
348:
343:
337:
334:
322:
321:cwe.mitre.org
318:
312:
309:
304:
300:
296:
290:
287:
282:
278:
272:
269:
264:
260:
256:
252:
248:
241:
238:
233:
232:
227:
221:
218:
207:
206:cwe.mitre.org
203:
197:
194:
189:
183:
180:
173:
169:
166:
163:
160:
157:
154:
153:
149:
147:
141:
139:
131:
129:
126:
125:
121:
119:
116:
115:
111:
109:
106:
105:
101:
99:
96:
95:
91:
89:
86:
85:
81:
79:
76:
75:
72:
69:
62:
57:
56:
52:
50:
48:
43:
40:
38:
34:
30:
26:
22:
464:
398:the original
393:
360:
350:
336:
324:. Retrieved
320:
311:
302:
289:
271:
254:
250:
240:
229:
220:
209:. Retrieved
205:
196:
182:
145:
137:
127:
118:CWE Coverage
117:
107:
97:
87:
77:
70:
66:
44:
41:
24:
20:
18:
500:Categories
211:2023-09-21
174:References
88:CWE Output
326:August 5,
257:: 18–33.
409:cite web
297:(2014).
150:See also
68:impact.
53:Examples
35:and the
33:US-CERT
164:(CVSS)
401:(PDF)
390:(PDF)
158:(CVE)
415:link
328:2024
19:The
259:doi
25:CWE
502::
411:}}
407:{{
392:.
359:.
319:.
301:.
279:.
255:68
253:.
249:.
228:.
204:.
445:e
438:t
431:v
417:)
365:.
330:.
305:.
265:.
261::
234:.
214:.
23:(
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.