
2020 SANS/CWE Top 25 Most Dangerous Software Weaknesses

A summary of the 2020 CWE Top 25 list, the NVD-based scoring methodology behind it, the weaknesses that fell just outside the list, and the known limitations of the approach.

Introduction

The 2020 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a list of the most common and impactful issues observed over the past two years. These weaknesses are considered dangerous because they are easily discoverable, exploitable, and can lead to complete system compromise, data theft, or application failure. The CWE Top 25 serves as a valuable resource for developers, testers, users, project managers, security researchers, and educators, offering insights into the most severe and current security weaknesses.

In compiling the 2020 list, the CWE Team relied on Common Vulnerabilities and Exposures (CVE®) entries in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), together with the Common Vulnerability Scoring System (CVSS) score that the NVD assigns to each CVE. A scoring formula combining how often each weakness appears with how severe the resulting vulnerabilities are was then applied to rank the weaknesses.

The CWE Top 25

Below is a brief listing of the weaknesses in the 2020 CWE Top 25, including the overall score of each.

| Rank | ID | Name | Score |
|---|---|---|---|
| 1 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 46.82 |
| 2 | CWE-787 | Out-of-bounds Write | 46.17 |
| 3 | CWE-20 | Improper Input Validation | 33.47 |
| 4 | CWE-125 | Out-of-bounds Read | 26.50 |
| 5 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 23.73 |
| 6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 20.69 |
| 7 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 19.16 |
| 8 | CWE-416 | Use After Free | 18.87 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 17.29 |
| 10 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 16.44 |
| 11 | CWE-190 | Integer Overflow or Wraparound | 15.81 |
| 12 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 13.67 |
| 13 | CWE-476 | NULL Pointer Dereference | 8.35 |
| 14 | CWE-287 | Improper Authentication | 8.17 |
| 15 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 7.38 |
| 16 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.95 |
| 17 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 6.53 |
| 18 | CWE-522 | Insufficiently Protected Credentials | 5.49 |
| 19 | CWE-611 | Improper Restriction of XML External Entity Reference | 5.33 |
| 20 | CWE-798 | Use of Hard-coded Credentials | 5.19 |
| 21 | CWE-502 | Deserialization of Untrusted Data | 4.93 |
| 22 | CWE-269 | Improper Privilege Management | 4.87 |
| 23 | CWE-400 | Uncontrolled Resource Consumption | 4.14 |
| 24 | CWE-306 | Missing Authentication for Critical Function | 3.85 |
| 25 | CWE-862 | Missing Authorization | 3.77 |

Analysis and Comment

The 2020 CWE Top 25 list shows a shift towards more specific weaknesses rather than abstract class-level weaknesses compared to the previous year. While class-level weaknesses still exist on the list, they have moved down in ranking as the community improves its mapping to more specific weaknesses. This transition benefits users trying to understand the actual threats to today's systems.

The biggest upward movement on the list is seen in weaknesses related to Authentication and Authorization. CWE-522 (Insufficiently Protected Credentials) moved from #27 to #18, CWE-306 (Missing Authentication for Critical Function) moved from #36 to #24, CWE-862 (Missing Authorization) moved from #34 to #25, and CWE-863 (Incorrect Authorization) moved from #33 to #29. These weaknesses represent challenging areas to analyze in a system.

Four weaknesses moved down the list: CWE-426 (Untrusted Search Path) from #22 to #26, CWE-295 (Improper Certificate Validation) from #25 to #28, CWE-835 (Loop with Unreachable Exit Condition) from #26 to #36, and CWE-704 (Incorrect Type Conversion or Cast) from #28 to #37. One likely explanation is that improvements in education, tooling, and analysis capabilities for these more specific weaknesses have reduced how often they occur, which lowers their ranking.

Another significant movement is the result of mapping to a more specific weakness. In 2019, CWE-772 (Missing Release of Resource after Effective Lifetime) was ranked #21, but this did not provide enough information about the type of resource not being released. In 2020, a more precise mapping was used, leading to the inclusion of CWE-401 (Missing Release of Memory after Effective Lifetime) at #32, while CWE-772 representing all non-memory resources dropped to #75. This change allows for a more accurate identification of the actual issue.

In addition, CWE-77 (Improper Neutralization of Special Elements used in a Command) has been added to the On the Cusp list at #31. The term "Command Injection" is often used inconsistently in vulnerability descriptions, which hinders accurate understanding of the root weakness. The CWE Team is actively researching this area to improve future releases of the CWE Top 25.

Methodology

The 2020 CWE Top 25 ranking is based on vulnerability data obtained from the NVD (National Vulnerability Database). The NVD collects data from CVE (Common Vulnerabilities and Exposures) and supplements it with additional analysis and information, such as mappings to weaknesses and CVSS scores. This data-driven approach provides an objective look at real-world vulnerabilities and allows for a repeatable process.

To create the 2020 CWE Top 25, the NVD data from 2018 and 2019 was used. This data consisted of approximately 27,000 CVEs that were associated with a weakness. A scoring formula was applied to calculate a ranked order of weaknesses based on their frequency and projected severity.

The frequency of a weakness is the number of CVEs in the data set that are mapped to it. Only CVEs with an associated weakness are counted, so that the frequency rates are meaningful. The raw counts are collected for every weakness in the data set and then normalized to the range 0 to 1 against the least and most frequent weaknesses:

Freq = {count(CWE_X' ∈ NVD) for each CWE_X' in NVD}

Fr(CWE_X) = (count(CWE_X ∈ NVD) - min(Freq)) / (max(Freq) - min(Freq))

The severity of a weakness is the average CVSS score of all CVEs that map to it, normalized in the same way against the lowest and highest per-weakness averages:

CVSS = {average_CVSS_for_CWE_X' for each CWE_X' in NVD}

Sv(CWE_X) = (average_CVSS_for_CWE_X - min(CVSS)) / (max(CVSS) - min(CVSS))

The danger level of a weakness (its overall score) is the product of the normalized frequency and normalized severity, scaled to 100:

Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100

Because the two factors are multiplied, a weakness that is rarely reported or has low impact cannot score highly on the strength of the other factor alone: the weakness with the highest average CVSS still scores 0 if it is also the least frequent, and the most frequent weakness scores 0 if its average CVSS is the lowest. Only weaknesses that are both common and capable of causing significant harm receive a high score, which is what keeps the CWE Top 25 focused on the most critical weaknesses.
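The scoring formula above, implemented over a small constructed data set. This is an added example, not code from MITRE or from the original page; the CWE IDs are real, but the CVE counts and CVSS scores are invented to keep the arithmetic easy to follow and are not the NVD figures behind the 2020 list. The treatment of a degenerate data set in which every weakness has the same count or the same average score (where the min-max denominator would be zero) is an assumption of this example; the published formula does not say what to do in that case.

```python
from statistics import mean

# Constructed sample data set: each CWE maps to the CVSS base scores of the CVEs that
# were mapped to it. Counts and scores are invented for illustration, not NVD data.
SAMPLE_NVD = {
    "CWE-79":  [5.0, 6.0, 5.0, 6.0, 5.0, 6.0],   # most frequent, low severity
    "CWE-787": [9.0, 8.0, 9.0, 8.0],             # frequent and severe
    "CWE-200": [5.0, 5.0, 5.0],                  # moderately frequent, least severe
    "CWE-89":  [9.0, 9.0],                       # rare but severe
    "CWE-798": [10.0],                           # least frequent, most severe
}


def normalize(value, lo, hi):
    """Min-max scaling to the range 0..1 (the Fr and Sv terms of the formula).
    Assumption of this example: if every weakness shares the same value (lo == hi)
    the term carries no ranking information and is treated as 0."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_weaknesses(nvd):
    """Apply the CWE Top 25 formula Score = Fr * Sv * 100, where Fr is the normalized
    CVE count and Sv the normalized average CVSS of each weakness. Returns one row
    per CWE, sorted and ranked by score."""
    freq = {cwe: len(cvss_list) for cwe, cvss_list in nvd.items()}
    avg = {cwe: mean(cvss_list) for cwe, cvss_list in nvd.items()}
    min_f, max_f = min(freq.values()), max(freq.values())
    min_s, max_s = min(avg.values()), max(avg.values())

    rows = []
    for cwe in nvd:
        fr = normalize(freq[cwe], min_f, max_f)
        sv = normalize(avg[cwe], min_s, max_s)
        rows.append({
            "cwe": cwe,
            "nvd_count": freq[cwe],
            "avg_cvss": round(avg[cwe], 2),
            "score": round(fr * sv * 100, 2),
        })

    # Rank by score; break ties on raw count so the ordering is deterministic.
    rows.sort(key=lambda r: (r["score"], r["nvd_count"]), reverse=True)
    for rank, row in enumerate(rows, start=1):
        row["rank"] = rank
    return rows


def top_n(nvd, n):
    """The CWE IDs of the n highest-scoring weaknesses, i.e. a 'Top n' list."""
    return [row["cwe"] for row in score_weaknesses(nvd)[:n]]


if __name__ == "__main__":
    for row in score_weaknesses(SAMPLE_NVD):
        print(f'[{row["rank"]}] {row["cwe"]:8} count={row["nvd_count"]:2} '
              f'avg_cvss={row["avg_cvss"]:5.2f} score={row["score"]:6.2f}')
```

With this data set CWE-787 ranks first (frequent and severe), while CWE-798 scores 0 despite the highest average CVSS because it is the least frequent, and CWE-200 scores 0 despite a respectable count because its average CVSS is the lowest. That is the multiplicative behaviour described above: neither factor can carry a weakness on its own.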

The CWE Top 25 with Scoring Metrics

The table below shows the 2020 CWE Top 25 weaknesses along with the scoring inputs from the NVD data set: the number of CVEs mapped to each weakness (NVD Count), the average CVSS score of those CVEs, and the resulting overall score.

| Rank | CWE | NVD Count | Avg CVSS | Overall Score |
|---|---|---|---|---|
| 1 | CWE-79 | 3788 | 5.80 | 46.82 |
| 2 | CWE-787 | 2225 | 8.31 | 46.17 |
| 3 | CWE-20 | 1910 | 7.35 | 33.47 |
| 4 | CWE-125 | 1578 | 7.13 | 26.50 |
| 5 | CWE-119 | 1189 | 8.08 | 23.73 |
| 6 | CWE-89 | 901 | 8.98 | 20.69 |
| 7 | CWE-200 | 1467 | 6.01 | 19.16 |
| 8 | CWE-416 | 918 | 8.26 | 18.87 |
| 9 | CWE-352 | 866 | 8.08 | 17.29 |
| 10 | CWE-78 | 767 | 8.52 | 16.44 |
| 11 | CWE-190 | 846 | 7.70 | 15.81 |
| 12 | CWE-22 | 792 | 7.27 | 13.67 |
| 13 | CWE-476 | 529 | 6.83 | 8.35 |
| 14 | CWE-287 | 412 | 8.05 | 8.17 |
| 15 | CWE-434 | 346 | 8.50 | 7.38 |
| 16 | CWE-732 | 426 | 6.99 | 6.95 |
| 17 | CWE-94 | 295 | 8.74 | 6.53 |
| 18 | CWE-522 | 283 | 7.92 | 5.49 |
| 19 | CWE-611 | 277 | 7.88 | 5.33 |
| 20 | CWE-798 | 234 | 8.76 | 5.19 |
| 21 | CWE-502 | 217 | 8.93 | 4.93 |
| 22 | CWE-269 | 278 | 7.36 | 4.87 |
| 23 | CWE-400 | 249 | 7.09 | 4.14 |
| 24 | CWE-306 | 193 | 8.10 | 3.85 |
| 25 | CWE-862 | 236 | 6.90 | 3.77 |

Note that the ranking follows the overall score, not either input on its own: CWE-200 has more mapped CVEs than CWE-89 but ranks below it because of its much lower average CVSS, and CWE-502 has one of the highest average scores in the table but ranks 21st because it was mapped to comparatively few CVEs.

Weaknesses On the Cusp

Continuing on the theme from last year, the CWE team believes it is important to share these fifteen additional weaknesses that scored just outside of the final Top 25. According to the scoring formula, these weaknesses were potentially not severe enough or not prevalent enough to be included in the 2020 CWE Top 25.

Individuals who perform mitigation and risk decision-making using the 2020 CWE Top 25 may want to consider including these additional weaknesses in their analyses:

| Rank | CWE | Name | NVD Count | Avg CVSS | Overall Score |
|---|---|---|---|---|---|
| 26 | CWE-426 | Untrusted Search Path | 175 | 7.68 | 3.25 |
| 27 | CWE-918 | Server-Side Request Forgery (SSRF) | 161 | 7.85 | 3.08 |
| 28 | CWE-295 | Improper Certificate Validation | 180 | 7.19 | 3.04 |
| 29 | CWE-863 | Incorrect Authorization | 189 | 6.82 | 2.97 |
| 30 | CWE-284 | Improper Access Control | 173 | 7.22 | 2.94 |
| 31 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 131 | 8.46 | 2.77 |
| 32 | CWE-401 | Missing Release of Memory after Effective Lifetime | 189 | 6.43 | 2.72 |
| 33 | CWE-532 | Insertion of Sensitive Information into Log File | 154 | 6.82 | 2.42 |
| 34 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 157 | 6.68 | 2.39 |
| 35 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | 176 | 6.12 | 2.35 |
| 36 | CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') | 150 | 6.72 | 2.30 |
| 37 | CWE-704 | Incorrect Type Conversion or Cast | 109 | 8.48 | 2.30 |
| 38 | CWE-415 | Double Free | 117 | 8.04 | 2.30 |
| 39 | CWE-770 | Allocation of Resources Without Limits or Throttling | 139 | 7.06 | 2.29 |
| 40 | CWE-59 | Improper Link Resolution Before File Access ('Link Following') | 122 | 7.07 | 2.01 |

Limitations of the Methodology

There are several limitations to the data-driven approach used in creating the CWE Top 25.

Data Bias

The approach only uses publicly reported data captured in the National Vulnerability Database (NVD). This means that vulnerabilities without Common Vulnerabilities and Exposures (CVE) IDs are excluded. For example, vulnerabilities found and fixed before public release, in online services, or in proprietary software are not covered. Consequently, weaknesses leading to such vulnerabilities may be underrepresented in the 2020 CWE Top 25.

Even for vulnerabilities that do have CVEs, the entry often lacks the information needed to identify the corresponding CWE accurately. Many CVE descriptions state only the impact ("allows remote attackers to execute arbitrary code") without describing the underlying flaw; others name the attack method but not the weakness that enables it; and generic phrases such as "malicious input" give no indication of the weakness at all. Useful detail is sometimes available in the referenced advisories and bug reports, but it is costly to analyze at scale. Inconsistent terminology between reporters and the CWE classification adds a further source of mapping error.

The CVE/NVD dataset also exhibits inherent bias based on the vendors reporting vulnerabilities and the programming languages they use. This bias influences the prevalence of certain weaknesses. For instance, if a major contributor primarily uses C as its programming language, the weaknesses commonly found in C programs will be overrepresented. Additionally, the proficiency of vulnerability researchers and detection tools can lead to a bias towards certain weakness types and underrepresentation of others within the CWE Top 25.

Furthermore, gaps or mischaracterizations in the CWE hierarchy itself can result in incorrect mappings. The ongoing remapping work is continuously improving the CWE hierarchy to address these content gaps and issues.

Metric Bias

The metric used in the CWE Top 25 indirectly prioritizes implementation flaws over design flaws, because implementation flaws occur many times within a single software package and each occurrence tends to receive its own CVE. A web application with a large attack surface may accumulate dozens of separate Cross-Site Scripting (XSS) CVEs, while its single design decision to use an insecure cryptographic algorithm produces at most one. Frequency, and therefore the score, rewards the former.


Remapping Task

To prepare the CVE/NVD data for analysis, the CWE Team reviewed and "re-mapped" selected CVE/NVD entries to more appropriate CWE IDs. This re-mapping process was done for over ten thousand CVE entries for the 2020 Top 25 List. The remapped data has been shared with NIST to update their CVE entries within the NVD.

The primary activities involved:

  • Remapping CVE entries that were previously mapped to CWE categories. The CWE Team advised against mapping to categories and recommended only mapping weaknesses. Categories should be used for organization and navigation purposes only.

  • Conducting automated keyword searches to identify and correct incorrectly mapped CVE entries. For example, if a CVE entry was mapped to the class-level CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) but its description indicated an out-of-bounds read, the entry was remapped to the more precise CWE-125 (Out-of-bounds Read).

  • Focusing on high-level CWE classes to find more precise mappings. This involved detailed investigation of open-source bug reports and security researcher advisories. Due to the large number of CVE entries mapped to certain class-level CWEs (such as CWE-119, CWE-20, CWE-200, CWE-74, and CWE-284), not all class-level entries could be covered. This will be a continued focus in future years.

  • Identifying CVE entries that indicated gaps within the CWE itself. These were CVE entries with sufficient technical details to understand the weakness but did not have an appropriate CWE to be mapped to.

  • Updating the CWE-1003 view to ensure coverage with the most common CWE mappings. The view maintained a simplified two-level structure, with a class as the parent and weaknesses as children. Four weaknesses (CWE-77, CWE-401, CWE-917, and CWE-1236) were added to the CWE-1003 view based on their frequent use in mapping.

It is important to note that while the CWE team made efforts to minimize subjectivity in the remapping corrections, the lack of relevant and detailed information in some CVE descriptions required some subjective analytical conclusions for a small portion of the dataset.
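The keyword-driven remapping step described above, as an added example that is not the CWE Team's tooling or code from the original page. It takes CVE records that are mapped to the class-level CWE-119 and proposes a more specific child weakness when the description names one, following the CWE-119 to CWE-125 case the text gives. The CVE identifiers and descriptions are constructed for the example and are not real NVD entries, and the keyword patterns and their target CWEs are assumptions of this example rather than MITRE's actual rules. The point a practitioner should take from it is the last case: when a description matches more than one child (for instance both an out-of-bounds read and an out-of-bounds write), the record is flagged for human review instead of being remapped automatically, which is the subjective-analysis caveat in the paragraph above.

```python
import re
from collections import Counter
from typing import NamedTuple


class CveRecord(NamedTuple):
    cve_id: str
    cwe: str          # current CWE mapping in the data set
    description: str


# Constructed sample records: the IDs and text are invented for illustration.
SAMPLE_CVES = [
    CveRecord("CVE-0000-0001", "CWE-119",
              "Out-of-bounds read in the TIFF parser lets a crafted file disclose heap memory."),
    CveRecord("CVE-0000-0002", "CWE-119",
              "Heap-based buffer overflow in the font engine allows code execution via a crafted font."),
    CveRecord("CVE-0000-0003", "CWE-119",
              "Use-after-free in the DOM layer when a node is detached during layout."),
    CveRecord("CVE-0000-0004", "CWE-119",
              "Memory corruption via malicious input allows a denial of service."),
    CveRecord("CVE-0000-0005", "CWE-119",
              "Out-of-bounds read and out-of-bounds write in the codec via a crafted stream."),
    CveRecord("CVE-0000-0006", "CWE-787",
              "Stack-based buffer overflow in the command parser."),
]

# Keyword heuristics (an assumption of this example, not MITRE's rules): when a record is
# mapped to the class-level CWE-119 and its description names a more specific memory
# weakness, propose that child CWE. Patterns are checked case-insensitively.
REFINEMENTS = {
    "CWE-119": [
        (re.compile(r"out[- ]of[- ]bounds read|buffer over-?read", re.I), "CWE-125"),
        (re.compile(r"out[- ]of[- ]bounds write|(?:stack|heap)[- ]based buffer overflow", re.I), "CWE-787"),
        (re.compile(r"use[- ]after[- ]free", re.I), "CWE-416"),
        (re.compile(r"double[- ]free", re.I), "CWE-415"),
    ],
}


def suggest_remap(record):
    """Return (status, cwe) for one record: 'remap' with the more specific CWE when exactly
    one heuristic matches, 'ambiguous' (keep the current CWE, queue for a human) when
    several distinct children match, and 'keep' when no heuristic applies."""
    candidates = {target for pattern, target in REFINEMENTS.get(record.cwe, [])
                  if pattern.search(record.description)}
    if len(candidates) == 1:
        return "remap", candidates.pop()
    if len(candidates) > 1:
        return "ambiguous", record.cwe
    return "keep", record.cwe


def remap_dataset(records):
    """Run suggest_remap over every record; returns (cve_id, old_cwe, status, new_cwe) rows."""
    return [(r.cve_id, r.cwe, *suggest_remap(r)) for r in records]


def remap_summary(rows):
    """Count rows by status so the size of the manual-review queue is visible."""
    return Counter(status for _, _, status, _ in rows)


if __name__ == "__main__":
    rows = remap_dataset(SAMPLE_CVES)
    for cve_id, old, status, new in rows:
        print(f"{cve_id}  {old:8} -> {new:8}  [{status}]")
    print(dict(remap_summary(rows)))
```

In practice the pattern table is the part that needs care: a term like "buffer overflow" on its own does not say whether the bug reads or writes out of bounds, which is why the patterns here only treat the stack-based and heap-based phrasings as writes and leave anything vaguer as "keep" for the class-level investigation described in the third bullet.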
