Dear CWE Community,

We are thrilled to announce that CWE version 4.10 is now available on our website - https://cwe.mitre.org. Thank you to all our content submitters for your time and efforts to collaborate and make this release possible, especially the significant contributions by the CWE Hardware SIG<https://cwe.mitre.org/community/working_groups.html#hw_sig> and CWE-CAPEC ICS/OT SIG<https://cwe.mitre.org/community/working_groups.html#ics_ot_sig>, as noted below.

A detailed report listing the specific changes between Version 4.9 and 4.10 can be found here (diff report<https://cwe.mitre.org/data/reports/diff_reports/v4.9_v4.10.html>), but below I have listed some of the key highlights:

* Added 1 new CWE weakness for use of vulnerable third-party components, CWE-1395: Dependency on Vulnerable Third-Party Component<https://cwe.mitre.org/data/definitions/1395.html>
* Revamped CWE-1357: Reliance on Insufficiently Trustworthy Component<https://cwe.mitre.org/data/definitions/1357.html> to emphasize dependency on "insufficiently trustworthy" components
* Changed over 400 CWE descriptions to replace "software" with "product" to better allow the scope of those CWEs to include hardware, driven by experience with the ICS/OT SIG<https://cwe.mitre.org/community/working_groups.html#ics_ot_sig> and the CWE Hardware SIG<https://cwe.mitre.org/community/working_groups.html#hw_sig>
* Changed categories and relationships in the Hardware View<https://cwe.mitre.org/data/definitions/1194.html> (CWE-1194)
* Improved names, descriptions, and/or demonstrative examples of multiple hardware weaknesses
* Updated the ICS/OT View<https://cwe.mitre.org/data/definitions/1358.html> (CWE-1358) including relationships, descriptions, and mappings to the ISA/IEC 62443<https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards> standard, based on contributions by the ICS/OT SIG
* Added more Mapping Notes
* Updated some relationships under CWE-284: Improper Access Control<https://cwe.mitre.org/data/definitions/284.html>
* Provided cloud-related details for some CWEs (mitigations, applicable platforms, and demonstrative examples)
* Added more observed examples for products written in Python or Go
* Deprecated CWE-1324: Sensitive Information Accessible by Physical Probing of JTAG Interface<https://cwe.mitre.org/data/definitions/1324.html>

We are really excited about this release, and we look forward to you diving into the new content. On behalf of the CWE Team, thank you for your continued support of the CWE/CAPEC Program.

Cheers,
Alec

--
Alec J. Summers
Cyber Solutions Innovation Center
Group Leader, Software Assurance
Cyber Security Engineer, Lead
O: (781) 271-6970
C: (781) 496-8426
------------------------------------
MITRE - Solving Problems for a Safer World