The MITRE organization published the 2022 CWE Top 25 most dangerous software weaknesses.
The MITRE shared the list of the 2022 top 25 most common and dangerous weaknesses, it could help organizations to assess internal infrastructure and determine their surface of attack.
The presence of these vulnerabilities within the infrastructure of an organization could potentially expose it to a broad range of attacks.
“Welcome to the 2022 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses list (CWE™ Top 25). This list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.” reads the announcement published by Mitre.
“Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations (SDOs).”
Mitre created the 2022 CWE Top 25 list leveraging Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores associated with each vulnerability. The organization also used CVE Records from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog and applied a formula to score each weakness based on prevalence and severity.
The dataset analyzed by Mitre researchers to calculate the 2022 Top 25 contained a total of 37,899 CVE Records from the previous two calendar years.
Below is a list of the weaknesses in the 2022 CWE Top 25:
| Rank | ID | Name | Score | KEV Count (CVEs) | Rank Change vs. 2021 |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | 64.20 | 62 | 0 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.97 | 2 | 0 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 22.11 | 7 | +3  |
| 4 | CWE-20 | Improper Input Validation | 20.63 | 20 | 0 |
| 5 | CWE-125 | Out-of-bounds Read | 17.67 | 1 | -2  |
| 6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 17.53 | 32 | -1 |
| 7 | CWE-416 | Use After Free | 15.50 | 28 | 0 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.08 | 19 | 0 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | 0 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56 | 6 | 0 |
| 11 | CWE-476 | NULL Pointer Dereference | 7.15 | 0 | +4 |
| 12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | +1 |
| 13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | -1 |
| 14 | CWE-287 | Improper Authentication | 6.35 | 4 | 0 |
| 15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | +1 |
| 16 | CWE-862 | Missing Authorization | 5.53 | 1 | +2 |
| 17 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 5.42 | 5 | +8 |
| 18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | -7 |
| 19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85 | 6 | -2 |
| 20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | -1 |
| 21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | +3 |
| 22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 3.57 | 6 | +11 |
| 23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | +4 |
| 24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | -1 |
| 25 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 3.32 | 4 | +3 |
Mitre also shared trends Year-over-Year: 2019 to 2022 Lists; the first trend is a significant changes from the 2019 Top 25 to the 2022 Top 25. Drops in high-level classes such as CWE-119 and CWE-200 are steep, while the shift and increase to Base-level weaknesses is most apparent for weaknesses such as CWE-787 and CWE-502.
The second trend in year-over-year changes from 2019 to 2022 is a relative ve stability in the top 10 from 2021 to 2022, along with the steady rise of CWE-502: “Deserialization of Untrusted Data” over all four years.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, 2022 CWE Top 25)
[adrotate banner=”5″]
[adrotate banner=”13″]
Share On
