Top 25 Most Dangerous Software Weaknesses – 2022 CWE

Top 25 Most Dangerous Software Weaknesses – 2022 CWE

June 29, 2022

On June 28th 2022, Mitre shared the 2022 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses list (CWE™ Top 25). “This list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.” Said Mitre

Software architects, designers, developers, testers, users, project managers, security researchers, educators who deals with software with find is as a convenient resource to help mitigate risk.

The 2022 CWE Top 25

RankIDNameScore  KEV Count (CVEs)Rank Change vs. 2021
1CWE-787Out-of-bounds Write64.20620
2CWE-79Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)45.9720
3CWE-89Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)22.117+3
4CWE-20Improper Input Validation20.63200
5CWE-125Out-of-bounds Read17.671-2
6CWE-78Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)17.5332-1
7CWE-416Use After Free15.50280
8CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)14.08190
9CWE-352Cross-Site Request Forgery (CSRF)11.5310
10CWE-434Unrestricted Upload of File with Dangerous Type9.5660
11CWE-476NULL Pointer Dereference7.150+4
12CWE-502Deserialization of Untrusted Data6.687+1
13CWE-190Integer Overflow or Wraparound6.532-1
14CWE-287Improper Authentication6.3540
15CWE-798Use of Hard-coded Credentials5.660+1
16CWE-862Missing Authorization5.531+2
17CWE-77Improper Neutralization of Special Elements used in a Command (‘Command Injection’)5.425+8
18CWE-306Missing Authentication for Critical Function5.156-7
19CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer4.856-2
20CWE-276Incorrect Default Permissions4.840-1
21CWE-918Server-Side Request Forgery (SSRF)4.278+3
22CWE-362Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)3.576+11
23CWE-400Uncontrolled Resource Consumption3.562+4
24CWE-611Improper Restriction of XML External Entity Reference3.380-1
25CWE-94Improper Control of Generation of Code (‘Code Injection’)3.324+3

 

CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)), CWE -94 (Improper Control of Generation of Code (‘Code Injection’)) and CWE-400 (Uncontrolled Resource Consumption) are the new entries to the 2022 CWE top 22. While CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-522 (Insufficiently Protected Credentials) and CWE-732 (Incorrect Permission Assignment for Critical Resource) fell off the top 25.

 

Source

https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html