MITRE has published the 2022 CWE Top 25 Most Dangerous Software Weaknesses list (aka CWE™ Top 25), based on an analysis of roughly 38,000 CVEs published over the previous two years.
To create the list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record, including a focus on CVE Records from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. A formula was applied to the data to score each weakness based on prevalence and severity.
Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations (SDOs).
# | ID | vs 2021 | Name |
---|---|---|---|
#1 | CWE-787 | = | Out-of-bounds Write |
#2 | CWE-79 | = | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
#3 | CWE-89 | ▲ +3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
#4 | CWE-20 | = | Improper Input Validation |
#5 | CWE-125 | ▼ -2 | Out-of-bounds Read |
#6 | CWE-78 | ▼ -1 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
#7 | CWE-416 | = | Use After Free |
#8 | CWE-22 | = | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
#9 | CWE-352 | = | Cross-Site Request Forgery (CSRF) |
#10 | CWE-434 | = | Unrestricted Upload of File with Dangerous Type |
#11 | CWE-476 | ▲ +4 | NULL Pointer Dereference |
#12 | CWE-502 | ▲ +1 | Deserialization of Untrusted Data |
#13 | CWE-190 | ▼ -1 | Integer Overflow or Wraparound |
#14 | CWE-287 | = | Improper Authentication |
#15 | CWE-798 | ▲ +1 | Use of Hard-coded Credentials |
#16 | CWE-862 | ▲ +2 | Missing Authorization |
#17 | CWE-77 | ▲ +8 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
#18 | CWE-306 | ▼ -7 | Missing Authentication for Critical Function |
#19 | CWE-119 | ▼ -2 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
#20 | CWE-276 | ▼ -1 | Incorrect Default Permissions |
#21 | CWE-918 | ▲ +3 | Server-Side Request Forgery (SSRF) |
#22 | CWE-362 | ▲ +11 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
#23 | CWE-400 | ▲ +4 | Uncontrolled Resource Consumption |
#24 | CWE-611 | ▼ -1 | Improper Restriction of XML External Entity Reference |
#25 | CWE-94 | ▲ +3 | Improper Control of Generation of Code ('Code Injection') |
(* For detailed information see CWE-1387, the CWE view covering this year's Top 25.)
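As an added illustration (not code from the CWE Team or from this article), the scoring step in Python: MITRE's published Top 25 formula is Score = Fr × Sv × 100, where Fr is the min-max normalised count of CVEs mapped to a CWE and Sv is the min-max normalised average CVSS base score of those CVEs; that formula is not stated on this page and is taken from MITRE's methodology description. The CVE records are constructed placeholders, and `movement` renders the "vs 2021" column from two ranking positions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records (cve_id, cwe_id, cvss_base_score); placeholders,
# not real NVD data.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-787", 9.8),
    ("CVE-0000-0002", "CWE-787", 7.5),
    ("CVE-0000-0003", "CWE-787", 8.8),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 5.4),
    ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 4.8),
    ("CVE-0000-0008", "CWE-89", 9.8),
    ("CVE-0000-0009", "CWE-362", 7.0),
]

def score_weaknesses(cves):
    """Score each CWE with MITRE's published Top 25 formula:
    Score = Fr * Sv * 100, where Fr is the min-max normalised number of
    CVEs mapped to the CWE and Sv is the min-max normalised average CVSS
    base score of those CVEs (normalisation is across all CWEs seen)."""
    by_cwe = defaultdict(list)
    for _, cwe, cvss in cves:
        by_cwe[cwe].append(cvss)
    freq = {cwe: len(s) for cwe, s in by_cwe.items()}
    sev = {cwe: mean(s) for cwe, s in by_cwe.items()}
    fmin, fmax = min(freq.values()), max(freq.values())
    smin, smax = min(sev.values()), max(sev.values())
    scores = {}
    for cwe in by_cwe:
        # Guard the degenerate case where every CWE has the same count/severity.
        fr = (freq[cwe] - fmin) / (fmax - fmin) if fmax > fmin else 1.0
        sv = (sev[cwe] - smin) / (smax - smin) if smax > smin else 1.0
        # Note the product: the least frequent CWE scores 0 even with the
        # highest severity, and the least severe scores 0 even if most frequent.
        scores[cwe] = round(fr * sv * 100, 2)
    return scores

def rank(scores):
    """CWE ids ordered by descending score, ties broken by id."""
    return [c for c, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))]

def movement(previous, current):
    """Render the 'vs 2021' column: '=' unchanged, '▲ +n' moved up, '▼ -n' down."""
    delta = previous - current
    if delta == 0:
        return "="
    return f"▲ +{delta}" if delta > 0 else f"▼ {delta}"
```

With the sample data CWE-787 is the only weakness with a non-zero score: CWE-89 carries the highest CVSS but the lowest count, so its normalised frequency is 0, which is the frequency bias MITRE's multiplicative formula is known for.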
Notable changes
The biggest movers up the list are:
ID | Name | From | To |
---|---|---|---|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | #33 | #22 |
CWE-94 | Improper Control of Generation of Code ('Code Injection') | #28 | #25 |
CWE-400 | Uncontrolled Resource Consumption | #27 | #23 |
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | #25 | #17 |
CWE-476 | NULL Pointer Dereference | #15 | #11 |
The biggest downward movers are:
ID | Name | From | To |
---|---|---|---|
CWE-306 | Missing Authentication for Critical Function | #11 | #18 |
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | #20 | #33 |
CWE-522 | Insufficiently Protected Credentials | #21 | #38 |
CWE-732 | Incorrect Permission Assignment for Critical Resource | #22 | #30 |
New entries in the Top 25 are:
ID | Name | From | To |
---|---|---|---|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | #33 | #22 |
CWE-94 | Improper Control of Generation of Code ('Code Injection') | #28 | #25 |
CWE-400 | Uncontrolled Resource Consumption | #27 | #23 |
Entries that fell off the Top 25 are:
ID | Name | From | To |
---|---|---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | #20 | #33 |
CWE-522 | Insufficiently Protected Credentials | #21 | #38 |
CWE-732 | Incorrect Permission Assignment for Critical Resource | #22 | #30 |
Source
https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html - 2022 CWE Top 25