CAPEC Version 3.4 is released



Hello All,


CAPEC Version 3.4 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.3 and Version 3.4.

Version 3.4 includes:

·         Adding four new attack patterns: CAPEC-656: Voice Phishing, CAPEC-657: Malicious Automated Software Update via Spoofing, CAPEC-660: Root/Jailbreak Detection Evasion via Hooking, and CAPEC-661: Root/Jailbreak Detection Evasion via Debugging.

·         Adding two new Views: OWASP Related Patterns and ATT&CK Related Patterns.

·         Merging "CAPEC-214: Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping" into CAPEC-215: Fuzzing for application mapping, and deprecating CAPEC-214.

·         Adding 41 Common Attack Pattern Enumeration and Classification (CAPEC™)-to-Common Weakness Enumeration (CWE™) mappings. Three mappings were also removed. This was due to CWE versions 4.2 and 4.3 adding 20 Hardware CWEs and 5 Software CWEs. These mappings help inform a tighter integration between CWE and CAPEC.

·         Streamlining descriptions and updating content for 22 CAPECs.

·         Improving the WASC Threat Classification 2.0 view for WASC-related CAPEC Entries by moving the WASC references to the taxonomy mapping.

·         Updating the entire CAPEC website to make the demarcation between parent/child relationships and other relationships clearer in all CAPECs, and replacing common text sections with hover tooltips to increase the visible area.

The CAPEC Schema was updated from v3.3 to v3.4 to replace “WASCv2” with “WASC” in TaxonomyNameEnumeration, and add "OWASP Attacks" to TaxonomyNameEnumeration.


There are now 527 total attack patterns listed.

Changes for the new version release include the following:

·         New Attack Patterns Added:


·         Existing Attack Patterns Updated:


·         Attack Patterns Deprecated:


·         Existing Categories Updated:


·         Existing Categories Deprecated:


·         New Views Added:


·         Existing Views Updated:


·         CAPEC-to-CWE Mappings Added:


·         CAPEC-to-CWE Mappings Removed:


·         CAPEC-to-CAPEC Mappings Added:


·         CAPEC-to-CAPEC Mappings Removed:


See the complete list of changes at

Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please [hidden email] with any comments or concerns.


Thank you again for all of your help and your interest and support of CAPEC.





Rich Piazza

Lead Cyber Security Engineer

The MITRE Corporation