2020 CWE Top 25 Most Dangerous Software Weaknesses


The 2020 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find and exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — gain insight into the most severe and current security weaknesses.

To create the 2020 list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE. A formula was applied to the data to score each weakness based on prevalence and severity.
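The page states only that a formula combining prevalence and severity was applied to the NVD data. The following is an added example, not code from MITRE or from this page, that implements the scoring method the CWE Top 25 methodology describes: each weakness's CVE count and its average CVSS score are min-max normalized across all weaknesses in the data set, and the two normalized values are multiplied and scaled to 0..100. The CVE identifiers and CVSS values below are constructed for illustration and are not real NVD records.

```python
from collections import defaultdict

# Constructed sample of NVD-style records: (CVE id, mapped CWE, CVSS base score).
# These identifiers and scores are invented for the example, not real NVD data.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-79", 6.1),
    ("CVE-0000-0002", "CWE-79", 6.1),
    ("CVE-0000-0003", "CWE-79", 5.4),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-787", 9.8),
    ("CVE-0000-0006", "CWE-787", 8.8),
    ("CVE-0000-0007", "CWE-787", 7.8),
    ("CVE-0000-0008", "CWE-798", 9.8),
    ("CVE-0000-0009", "CWE-200", 5.3),
    ("CVE-0000-0010", "CWE-200", 4.3),
]


def _normalize(value, low, high):
    """Min-max normalize value into [0, 1]; a degenerate range yields 0."""
    if high == low:
        return 0.0
    return (value - low) / (high - low)


def score_weaknesses(records):
    """Return {CWE id: score} using the CWE Top 25 prevalence x severity formula.

    Fr(CWE) = normalized CVE count, Sv(CWE) = normalized average CVSS,
    Score(CWE) = Fr * Sv * 100, rounded to two decimals like the published list.
    """
    counts = defaultdict(int)
    cvss_totals = defaultdict(float)
    for _cve_id, cwe, cvss in records:
        counts[cwe] += 1
        cvss_totals[cwe] += cvss

    avg_cvss = {cwe: cvss_totals[cwe] / counts[cwe] for cwe in counts}
    freq_low, freq_high = min(counts.values()), max(counts.values())
    sev_low, sev_high = min(avg_cvss.values()), max(avg_cvss.values())

    scores = {}
    for cwe in counts:
        prevalence = _normalize(counts[cwe], freq_low, freq_high)
        severity = _normalize(avg_cvss[cwe], sev_low, sev_high)
        scores[cwe] = round(prevalence * severity * 100, 2)
    return scores


def rank_weaknesses(records):
    """Return CWE ids ordered from highest to lowest score."""
    scores = score_weaknesses(records)
    return sorted(scores, key=lambda cwe: scores[cwe], reverse=True)


if __name__ == "__main__":
    for position, cwe in enumerate(rank_weaknesses(SAMPLE_CVES), start=1):
        print(f"[{position}] {cwe} {score_weaknesses(SAMPLE_CVES)[cwe]}")
```

Two properties of the formula are visible in the sample output: the least frequent weakness (CWE-798, one record) scores 0 even though it carries the highest CVSS, and the least severe one (CWE-200) scores 0 regardless of how often it appears. Because both factors are normalized against the whole data set, the ranking also shifts when mappings move from a class-level CWE to a more specific one, which is the effect the analysis section below describes.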

The CWE Top 25

Below is a brief listing of the weaknesses in the 2020 CWE Top 25, including the overall score of each.

Rank | CWE ID  | Weakness Name                                                                              | Score
-----|---------|--------------------------------------------------------------------------------------------|------
1    | CWE-79  | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)       | 46.82
2    | CWE-787 | Out-of-bounds Write                                                                        | 46.17
3    | CWE-20  | Improper Input Validation                                                                  | 33.47
4    | CWE-125 | Out-of-bounds Read                                                                         | 26.50
5    | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer                    | 23.73
6    | CWE-89  | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)       | 20.69
7    | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor                                 | 19.16
8    | CWE-416 | Use After Free                                                                             | 18.87
9    | CWE-352 | Cross-Site Request Forgery (CSRF)                                                          | 17.29
10   | CWE-78  | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 16.44
11   | CWE-190 | Integer Overflow or Wraparound                                                             | 15.81
12   | CWE-22  | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)             | 13.67
13   | CWE-476 | NULL Pointer Dereference                                                                   | 8.35
14   | CWE-287 | Improper Authentication                                                                    | 8.17
15   | CWE-434 | Unrestricted Upload of File with Dangerous Type                                            | 7.38
16   | CWE-732 | Incorrect Permission Assignment for Critical Resource                                      | 6.95
17   | CWE-94  | Improper Control of Generation of Code (‘Code Injection’)                                  | 6.53
18   | CWE-522 | Insufficiently Protected Credentials                                                       | 5.49
19   | CWE-611 | Improper Restriction of XML External Entity Reference                                      | 5.33
20   | CWE-798 | Use of Hard-coded Credentials                                                              | 5.19
21   | CWE-502 | Deserialization of Untrusted Data                                                          | 4.93
22   | CWE-269 | Improper Privilege Management                                                              | 4.87
23   | CWE-400 | Uncontrolled Resource Consumption                                                          | 4.14
24   | CWE-306 | Missing Authentication for Critical Function                                               | 3.85
25   | CWE-862 | Missing Authorization                                                                      | 3.77

Analysis and Comment

The major difference between the 2019 and 2020 CWE Top 25 lists is the increased transition to more specific weaknesses as opposed to abstract class-level weaknesses. While these class-level weaknesses still exist in the list, they have moved down in the ranking. This movement is expected to continue in future years as the community improves its mapping to more specific weaknesses. Looking at the list, the class-level weaknesses CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation), and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) each moved down a couple of spots, while more specific weaknesses such as CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-787 (Out-of-bounds Write) and CWE-125 (Out-of-bounds Read) moved up to take their place. This change, and the further movement expected to follow it, will greatly benefit users who are attempting to understand the actual issues that threaten today’s systems.

The biggest movement up the list involves four weaknesses that are related to Authentication and Authorization:

  • CWE-522 (Insufficiently Protected Credentials): from #27 to #18
  • CWE-306 (Missing Authentication for Critical Function): from #36 to #24
  • CWE-862 (Missing Authorization): from #34 to #25
  • CWE-863 (Incorrect Authorization): from #33 to #29

All four of these weaknesses are among the most difficult areas of a system to analyze. A theory about this movement is that the community has improved its education, tooling, and analysis capabilities related to some of the more implementation-specific weaknesses identified in previous editions of the CWE Top 25 and has reduced the occurrence of those, thus lowering their ranking and in turn raising the ranking of these more difficult weaknesses. Four of the biggest movers down are:

  • CWE-426 (Untrusted Search Path): from #22 to #26
  • CWE-295 (Improper Certificate Validation): from #25 to #28
  • CWE-835 (Loop with Unreachable Exit Condition): from #26 to #36
  • CWE-704 (Incorrect Type Conversion or Cast): from #28 to #37

Another big movement is again the result of mapping to a more specific weakness. In 2019, CWE-772 (Missing Release of Resource after Effective Lifetime) was #21. However, this didn’t tell the entire story, because which type of resource is not being released matters. For 2020, a more specific mapping was used to show the exact type of resource. Due to this change, CWE-401 (Missing Release of Memory after Effective Lifetime) went from not being on the list to being #32, while CWE-772, now representing all non-memory resources, dropped to #75. This change creates a more accurate CWE Top 25 and identifies the actual issue more precisely.

Also of note is the addition of CWE-77 (Improper Neutralization of Special Elements used in a Command) to the On the Cusp list at #31. “Command Injection” is a term that is used inconsistently in vulnerability descriptions, often at the expense of the more accurate “OS Command Injection,” or used to describe the resulting consequence and not the root weakness. This is an area of research for the CWE Team and one that will hopefully be improved in future releases of the CWE Top 25.

Published by: CODENET Cloud Computing

Samuel David Camilo is a specialist in Cloud Computing and Internet Security. He has worked in Information Technology for 28 years. Partner at CODENET TECNOLOGIA, having led projects in Brazil and the United States. Graduated in Systems Analysis and Business Administration, with an MBA in Digital Business. Consultant on corporate compliance with Law No. 13.709 of 14/08/2018, the General Data Protection Law (LGPD).
