Penetration Test | Jan Kahmen | 8 min read

CWE Top 25 (2022)

The CWE Top 25 Most Dangerous Software Weaknesses of 2022 is a ranked list of the 25 most dangerous software weaknesses.

The CWE Top 25 is an annual list of the most dangerous software security weaknesses compiled by the MITRE Corporation. It is updated each year to reflect the latest threats and attack patterns. The 2022 edition includes new entries alongside updates to existing weaknesses, making it an essential resource for security professionals. In this blog post, we explore the differences between the CWE Top 25 2021 and the CWE Top 25 2022, and discuss how these changes can help organizations better protect their systems and data.

CWE TOP 25 - 2022

  1. Out-of-bounds Write: This vulnerability occurs when a program writes data beyond the intended boundary of a buffer or memory region. It can cause crashes or allow an attacker to execute arbitrary code.

  2. Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting): When user-supplied input is not properly sanitized before being rendered in a web page, an attacker can inject malicious scripts that execute in other users' browsers.

  3. Improper Neutralization of Special Elements Used in an SQL Command (SQL Injection): If user input is included in an SQL query without sufficient validation, an attacker can manipulate the query to execute arbitrary SQL statements against the database.

  4. Improper Input Validation: When user-supplied input is not properly validated before processing, an attacker can supply crafted input to crash the program or execute arbitrary code.

  5. Out-of-bounds Read: This weakness occurs when a program reads data beyond the intended boundary of a buffer or memory region. It can cause crashes or expose sensitive information to an attacker.

  6. Improper Neutralization of Special Elements Used in an OS Command (OS Command Injection): If user input is not properly sanitized before being passed to an operating system command, an attacker can inject and execute arbitrary commands on the host system.

  7. Use After Free: When a program accesses memory that has already been freed, it can lead to crashes or allow an attacker to execute arbitrary code.

  8. Improper Limitation of a Pathname to a Restricted Directory (Path Traversal): If a program fails to properly restrict file or directory access, an attacker can traverse the file system to reach resources they should not have access to.

  9. Cross-Site Request Forgery (CSRF): This weakness occurs when a malicious website causes an authenticated user's browser to send requests to a vulnerable application on that user's behalf. The attacker can perform actions without the user's knowledge or consent.

  10. Unrestricted Upload of File with Dangerous Type: When an application does not restrict which file types can be uploaded, an attacker can upload malicious files and trigger their execution.

  11. NULL Pointer Dereference: This vulnerability occurs when a program attempts to access memory through a null pointer. It can cause crashes or, in certain cases, enable code execution.

  12. Deserialization of Untrusted Data: When data from untrusted sources is deserialized without validation, an attacker can inject malicious code that the program then executes.

  13. Integer Overflow or Wraparound: When a program performs an arithmetic operation that results in an integer overflow, it can lead to crashes or arbitrary code execution.

  14. Improper Authentication: If a program does not properly authenticate its users, an attacker can gain access to the system without valid credentials.

  15. Use of Hard-coded Credentials: When credentials are embedded directly in source code, an attacker can extract them and gain unauthorized access to the system.

  16. Missing Authorization: Without proper authorization checks, users can access functions and data they are not entitled to, potentially leading to data breaches or privilege escalation.

  17. Improper Neutralization of Special Elements Used in a Command (Command Injection): If user input is not properly sanitized before being incorporated into a command, an attacker can inject and execute malicious code on the system.

  18. Missing Authentication for Critical Function: When a program does not authenticate users before granting access to a critical function, an attacker can execute that function without proper authorization.

  19. Improper Restriction of Operations Within the Bounds of a Memory Buffer: When memory operations are not properly constrained to the intended buffer boundaries, it can result in crashes or arbitrary code execution.

  20. Incorrect Default Permissions: If a program sets insecure default permissions on files or directories, attackers can access resources they should not have access to.

  21. Server-Side Request Forgery (SSRF): This weakness allows an attacker to make the server send requests to internal or external systems, potentially exposing sensitive data or enabling further attacks.

  22. Concurrent Execution Using Shared Resource with Improper Synchronization (Race Condition): When a program fails to properly synchronize access to shared resources, an attacker can exploit timing windows to gain unauthorized access.

  23. Uncontrolled Resource Consumption: If a program does not adequately limit resource usage, an attacker can exhaust system resources, leading to a denial-of-service condition.

  24. Improper Restriction of XML External Entity Reference: When a program does not properly restrict external entities in XML documents, an attacker can exploit this to access sensitive files or directories.

  25. Improper Control of Generation of Code (Code Injection): If user input is not properly validated before being used to generate code, an attacker can inject malicious code that the program then executes.
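Three of the injection-class entries above (item 3, SQL injection; item 6, OS command injection; item 8, path traversal) share one root cause: untrusted input is combined with a query, a path or a command string without a boundary between data and syntax. The following Python is an added example written for this post, not code from the original article or from any project; the in-memory SQLite table, the `/srv/uploads` base directory and the `ping` wrapper are constructed stand-ins. Each weakness is shown in its vulnerable form next to the hardened form a reviewer would expect.

```python
import os
import re
import sqlite3


# Constructed in-memory table standing in for an application database.
def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# Item 3, SQL injection: the user-controlled name is spliced into the statement,
# so a quote character in the input changes the structure of the query itself.
def lookup_vulnerable(conn, name):
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


# Hardened: a bound parameter is always treated as data, never as SQL syntax.
def lookup_hardened(conn, name):
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Item 8, path traversal: joining untrusted input to a base directory without
# checking where the result lands lets ".." (or an absolute path) escape it.
def upload_path_vulnerable(base_dir, name):
    return os.path.join(base_dir, name)


def is_within(base_dir, name):
    """True only if base_dir/name, after resolving '..' and symlinks, stays inside base_dir."""
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, name))
    return os.path.commonpath([base_real, target]) == base_real


def upload_path_hardened(base_dir, name):
    if not is_within(base_dir, name):
        raise ValueError("path escapes the upload directory")
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), name))


# Item 6, OS command injection: a shell string built from input and run with
# shell=True hands any shell metacharacters in that input to the shell.
def ping_command_vulnerable(host):
    return f"ping -c 1 {host}"   # the string that would go to subprocess.run(..., shell=True)


# Hardened: allow-list the input and pass an argument vector with no shell involved.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_valid_host(host):
    return bool(HOST_RE.fullmatch(host))


def ping_argv_hardened(host):
    if not is_valid_host(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]   # for subprocess.run(argv) without shell=True


if __name__ == "__main__":
    db = demo_db()
    probe = "x' OR '1'='1"
    print("vulnerable lookup rows:", len(lookup_vulnerable(db, probe)))
    print("hardened lookup rows:  ", len(lookup_hardened(db, probe)))
    print("inside upload dir:", is_within("/srv/uploads", "../../etc/passwd"))
    print("valid host:", is_valid_host("example.com; id"))
```

The pattern is the same in all three cases: the hardened variant never lets the input reach an interpreter (SQL engine, filesystem resolver, shell) as syntax. Parameter binding, a canonicalize-then-compare check on the resolved path, and an allow-list plus argument vector are the respective boundaries.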
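Item 22 (race condition) is the hardest entry in the list to picture from a one-sentence description, because the bug only appears when two requests interleave. The Python below is an added example written for this post, not code from the original article or from any project; the coupon store, the code `SAVE10` and the two-thread driver are constructed. It makes the timing window reproducible with a barrier so the double redemption happens every run, and shows the lock that closes it.

```python
import threading


class CouponStore:
    """Constructed in-memory store: each coupon code may be redeemed exactly once."""

    def __init__(self):
        self._redeemed = set()
        self._lock = threading.Lock()

    def redeem_vulnerable(self, code, after_check=lambda: None):
        # Item 22: the check ("already used?") and the act ("mark used") are two
        # separate steps with no synchronization, so a second request that arrives
        # between them passes the same check. after_check() exists only to make
        # that window reproducible in this example.
        if code in self._redeemed:
            return False
        after_check()
        self._redeemed.add(code)
        return True

    def redeem_hardened(self, code):
        # Check and act inside one critical section: the first caller to take
        # the lock wins, and every later caller sees the updated state.
        with self._lock:
            if code in self._redeemed:
                return False
            self._redeemed.add(code)
            return True


def count_successful_redemptions(hardened):
    """Run two concurrent redemptions of the same code and count how many succeed."""
    store = CouponStore()
    barrier = threading.Barrier(2)   # forces both threads into the same window
    results = []

    def worker():
        if hardened:
            barrier.wait()           # arrive together, then contend for the lock
            results.append(store.redeem_hardened("SAVE10"))
        else:
            # both threads pass the check, meet at the barrier, then both mark the code used
            results.append(store.redeem_vulnerable("SAVE10", after_check=barrier.wait))

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)   # 2 means the single-use coupon was redeemed twice


if __name__ == "__main__":
    print("unsynchronized:", count_successful_redemptions(hardened=False))
    print("with lock:     ", count_successful_redemptions(hardened=True))
```

In a real service the "window" is the network round trip between a SELECT and an UPDATE, or between a file-exists check and the file open, which is why the fix is an atomic check-and-act (a lock, a database transaction with the right isolation level, or a conditional update) rather than a faster check.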

Conclusion

The CWE Top 25 from 2022 is an updated edition of the 2021 list. New entries include Uncontrolled Resource Consumption, Race Conditions, and Code Injection. In addition, existing weaknesses such as Out-of-bounds Write, Cross-Site Scripting, and SQL Injection were re-evaluated and re-ranked. The CWE Top 25 provides a concise overview of the most common and dangerous software vulnerabilities. By understanding and addressing these weaknesses, organizations can significantly improve the protection of their systems and data against malicious actors.