CWE Releases Top 25 Most Dangerous Software Weaknesses for Security Community

The Common Weakness Enumeration (CEV) organization has released their 2022 Top 25 Most Dangerous Software Weaknesses list. This list demonstrates the most common and impactful software weaknesses occurring during the year of 2022.
CWE Releases Top 25 Most Dangerous Software Weaknesses for Security Community

Summary

The Common Weakness Enumeration (CEV) organization has released their 2022 Top 25 Most Dangerous Software Weaknesses list. This list demonstrates the most common and impactful software weaknesses occurring during the year of 2022. To create the list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record, including a focus on CVE Records from the United States Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog.

Software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations (SDOs) are encouraged to utilize this list to mitigate risk within their organization, according to CWE.

CEV Top 25 List

RankIDNameScoreKEV CountRank Change vs. 2021
1CWE-787Out-of-bounds Write64.2620
2CWE-79Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)45.9720
3CWE-89Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)22.117+3
4CWE-20Improper Input Validation20.63200
5CWE-125Out-of-bounds Read17.671-2
6CWE-78Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)17.5332-1
7CWE-416Use After Free15.5280
8CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)14.08190
9CWE-352Cross-Site Request Forgery (CSRF)11.5310
10CWE-434Unrestricted Upload of File with Dangerous Type9.5660
11CWE-476NULL Pointer Dereference7.150+4
12CWE-502Deserialization of Untrusted Data6.687+1
13CWE-190Integer Overflow or Wraparound6.532-1
14CWE-287Improper Authentication6.3540
15CWE-798Use of Hard-coded Credentials5.660+1
16CWE-862Missing Authorization5.531+2
17CWE-77Improper Neutralization of Special Elements used in a Command (‘Command Injection’)5.425+8
18CWE-306Missing Authentication for Critical Function5.156-7
19CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer4.856-2
20CWE-276Incorrect Default Permissions4.840-1
21CWE-918Server-Side Request Forgery (SSRF)4.278+3
22CWE-362Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)3.576+11
23CWE-400Uncontrolled Resource Consumption3.562+4
24CWE-611Improper Restriction of XML External Entity Reference3.380-1
25CWE-94Improper Control of Generation of Code (‘Code Injection’)3.324+3


Key Findings

According to the CWE, there are several notable shifts in ranked positions of weakness types from 2021’s list when compared to 2022, including several weaknesses dropping away or making their first appearance in the Top 25 CWEs.

The biggest movers up the list are:

  • CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)): from #33 to #22
  • CWE-94 (Improper Control of Generation of Code (‘Code Injection’)): from #28 to #25
  • CWE-400 (Uncontrolled Resource Consumption): from #27 to #23
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #25 to #17
  • CWE-476 (NULL Pointer Dereference): from #15 to #11

The biggest downward movers are:

  • CWE-306 (Missing Authentication for Critical Function): from #11 to #18
  • CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): from #20 to #33
  • CWE-522 (Insufficiently Protected Credentials): from #21 to #38
  • CWE-732 (Incorrect Permission Assignment for Critical Resource): from #22 to #30

New entries in the Top 25 are:

  • CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)): from #33 to #22
  • CWE-94 (Improper Control of Generation of Code (‘Code Injection’)): from #28 to #25
  • CWE-400 (Uncontrolled Resource Consumption): from #27 to #23

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.