2019 CWE Top 25 Most Dangerous Software Errors -- Draft


asummers
Administrator

Dear CWE Research Community,

It is our pleasure to share with you a draft version of the 2019 CWE Top 25 Most Dangerous Software Errors. These rankings may change before the final release, as we re-evaluate certain CVE <-> CWE mappings.

Please refer to my previous post to this list on July 16 for an overview of the new methodology used to calculate this new release of the CWE Top 25. In short, we are pulling CWE-related data directly from NVD and using both frequency and an average CVSS score to determine a rank order. The main advantage of this approach is that the Top 25 will be an objective look at what we are actually seeing in the real world.

For the 2019 Top 25, vulnerabilities for the calendar years 2017 and 2018 are used. The CWE Team has worked very hard over the last few months to correct several thousand mis-mapped CVEs, and we have worked with NIST to help improve the mapping of newly reported vulnerabilities with the updated CWE-1003 view.

We will continue our efforts to evaluate these mappings over the coming year to improve things further in advance of a 2020 Top 25. For this upcoming 2019 release, we will provide some explanations for a few inconsistencies, such as why CWE-119 is in the list along with some of its children. In short, this is a cue that we need to improve the mappings that are currently being done, when enough detail is available. The same is true for CWE-20 and CWE-200, both of which are very broad and for which more specific CWEs are desired.

We look forward to addressing any questions, as well as hearing any thoughts and comments you might have. We certainly appreciate all your interest, participation, and engagement with CWE, and we look forward to your continued support. Thank you!

Cheers,

Alec and the CWE Team


CWE Top 25

Rank  CWE  NVD Count  Avg. CVSS  Name
1     119  3466       8.04       Improper Restriction of Operations within the Bounds of a Memory Buffer
2     79   3197       5.77       Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
3     20   2197       7.28       Improper Input Validation
4     200  2217       5.97       Information Exposure
5     125  1406       7.27       Out-of-bounds Read
6     89   936        9.13       Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7     416  774        8.38       Use After Free
8     190  845        7.70       Integer Overflow or Wraparound
9     352  652        8.35       Cross-Site Request Forgery (CSRF)
10    22   741        7.27       Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
11    78   481        8.71       Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
12    787  489        8.19       Out-of-bounds Write
13    287  459        8.24       Improper Authentication
14    476  561        6.84       NULL Pointer Dereference
15    732  328        7.38       Incorrect Permission Assignment for Critical Resource
16    74   273        7.95       Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
17    434  234        8.59       Unrestricted Upload of File with Dangerous Type
18    611  254        7.96       Improper Restriction of XML External Entity Reference
19    94   219        8.71       Improper Control of Generation of Code ('Code Injection')
20    798  210        8.76       Use of Hard-coded Credentials
21    772  298        6.70       Missing Release of Resource after Effective Lifetime
22    400  269        6.96       Uncontrolled Resource Consumption
23    426  215        7.82       Untrusted Search Path
24    502  168        8.92       Deserialization of Untrusted Data
25    269  213        7.34       Improper Privilege Management

"On-the-Cusp"

Rank  CWE  NVD Count  Avg. CVSS  Name
26    295  241        6.62       Improper Certificate Validation
27    835  217        6.61       Loop with Unreachable Exit Condition ('Infinite Loop')
28    522  147        8.46       Insufficiently Protected Credentials
29    704  141        8.48       Incorrect Type Conversion or Cast
30    362  178        6.75       Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
31    918  123        7.93       Server-Side Request Forgery (SSRF)
32    285  137        7.08       Improper Authorization
33    601  150        6.13       URL Redirection to Untrusted Site ('Open Redirect')
34    415  103        7.98       Double Free
35    306  65         8.55       Missing Authentication for Critical Function
36    532  81         7.16       Inclusion of Sensitive Information in Log Files
37    384  76         7.08       Session Fixation
38    617  76         6.73       Reachable Assertion
39    326  69         7.20       Inadequate Encryption Strength
40    427  62         7.62       Uncontrolled Search Path Element


-- 

Alec J. Summers

Cyber Solutions Division

Cyber Security Engineer, Lead

(781) 271-6970

MITRE - Solving Problems for a Safer World

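The following is an added, runnable illustration of the ranking approach the post describes (frequency from NVD combined with average CVSS); it is not part of the post and not MITRE's own tooling. It embeds the draft Top 25 rows transcribed from the table above and assumes the min-max normalised product formula that was published with the final 2019 list, which this post does not spell out. The parent/child links for CWE-125 and CWE-787 under CWE-119 come from the CWE hierarchy, not from the post, which only says that CWE-119 appears "along with some of its children".

```python
"""Re-rank the draft CWE Top 25 table from the post under the approach the
post describes: NVD frequency combined with average CVSS.

Assumption: the combining formula (min-max normalise each factor, multiply,
scale to 100) is the one published with the final 2019 Top 25; the post only
says that both factors feed the rank order."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Row:
    rank: int
    cwe: int
    count: int    # NVD Count
    cvss: float   # Avg. CVSS
    name: str


# Transcribed from the post's "CWE Top 25" draft table.
TOP25 = [
    Row(1, 119, 3466, 8.04, "Improper Restriction of Operations within the Bounds of a Memory Buffer"),
    Row(2, 79, 3197, 5.77, "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"),
    Row(3, 20, 2197, 7.28, "Improper Input Validation"),
    Row(4, 200, 2217, 5.97, "Information Exposure"),
    Row(5, 125, 1406, 7.27, "Out-of-bounds Read"),
    Row(6, 89, 936, 9.13, "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"),
    Row(7, 416, 774, 8.38, "Use After Free"),
    Row(8, 190, 845, 7.70, "Integer Overflow or Wraparound"),
    Row(9, 352, 652, 8.35, "Cross-Site Request Forgery (CSRF)"),
    Row(10, 22, 741, 7.27, "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"),
    Row(11, 78, 481, 8.71, "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"),
    Row(12, 787, 489, 8.19, "Out-of-bounds Write"),
    Row(13, 287, 459, 8.24, "Improper Authentication"),
    Row(14, 476, 561, 6.84, "NULL Pointer Dereference"),
    Row(15, 732, 328, 7.38, "Incorrect Permission Assignment for Critical Resource"),
    Row(16, 74, 273, 7.95, "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"),
    Row(17, 434, 234, 8.59, "Unrestricted Upload of File with Dangerous Type"),
    Row(18, 611, 254, 7.96, "Improper Restriction of XML External Entity Reference"),
    Row(19, 94, 219, 8.71, "Improper Control of Generation of Code ('Code Injection')"),
    Row(20, 798, 210, 8.76, "Use of Hard-coded Credentials"),
    Row(21, 772, 298, 6.70, "Missing Release of Resource after Effective Lifetime"),
    Row(22, 400, 269, 6.96, "Uncontrolled Resource Consumption"),
    Row(23, 426, 215, 7.82, "Untrusted Search Path"),
    Row(24, 502, 168, 8.92, "Deserialization of Untrusted Data"),
    Row(25, 269, 213, 7.34, "Improper Privilege Management"),
]

# Child -> parent links from the CWE hierarchy (an assumption here; the post
# says CWE-119 appears "along with some of its children" without naming them).
CHILD_OF = {125: 119, 787: 119}


def normalize(value, lo, hi):
    """Min-max scale value into [0, 1]; a degenerate range maps to 0."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score(row, count_range, cvss_range):
    """Frequency factor times severity factor, scaled to 0..100."""
    fr = normalize(row.count, *count_range)
    sv = normalize(row.cvss, *cvss_range)
    return fr * sv * 100.0


def rerank(rows, count_range=None, cvss_range=None):
    """Order rows by combined score, highest first.

    The published method normalises over every CWE in the NVD data set, so
    pass those data-set-wide ranges to reproduce it. Without them the ranges
    come from the rows given, which forces the least frequent and the least
    severe entries of the subset to a score of exactly 0."""
    if count_range is None:
        count_range = (min(r.count for r in rows), max(r.count for r in rows))
    if cvss_range is None:
        cvss_range = (min(r.cvss for r in rows), max(r.cvss for r in rows))
    return sorted(rows, key=lambda r: score(r, count_range, cvss_range), reverse=True)


def top_by(rows, attr):
    """Row with the largest value of one factor ('count' or 'cvss')."""
    return max(rows, key=lambda r: getattr(r, attr))


def parents_with_children(rows):
    """Child CWEs that sit in the list next to their parent, the overlap the
    post flags as a cue that CVE -> CWE mappings need more specificity."""
    present = {r.cwe for r in rows}
    return sorted(c for c, p in CHILD_OF.items() if c in present and p in present)


if __name__ == "__main__":
    print("most frequent:", top_by(TOP25, "count").cwe)
    print("most severe:  ", top_by(TOP25, "cvss").cwe)
    # Assumed data-set-wide ranges: counts 0..top entry, CVSS 0..10.
    ranges = ((0, 3466), (0.0, 10.0))
    for r in rerank(TOP25, *ranges)[:5]:
        print(f"CWE-{r.cwe:<4} score={score(r, *ranges):6.2f}  {r.name}")
    print("children listed next to their parent:", parents_with_children(TOP25))
```

Running `rerank(TOP25)` with no explicit ranges shows why the published subset alone cannot reproduce the draft ranks: CWE-79 (lowest average CVSS in the table) and CWE-502 (lowest count in the table) both collapse to a score of 0, because the normalisation has to span every CWE in the NVD data, including the many low-count, low-severity ones that never make the list.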