Penetration Test | Jan Kahmen | 9 min read

CWE Top 25 - (2023)

The CWE Top 25 Most Dangerous Software Weaknesses 2023 is a list of the most dangerous software weaknesses compiled by the Common Weakness Enumeration (CWE) for the year 2023.


The CWE Top 25 Most Dangerous Software Weaknesses 2023 is a list of the most dangerous software weaknesses created by the Common Weakness Enumeration (CWE). The list was created to help developers and security researchers identify and understand the most common and dangerous software weaknesses. The list is updated annually to reflect the latest trends in software security.

The list includes weaknesses such as Injection Attacks, Cross-Site Scripting, Insecure Authentication, Insecure Data Storage, Insecure Configuration, and Insecure Communication. Each weakness is listed with a detailed description and examples that help readers understand and prevent it.

The CWE Top 25 Most Dangerous Software Weaknesses is an important tool for developers and security researchers to identify and prevent the most common and dangerous software weaknesses. It is a valuable resource for ensuring that software products are secure and robust. The list is compiled each year by the MITRE Corporation and is based on the CWE Top 25 of 2022.

CWE TOP 25 - 2023

  1. CWE-787 Out-of-Bounds Write: This vulnerability occurs when a program writes data outside of the memory area allocated for it. This can cause program errors or enable malicious actions, such as a buffer overflow.

  2. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): This vulnerability occurs when untrusted user data is inserted into an HTML page without stripping or encoding all special characters. This allows an attacker to use the data for malicious actions such as cross-site scripting (XSS).

  3. CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): This vulnerability occurs when an application builds an SQL query from user input without properly sanitizing it, so that special characters are neither removed nor encoded. This allows attackers to alter the query in order to manipulate the database or gain superuser privileges.

  4. CWE-416 Use After Free: This vulnerability occurs when a program accesses a dynamically allocated memory area that has already been freed and therefore no longer belongs to it. This can lead to program crashes or processing errors.

  5. CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): This vulnerability occurs when an application builds an operating system command from unfiltered user data and then executes it. This allows attackers to modify system resources and data and to perform malicious actions.

  6. CWE-20 Improper Input Validation: This vulnerability occurs when an application does not validate the data it receives. As a result, malformed user input is processed and causes unexpected behavior.

  7. CWE-125 Out-of-Bounds Read: This vulnerability occurs when a program attempts to read data outside of the memory area allocated for it. This can lead to processing errors or other program crashes.

  8. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): This vulnerability occurs when an application allows access to files outside of a restricted directory. This could lead to disclosure of sensitive data.

  9. CWE-352 Cross-Site Request Forgery (CSRF): This vulnerability occurs when a web page causes a user's browser to perform actions on another site without the user's knowledge or intent. This allows attackers to trick users into performing unwanted actions on a web page.

  10. CWE-434 Unrestricted Upload of File with Dangerous Type: This vulnerability occurs when a user can upload a malicious file without restrictive filtering in place. This allows attackers to save or execute malicious files on the system.

  11. CWE-862 Missing Authorization: This vulnerability occurs when an application does not verify which users have access to certain data or functionality. This allows attackers to use false credentials or other means to gain access.

  12. CWE-476 NULL Pointer Dereference: This vulnerability occurs when a program dereferences a pointer to an object that does not exist (i.e., a NULL pointer). This flaw can cause the program, or even the operating system, to crash.

  13. CWE-287 Improper Authentication: This vulnerability occurs when the mechanism that authenticates a user does not work correctly. This could result in users being authenticated into the wrong environment or even as a different user.

  14. CWE-190 Integer Overflow or Wraparound: This vulnerability occurs when a program attempts to increase or decrease an integer beyond the allowed range. Thus, the arithmetic can be incorrect, which in turn can lead to other program errors or malicious actions.

  15. CWE-502 Deserialization of Untrusted Data: This vulnerability occurs when an application does not validate the data it deserializes. This allows an attacker to supply serialized malicious objects that did not previously exist in the application and use them to perform malicious actions.

  16. CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection'): This vulnerability allows an attacker to inject commands into a program that is not designed to process commands. This could lead to the attacker taking control of the program and misusing it for their own purposes.

  17. CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: This vulnerability allows an attacker to access memory areas that are not intended to be accessed. This could allow the attacker to read sensitive data or execute malicious code.

  18. CWE-798 Use of Hard-coded Credentials: This vulnerability allows an attacker to access a system by using the hard-coded credentials stored in a program or application.

  19. CWE-918 Server-Side Request Forgery (SSRF): This vulnerability allows an attacker to send a request to a server that does not originate from a legitimate user. This could result in the attacker being able to read sensitive data or execute malicious code.

  20. CWE-306 Missing Authentication for Critical Function: This vulnerability allows an attacker to access a critical function without being properly authenticated. This could result in the attacker being able to read sensitive data or execute malicious code.

  21. CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'): This vulnerability allows an attacker to execute a function that is not properly synchronized. This could allow the attacker to take control of the program and misuse it for their own purposes.

  22. CWE-269 Improper Privilege Management: This vulnerability allows an attacker to access a function whose required privileges have not been properly assigned or enforced. This could result in the attacker being able to read sensitive data or execute malicious code.

  23. CWE-94 Improper Control of Generation of Code ('Code Injection'): This vulnerability allows an attacker to inject code into a program that is not intended to process code. This could lead to the attacker taking control of the program and misusing it for their own purposes.

  24. CWE-863 Incorrect Authorization: This vulnerability occurs when a system does not perform the correct authorization check for an action or object. This could result in users being able to access resources they are not authorized to access.

  25. CWE-276 Incorrect Default Permissions: This vulnerability occurs when a system does not set the correct default permissions for an action or object. This can result in users being able to access resources that they are not authorized to access.
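Several entries on the list (CWE-787, CWE-125, CWE-119 and CWE-190) describe the same memory-safety failure chain: an unchecked size calculation wraps around, a bounds check is then performed against the wrapped value, and the copy that follows runs past the buffer. The following C example, added here and not taken from the CWE list or any product, shows the wrapping computation beside a hardened copy routine that rejects it; the function names, buffer sizes and sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DST_LEN 64   /* constructed destination buffer size */

/* The pattern behind many CWE-190 -> CWE-787 bugs: the total size is
 * computed with an unchecked multiply. If it wraps, a later bounds check
 * compares against a tiny number and a per-record copy loop runs off the
 * end of the buffer. Exposed here only so the wrap can be observed. */
size_t naive_total(size_t count, size_t rec_size)
{
    return count * rec_size;   /* unsigned wraparound is silent */
}

/* Hardened copy: rejects a wrapping product (CWE-190) before it can turn
 * into an out-of-bounds write (CWE-787) or read (CWE-125). Returns 0 on
 * success, -1 if the request is rejected; *copied receives bytes written. */
int copy_records(unsigned char *dst, size_t dst_len,
                 const unsigned char *src, size_t src_len,
                 size_t count, size_t rec_size, size_t *copied)
{
    size_t total;

    if (dst == NULL || src == NULL || copied == NULL) return -1;
    *copied = 0;
    /* CWE-190 guard: refuse any count whose product would wrap. */
    if (rec_size != 0 && count > SIZE_MAX / rec_size) return -1;
    total = count * rec_size;
    /* CWE-787 / CWE-125 guard: the copy must fit both buffers. */
    if (total > dst_len || total > src_len) return -1;
    memcpy(dst, src, total);
    *copied = total;
    return 0;
}

int main(void)
{
    unsigned char src[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input */
    unsigned char dst[DST_LEN];
    size_t n = 0;

    int ok  = copy_records(dst, sizeof dst, src, sizeof src, 2, 4, &n);
    int bad = copy_records(dst, sizeof dst, src, sizeof src,
                           SIZE_MAX / 2 + 1, 2, &n);
    printf("valid request: rc=%d, bytes=%zu\n", ok, n);
    printf("wrapping request: rc=%d, naive total would be %zu\n",
           bad, naive_total(SIZE_MAX / 2 + 1, 2));
    return 0;
}
```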

Conclusion

The CWE Top 25 Most Dangerous Software Weaknesses 2023 is a valuable resource to help developers and security researchers identify and prevent the most common and dangerous software weaknesses. The list is updated annually to reflect the latest trends in software security and includes detailed descriptions and examples of each weakness. This helps developers make their software products secure and robust.
