v1.13 - 2024-04-02

Added

• Physical Security Issues - Bypass of physical access control - VARIES
• Physical Security Issues - Weakness in physical access control - Clonable Key - VARIES
• Physical Security Issues - Weakness in physical access control - Master Key Identification - VARIES
• Physical Security Issues - Weakness in physical access control - Commonly Keyed System - P2
• Insecure OS/Firmware - Weakness in Firmware Updates - Firmware cannot be updated - VARIES
• Insecure OS/Firmware - Weakness in Firmware Updates - Firmware does not validate update integrity- P3
• Insecure OS/Firmware - Weakness in Firmware Updates - Firmware is not encrypted- P5
• Insecure OS/Firmware - Kiosk Escape or Breakout - VARIES
• Insecure OS/Firmware - Poorly Configured Disk Encryption - VARIES
• Insecure OS/Firmware - Shared Credentials on Storage - P3
• Insecure OS/Firmware - Over-Permissioned Credentials on Storage - P2
• Insecure OS/Firmware - Local Administrator on default environment - P2
• Insecure OS/Firmware - Poorly Configured Operating System Security - VARIES
• Insecure OS/Firmware - Recovery of Disk Contains Sensitive Material - VARIES
• Insecure OS/Firmware - Failure to Remove Sensitive Artifacts from Disk - VARIES
• Insecure OS/Firmware - Data not encrypted at rest - Sensitive - VARIES
• Insecure OS/Firmware - Data not encrypted at rest - Non sensitive - P5

v1.12 - 2023-12-18

Added

• Application Level DoS - Excessive Resource Consumption - Injection (Prompt) - VARIES
• AI Application Security - Large Language Model (LLM) Security - Prompt Injection - P1
• AI Application Security - Large Language Model (LLM) Security - LLM Output Handling - P1
• AI Application Security - Large Language Model (LLM) Security - Training Data Poisoning - P1
• AI Application Security - Large Language Model (LLM) Security - Excessive Agency/Permission Manipulation - P2

v1.11 - 2023-11-20

Added

• Sensitive Data Exposure - Disclosure of Secrets - PII Leakage/Exposure: VARIES
• Server-Side Injection - Content Spoofing - HTML Content Injection: P5
• Broken Authentication and Session Management - Failure to invalidate session - Permission change: VARIES
• Server Security Misconfiguration - Request Smuggling: VARIES
• Server-Side Injection - LDAP Injection: VARIES
• Cryptographic Weakness - Insufficient Entropy - Limited Random Number Generator (RNG) Entropy Source: P4
• Cryptographic Weakness - Insufficient_Entropy - Use of True Random Number Generator (TRNG) for Non-Security Purpose: P5
• Cryptographic Weakness - Insufficient_Entropy - Pseudo-Random Number Generator (PRNG) Seed Reuse: P5
• Cryptographic Weakness - Insufficient_Entropy - Predictable Pseudo-Random Number Generator (PRNG) Seed: P4
• Cryptographic Weakness - Insufficient_Entropy - Small Seed Space in Pseudo-Random Number Generator (PRNG): P4
• Cryptographic Weakness - Insufficient_Entropy - Initialization Vector (IV) Reuse: P5
• Cryptographic Weakness - Insufficient_Entropy - Predictable Initialization Vector (IV): P4
• Cryptographic Weakness - Insecure Implementation - Missing Cryptographic Step: VARIES
• Cryptographic Weakness - Insecure Implementation - Improper Following of Specification (Other): VARIES
• Cryptographic Weakness - Weak Hash - Lack of Salt: VARIES
• Cryptographic Weakness - Weak Hash - Use of Predictable Salt: P5
• Cryptographic Weakness - Weak Hash - Predictable Hash Collision: VARIES
• Cryptographic Weakness - Insufficient Verification of Data Authenticity - Integrity Check Value (ICV): P4
• Cryptographic Weakness - Insufficient Verification of Data Authenticity - Cryptographic Signature: VARIES
• Cryptographic Weakness - Insecure Key Generation - Improper Asymmetric Prime Selection: VARIES
• Cryptographic Weakness - Insecure Key Generation - Improper Asymmetric Exponent Selection: VARIES
• Cryptographic Weakness - Insecure Key Generation - Insufficient Key Stretching: VARIES
• Cryptographic Weakness - Insecure Key Generation - Insufficient Key Space: P3
• Cryptographic Weakness - Insecure Key Generation - Key Exchage Without Entity Authentication: P3
• Cryptographic Weakness - Key Reuse - Lack of Perfect Forward Secrecy: P4
• Cryptographic Weakness - Key Reuse - Intra-Environment: P5
• Cryptographic Weakness - Key Reuse - Inter-Environment: P2
• Cryptographic Weakness - Side-Channel Attack - Padding Oracle Attack: P4
• Cryptographic Weakness - Side-Channel Attack - Timing Attack: P4
• Cryptographic Weakness - Side-Channel Attack - Power Analysis Attack: P5
• Cryptographic Weakness - Side-Channel Attack - Emanations Attack: P5
• Cryptographic Weakness - Side-Channel Attack - Differential Fault Analysis: VARIES
• Cryptographic Weakness - Use of Expired Cryptographic Key (or Certificate): P4
• Cryptographic Weakness - Incomplete Cleanup of Keying Material: P5
• Cryptographic Weakness - Broken Cryptography - Use of Broken Cryptographic Primitive: P3
• Cryptographic Weakness - Broken Cryptography - Use of Vulnerable Cryptographic Library: P4
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Non-Sensitive Information: P5
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/GUID/Complex Object Identifiers: P4
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read Sensitive Information/Iterable Object Identifiers: P3
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Edit/Delete Sensitive Information/Iterable Object Identifiers: P2
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information (PII)/Iterable Object Identifier: P1

