2022 CWE Top 25 Most Dangerous Software Weaknesses
- min read
MITRE has published the 2022 CWE Top 25 Most Dangerous Software Weaknesses list (aka CWE™ Top 25), based on an analysis of 38000 CVEs published from the previous two years.
To create the list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record, including a focus on CVE Records from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. A formula was applied to the data to score each weakness based on prevalence and severity.
Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations (SDOs).
| # | ID | vs 2021 | Name |
|---|---|---|---|
| #1 | CWE-787 | = | Out-of-bounds Write |
| #2 | CWE-79 | = | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| #3 | CWE-89 | ▲ +3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| #4 | CWE-20 | = | Improper Input Validation |
| #5 | CWE-125 | ▼ -2 | Out-of-bounds Read |
| #6 | CWE-78 | ▼ -1 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| #7 | CWE-416 | = | Use After Free |
| #8 | CWE-22 | = | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| #9 | CWE-352 | = | Cross-Site Request Forgery (CSRF) |
| #10 | CWE-434 | = | Unrestricted Upload of File with Dangerous Type |
| #11 | CWE-476 | ▲ +4 | NULL Pointer Dereference |
| #12 | CWE-502 | ▲ +1 | Deserialization of Untrusted Data |
| #13 | CWE-190 | ▼ -1 | Integer Overflow or Wraparound |
| #14 | CWE-287 | = | Improper Authentication |
| #15 | CWE-798 | ▲ +1 | Use of Hard-coded Credentials |
| #16 | CWE-862 | ▲ +2 | Missing Authorization |
| #17 | CWE-77 | ▲ +8 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| #18 | CWE-306 | ▼ -7 | Missing Authentication for Critical Function |
| #19 | CWE-119 | ▼ -2 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| #20 | CWE-276 | ▼ -1 | Incorrect Default Permissions |
| #21 | CWE-918 | ▲ +3 | Server-Side Request Forgery (SSRF) |
| #22 | CWE-362 | ▲ +11 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
| #23 | CWE-400 | ▲ +4 | Uncontrolled Resource Consumption |
| #24 | CWE-611 | ▼ -1 | Improper Restriction of XML External Entity Reference |
| #25 | CWE-94 | ▲ +3 | Improper Control of Generation of Code ('Code Injection') |
(* For detailed information see the CWE-1387)
Notable changes
The biggest movers up the list are:
| ID | Name | From | To |
|---|---|---|---|
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | #33 | #22 |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | #28 | #25 |
| CWE-400 | Uncontrolled Resource Consumption | #27 | #23 |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | #25 | #17 |
| CWE-476 | NULL Pointer Dereference | #15 | #11 |
The biggest downward movers are:
| ID | Name | From | To |
|---|---|---|---|
| CWE-306 | Missing Authentication for Critical Function | #11 | #18 |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | #20 | #33 |
| CWE-522 | Insufficiently Protected Credentials | #21 | #38 |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | #22 | #30 |
New entries in the Top 25 are:
| ID | Name | From | To |
|---|---|---|---|
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | #33 | #22 |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | #28 | #25 |
| CWE-400 | Uncontrolled Resource Consumption | #27 | #23 |
Entries that fell off the Top 25 are:
| ID | Name | From | To |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | #20 | #33 |
| CWE-522 | Insufficiently Protected Credentials | #21 | #38 |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | #22 | #30 |
Previous CWE Top 25
Source
https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html - 2022 CWE Top 25