Top 25 Most Dangerous Software Weaknesses – 2022 CWE

Top 25 Most Dangerous Software Weaknesses – 2022 CWE

On June 28th 2022, Mitre shared the 2022 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses list (CWE™ Top 25). “This list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.” Said Mitre

Software architects, designers, developers, testers, users, project managers, security researchers, educators who deals with software with find is as a convenient resource to help mitigate risk.

The 2022 CWE Top 25

Rank ID Name Score   KEV Count (CVEs) Rank Change vs. 2021
1 CWE-787 Out-of-bounds Write 64.20 62 0
2 CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 45.97 2 0
3 CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 22.11 7 +3
4 CWE-20 Improper Input Validation 20.63 20 0
5 CWE-125 Out-of-bounds Read 17.67 1 -2
6 CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) 17.53 32 -1
7 CWE-416 Use After Free 15.50 28 0
8 CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 14.08 19 0
9 CWE-352 Cross-Site Request Forgery (CSRF) 11.53 1 0
10 CWE-434 Unrestricted Upload of File with Dangerous Type 9.56 6 0
11 CWE-476 NULL Pointer Dereference 7.15 0 +4
12 CWE-502 Deserialization of Untrusted Data 6.68 7 +1
13 CWE-190 Integer Overflow or Wraparound 6.53 2 -1
14 CWE-287 Improper Authentication 6.35 4 0
15 CWE-798 Use of Hard-coded Credentials 5.66 0 +1
16 CWE-862 Missing Authorization 5.53 1 +2
17 CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’) 5.42 5 +8
18 CWE-306 Missing Authentication for Critical Function 5.15 6 -7
19 CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 4.85 6 -2
20 CWE-276 Incorrect Default Permissions 4.84 0 -1
21 CWE-918 Server-Side Request Forgery (SSRF) 4.27 8 +3
22 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) 3.57 6 +11
23 CWE-400 Uncontrolled Resource Consumption 3.56 2 +4
24 CWE-611 Improper Restriction of XML External Entity Reference 3.38 0 -1
25 CWE-94 Improper Control of Generation of Code (‘Code Injection’) 3.32 4 +3

 

CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)), CWE -94 (Improper Control of Generation of Code (‘Code Injection’)) and CWE-400 (Uncontrolled Resource Consumption) are the new entries to the 2022 CWE top 22. While CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-522 (Insufficiently Protected Credentials) and CWE-732 (Incorrect Permission Assignment for Critical Resource) fell off the top 25.

 

Source

https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html