Changed

FROM:

• Cross-Site Scripting (XSS) - IE-Only - Older Version (< IE11): P5

TO:

• Cross-Site Scripting (XSS) - IE-Only: P5

FROM:

• Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal High Impact: P2
• Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact: P3
• Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - External: P4
• Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - DNS Query Only : P5

TO:

• Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact: P2
• Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact: P3
• Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - Low impact: P5
• Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - DNS Query Only: P5

FROM:

• Automotive Security Misconfiguration - Infotainment, Radio Head Unit - PII Leakage: P1

TO:

• Automotive Security Misconfiguration - Infotainment, Radio Head Unit - Sensitive data Leakage/Exposure: P1

Removed

• Cross-Site Scripting (XSS) - IE-Only - IE11: P4
• Cross-Site Scripting (XSS) - XSS Filter Disabled: P5
• Broken Cryptography - Cryptographic Flaw - Incorrect Usage: P1

v1.10.1

v1.10.1 - 2021-03-29

Changed

• renamed secure code warriors mapping to secure code warrior

v1.10

v1.10 - 2021-03-18

Added

• insufficient_security_configurability.verification_of_contact_method_not_required
• insufficient_security_configurability.weak_two_fa_implementation.two_fa_code_is_not_updated_after_new_code_is_requested
• insufficient_security_configurability.weak_two_fa_implementation.old_two_fa_code_is_not_invalidated_after_new_code_is_generated
• broken_authentication_and_session_management.weak_login_function.over_http
• server_security_misconfiguration.oauth_misconfiguration.account_squatting
• Third-party mapping to Secure Code Warrior trainings
• automotive_security_misconfiguration.can.injection_battery_management_system
• automotive_security_misconfiguration.can.injection_steering_control
• automotive_security_misconfiguration.can.injection_pyrotechnical_device_deployment_tool
• automotive_security_misconfiguration.can.injection_headlights
• automotive_security_misconfiguration.can.injection_sensors
• automotive_security_misconfiguration.can.injection_vehicle_anti_theft_systems
• automotive_security_misconfiguration.can.injection_powertrain
• automotive_security_misconfiguration.can.injection_basic_safety_message
• automotive_security_misconfiguration.battery_management_system
• automotive_security_misconfiguration.battery_management_system.firmware_dump
• automotive_security_misconfiguration.battery_management_system.fraudulent_interface
• automotive_security_misconfiguration.gnss_gps
• automotive_security_misconfiguration.gnss_gps.spoofing
• automotive_security_misconfiguration.immobilizer
• automotive_security_misconfiguration.immobilizer.engine_start
• automotive_security_misconfiguration.abs
• automotive_security_misconfiguration.abs.unintended_acceleration_brake
• automotive_security_misconfiguration.rsu
• automotive_security_misconfiguration.rsu.sybil_attack
• automotive_security_misconfiguration.infotainment_radio_head_unit
• automotive_security_misconfiguration.infotainment_radio_head_unit.pii_leakage
• automotive_security_misconfiguration.infotainment_radio_head_unit.ota_firmware_manipulation
• automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_can_bus_pivot
• automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_no_can_bus_pivot
• automotive_security_misconfiguration.infotainment_radio_head_unit.unauthorized_access_to_services
• automotive_security_misconfiguration.infotainment_radio_head_unit.source_code_dump
• automotive_security_misconfiguration.infotainment_radio_head_unit.dos_brick
• automotive_security_misconfiguration.infotainment_radio_head_unit.default_credentials

