CWE Top 25 2022. Review of changes

Mikhail Gelvikh

The CWE Top 25 list reflects the most serious software security weaknesses. I invite you to read the updated top list to become aware of the changes that happened over the past year.

We position the PVS‑Studio analyzer not only as a tool for finding bugs in code but also as a static application security testing (SAST) tool. For a better understanding of trends and for planning diagnostic rules, there is nothing better than to look at the latest list of the most relevant security issues. There are several such lists, for example, OWASP Top 10, SANS Top 25, and the above-mentioned CWE Top 25.

By the way, last year we already wrote about changes in the CWE Top 25 2021 — you can find the article here.

A bit of theory

To better understand the context, let's brush up on some topics. To do this, let's skim through the following points:

  • how CVE differs from CWE;
  • why we need CVSS;
  • what NVD and KEV are;
  • how the CWE Top 25 2022 is ranked.

If you feel CWE savvy, you can safely skip this section. Otherwise, I strongly recommend that you refresh those points before you read the article. Below is a rather free interpretation of some questions from CWE FAQ and CVE FAQ:

How does a software weakness differ from a software vulnerability?

Weaknesses are defects, failures and other issues of implementation, design or architecture of the software that may lead to vulnerabilities.

Vulnerabilities are errors that have already been found by someone. Attackers may exploit these vulnerabilities to get access to a system or a network, to disrupt services, etc.

What is CWE and how is it different from CVE? How does CVSS figure here and where did KEV come from?

  • CWE (Common Weakness Enumeration) is a general list of security defects.
  • CVE (Common Vulnerabilities and Exposures) is a list of vulnerabilities found in various software.
  • CVSS (Common Vulnerability Scoring System) is a numerical score that indicates the potential severity of a vulnerability (CVE). It is based on a standardized set of characteristics.
  • KEV (Known Exploited Vulnerabilities) is a catalog of known exploited vulnerabilities.

Why do I need to know about CWE?

Today, developers use CWE as the main tool when discussing how to eliminate and/or minimize security defects in the architecture, design, code, and implementation of software. Organizations use CWE as a standard measure for evaluating software security verification tools and as a common baseline standard for identifying, preventing, and minimizing negative consequences.

What is CWE Top 25?

CWE Top 25 is a list of the most dangerous and common defects. These defects are dangerous because someone can easily find and exploit them. Attackers can use them to disrupt the application's operation, steal data or even completely take over a system. CWE Top 25 is a significant community resource that can help you get an idea of the currently most common and dangerous security defects.

What algorithm is used to compile and rank the CWE Top 25 list?

The main sources for this year's list were:

  • data from the U.S. National Vulnerability Database (NVD) for 2020–2021;
  • the Known Exploited Vulnerabilities (KEV) catalog that was compiled in November 2021 by the Cybersecurity and Infrastructure Security Agency (CISA).

The CWE team's researchers processed the obtained data according to the View-1003 method to reduce the specificity of records. For example, CWE-122 (Heap-Based Buffer Overflow) is converted to the more basic CWE-787 (Out-of-Bounds Write). The CWE team also filtered the data and removed the following items from the dataset before building the Top 25 list:

  • CVEs if they do not have a CVSS score;
  • CVEs whose description is labeled "REJECT";
  • CVEs without a mapping to any CWE;
  • CVEs that are labeled with "CWE-Other" or "NVD-CWE-noinfo".

Next, the team of researchers used their own formula to calculate the ranking order. This formula takes into account the potential danger of an exploit and the frequency with which a defect (CWE) is the root cause of a vulnerability. The team designed the formula so that it normalizes the frequency and predicted severity relative to their minimum and maximum values. To obtain the frequency of mentions, the formula counts how many times CVEs refer to a given CWE within the NVD.

Freq = {count(CWE_X' ∈ NVD) for each CWE_X' in NVD}

Fr(CWE_X) = (count(CWE_X ∈ NVD) - min(Freq)) / (max(Freq) - min(Freq))

Another important component of the scoring formula is a defect's severity. The following formula calculates it:

Sv(CWE_X) = (average_CVSS_for_CWE_X - min(CVSS)) / (max(CVSS) - min(CVSS))

At the end, the final score is calculated by multiplying the frequency of mention by the severity score.

Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100
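To make the filtering and ranking steps above concrete, here is an added worked example (my own illustration, not MITRE's code). It feeds a handful of constructed CVE records through the four exclusion rules, folds child CWEs into their View-1003 base entry (only the CWE-122 → CWE-787 mapping comes from the article; CWE-121 → CWE-787 is an assumed extra), and then applies the Fr, Sv and Score formulas. One interpretation choice is assumed: min(CVSS) and max(CVSS) are taken over the per-CWE average CVSS values, mirroring how min(Freq) and max(Freq) range over per-CWE counts.

```python
"""Worked example of the CWE Top 25 filtering and ranking steps.

Added illustration, not MITRE's code. The CVE records below are
constructed sample data with placeholder ids, not real NVD entries.
"""
from collections import defaultdict
from statistics import mean

# View-1003 style generalization: specific child CWEs are folded into
# their base entry, as the article describes for CWE-122 -> CWE-787.
VIEW_1003_PARENT = {
    "CWE-122": "CWE-787",  # Heap-based Buffer Overflow -> Out-of-bounds Write
    "CWE-121": "CWE-787",  # Stack-based Buffer Overflow -> Out-of-bounds Write (assumed)
}

# Constructed sample records (ids are placeholders, not real CVEs).
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "cwe": "CWE-787", "rejected": False},
    {"id": "CVE-0000-0002", "cvss": 8.1, "cwe": "CWE-122", "rejected": False},  # folds into CWE-787
    {"id": "CVE-0000-0003", "cvss": 6.1, "cwe": "CWE-79", "rejected": False},
    {"id": "CVE-0000-0004", "cvss": 5.4, "cwe": "CWE-79", "rejected": False},
    {"id": "CVE-0000-0005", "cvss": 7.5, "cwe": "CWE-79", "rejected": False},
    {"id": "CVE-0000-0006", "cvss": 9.8, "cwe": "CWE-89", "rejected": False},
    {"id": "CVE-0000-0007", "cvss": 7.5, "cwe": "CWE-20", "rejected": False},
    {"id": "CVE-0000-0008", "cvss": 7.5, "cwe": "CWE-20", "rejected": False},
    # The remaining records each hit one of the four filter rules and are dropped.
    {"id": "CVE-0000-0009", "cvss": None, "cwe": "CWE-89", "rejected": False},  # no CVSS score
    {"id": "CVE-0000-0010", "cvss": 7.0, "cwe": "CWE-89", "rejected": True},    # REJECT
    {"id": "CVE-0000-0011", "cvss": 5.0, "cwe": None, "rejected": False},       # no CWE mapping
    {"id": "CVE-0000-0012", "cvss": 5.0, "cwe": "NVD-CWE-noinfo", "rejected": False},
    {"id": "CVE-0000-0013", "cvss": 4.3, "cwe": "CWE-Other", "rejected": False},
]

UNMAPPED = {"CWE-Other", "NVD-CWE-noinfo"}


def filter_cves(cves):
    """Apply the four exclusion rules, then fold CWEs to their View-1003 base."""
    kept = []
    for rec in cves:
        if rec["cvss"] is None or rec["rejected"]:
            continue
        if rec["cwe"] is None or rec["cwe"] in UNMAPPED:
            continue
        kept.append({**rec, "cwe": VIEW_1003_PARENT.get(rec["cwe"], rec["cwe"])})
    return kept


def _normalize(value, lo, hi):
    # Min-max scaling. A degenerate range (single CWE, or all equal) yields 0;
    # the article's formula does not cover that case, so this guard is an assumption.
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(cves):
    """Return {cwe: score} computed as Score = Fr * Sv * 100."""
    kept = filter_cves(cves)
    counts = defaultdict(int)
    cvss_by_cwe = defaultdict(list)
    for rec in kept:
        counts[rec["cwe"]] += 1
        cvss_by_cwe[rec["cwe"]].append(rec["cvss"])
    # Freq: how often each CWE is the root cause, normalized over all CWEs.
    freq = counts.values()
    # Sv: average CVSS per CWE, normalized over the per-CWE averages
    # (assumed reading of min(CVSS) / max(CVSS) in the formula).
    avg_cvss = {cwe: mean(v) for cwe, v in cvss_by_cwe.items()}
    scores = {}
    for cwe in counts:
        fr = _normalize(counts[cwe], min(freq), max(freq))
        sv = _normalize(avg_cvss[cwe], min(avg_cvss.values()), max(avg_cvss.values()))
        scores[cwe] = round(fr * sv * 100, 2)
    return scores


def rank_cwes(cves):
    """Ordered list of (cwe, score), highest score first, ties broken by CWE id."""
    return sorted(score_cwes(cves).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for pos, (cwe, score) in enumerate(rank_cwes(SAMPLE_CVES), start=1):
        print(f"{pos:>2}  {cwe:<8} {score:6.2f}")
```

Note how the normalization interacts: CWE-79 is the most frequent CWE in the sample but has the lowest average CVSS, so Sv is 0 and it scores 0; CWE-89 has the highest average CVSS but is the least frequent, so Fr is 0 and it also scores 0. Only CWEs that are both frequent and severe relative to the rest of the dataset rise to the top, which is exactly the bias the CWE team says it wants to revisit.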

In general, the methodology of data analysis has not changed much this year. But next year, the CWE team is planning more significant changes. Here are some of them:

  • support generation of more specialized lists, such as a Top 25 for mobile applications, etc.;
  • consider changing the metrics used to generate the list to minimize some of the bias (here are more details);
  • enhance the View-1003 methodology;
  • perform normalization using different views besides View-1003;
  • if possible, perform more CVE -> CWE mappings to reduce the number of one-off edits to the mapping data.

You can find more information about the methodology of data preparation and analysis in the supplemental details pertaining to the CWE Top 25 list.

How big is the sampling this year?

The dataset contained a total of 37,899 CVEs from the previous two calendar years.

Is the Top 25 updated every year?

Yes, it is updated annually. For information about previous versions, visit the CWE Top 25 archive.

Who participates in the development of CWE Top 25?

The CWE community includes individual researchers and representatives of numerous organizations, the scientific community, and government agencies. They are all interested in eliminating software defects. You can get a list of CWE Team members on the "CWE Community Members" page.

Read more about classification on the cwe.mitre.org website.

The situation today

Below is a table of correspondence between the CWE Top 25 2022 list and the PVS-Studio diagnostic rules, divided by programming languages. You can always check the most up-to-date table with CWE Top 25 coverage on our website.

# | CWE ID | Name | Score | KEV | PVS‑Studio diagnostics
1 | CWE-787 | Out-of-bounds Write | 64.20 | 62 | C++: V512, V557, V582, V645; C#: V3106; Java: V6025
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.97 | 2 | C#: V5610
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 22.11 | 7 | C#: V5608
4 | CWE-20 | Improper Input Validation | 20.63 | 20 | C++: V739, V781, V1010, V1024, V5009
5 | CWE-125 | Out-of-bounds Read | 17.67 | 1 | C++: V512, V557, V582; C#: V3106; Java: V6025
6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 17.53 | 32 | C++: V1010, V5009; C#: V5616
7 | CWE-416 | Use After Free | 15.50 | 28 | C++: V623, V723, V758, V774, V1017
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.08 | 19 | C#: V5609
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | Coming in the future
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56 | 6 | Coming in the future
11 | CWE-476 | NULL Pointer Dereference | 7.15 | 0 | C++: V522, V595, V664, V713, V1004; C#: V3027, V3042, V3080, V3095, V3100, V3125, V3145, V3146, V3148, V3149, V3152, V3153, V3168; Java: V6008, V6060, V6093
12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | C#: V5611
13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | C++: V629, V658, V673, V683, V1026, V1028, V1083, V1085, V5004, V5005, V5006, V5007, V5010, V5011; C#: V3113; Java: V6105
14 | CWE-287 | Improper Authentication | 6.35 | 4 | Coming in the future
15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | C++: V5013; C#: V5601; Java: V5305
16 | CWE-862 | Missing Authorization | 5.53 | 1 | Coming in the future
17 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 5.42 | 5 | C#: V5616
18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | Coming in the future
19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 8.85 | 6 | C++: V512, V557, V582, V769, V783, V1004
20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | Coming in the future
21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | C#: V5618
22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 3.57 | 6 | Coming in the future
23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | Coming in the future
24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | C#: V5614
25 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 3.32 | 4 | C++: V1076

The table shows that the PVS-Studio static analyzer now covers 68% (17 out of 25) of the CWE Top 25 2022 list. Last year, the coverage was 52%. The significant improvement in coverage over the year is due to the large number of SAST-oriented diagnostic rules that PVS-Studio released over the past year.

Changes in the CWE Top 25 over the past year

The biggest upshifts:

# | CWE ID | Name | Position in 2021 | Position in 2022 | Annual change
1 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 33 | 22 | 11▲
2 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 25 | 17 | 8▲
3 | CWE-400 | Uncontrolled Resource Consumption | 27 | 23 | 4▲
4 | CWE-476 | NULL Pointer Dereference | 15 | 11 | 4▲
5 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 28 | 25 | 3▲

The biggest downshifts:

# | CWE ID | Name | Position in 2021 | Position in 2022 | Annual change
1 | CWE-522 | Insufficiently Protected Credentials | 21 | 38 | 17▼
2 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 20 | 33 | 13▼
3 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 22 | 30 | 8▼
4 | CWE-306 | Missing Authentication for Critical Function | 11 | 18 | 7▼

"Newbies" in the Top 25:

# | CWE ID | Name | Position in 2021 | Position in 2022 | Annual change
1 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 33 | 22 | 11▲
2 | CWE-400 | Uncontrolled Resource Consumption | 27 | 23 | 4▲
3 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 28 | 25 | 3▲

And finally, the defects that dropped out of the CWE Top 25 in 2022:

# | CWE ID | Name | Position in 2021 | Position in 2022 | Annual change
1 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 20 | 33 | 13▼
2 | CWE-522 | Insufficiently Protected Credentials | 21 | 23 | 2▼
3 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 22 | 30 | 8▼

Key points:

  • the top ten places remain fairly stable;
  • CWE-787 (Out-of-bounds Write) still holds the lead;
  • CWE-502 (Deserialization of Untrusted Data) and CWE-862 (Missing Authorization) are steadily rising towards the top year by year;
  • this year, CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')) broke into the top, immediately rising by 11 places compared to last year;
  • CWE-306 (Missing Authentication for Critical Function), which appeared in 2020 and skyrocketed last year, dropped this year;
  • the largest downward movement belongs to CWE-522 (Insufficiently Protected Credentials), which fell by 17 places at once.

Below the top

As a bonus, let's see which defects did not make it into the 2022 CWE Top 25 but may well enter the top next year:

# | CWE ID | Name | Score | KEV | Annual change
26 | CWE-295 | Improper Certificate Validation | 3.12 | 2 | -
27 | CWE-427 | Uncontrolled Search Path Element | 3.12 | 0 | 7▲
28 | CWE-863 | Incorrect Authorization | 3.10 | 0 | 10▲
29 | CWE-269 | Improper Privilege Management | 3.06 | 3 | -
30 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 2.93 | 1 | 8▼
31 | CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | 2.87 | 10 | 5▲
32 | CWE-668 | Exposure of Resource to Wrong Sphere | 2.68 | 0 | 21▲
33 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 2.49 | 2 | 13▼
34 | CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | 2.48 | 0 | new
35 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | 2.41 | 0 | 2▲
36 | CWE-401 | Missing Release of Memory after Effective Lifetime | 2.39 | 0 | 4▼
37 | CWE-59 | Improper Link Resolution Before File Access ('Link Following') | 2.38 | 4 | 6▼
38 | CWE-522 | Insufficiently Protected Credentials | 2.25 | 0 | 17▼
39 | CWE-319 | Cleartext Transmission of Sensitive Information | 2.15 | 0 | 4▼
40 | CWE-312 | Cleartext Storage of Sensitive Information | 2.01 | 0 | 1▲

Although these defects did not make it into the top, they are still important because under favorable circumstances they may turn into vulnerabilities.

Conclusion

I hope you enjoyed this article and understood the current terminology.

Fortunately, static analyzers help us fight potential vulnerabilities. Therefore, I invite you to download the PVS-Studio static analyzer and test it on your project. Maybe a couple of CWEs have crept into your code and are about to become a CVE :)

Additional links