CWE or Common Weakness Enumeration table shows what are the typical (most frequent and critical) software vulnerabilities in software based on the US National Vulnerability Database (NVD).
As they stated:
“An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.”
Unfortunately, most of these are ages old and can be avoided using well known methods in software development. See our other blog post about it.
Here is the link to the tables:
CWE – 2023 CWE Top 25 Most Dangerous Software Weaknesses (mitre.org)
Every company should check these, including of course, software developers.
Here is the table:
2023 CWE Top 25
Rank | ID | Name | Score | CVEs in KEV | Rank Change vs. 2022 |
1 | CWE-787 | Out-of-bounds Write | 63.72 | 70 | 0 |
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.54 | 4 | 0 |
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 34.27 | 6 | 0 |
4 | CWE-416 | Use After Free | 16.71 | 44 | +3 |
5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 15.65 | 23 | +1 |
6 | CWE-20 | Improper Input Validation | 15.50 | 35 | -2 |
7 | CWE-125 | Out-of-bounds Read | 14.60 | 2 | -2 |
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.11 | 16 | 0 |
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.73 | 0 | 0 |
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.41 | 5 | 0 |
11 | CWE-862 | Missing Authorization | 6.90 | 0 | +5 |
12 | CWE-476 | NULL Pointer Dereference | 6.59 | 0 | -1 |
13 | CWE-287 | Improper Authentication | 6.39 | 10 | +1 |
14 | CWE-190 | Integer Overflow or Wraparound | 5.89 | 4 | -1 |
15 | CWE-502 | Deserialization of Untrusted Data | 5.56 | 14 | -3 |
16 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 4.95 | 4 | +1 |
17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.75 | 7 | +2 |
18 | CWE-798 | Use of Hard-coded Credentials | 4.57 | 2 | -3 |
19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.56 | 16 | +2 |
20 | CWE-306 | Missing Authentication for Critical Function | 3.78 | 8 | -2 |
21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 3.53 | 8 | +1 |
22 | CWE-269 | Improper Privilege Management | 3.31 | 5 | +7 |
23 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 3.30 | 6 | +2 |
0 Comments