Washington D.C.
Sunday, September 26, 2021

2021 CWE Top 25 Most Dangerous Software Weaknesses

The 2021 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find and exploit, and they can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that gives developers, testers, and users, as well as project managers, security researchers, and educators, insight into the most severe and current security weaknesses.

To create the 2021 list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. A formula was applied to the data to score each weakness based on prevalence and severity.
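The article only says that each weakness was scored on "prevalence and severity". The following Python script is an added example, not code from the article or from the CWE Program, that shows what such a scoring looks like on NVD-style data. The normalization it uses (per-CWE CVE count and average CVSS score, each min-max normalized, multiplied, and scaled to 100, with the NVD placeholder mappings `NVD-CWE-Other` and `NVD-CWE-noinfo` excluded) follows the formula the CWE Program publishes in its Top 25 methodology; because the article does not reproduce that formula, treat its exact form here as this example's assumption. The CVE records are constructed sample data, not real entries.

```python
"""Added example: CWE Top 25 style scoring over NVD-like records.

Not the article's or the CWE Program's own code. The formula below follows
the published CWE Top 25 methodology (frequency and average CVSS, each
min-max normalized, multiplied, scaled to 100); the article only mentions
"prevalence and severity", so treat the exact form as an assumption here.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample records shaped like NVD entries:
# (cve_id, [cwe_ids mapped to that CVE], cvss_base_score). Not real CVEs.
SAMPLE_RECORDS = [
    ("CVE-0000-0001", ["CWE-79"], 6.1),
    ("CVE-0000-0002", ["CWE-79"], 5.4),
    ("CVE-0000-0003", ["CWE-79"], 6.1),
    ("CVE-0000-0004", ["CWE-79"], 6.1),
    ("CVE-0000-0005", ["CWE-787"], 9.8),
    ("CVE-0000-0006", ["CWE-787"], 8.8),
    ("CVE-0000-0007", ["CWE-787"], 7.8),
    ("CVE-0000-0008", ["CWE-78"], 9.8),
    ("CVE-0000-0009", ["CWE-78", "CWE-20"], 9.8),  # one CVE, two CWE mappings
    ("CVE-0000-0010", ["CWE-20"], 7.5),
    ("CVE-0000-0011", ["CWE-22"], 7.5),
    ("CVE-0000-0012", ["NVD-CWE-Other"], 5.3),     # placeholder mapping, skipped
]

# NVD placeholder mappings carry no weakness information (assumed exclusion,
# matching the published methodology).
IGNORED = {"NVD-CWE-Other", "NVD-CWE-noinfo"}


def aggregate(records):
    """Count CVEs per CWE and collect their CVSS scores.

    A CVE mapped to several CWEs counts once toward each of them.
    """
    counts = defaultdict(int)
    scores = defaultdict(list)
    for _cve_id, cwes, cvss in records:
        for cwe in cwes:
            if cwe in IGNORED:
                continue
            counts[cwe] += 1
            scores[cwe].append(cvss)
    return counts, scores


def minmax(value, lo, hi):
    """Scale value into [0, 1] relative to the observed range."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_weaknesses(records):
    """Return {cwe: score} where score = Fr * Sv * 100.

    Fr is the min-max normalized CVE count (prevalence) and Sv the min-max
    normalized average CVSS score (severity) of each CWE.
    """
    counts, scores = aggregate(records)
    freq_lo, freq_hi = min(counts.values()), max(counts.values())
    avg_cvss = {cwe: mean(v) for cwe, v in scores.items()}
    sev_lo, sev_hi = min(avg_cvss.values()), max(avg_cvss.values())
    result = {}
    for cwe in counts:
        fr = minmax(counts[cwe], freq_lo, freq_hi)
        sv = minmax(avg_cvss[cwe], sev_lo, sev_hi)
        result[cwe] = round(fr * sv * 100, 2)
    return result


def rank(records):
    """CWE ids ordered by descending score; ties broken by id for stability."""
    scored = score_weaknesses(records)
    return sorted(scored, key=lambda cwe: (-scored[cwe], cwe))


if __name__ == "__main__":
    scored = score_weaknesses(SAMPLE_RECORDS)
    for position, cwe in enumerate(rank(SAMPLE_RECORDS), start=1):
        print(f"#{position:<3} {cwe:<8} score={scored[cwe]:6.2f}")
```

Running it on the constructed data ranks CWE-787 first (frequent and severe), then CWE-78 (rare in the sample but the most severe), then CWE-20, while CWE-79 and CWE-22 score exactly 0. That last point is a property of min-max normalization worth knowing when reading any list built this way: the most frequent weakness scores 0 if it also has the lowest average CVSS (here CWE-79), and the least frequent weakness always scores 0 regardless of its severity (here CWE-22). A single CVE mapped to two CWEs, as in `CVE-0000-0009`, raises the count of both, which is one reason the article stresses precise, Base-level mappings.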

The major difference between the 2020 and 2021 CWE Top 25 lists is the continued transition to more specific weaknesses as opposed to abstract, class-level weaknesses. A preliminary estimate suggests that the percentage of Base-level CWEs has increased from ~60% to ~71% of all Top 25 entries, and the percentage of Class-level CWEs has decreased from ~30% to ~20% of entries. Other weakness levels (e.g., category, compound, and variant) remain relatively unchanged.

While a few class-level weaknesses still exist in the list, they have declined noticeably in the ranking, as influenced by prioritization in the remapping task (see Remapping Task section below). This movement is expected to continue in future years as the community improves its mappings to more precise weaknesses.

With the relative decline of class-level weaknesses, more specific CWEs have moved up to take the place of these high-level classes, such as CWE-78 (Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)), CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-306 (Missing Authentication for Critical Function), CWE-502 (Deserialization of Untrusted Data), CWE-862 (Missing Authorization), and CWE-276 (Incorrect Default Permissions). Further movement in this direction will greatly benefit users who are trying to understand the actual issues that threaten today’s systems, as the Top 25 Team believes that Base-level weaknesses are more informative to stakeholders than Class-level weaknesses.

The biggest movements up the list are:

  • CWE-276 (Incorrect Default Permissions): from #41 to #19
  • CWE-306 (Missing Authentication for Critical Function): from #24 to #11
  • CWE-502 (Deserialization of Untrusted Data): from #21 to #13
  • CWE-862 (Missing Authorization): from #25 to #18
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25

Most of these weaknesses are among the most difficult areas of a system to analyze. One theory for this movement is that the community has improved its education, tooling, and analysis capabilities for some of the more implementation-specific weaknesses identified in previous editions of the CWE Top 25 and has reduced their occurrence. This would lower their ranking, in turn raising the ranking of these more difficult weaknesses.

Five of the biggest downward movers are:

  • CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): from #7 to #20
  • CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer): from #5 to #17
  • CWE-94 (Improper Control of Generation of Code (‘Code Injection’)): from #17 to #28
  • CWE-269 (Improper Privilege Management): from #22 to #29
  • CWE-732 (Incorrect Permission Assignment for Critical Resource): from #16 to #22

New entries in the Top 25 are:

  • CWE-276 (Incorrect Default Permissions): from #41 to #19
  • CWE-918 (Server-Side Request Forgery (SSRF)): from #27 to #24
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25

Entries that fell off the Top 25 are:

  • CWE-400 (Uncontrolled Resource Consumption): from #23 to #27
  • CWE-94 (Improper Control of Generation of Code (‘Code Injection’)): from #17 to #28
  • CWE-269 (Improper Privilege Management): from #22 to #29

See the full CWE list

Homeland Security Today (http://www.hstoday.us)
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
