Cyber Security

CWE top 25 most dangerous software weaknesses

Published

on

The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list.

These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses.

The major difference between the 2020 and 2021 CWE Top 25 lists is the continued transition to more specific weaknesses as opposed to abstract class-level weaknesses.

Significant downward movement from high-level classes included CWE-200: Exposure of Sensitive Information to an Unauthorized ActorCWE-119: Improper Restriction of Operations within the Bounds of a Memory BufferCWE-94: Improper Control of Generation of Code (‘Code Injection’)CWE-269: Improper Privilege Management; and CWE-732: Incorrect Permission Assignment for Critical Resource.

With the relative decline of class-level weaknesses, more specific CWEs have moved higher up in the rankings, such as CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)CWE-434: Unrestricted Upload of File with Dangerous TypeCWE-306: Missing Authentication for Critical FunctionCWE-502: Deserialization of Untrusted DataCWE-862: Missing Authorization; and CWE-276: Incorrect Default Permissions.

Leveraging Real-World Data

To create the 2021 list, the CWE Team used a data-driven approach that leverages published Common Vulnerabilities and Exposures (CVE) data and related CWE mappings found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each of the CVEs. A scoring formula was then applied to determine the level of prevalence and danger each weakness presents.

The 2021 CWE Top 25 leverages NVD data from the years 2019 and 2020, which consists of approximately 32,500 CVEs that are associated with a weakness. A scoring formula is used to calculate a ranked order of weaknesses which combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen.

For more detailed information including methodology, rankings, scoring, and refined mappings, visit the CWE Top 25 page.

RankIDNameScore2020 Rank Change
[1]CWE-787Out-of-bounds Write65.93+1
[2]CWE-79Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)46.84-1
[3]CWE-125Out-of-bounds Read24.9+1
[4]CWE-20Improper Input Validation20.47-1
[5]CWE-78Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)19.55+5
[6]CWE-89Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)19.540
[7]CWE-416Use After Free16.83+1
[8]CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)14.69+4
[9]CWE-352Cross-Site Request Forgery (CSRF)14.460
[10]CWE-434Unrestricted Upload of File with Dangerous Type8.45+5
[11]CWE-306Missing Authentication for Critical Function7.93+13
[12]CWE-190Integer Overflow or Wraparound7.12-1
[13]CWE-502Deserialization of Untrusted Data6.71+8
[14]CWE-287Improper Authentication6.580
[15]CWE-476NULL Pointer Dereference6.54-2
[16]CWE-798Use of Hard-coded Credentials6.27+4
[17]CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer5.84-12
[18]CWE-862Missing Authorization5.47+7
[19]CWE-276Incorrect Default Permissions5.09+22
[20]CWE-200Exposure of Sensitive Information to an Unauthorized Actor4.74-13
[21]CWE-522Insufficiently Protected Credentials4.21-3
[22]CWE-732Incorrect Permission Assignment for Critical Resource4.2-6
[23]CWE-611Improper Restriction of XML External Entity Reference4.02-4
[24]CWE-918Server-Side Request Forgery (SSRF)3.78+3
[25]CWE-77Improper Neutralization of Special Elements used in a Command (‘Command Injection’)3.58+6

Source: https://www.securitymagazine.com/articles/95712-cwe-top-25-most-dangerous-software-weaknesses

Click to comment
Exit mobile version