Penetration TestJan Kahmen8 min read

CWE Top 25 - (2021)

The CWE Top 25 Most Dangerous Software Weaknesses of 2021 is a list of the 25 most dangerous software vulnerabilities.

Table of content

The CWE Top 25 Most Dangerous Software Weaknesses from 2021 is a list of the 25 most dangerous software vulnerabilities. These vulnerabilities pose a serious security risk and can lead to sensitive data being stolen or systems being controlled without authorization. This blog post details all 25 vulnerabilities and how to protect against them.

CWE TOP 25 - 2021

  1. Out-of-bounds Write: This vulnerability occurs when a program writes data outside of the intended boundary of a buffer, array, or other memory structure. This can lead to a crash or allow an attacker to execute arbitrary code.

  2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): This vulnerability occurs when user-supplied input is not properly sanitized or validated before being included in a web page. This can allow an attacker to inject malicious code into the page, which can be used to steal user data or execute arbitrary code.

  3. Out-of-bounds Read: This vulnerability occurs when a program reads data outside of the intended boundary of a buffer, array, or other memory structure. This can lead to a crash or allow an attacker to access sensitive data.

  4. Improper Input Validation: This vulnerability occurs when user-supplied input is not properly validated before being used. This can allow an attacker to supply malicious input, which can be used to crash the program or execute arbitrary code.

  5. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): This vulnerability occurs when user-supplied input is not properly sanitized or validated before being used in an operating system command. This can allow an attacker to inject malicious code into the command, which can be used to execute arbitrary code.

  6. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): This vulnerability occurs when user-supplied input is not properly sanitized or validated before being used in an SQL query. This can allow an attacker to inject malicious code into the query, which can be used to access sensitive data or execute arbitrary code.

  7. Use After Free: This vulnerability occurs when a program attempts to access memory that has been freed. This can lead to a crash or allow an attacker to execute arbitrary code.

  8. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): This vulnerability occurs when a program does not properly restrict access to a file or directory. This can allow an attacker to access sensitive data or execute arbitrary code.

  9. Cross-Site Request Forgery (CSRF): This vulnerability occurs when a web application does not properly validate requests from untrusted sources. This can allow an attacker to perform actions on behalf of a legitimate user.

  10. Unrestricted Upload of File with Dangerous Type: This vulnerability occurs when a web application allows unrestricted upload of files with dangerous types. This can allow an attacker to upload malicious code, which can be used to execute arbitrary code.

  11. Missing Authentication for Critical Function: This vulnerability occurs when a web application does not properly authenticate users before allowing them to access sensitive functions. This can allow an attacker to access sensitive data or execute arbitrary code.

  12. Integer Overflow or Wraparound: This vulnerability occurs when a program does not properly handle integer values. This can lead to a crash or allow an attacker to execute arbitrary code.

  13. Deserialization of Untrusted Data: This vulnerability occurs when a program deserializes untrusted data. This can allow an attacker to execute arbitrary code.

  14. Improper Authentication: This vulnerability occurs when a program does not properly authenticate users before allowing them to access sensitive functions. This can allow an attacker to access sensitive data or execute arbitrary code.

  15. NULL Pointer Dereference: This vulnerability occurs when a program attempts to access memory that has not been allocated. This can lead to a crash or allow an attacker to execute arbitrary code.

  16. Use of Hard-coded Credentials: This vulnerability occurs when a program uses hard-coded credentials to access sensitive functions. This can allow an attacker to access sensitive data or execute arbitrary code.

  17. Improper Restriction of Operations within the Bounds of a Memory Buffer: This vulnerability occurs when a program does not properly restrict operations within the bounds of a memory buffer. This can lead to a crash or allow an attacker to execute arbitrary code.

  18. Missing Authorization: This vulnerability occurs when a program does not properly authorize users before allowing them to access sensitive functions. This can allow an attacker to access sensitive data or execute arbitrary code.

  19. Incorrect Default Permissions: This vulnerability occurs when a program does not properly set default permissions for files and directories. This can allow an attacker to access sensitive data or execute arbitrary code.

  20. Exposure of Sensitive Information to an Unauthorized Actor: This vulnerability occurs when a program does not properly protect sensitive data from unauthorized access. This can allow an attacker to access sensitive data or execute arbitrary code.

  21. Insufficiently Protected Credentials: This vulnerability occurs when a program does not properly protect user credentials from unauthorized access. This can allow an attacker to access sensitive data or execute arbitrary code.

  22. Incorrect Permission Assignment for Critical Resource: This vulnerability occurs when a program does not properly assign permissions to critical resources. This can allow an attacker to access sensitive data or execute arbitrary code.

  23. Improper Restriction of XML External Entity Reference: This vulnerability occurs when a program does not properly restrict XML external entity references. This can allow an attacker to access sensitive data or execute arbitrary code.

  24. Server-Side Request Forgery (SSRF): This vulnerability occurs when a web application does not properly validate requests from untrusted sources. This can allow an attacker to access sensitive data or execute arbitrary code.

  25. Improper Neutralization of Special Elements used in a Command ('Command Injection'): This vulnerability occurs when user-supplied input is not properly sanitized or validated before being used in a command. This can allow an attacker to inject malicious code into the command, which can be used to execute arbitrary code.

Conclusion

The CWE Top 25 from 2021 is an important list of the most common and dangerous software vulnerabilities. Compared to the CWE Top 25 from 2020, the 2021 list includes new vulnerabilities such as mproper Neutralization of Special Elements used in a Command ('Command Injection'), Server-Side Request Forgery (SSRF) and Incorrect Default Permissions. Additionally, some of the existing vulnerabilities have been re-ordered in the list, such as Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The CWE Top 25 from 2021 is an important resource for software developers and security professionals, as it provides a comprehensive list of the most common and dangerous software vulnerabilities.

Contact

Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment:

Arrange appointment