Removed

• insufficient_security_configurability.lack_of_verification_email
• broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default
• broken_authentication_and_session_management.weak_login_function.http_and_https_available
• broken_authentication_and_session_management.weak_login_function.lan_only
• cross_site_request_forgery_csrf.flash_based.high_impact
• cross_site_request_forgery_csrf.flash_based.low_impact
• automotive_security_misconfiguration.infotainment
• automotive_security_misconfiguration.infotainment.pii_leakage
• automotive_security_misconfiguration.infotainment.code_execution_can_bus_pivot
• automotive_security_misconfiguration.infotainment.code_execution_no_can_bus_pivot
• automotive_security_misconfiguration.infotainment.unauthorized_access_to_services
• automotive_security_misconfiguration.infotainment.source_code_dump
• automotive_security_misconfiguration.infotainment.dos_brick
• automotive_security_misconfiguration.infotainment.default_credentials

Changed

• server_security_misconfiguration.lack_of_security_headers.cache_control_for_a_non_sensitive_page updated remediation advice
• server_security_misconfiguration.lack_of_security_headers.cache_control_for_a_sensitive_page updated remediation advice
• cross_site_scripting_xss.flash_based priority changed from P4 to P5
• cross_site_request_forgery_csrf.flash_based priority changed from null to P5 (due to children removal)
• using_components_with_known_vulnerabilities.rosetta_flash priority changed from P4 to P5

Cut v1.9 (#291)

v1.9 - 2020-05-22

Added

• sensitive_data_exposure.disclosure_of_secrets.for_publicly_accessible_asset
• sensitive_data_exposure.disclosure_of_secrets.for_internal_asset
• sensitive_data_exposure.disclosure_of_secrets.pay_per_use_abuse
• sensitive_data_exposure.disclosure_of_secrets.intentionally_public_sample_or_invalid
• sensitive_data_exposure.disclosure_of_secrets.data_traffic_spam
• sensitive_data_exposure.disclosure_of_secrets.non_corporate_user
• server_side_injection.ssti.basic
• server_side_injection.ssti.custom
• sensitive_data_exposure.via_localstorage_sessionstorage.sensitive_token
• sensitive_data_exposure.via_localstorage_sessionstorage.non_sensitive_token
• mobile_security_misconfiguration.auto_backup_allowed_by_default
• server_security_misconfiguration.no_rate_limiting_on_form.change_password
• server_side_injection.content_spoofing.impersonation_via_broken_link_hijacking
• cross_site_request_forgery_csrf.flash_based.high_impact
• cross_site_request_forgery_csrf.flash_based.low_impact
• insufficient_security_configurability.password_policy_bypass

Removed

• sensitive_data_exposure.critically_sensitive_data.password_disclosure
• sensitive_data_exposure.critically_sensitive_data.private_api_keys
• sensitive_data_exposure.critically_sensitive_data

Changed

v1.8

v1.8 - 2019-09-25

Added

• server_security_misconfiguration.race_condition
• server_security_misconfiguration.cache_poisoning
• indicators_of_compromise
• broken_authentication_and_session_management.failure_to_invalidate_session.on_two_fa_activation_change

