25 Top CWE Software Weaknesses of 2022

By Aby David Weinberg
September 21, 2022 | 7 MIN READ

“An opening invites the thief,” says an ancient proverb. As cyberattacks become more frequent and more sophisticated, proactive, preventive measures are needed more than ever. These measures, which range from training employees to handle security issues to mapping and remediating software and hardware weaknesses, have become some of the most important tasks of CISOs, InfoSec teams, security managers, and other cyber security professionals.

To help fight this battle, tools like the CWE (Common Weakness Enumeration) were created: a community-developed list of software and hardware weakness types that is constantly updated as threats and attacks evolve. The CWE is maintained by the MITRE Corporation and sponsored by CISA (the US Cybersecurity and Infrastructure Security Agency). The CWE Top 25 (the CWE Top 25 Most Dangerous Software Weaknesses list) ranks the 25 weaknesses that were most prevalent and most severe in the publicly reported vulnerabilities (CVE records) of the preceding two years.

Understanding the CWE Top 25 is crucial: these weaknesses appear at every stage of a system’s life, from planning and design through to day-to-day operation of the enterprise’s security, and they are constantly exploited to breach sensitive data.

In this post, we discuss what changed between the 2021 and 2022 CWE Top 25 lists and then detail each weakness on the 2022 list.

What has changed in 2022’s Top 25 vs. 2021?

The significant differences between the 2021 and 2022 CWE Top 25 lists are:

Three weaknesses entered the list: CWE-362 (Race Condition, #22), CWE-400 (Uncontrolled Resource Consumption, #23) and CWE-94 (Code Injection, #25). They displace CWE-200 (Exposure of Sensitive Information), CWE-522 (Insufficiently Protected Credentials) and CWE-732 (Incorrect Permission Assignment for Critical Resource), which were on the 2021 list.

The biggest climbers are CWE-77 (Command Injection, up eight places to #17), CWE-476 (NULL Pointer Dereference, up four to #11), CWE-89 (SQL Injection, up three to #3) and CWE-918 (Server-Side Request Forgery, up three to #21).

The biggest drop is CWE-306 (Missing Authentication for Critical Function), down seven places to #18. CWE-125 (Out-of-bounds Read) slips from #3 to #5 and CWE-119 from #17 to #19.

The top two, CWE-787 (Out-of-bounds Write) and CWE-79 (Cross-site Scripting), are unchanged, as are #4 (CWE-20), #7 through #10 (CWE-416, CWE-22, CWE-352, CWE-434) and #14 (CWE-287).

It is worth remembering that the most common weakness is still the human factor: it is people who must make sure that technical weaknesses such as those on the CWE Top 25 list are found and dealt with appropriately.

CWE Top 25 Most Dangerous Software Weaknesses for 2022:

1. Out-of-bounds write 

CWE-787: Out-of-bounds Write takes first place for the second year in a row.

Description:

The software writes data past the end, or before the beginning, of the intended buffer, which can result in data corruption, a crash, or code execution.

Impact/Consequences:

Modify Memory; DoS (Denial-of-Service): Crash, Exit, or Restart; Execute unauthorized code or commands.

2. Cross-site scripting

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) remained in second place.

Description:

The software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users.

Impact/Consequences: 

Bypass protection mechanism; Read application data; Execute unauthorized code or commands.
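The following is an added example, not code from the original post: the same comment rendered once by string formatting (CWE-79) and once with escaping chosen for the context each value lands in (text node, quoted attribute, URL attribute). The function names and the comment fields are illustrative; the point it makes beyond the description above is that escaping alone does not stop a javascript: link, because such a URL is perfectly valid attribute text, so the scheme has to be allow-listed as well.

```python
import html
from urllib.parse import urlsplit

# Added example (not from the original post): the same comment rendered without
# and with context-aware escaping. Function names are illustrative.

SAFE_SCHEMES = {"http", "https", "mailto"}


def render_comment_vulnerable(author, body, link):
    """CWE-79: user-controlled strings are spliced straight into the HTML."""
    return (f'<div class="comment" data-author="{author}">'
            f'<a href="{link}">{author}</a>: {body}</div>')


def safe_href(url):
    """Return an attribute-safe href, or '#' if the URL uses a scheme we do not allow.

    Escaping does not stop javascript: or data: URLs (they contain no HTML
    metacharacters), so the scheme is checked separately. Site-relative paths
    are allowed; protocol-relative '//host' is not.
    """
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    is_relative_path = not scheme and url.startswith("/") and not url.startswith("//")
    if scheme not in SAFE_SCHEMES and not is_relative_path:
        return "#"
    return html.escape(url, quote=True)


def render_comment(author, body, link):
    """Escape each value for the context it lands in: text node, quoted attribute, URL."""
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'<a href="{safe_href(link)}">{html.escape(author)}</a>: {html.escape(body)}</div>')
```

In a real application this logic lives in the template engine (auto-escaping on by default); the example shows what that engine has to get right, including the URL case that auto-escaping does not cover.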

3. SQL injection

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) rose three places, from 6th in 2021 to 3rd in 2022.

Description:

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but does not neutralize, or incorrectly neutralizes, special elements that could modify the intended SQL command when it is sent to a downstream component.

Impact/Consequences: 

Read/Modify application data; Bypass protection mechanism.
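As an added example (not code from the original post), here is the weakness and its fix side by side against an in-memory SQLite database. The table, rows and passwords are constructed for the demo; passwords are stored in the clear only so that the injection stays easy to see, a real system stores hashes. The third function shows the caveat a practitioner runs into: identifiers such as an ORDER BY column cannot be bound as parameters, so they have to be allow-listed instead.

```python
import sqlite3

# Added example, not from the original post. The database and rows are
# constructed here for the demo.

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89: the attacker's text becomes part of the SQL grammar."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Bound parameters travel as data and are never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


SORTABLE = {"name", "role"}


def list_users(conn, sort_by):
    """Identifiers (column or table names) cannot be bound as parameters, so
    anything that must be interpolated is checked against an allow-list first."""
    if sort_by not in SORTABLE:
        raise ValueError(f"cannot sort by {sort_by!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {sort_by}")]
```

With the username `alice' --` the vulnerable query becomes `... WHERE name = 'alice' --' AND password = '...'`: the password check is commented out and alice's row comes back without a password. The parameterized version looks for a user literally named `alice' --` and finds nothing.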

4. Improper input validation

CWE-20: Improper Input Validation remained in 4th place.

Description:

The software receives input or data but does not validate, or incorrectly validates, that the input has the properties required to process it safely and correctly.

Impact/Consequences: 

DoS (Denial-of-Service): Crash, Exit, Restart; Resource consumption (CPU/Memory); Read memory, Files, or Directories; Modify memory; Execute unauthorized code or commands

5. Out-of-bounds read

CWE-125: Out-of-bounds Read dropped two places in comparison to 2021. 

Description:

The software reads data past the end, or before the beginning, of the intended buffer.

Impact/Consequences: 

Read memory; Bypass protection mechanism.

6. OS command injection

CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) dropped from 5th to 6th place in 2022. 

Description:

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but does not neutralize, or incorrectly neutralizes, special elements that could modify the intended OS command when it is sent to a downstream component.

Impact/Consequences:

Execute unauthorized code or commands; DoS: Crash, Exit, or Restart; Read/Modify files or directories; Read/Modify application data; Hide activities.

7. Use after free

CWE-416: Use After Free remained in the same place.

Description:

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Impact/Consequences:

Modify memory; DoS: Crash, Exit, or Restart; Execute unauthorized code or commands.

8. Path traversal

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) remained in 8th place.

Description:

The software uses external input to construct a pathname intended to identify a file or directory located underneath a restricted parent directory but does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.

Impact/Consequences:

Execute unauthorized code or commands; Read/Modify files or directories; DoS: Crash, Exit, or Restart.
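An added example, not code from the original post, of the check a file-serving handler needs. Note the detail that catches many implementations: `os.path.join()` silently discards the base directory when the user-supplied part is absolute, so `/etc/passwd` is as dangerous as `../../etc/passwd`. The base directory name is illustrative.

```python
import os

# Added example, not from the original post. base_dir is whatever directory the
# application is allowed to serve; the paths are illustrative.

def open_path_naive(base_dir, user_path):
    """CWE-22: os.path.join() drops base_dir entirely when user_path is absolute,
    and leaves '..' segments in place."""
    return os.path.join(base_dir, user_path)


def resolve_under(base_dir, user_path):
    """Canonicalise both sides, then require the result to stay inside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # realpath collapses '.' and '..' and follows symlinks, so a link planted
    # inside base_dir that points outside is rejected too. commonpath, unlike a
    # string-prefix test, does not confuse /srv/files with /srv/files_old.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"{user_path!r} escapes {base_dir}")
    return candidate
```

Decoding matters as well: run the check on the path after URL-decoding, and on the exact string that will be passed to `open()`, otherwise `%2e%2e/` or a second decoding step re-introduces the traversal.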

9. Cross-site request forgery (CSRF)

CWE-352: Cross-Site Request Forgery (CSRF) remained in 9th place.

Description:

The web application does not have a mechanism that can sufficiently verify whether a well-formed, valid, consistent request was intentionally sent by the user who submitted the request.

Impact/Consequences:

Gain privileges or assume identity; Bypass protection mechanism; Read/Modify application data; DoS: Crash, Exit, or Restart.
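The following added example (not code from the original post) shows why a session cookie alone is not proof of intent, and the two checks that establish it: a synchronizer token tied to the session and, as defence in depth, the Origin header. The session identifiers, form fields and site URL are constructed for the demo; the server secret would come from configuration.

```python
import hashlib
import hmac
import secrets

# Added example, not from the original post. Session ids, form contents and the
# site URL are constructed; SERVER_SECRET is assumed to be loaded from config.

SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Synchronizer token derived from the session: unusable in any other
    session, and nothing extra has to be stored server-side."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id, submitted):
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted)   # constant-time compare


def transfer_vulnerable(session_id, form):
    """CWE-352: the only thing checked is the session cookie, which the browser
    attaches to a request no matter which site's page triggered it."""
    if not session_id:
        return "401 not logged in"
    return f"moved {form['amount']} to {form['to']}"


def transfer(session_id, form, origin=None, site="https://bank.example"):
    if not session_id:
        return "401 not logged in"
    # A cross-site form POST carries an Origin header that is not ours.
    # (Also mark the session cookie SameSite=Lax or Strict.)
    if origin is not None and origin != site:
        return "403 cross-site origin"
    if not csrf_valid(session_id, form.get("csrf_token")):
        return "403 missing or invalid CSRF token"
    return f"moved {form['amount']} to {form['to']}"
```

The attacker's page can make the victim's browser send the form, but it cannot read the victim's token (same-origin policy) and cannot set the Origin header, so both checks fail for the forged request while the legitimate one passes.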

10. Unrestricted upload of file with dangerous type

CWE-434: Unrestricted Upload of File with Dangerous Type stayed in the 10th place. 

Description:

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.

Impact/Consequences:

Execute unauthorized code or commands

11. NULL pointer dereference

CWE-476: NULL Pointer Dereference rose four places in the 2022 list.

Description:

This occurs when the application dereferences a pointer that it expects to be valid but is NULL, thus causing a crash or exit.

Impact/Consequences:

DoS: Crash, Exit, or Restart; Execute unauthorized code or commands; Read/Modify Memory.

12. Deserialization of untrusted data

CWE-502: Deserialization of untrusted data rose one place compared to 2021.

Description:

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Impact/Consequences:

Modify application data; Unexpected state; DoS: Resource Consumption (CPU).
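An added example (not code from the original post) in Python, whose `pickle` format is the textbook case: the stream names a callable and the unpickler calls it. The payload is constructed here and its side effect is deliberately harmless (it sets an environment variable where a real one would run a shell). The hardened loader is the allow-listing `Unpickler` subclass from the Python documentation; for untrusted input the better answer is a data-only format such as JSON.

```python
import builtins
import io
import os
import pickle

# Added example, not from the original post. The payload is constructed for
# the demo; its effect is limited to setting an environment variable.

class Exploit:
    def __reduce__(self):
        # The pickle then says "rebuild this object by calling eval(...)",
        # and a plain unpickler does exactly that.
        return (eval, ("__import__('os').environ.__setitem__('PWNED', '1')",))


def attacker_blob():
    return pickle.dumps(Exploit())


def benign_blob():
    # Plain containers and scalars need no GLOBAL opcode at all.
    return pickle.dumps({"user": "alice", "roles": ["read"]})


def load_vulnerable(blob):
    """CWE-502: any importable callable named in the stream gets executed."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an explicit allow-list of globals; refuse everything else."""
    ALLOWED = {("builtins", n) for n in ("dict", "list", "tuple", "set", "str", "int", "float")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def was_pwned():
    return os.environ.get("PWNED") == "1"
```

The same shape recurs in Java serialization gadget chains, YAML loaders that instantiate arbitrary classes and PHP `unserialize()`: the attacker does not need a bug in your code, only a reachable deserializer and a class already on the classpath.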

13. Integer overflow or wraparound

CWE-190: Integer overflow or wraparound went down one place.

Description:

The software performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Impact/Consequences:

DoS: Crash, Exit, or Restart, Resource Consumption (CPU/Memory); Instability; Modify memory; Execute unauthorized code or commands; Bypass protection mechanism.

14. Improper authentication

CWE-287: Improper Authentication kept its position.

Description:

When an actor claims to have a given identity (that is, authenticates), the software does not prove, or insufficiently proves, that the claim is correct.

Impact/Consequences:

Read application data; Gain privileges or assume Identity; Execute unauthorized code or commands. 

15. Use of hard-coded credentials

CWE-798: Use of Hard-coded Credentials went up one place.

Description:

The software contains hard-coded credentials (for example, a password or cryptographic key), which it uses for its own inbound authentication, for outbound communication to external components, or for encryption of internal data.

Impact/Consequences:

Bypass protection mechanism; Read application data; Gain privileges or assume identity; Execute unauthorized code or commands; Other.

16. Missing authorization

CWE-862: Missing Authorization rose two places. 

Description:

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

Impact/Consequences:

Read/Modify application data; Read/Modify files or directories; Gain privileges or assume identity; Bypass protection mechanism

17. Command injection

CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’) rose eight places.

Description:

The software constructs all or part of a command using externally-influenced input from an upstream component, but does not neutralize, or incorrectly neutralizes, elements that could modify the intended command when it is sent to a downstream component.

Impact/Consequences:

Execute unauthorized code or commands.
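One added example, not code from the original post, serves both this entry and OS command injection (CWE-78, #6 above). To stay harmless it runs `echo` where a real tool would run ping, nslookup or git; the mechanics are the same. It shows three stages: the shell-parsed string, the argv form that defeats shell metacharacters but still lets a value beginning with `-` be read as an option (the general CWE-77 case), and the allow-list that closes that gap. The hostname pattern is the assumption here.

```python
import re
import subprocess

# Added example, not from the original post. `echo` stands in for the real
# tool so that the demo is harmless.

HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def lookup_vulnerable(host):
    """CWE-78: the host is pasted into a command line that a shell parses."""
    return subprocess.run(f"echo resolving {host}", shell=True,
                          capture_output=True, text=True).stdout


def lookup_argv(host):
    """No shell: the host is one argv element, so ; | $( ) are just characters.

    Not sufficient on its own: a value such as "-n" or "--output=/etc/cron.d/x"
    reaches the tool as an option (argument injection, the CWE-77 case).
    """
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout


def lookup(host):
    """Allow-list the value and avoid the shell; fail closed on anything else."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"not a hostname: {host!r}")
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout
```

Where a tool supports it, also pass `--` before user-controlled positional arguments so that nothing after it is parsed as an option.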

18. Missing authentication for critical function

CWE-306: Missing Authentication for Critical Function went down seven places. 

Description:

The software does not perform any authentication for functionality that requires a provable user identity or that consumes significant resources.

Impact/Consequences:

Gain privileges or assume identity; Other.
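One added example, not code from the original post, covers the four identity entries above: Improper Authentication (CWE-287, #14), Use of Hard-coded Credentials (CWE-798, #15), Missing Authorization (CWE-862, #16) and Missing Authentication for Critical Function (CWE-306, #18). The user table, route names and permission strings are constructed for the demo; the design points are a verifier that never holds a password literal, a constant-time comparison that costs the same for unknown users, and a route table that denies by default and distinguishes "not logged in" (401) from "logged in, not allowed" (403).

```python
import hashlib
import hmac
import secrets

# Added example, not from the original post. The user table is constructed for
# the demo; route names and permission strings are illustrative.

PBKDF2_ROUNDS = 100_000      # raise to current guidance for production use


def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)   # CWE-287: constant-time compare


# CWE-798 is the alternative to all of the above:  ADMIN_PASSWORD = "Winter2022!"
# Here no password literal exists anywhere; only salted hashes are stored.
_DUMMY_HASH = hash_password(secrets.token_hex(16))   # unknown users cost the same time


class App:
    # Every route declares the permission it needs; None means public.
    # A route missing from this table is refused, not served (deny by default).
    ROUTES = {"/status": None, "/me": "read:self", "/admin/users": "admin:users"}

    def __init__(self, users):
        self.users = users

    def login(self, username, password):
        rec = self.users.get(username)
        ok = verify_password(password, rec["hash"] if rec else _DUMMY_HASH)
        if not (rec and ok):
            return None
        return {"user": username, "perms": frozenset(rec["perms"])}

    def handle(self, path, session):
        if path not in self.ROUTES:
            return 404
        needed = self.ROUTES[path]
        if needed is None:
            return 200
        if session is None:                   # CWE-306: no identity at all
            return 401
        if needed not in session["perms"]:    # CWE-862: identity known, right not granted
            return 403
        return 200


def demo_users():
    return {
        "alice": {"hash": hash_password("correct horse"), "perms": ["read:self", "admin:users"]},
        "bob":   {"hash": hash_password("battery staple"), "perms": ["read:self"]},
    }
```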

19. Improper restriction of operations within the bounds of a memory buffer

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer went down by two places.

Description:

The software performs operations on a memory buffer, but it can read from or write to a memory location outside the buffer’s intended boundary.

Impact/Consequences:

Execute unauthorized code or commands; Read/Modify memory; DoS: Crash, Exit, or Restart, Resource consumption (CPU/memory).
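One added example, not code from the original post, for the four memory-boundary entries: Out-of-bounds Write (CWE-787, #1), Out-of-bounds Read (CWE-125, #5), Integer Overflow or Wraparound (CWE-190, #13) and this entry (CWE-119). Python integers do not wrap, so the vulnerable parser emulates the 32-bit arithmetic of the C code it stands for; where C would then read or write far outside the buffer, Python merely returns a wrong (empty) slice, which is the limit of what this language can show. The record format (little-endian u32 length followed by payload) is made up for the demo.

```python
import struct

# Added example, not from the original post. The record format is invented for
# the demo, and 32-bit wraparound is emulated with a mask.

U32 = 0xFFFFFFFF


def parse_record_vulnerable(buf, off):
    """Mirrors the C pattern:
         uint32_t end = off + 4 + len;  if (end <= buflen) memcpy(dst, buf + off + 4, len);
    CWE-190: the addition wraps, so a huge len passes the check.
    CWE-125/CWE-787/CWE-119: the copy then runs with the unchecked length."""
    (ln,) = struct.unpack_from("<I", buf, off)
    end = (off + 4 + ln) & U32
    if end > len(buf):
        raise ValueError("truncated record")
    return buf[off + 4:end]


def parse_record(buf, off):
    """Check the length against what remains; never form off+len and compare that."""
    if off < 0 or off + 4 > len(buf):
        raise ValueError("no room for length field")
    (ln,) = struct.unpack_from("<I", buf, off)
    remaining = len(buf) - (off + 4)
    if ln > remaining:
        raise ValueError(f"length {ln} exceeds remaining {remaining} bytes")
    return buf[off + 4:off + 4 + ln]


def make_record(payload, claimed_len=None):
    ln = len(payload) if claimed_len is None else claimed_len
    return struct.pack("<I", ln) + payload
```

A claimed length of 0xFFFFFFFC makes `4 + len` wrap to 0, so the vulnerable check `end <= buflen` passes and the C version copies about 4 GiB from a 6-byte buffer. The rule that generalises: subtract the known quantity from the buffer size and compare the untrusted value against the difference, which cannot overflow.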

20. Incorrect Default Permissions

CWE-276: Incorrect Default Permissions went down one place.

Description:

During installation, installed file permissions are set to allow anyone to modify those files.

Impact/Consequences:

Read/Modify application data.

21. Server-Side Request Forgery (SSRF)

CWE-918: Server-Side Request Forgery (SSRF) went up three places. 

Description:

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Impact/Consequences:

Read application data; Execute unauthorized code or commands.
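An added example, not code from the original post, of validating a fetch target. The resolver is injectable so the demo runs offline; the hostnames and addresses in `FAKE_DNS` are constructed. The design choice worth noting is that the checks run on the resolved addresses rather than on the hostname string, so `localhost`, a DNS name pointing at the cloud metadata address 169.254.169.254, and IPv4-mapped IPv6 forms are all caught by the same test.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not from the original post. FAKE_DNS is constructed so the
# demo runs without network access.

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host):
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]


def validate_fetch_target(url, resolver=system_resolver):
    """Return (hostname, [addresses]) for a URL that is safe to fetch, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL")        # http://trusted@evil/ style confusion
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    if not addrs:
        raise ValueError("host does not resolve")
    for ip in addrs:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped                    # ::ffff:127.0.0.1 is still loopback
        if not ip.is_global:                       # private, loopback, link-local, reserved
            raise ValueError(f"{parts.hostname} resolves to non-public {ip}")
    return parts.hostname, [str(a) for a in addrs]


FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "localhost": ["127.0.0.1"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])
```

Two caveats remain after this check: connect to the address you validated (pin it) rather than resolving a second time, or a DNS-rebinding host can answer differently on the real lookup; and do not follow HTTP redirects automatically, since the redirect target needs the same validation.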

22. Race Condition

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) was added to the list this year.

Description:

The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. 

Impact/Consequences:

DoS: Resource consumption (CPU/memory/other), Crash, Exit, or Restart; Instability; Read files or directories; Read application data.
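One added example, not code from the original post, serves this entry and Incorrect Default Permissions (CWE-276, #20), because both show up in the same line of code: creating a file. The check-then-open sequence has a window in which an attacker plants a symlink at the path (the demo plants it itself, standing in for winning the race), and the plain `open()` call creates the file with the process umask rather than an explicit mode. The hardened version does create-if-absent as one syscall and sets the mode it wants. The temporary directory and file names are constructed for the demo.

```python
import os
import stat
import tempfile

# Added example, not from the original post. It works under a temporary
# directory; the attacker's symlink is planted by the demo itself.

def write_secret_vulnerable(path, data):
    """CWE-362 (TOCTOU): exists() and open() are two steps, and open() follows a
    symlink dropped in between (here a dangling one, which exists() reports as absent).
    CWE-276: open() creates with mode 0o666 & ~umask, usually world-readable."""
    if os.path.exists(path):
        raise FileExistsError(path)
    with open(path, "w") as f:
        f.write(data)


def write_secret(path, data):
    """One atomic create-if-absent syscall, refusing symlinks, with an explicit mode."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)          # owner read/write only, whatever the umask
    with os.fdopen(fd, "w") as f:
        f.write(data)


def mode_of(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Returns (vulnerable_wrote_through_symlink, hardened_refused_symlink, hardened_mode)."""
    d = tempfile.mkdtemp()
    victim = os.path.join(d, "victim")
    link = os.path.join(d, "token.txt")
    os.symlink(victim, link)                  # attacker's dangling link at our path
    write_secret_vulnerable(link, "hunter2")  # exists() says False, open() follows the link
    wrote_through = os.path.isfile(victim)

    try:
        write_secret(link, "hunter2")
        refused = False
    except FileExistsError:
        refused = True                        # O_EXCL: EEXIST even for a dangling symlink

    safe = os.path.join(d, "token2.txt")
    write_secret(safe, "hunter2")
    return wrote_through, refused, mode_of(safe)
```

The same principle applies to the other common race shapes: use `mkstemp()` rather than inventing temp names, open a file once and operate on the descriptor (`fstat`, `fchmod`) instead of re-checking the path, and rely on the filesystem's atomic operations (`O_EXCL`, `rename`) rather than on a check that was true a moment ago.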

23. Uncontrolled resource consumption

CWE-400: Uncontrolled Resource Consumption was added to the list this year.

Description:

The software does not properly control the allocation and maintenance of a limited resource, enabling an actor to influence the amount of that resource consumed and eventually exhaust what is available.

Impact/Consequences:

DoS: Crash, Exit, or Restart; DoS: Resource consumption (CPU/memory/other); Bypass protection mechanism.
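An added example, not code from the original post, of one concrete instance: decompressing attacker-supplied data. The "bomb" is built inline from zeros, which compress extremely well, so a few kilobytes of input would expand to megabytes (or, with nesting, gigabytes) of memory. The bounded version asks zlib for at most one byte more than it is willing to keep and stops as soon as that surplus byte appears, before the allocation happens.

```python
import zlib

# Added example, not from the original post. The bomb is constructed from zeros.

def inflate_unbounded(compressed):
    """CWE-400: the caller has no say in how large the output becomes."""
    return zlib.decompress(compressed)


def inflate_bounded(compressed, max_out):
    """Stop as soon as the output would exceed max_out."""
    d = zlib.decompressobj()
    out = bytearray()
    chunk = compressed
    while not d.eof:
        # Ask for at most one byte more than we keep; that surplus byte is
        # how we notice the limit was crossed.
        piece = d.decompress(chunk, max_out + 1 - len(out))
        out += piece
        if len(out) > max_out:
            raise ValueError(f"decompressed size exceeds {max_out} bytes")
        chunk = d.unconsumed_tail
        if not piece and not chunk:
            raise ValueError("truncated or corrupt stream")
    return bytes(out)


def pack(data):
    return zlib.compress(data, 9)


def make_bomb(size=5_000_000):
    return pack(b"\0" * size)
```

The same shape, a hard ceiling on an untrusted size, applies to request bodies, JSON nesting depth, number of multipart fields, regular-expression input length and per-client connection counts; the limit should be set by the caller that knows the context, not left to the library's default.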

24. Improper restriction of XML external entity reference

CWE-611: Improper Restriction of XML External Entity Reference went down one place.

Description:

The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Impact/Consequences:

Read application data; Read files or directories; Bypass protection mechanism; DoS: Resource consumption (CPU/memory).

25. Code injection

CWE-94: Improper Control of Generation of Code (‘Code Injection’) was added to the list this year.

Description:

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize special elements that could modify the syntax or behavior of the intended code segment.

Impact/Consequences:

Bypass protection mechanism; Gain privileges or assume identity; Execute unauthorized code or commands; Hide activities.

Build cyber resilience across your workforce with CybeReady

As the number of cyber attacks and the damage they cause continue to grow, CISOs, InfoSec teams and security managers are looking to expand their arsenal of tools. In this post, we’ve discussed the CWE Top 25 of 2022 and how it compares to 2021. However, attacks that exploit these weaknesses can still succeed if your employees lack the knowledge and practice to recognize them and respond adequately.

If you understand the importance of comprehensively educating and training your teams to recognize and combat attacks that exploit the CWE Top 25 and beyond, contact CybeReady today.
