2020 CWE Top 25 Most Dangerous Software Weaknesses
The 2020 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses.
To create the 2020 list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE. A formula was applied to the data to score each weakness based on prevalence and severity.
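The scoring formula summarized above is published as part of the CWE Top 25 methodology: each weakness receives a frequency factor Fr (its CVE count, min-max normalized across all CWEs in the data set) and a severity factor Sv (its average CVSS base score, min-max normalized the same way), and Score = Fr × Sv × 100. The following Python is an added example, not MITRE's own tooling, that applies that formula to a handful of constructed NVD-style records; the CVE identifiers, CWE mappings and CVSS values are invented for illustration, and entries without a concrete CWE mapping are skipped, as the real list only counts mapped CVEs.

```python
from collections import defaultdict

# Constructed sample records in the shape (CVE ID, mapped CWE ID, CVSS base score).
# These are illustrative only and do not correspond to real NVD entries.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-79", 6.1),
    ("CVE-0000-0002", "CWE-79", 5.4),
    ("CVE-0000-0003", "CWE-79", 6.1),
    ("CVE-0000-0004", "CWE-79", 4.8),
    ("CVE-0000-0005", "CWE-787", 9.8),
    ("CVE-0000-0006", "CWE-787", 8.8),
    ("CVE-0000-0007", "CWE-787", 9.8),
    ("CVE-0000-0008", "CWE-89", 9.8),
    ("CVE-0000-0009", "CWE-89", 7.5),
    ("CVE-0000-0010", "CWE-306", 9.1),
    ("CVE-0000-0011", "CWE-476", 5.5),
    ("CVE-0000-0012", "NVD-CWE-Other", 7.5),  # no concrete CWE: excluded from scoring
]


def _normalize(value, lo, hi):
    """Min-max normalize into [0, 1]; a degenerate range maps to 0."""
    return (value - lo) / (hi - lo) if hi != lo else 0.0


def score_weaknesses(records):
    """Return {CWE ID: score} using Score = Fr * Sv * 100.

    Fr: CVE count per CWE, normalized over the min/max count across CWEs.
    Sv: mean CVSS per CWE, normalized over the min/max mean across CWEs.
    """
    counts = defaultdict(int)
    cvss_total = defaultdict(float)
    for _cve_id, cwe_id, cvss in records:
        if not cwe_id.startswith("CWE-"):
            continue  # NVD-CWE-Other / NVD-CWE-noinfo carry no weakness to rank
        counts[cwe_id] += 1
        cvss_total[cwe_id] += cvss

    mean_cvss = {cwe: cvss_total[cwe] / counts[cwe] for cwe in counts}
    min_f, max_f = min(counts.values()), max(counts.values())
    min_s, max_s = min(mean_cvss.values()), max(mean_cvss.values())

    scores = {}
    for cwe in counts:
        fr = _normalize(counts[cwe], min_f, max_f)
        sv = _normalize(mean_cvss[cwe], min_s, max_s)
        scores[cwe] = round(fr * sv * 100, 2)
    return scores


def rank_weaknesses(records):
    """Return [(CWE ID, score), ...] ordered highest score first (ties by ID)."""
    scores = score_weaknesses(records)
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank_weaknesses(SAMPLE_CVES), start=1):
        print(f"{position:>2}  {cwe:<8} {score:>6.2f}")
```

Because the score is a product, a weakness that is very common but mild (CWE-79 in the sample) or severe but rare (CWE-306 here, the single least-frequent entry) ends up near zero, while a weakness that is both frequent and severe dominates. The least-frequent and least-severe CWEs always score exactly 0.00 under this normalization, which is why small shifts in how CVEs are mapped between a class-level CWE and its more specific children move entries several places in the real list.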
The CWE Top 25
Below is a brief listing of the weaknesses in the 2020 CWE Top 25, including the overall score of each.
| Rank | ID | Name | Score |
|---|---|---|---|
| 1 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 46.82 |
| 2 | CWE-787 | Out-of-bounds Write | 46.17 |
| 3 | CWE-20 | Improper Input Validation | 33.47 |
| 4 | CWE-125 | Out-of-bounds Read | 26.50 |
| 5 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 23.73 |
| 6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 20.69 |
| 7 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 19.16 |
| 8 | CWE-416 | Use After Free | 18.87 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 17.29 |
| 10 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 16.44 |
| 11 | CWE-190 | Integer Overflow or Wraparound | 15.81 |
| 12 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 13.67 |
| 13 | CWE-476 | NULL Pointer Dereference | 8.35 |
| 14 | CWE-287 | Improper Authentication | 8.17 |
| 15 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 7.38 |
| 16 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.95 |
| 17 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 6.53 |
| 18 | CWE-522 | Insufficiently Protected Credentials | 5.49 |
| 19 | CWE-611 | Improper Restriction of XML External Entity Reference | 5.33 |
| 20 | CWE-798 | Use of Hard-coded Credentials | 5.19 |
| 21 | CWE-502 | Deserialization of Untrusted Data | 4.93 |
| 22 | CWE-269 | Improper Privilege Management | 4.87 |
| 23 | CWE-400 | Uncontrolled Resource Consumption | 4.14 |
| 24 | CWE-306 | Missing Authentication for Critical Function | 3.85 |
| 25 | CWE-862 | Missing Authorization | 3.77 |
Analysis and Comment
The major difference between the 2019 and 2020 CWE Top 25 lists is the increased transition to more specific weaknesses as opposed to abstract class-level weaknesses. While these class-level weaknesses still exist in the list, they have moved down in the ranking. This movement is expected to continue in future years as the community improves its mapping to more specific weaknesses. Looking at the list, class-level weaknesses CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation), and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) each move down a couple of spots; while more specific weaknesses like CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-787 (Out-of-bounds Write) and CWE-125 (Out-of-bounds Read) moved up to take their place. This change, and subsequent future movement, will greatly benefit users that are attempting to understand the actual issues that threaten today’s systems.
The biggest movement up the list involves four weaknesses that are related to Authentication and Authorization:
- CWE-522 (Insufficiently Protected Credentials): from #27 to #18
- CWE-306 (Missing Authentication for Critical Function): from #36 to #24
- CWE-862 (Missing Authorization): from #34 to #25
- CWE-863 (Incorrect Authorization): from #33 to #29
All four of these weaknesses are among the hardest properties of a system to analyze for. One theory about this movement is that the community has improved its education, tooling, and analysis capabilities for some of the more implementation-specific weaknesses identified in previous editions of the CWE Top 25 and has reduced their occurrence, lowering their ranking and in turn raising the ranking of these more difficult weaknesses. Four of the biggest movers down are:
- CWE-426 (Untrusted Search Path): from #22 to #26
- CWE-295 (Improper Certificate Validation): from #25 to #28
- CWE-835 (Loop with Unreachable Exit Condition): from #26 to #36
- CWE-704 (Incorrect Type Conversion or Cast): from #28 to #37
Another big movement is again the result of mapping to a more specific weakness. In 2019, CWE-772 (Missing Release of Resource after Effective Lifetime) was #21. However, this didn't tell the entire story, since which type of resource is not released matters. For 2020, a more specific mapping was used to show the exact type of resource. Due to this change, CWE-401 (Missing Release of Memory after Effective Lifetime) went from not being on the list to #32, and CWE-772, now representing only non-memory resources, dropped to #75. This change creates a more accurate CWE Top 25 and identifies the actual issue more precisely.
Also of note is the addition of CWE-77 (Improper Neutralization of Special Elements used in a Command) to the On the Cusp list at #31. “Command Injection” is a term that is used inconsistently in vulnerability descriptions, often at the expense of the more accurate “OS Command Injection,” or used to describe the resulting consequence and not the root weakness. This is an area of research for the CWE Team and one that will hopefully be improved in future releases of the CWE Top 25.