Removed

• mobile_security_misconfiguration.clipboard_enabled.on_sensitive_content
• mobile_security_misconfiguration.clipboard_enabled.on_non_sensitive_content

Changed

• server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_non_email_domain name changed from "Email Spoofing on non-email domain" to "Email Spoofing on Non-Email Domain"
• mobile_security_misconfiguration.clipboard_enabled priority changed from null to P5 (due to children removal)

v1.7.1

Added

• Remediation Advice and CVSS mappings for automotive_security_misconfiguration

v1.7

Added

• sensitive_data_exposure.weak_password_reset_implementation.token_leakage_via_host_header_poisoning
• server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_non_email_domain
• broken_access_control.username_enumeration.non_brute_force
• insufficient_security_configurability.weak_two_fa_implementation.two_fa_secret_cannot_be_rotated
• insufficient_security_configurability.weak_two_fa_implementation.two_fa_secret_remains_obtainable_after_two_fa_is_enabled
• insufficient_security_configurability.weak_two_fa_implementation
• sensitive_data_exposure.token_leakage_via_referer.trusted_third_party
• sensitive_data_exposure.token_leakage_via_referer.untrusted_third_party
• cross_site_scripting_xss.ie_only.ie_eleven
• cross_site_scripting_xss.ie_only.older_version_ie_eleven
• automotive_security_misconfiguration
• automotive_security_misconfiguration.infotainment
• automotive_security_misconfiguration.infotainment.pii_leakage
• automotive_security_misconfiguration.infotainment.code_execution_can_bus_pivot
• automotive_security_misconfiguration.infotainment.code_execution_no_can_bus_pivot
• automotive_security_misconfiguration.infotainment.unauthorized_access_to_services
• automotive_security_misconfiguration.infotainment.source_code_dump
• automotive_security_misconfiguration.infotainment.dos_brick
• automotive_security_misconfiguration.infotainment.default_credentials
• automotive_security_misconfiguration.rf_hub
• automotive_security_misconfiguration.rf_hub.key_fob_cloning
• automotive_security_misconfiguration.rf_hub.can_injection_interaction
• automotive_security_misconfiguration.rf_hub.data_leakage_pull_encryption_mechanism
• automotive_security_misconfiguration.rf_hub.unauthorized_access_turn_on
• automotive_security_misconfiguration.rf_hub.roll_jam
• automotive_security_misconfiguration.rf_hub.replay
• automotive_security_misconfiguration.rf_hub.relay
• automotive_security_misconfiguration.can
• automotive_security_misconfiguration.can.injection_disallowed_messages
• automotive_security_misconfiguration.can.injection_dos
• server_side_injection.content_spoofing.email_hyperlink_injection_based_on_email_provider

Removed

• broken_access_control.username_enumeration.data_leak
• insufficient_security_configurability.weak_2fa_implementation
• sensitive_data_exposure.token_leakage_via_referer.trusted_3rd_party
• sensitive_data_exposure.token_leakage_via_referer.untrusted_3rd_party
• cross_site_scripting_xss.ie_only.ie11
• cross_site_scripting_xss.ie_only.older_version_ie11

Changed

• server_security_misconfiguration.username_enumeration name changed from "Username Enumeration" to "Username/Email Enumeration"
• broken_access_control.username_enumeration name changed from "Username Enumeration" to "Username/Email Enumeration"
• updated Remediation Advice reference URLs for OWASP

v1.6

Added

• broken_access_control.server_side_request_forgery_ssrf.internal_high_impact
• broken_access_control.server_side_request_forgery_ssrf.internal_scan_and_or_medium_impact
• server_security_misconfiguration.mail_server_misconfiguration.no_spoofing_protection_on_email_domain
• server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain
• server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_to_spam_folder
• server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim

Removed

• broken_access_control.server_side_request_forgery_ssrf.internal
• server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain
• server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_non_email_domain
• server_security_misconfiguration.mail_server_misconfiguration.spf_uses_a_soft_fail
• server_security_misconfiguration.mail_server_misconfiguration.spf_includes_10_lookups
• server_security_misconfiguration.mail_server_misconfiguration.missing_dmarc