The Common Weakness Enumeration (CWE) is an "encyclopedia" of over 600 types of software weaknesses. Some of the classes are buffer overflow, directory traversal, OS injection, race condition, cross-site scripting, hard-coded password and insecure random numbers. CWE is a widely used compilation that has gone through many iterations, and many tools and projects are based on it. Each CWE entry carries a variety of information, such as a description summary, an extended description, a white box definition, consequences, examples, background details and other notes, recorded occurrences (Common Vulnerabilities and Exposures, or CVE), mitigations, relations to other CWEs, and references.
CWEs are a rich source of material for software developers and superior to anything that existed before. However, for very formal, exacting work, CWE definitions are often inaccurate, imprecise or ambiguous, and the various definitions within one CWE can be inconsistent. Each CWE bundles many stages, such as likely attacks, resources affected and consequences. The coverage is uneven, with some combinations of attributes well represented and others not appearing at all.
An extreme example is path traversal. There are a dozen CWEs for path traversal under CWE-23: Relative Path Traversal, each with a specific combination of relative or absolute paths, forward or backward slashes (singly or repeated), between one and three directory steps, and two or more dots, which indicate the parent directory.
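The variants enumerated above (relative vs. absolute paths, forward vs. backward slashes, repeated separators, one to three ".." steps) all collapse to a single question for a defender: does the requested path still resolve to a location inside the directory the application meant to expose? The following example is added here to illustrate that point; it is not code from the CWE project. The base directory `/srv/files` and the sample requests are constructed for the illustration, and the check works on path strings only (it does not consult the filesystem or resolve symbolic links, which a deployed version would do with `os.path.realpath`).

```python
import posixpath
from typing import Optional

# Constructed base directory for the illustration; any directory works.
BASE_DIR = "/srv/files"


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the normalized absolute path if `requested` stays under `base_dir`,
    otherwise None.

    Pure string normalization: no filesystem access, so it runs anywhere, but
    it also means symlinks are not followed (use os.path.realpath for that).
    """
    base = posixpath.normpath(base_dir)

    # Treat backslashes as separators so Windows-style "..\\" steps are
    # normalized the same way as "../".
    candidate = requested.replace("\\", "/")

    # An absolute request would make posixpath.join discard base_dir entirely,
    # so it is rejected outright rather than joined.
    if posixpath.isabs(candidate):
        return None

    # normpath collapses repeated slashes, removes "." components and
    # resolves ".." against the preceding component. After joining with the
    # base, any traversal that escapes shows up as a prefix mismatch.
    resolved = posixpath.normpath(posixpath.join(base, candidate))

    if resolved == base or resolved.startswith(base + "/"):
        return resolved
    return None


# Constructed sample requests covering the attribute combinations the text
# lists: relative/absolute, forward/backward slashes, repeated separators,
# and one to three parent-directory steps.
SAMPLE_REQUESTS = [
    "docs/readme.txt",               # plain relative path, stays inside
    "docs/./readme.txt",             # "." component, stays inside
    "../etc/passwd",                 # one ".." step, escapes
    "../../etc/passwd",              # two ".." steps, escapes
    "docs/../../etc/passwd",         # step down then up twice, escapes
    "..\\..\\windows\\win.ini",      # backslash separators, escapes
    "docs//..//..//etc/passwd",      # repeated slashes, escapes
    "/etc/passwd",                   # absolute path, rejected
]


def classify(base_dir: str, requests: list) -> dict:
    """Map each request to its resolved path (or None when it is rejected)."""
    return {req: resolve_within(base_dir, req) for req in requests}


if __name__ == "__main__":
    for req, result in classify(BASE_DIR, SAMPLE_REQUESTS).items():
        verdict = "allowed -> " + result if result else "rejected"
        print(f"{req!r:32} {verdict}")
```

Because every variant is reduced to the same normalized form before the containment check, the check does not need a separate rule for each CWE under CWE-23; that is exactly why a dozen entries distinguished by slash style and step count look redundant from an implementation standpoint, even if they are useful for cataloguing observed instances.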
Another example is buffer overflows. CWE-121 is a write outside of a buffer on the stack, CWE-122 is a write outside of a buffer in the heap, CWE-127 is a read before the beginning of a buffer and CWE-126 is a read after the end of a buffer. But there are no CWEs specifically for a read outside a buffer on the stack versus in the heap.
The description summary of CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer is "The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer." Note that "read from or write to a memory location" is not explicitly tied to the buffer! Most humans would, of course, assume that it means the software can access through a buffer a memory location that is not allocated to that buffer.