
2021 SANS/CWE Top 25 Most Dangerous Software Weaknesses

Review the 2021 SANS/CWE Top 25 list highlighting critical software vulnerabilities and their risk to systems.

Introduction

The 2021 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a list that showcases the most common and impactful issues observed in the past two years. These weaknesses are considered dangerous because they are easily exploitable and can lead to complete system takeover, data theft, or application failure. The CWE Top 25 serves as a valuable resource for developers, testers, users, project managers, security researchers, and educators to gain insights into the latest and most severe security weaknesses.

To compile the 2021 list, the CWE Team utilized data from the Common Vulnerabilities and Exposures (CVE®) database, available through the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). The Common Vulnerability Scoring System (CVSS) scores associated with each CVE record were also considered. A scoring formula was applied to assess the prevalence and severity of each weakness.

The CWE Top 25

Below is a brief listing of the weaknesses in the 2021 CWE Top 25, including the overall score of each.

Rank | ID | Name | Score | 2020 Rank Change
---- | -- | ---- | ----- | ----------------
1 | CWE-787 | Out-of-bounds Write | 65.93 | +1
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 46.84 | -1
3 | CWE-125 | Out-of-bounds Read | 24.90 | +1
4 | CWE-20 | Improper Input Validation | 20.47 | -1
5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 19.55 | +5
6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 19.54 | 0
7 | CWE-416 | Use After Free | 16.83 | +1
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.69 | +4
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 14.46 | 0
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 8.45 | +5
11 | CWE-306 | Missing Authentication for Critical Function | 7.93 | +13
12 | CWE-190 | Integer Overflow or Wraparound | 7.12 | -1
13 | CWE-502 | Deserialization of Untrusted Data | 6.71 | +8
14 | CWE-287 | Improper Authentication | 6.58 | 0
15 | CWE-476 | NULL Pointer Dereference | 6.54 | -2
16 | CWE-798 | Use of Hard-coded Credentials | 6.27 | +4
17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 5.84 | -12
18 | CWE-862 | Missing Authorization | 5.47 | +7
19 | CWE-276 | Incorrect Default Permissions | 5.09 | +22
20 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 4.74 | -13
21 | CWE-522 | Insufficiently Protected Credentials | 4.21 | -3
22 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 4.20 | -6
23 | CWE-611 | Improper Restriction of XML External Entity Reference | 4.02 | -4
24 | CWE-918 | Server-Side Request Forgery (SSRF) | 3.78 | +3
25 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 3.58 | +6

Analysis and Comment

The major difference between the 2020 and 2021 CWE Top 25 lists is the shift towards more specific weaknesses rather than abstract, class-level weaknesses. It is estimated that the percentage of base-level CWEs has increased from approximately 60% to 71% of all Top 25 entries, while the percentage of class-level CWEs has decreased from about 30% to 20% of entries. The levels of other weaknesses, such as category, compound, and variant, have remained relatively unchanged.

Although a few class-level weaknesses still appear on the list, they have decreased in rank due to prioritization in the remapping task. This trend is expected to continue as the community improves its mappings to more precise weaknesses. This transition towards more specific CWEs allows stakeholders to gain better insights into the actual issues that pose threats to today's systems.

Some of the specific CWEs that have moved up the list include CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-306 (Missing Authentication for Critical Function), CWE-502 (Deserialization of Untrusted Data), CWE-862 (Missing Authorization), and CWE-276 (Incorrect Default Permissions). The ascent of these weaknesses in the rankings will benefit users in understanding the vulnerabilities that their systems face.

Among the biggest movers up the list are CWE-276, CWE-306, CWE-502, CWE-862, and CWE-77. These weaknesses represent challenging areas to analyze in a system. It is theorized that the improvement in education, tooling, and analysis capabilities related to these implementation-specific weaknesses has led to a reduction in their occurrence and subsequently raised the ranking of these more difficult weaknesses.

On the other hand, some weaknesses have moved down the list, including CWE-200, CWE-119, CWE-94, CWE-269, and CWE-732. These weaknesses have experienced a decline in ranking, potentially indicating a decrease in their occurrence due to improved security practices and awareness.

There are also new entries in the Top 25 list, such as CWE-276, CWE-918, and CWE-77, which have gained recognition for their significance in the realm of system vulnerabilities.

Conversely, some weaknesses have fallen off the Top 25 list, including CWE-400, CWE-94, and CWE-269. These weaknesses no longer rank among the Top 25, suggesting a decrease in their prevalence.

For a more detailed understanding of the shifts in the rankings, refer to the "Remapping Task" section, which provides insights into how the prioritization of remapping activities may have influenced the rankings.

Methodology

The 2021 CWE Top 25 was developed using vulnerability data obtained from the National Vulnerability Database (NVD). The NVD collects vulnerability data from CVE and adds additional analysis and information, including mapping to weaknesses and a CVSS score. The goal of using NVD data is to provide an objective and data-driven approach to identifying vulnerabilities, rather than relying on subjective surveys and opinions.

The 2021 CWE Top 25 is based on NVD data from the years 2019 and 2020, downloaded on March 18, 2021. This data consists of approximately 32,500 CVEs associated with weaknesses.

A scoring formula is used to calculate the ranked order of weaknesses in the CWE Top 25. This formula combines the frequency of a weakness being the root cause of a vulnerability with the projected severity of its exploitation. The frequency and severity are normalized relative to the minimum and maximum values observed.

To determine the frequency of a weakness, the number of times a CWE is mapped to a CVE in the NVD is calculated. Only CVEs with associated weaknesses are included in this calculation, to avoid low frequency rates and minimize differences among weakness types.

The severity of a weakness is determined by the average CVSS score of all CVEs mapped to that weakness. The CVSS score represents the potential severity of a vulnerability. The severity score is normalized relative to the minimum and maximum CVSS scores observed.

The danger level of a weakness is calculated by multiplying the severity score by the frequency score.

There are a few key points to note about the methodology:

  • Weaknesses that are rarely discovered or have a low impact will receive lower scores.
  • Weaknesses that are common and can cause significant harm will receive higher scores.

The scoring formula is:

Freq = {count(CWE_X' ∈ NVD) for each CWE_X' in NVD}
Fr(CWE_X) = (count(CWE_X ∈ NVD) - min(Freq)) / (max(Freq) - min(Freq))
Sv(CWE_X) = (average_CVSS_for_CWE_X - min(CVSS)) / (max(CVSS) - min(CVSS))
Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100
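The scoring formula applied to a small constructed set of NVD-style records (an added example, not the CWE Team's tooling): only CVEs with a mapped weakness are counted, frequency and average CVSS are normalised against the observed minimum and maximum, and entries are ranked by Fr * Sv * 100. The CVE ids and scores are made up, and the choice to take min/max CVSS over the mapped CVEs is an assumption; the result also shows the frequency weighting discussed under "Metric Bias" below, since a weakness seen only once scores 0 even with the highest average CVSS.

```python
from collections import defaultdict

# Constructed NVD-style records: (CVE id, mapped CWE or None, CVSS base score).
# The ids and scores are made up for illustration and are not real NVD data.
SAMPLE_NVD = [
    ("CVE-0000-0001", "CWE-79", 6.1),
    ("CVE-0000-0002", "CWE-79", 5.4),
    ("CVE-0000-0003", "CWE-79", 6.1),
    ("CVE-0000-0004", "CWE-79", 4.8),
    ("CVE-0000-0005", "CWE-79", 5.6),
    ("CVE-0000-0006", "CWE-787", 9.8),
    ("CVE-0000-0007", "CWE-787", 7.8),
    ("CVE-0000-0008", "CWE-787", 8.8),
    ("CVE-0000-0009", "CWE-502", 9.8),
    ("CVE-0000-0010", "CWE-502", 9.8),
    ("CVE-0000-0011", "CWE-798", 9.8),
    ("CVE-0000-0012", None, 7.5),  # no weakness mapped: excluded from the calculation
]


def mapped(records):
    """Keep only CVEs that have an associated weakness, as the methodology requires."""
    return [r for r in records if r[1] is not None]


def normalise(value, lo, hi):
    """Scale value into [0, 1] relative to the observed minimum and maximum."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(records):
    """Return {CWE: (Fr, Sv, Score)} following Score = Fr * Sv * 100.

    Freq is the per-CWE count of mapped CVEs; Sv uses the average CVSS of the
    CVEs mapped to that CWE. min/max CVSS are taken over the mapped CVEs
    (an assumption: the page's formula does not say which CVE set is used).
    """
    recs = mapped(records)
    freq, cvss_sum = defaultdict(int), defaultdict(float)
    for _, cwe, cvss in recs:
        freq[cwe] += 1
        cvss_sum[cwe] += cvss
    fmin, fmax = min(freq.values()), max(freq.values())
    all_cvss = [c for _, _, c in recs]
    cmin, cmax = min(all_cvss), max(all_cvss)
    result = {}
    for cwe, n in freq.items():
        fr = normalise(n, fmin, fmax)
        sv = normalise(cvss_sum[cwe] / n, cmin, cmax)
        result[cwe] = (round(fr, 4), round(sv, 4), round(fr * sv * 100, 2))
    return result


def rank(records):
    """Ranked list of (CWE, Score), highest score first."""
    scored = score_cwes(records)
    return sorted(((c, s[2]) for c, s in scored.items()), key=lambda x: -x[1])


if __name__ == "__main__":
    for cwe, (fr, sv, score) in sorted(score_cwes(SAMPLE_NVD).items(),
                                       key=lambda kv: -kv[1][2]):
        print(f"{cwe:8} Fr={fr:.2f} Sv={sv:.2f} Score={score:6.2f}")
```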

Overall, the 2021 CWE Top 25 methodology aims to provide a comprehensive and objective ranking of vulnerabilities based on real-world data.

The CWE Top 25 with Scoring Metrics

The 2021 CWE Top 25 is a list of the most common and impactful software weaknesses. The table below provides information on the ranking of each weakness, the number of entries related to each weakness in the NVD data set, and the average Common Vulnerability Scoring System (CVSS) score for each weakness.

Rank | CWE | NVD Count | Avg CVSS | Overall Score
---- | --- | --------- | -------- | -------------
1 | CWE-787 | 3033 | 8.22 | 65.93
2 | CWE-79 | 3564 | 5.80 | 46.84
3 | CWE-125 | 1448 | 6.94 | 24.90
4 | CWE-20 | 1120 | 7.25 | 20.47
5 | CWE-78 | 833 | 8.71 | 19.55
6 | CWE-89 | 830 | 8.73 | 19.54
7 | CWE-416 | 807 | 7.98 | 16.83
8 | CWE-22 | 783 | 7.39 | 14.69
9 | CWE-352 | 741 | 7.60 | 14.46
10 | CWE-434 | 381 | 8.36 | 8.45
11 | CWE-306 | 381 | 7.98 | 7.93
12 | CWE-190 | 368 | 7.56 | 7.12
13 | CWE-502 | 280 | 8.87 | 6.71
14 | CWE-287 | 324 | 7.84 | 6.58
15 | CWE-476 | 404 | 6.67 | 6.54
16 | CWE-798 | 275 | 8.54 | 6.27
17 | CWE-119 | 278 | 8.04 | 5.84
18 | CWE-862 | 361 | 6.38 | 5.47
19 | CWE-276 | 298 | 6.92 | 5.09
20 | CWE-200 | 330 | 6.16 | 4.74
21 | CWE-522 | 232 | 7.23 | 4.21
22 | CWE-732 | 249 | 6.87 | 4.20
23 | CWE-611 | 206 | 7.62 | 4.02
24 | CWE-918 | 207 | 7.26 | 3.78
25 | CWE-77 | 164 | 8.28 | 3.58

This ranking is based on the number of entries for each weakness in the NVD data set and the average CVSS score for each weakness. The higher the number of entries and the higher the average CVSS score, the higher the overall score for the weakness. Developers should pay attention to these weaknesses and prioritize them in their software development and security efforts.

Weaknesses On the Cusp

Continuing on the theme from last year, the CWE team believes it is important to share these fifteen additional weaknesses that scored just outside of the final Top 25. According to the scoring formula, these weaknesses were potentially not severe enough or prevalent enough to be included in the 2021 CWE Top 25.

Individuals that perform mitigation and risk decision-making using the 2021 CWE Top 25 may want to consider including these additional weaknesses in their analyses.

Rank | CWE | Name | NVD Count | Avg CVSS | Overall Score | 2020 Rank Change
---- | --- | ---- | --------- | -------- | ------------- | ----------------
26 | CWE-295 | Improper Certificate Validation | 201 | 6.99 | 3.47 | +2
27 | CWE-400 | Uncontrolled Resource Consumption | 200 | 6.99 | 3.46 | -4
28 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 138 | 8.63 | 3.18 | -11
29 | CWE-269 | Improper Privilege Management | 172 | 7.30 | 3.16 | -7
30 | CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | 128 | 9.05 | 3.14 | +17
31 | CWE-59 | Improper Link Resolution Before File Access ('Link Following') | 177 | 7.11 | 3.13 | +9
32 | CWE-401 | Missing Release of Memory after Effective Lifetime | 205 | 6.42 | 3.13 | 0
33 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 202 | 6.47 | 3.12 | +1
34 | CWE-427 | Uncontrolled Search Path Element | 158 | 7.66 | 3.10 | +24
35 | CWE-319 | Cleartext Transmission of Sensitive Information | 177 | 6.99 | 3.06 | +7
36 | CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | 124 | 8.51 | 2.80 | +9
37 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | 184 | 6.12 | 2.62 | -2
38 | CWE-863 | Incorrect Authorization | 155 | 6.80 | 2.57 | -9
39 | CWE-532 | Insertion of Sensitive Information into Log File | 171 | 6.26 | 2.51 | -6
40 | CWE-770 | Allocation of Resources Without Limits or Throttling | 136 | 6.99 | 2.34 | -1

For more information and details, please refer to the CWE-ID links provided.

Limitations of the Methodology

There are several limitations to the data-driven approach used in creating the CWE Top 25.

Data Bias

First, the approach only uses data that was publicly reported and captured in the NVD, and numerous vulnerabilities exist that do not have CVE IDs. Vulnerabilities that are not included in the NVD are therefore excluded from this approach. Weaknesses that lead to these types of vulnerabilities may be under-represented in the 2021 CWE Top 25.

Second, even for vulnerabilities that receive a CVE, often there is not enough information to accurately identify the appropriate CWE being exploited. Many CVE entries only describe the impact of the vulnerability without providing details of the vulnerability itself. In other cases, the CVE description covers how the vulnerability is attacked, but this does not always indicate the associated weakness. This lack of detailed information can make it difficult to determine the underlying weakness.

Third, there is inherent bias in the CVE/NVD dataset due to the set of vendors that report vulnerabilities and the languages used by those vendors. Certain weaknesses may be more likely to appear if a vendor primarily uses a specific programming language. Additionally, vulnerability researchers and detection tools may be more proficient at finding certain weaknesses than others, leading to under-representation of those weaknesses in the 2021 CWE Top 25.

Finally, gaps or mischaracterizations in the CWE hierarchy itself can lead to incorrect mappings. The ongoing remapping work aims to address these content gaps and issues in subsequent CWE releases.

Metric Bias

An important bias to understand related to the metric is that it indirectly prioritizes implementation flaws over design flaws, due to their prevalence within individual software packages. An alternate metric could be devised that includes the percentage of products within NVD that have at least one CVE with a particular CWE.

Another limitation of the metric was raised by Galhardo, Bojanova, Mell, and Gueye in their ACSAC paper "Measurements of the Most Significant Software Security Weaknesses". They found that the published equation is dominated by frequency and almost ignores exploitability and impact when generating top lists. For example, CWE-79 is ranked #2 even though it has the lowest average CVSS score (5.80) of the entire Top 25 and the Cusp.

Over the next year, the Top 25 Team will actively investigate alternate metrics and a new metric might be selected to determine the 2022 CWE Top 25.

Remapping Task

To prepare the CVE/NVD data for analysis, the CWE Team reviewed the CWE mappings of selected CVE/NVD entries and, where appropriate, "remapped" the entries so that they referenced more appropriate CWE IDs.

This remapping work was performed on over nine thousand CVE entries in consideration for the 2021 Top 25 List. The remapped data has been shared with NIST so that they can update their CVE entries within NVD.

The primary activities were:

  • Download a "snapshot" of NVD data from 2019 and 2020. This repository was downloaded on March 18, 2021, and it was used throughout the analysis.
  • Perform automated keyword searches to find likely remaps to CWE entries that were incorrectly mapped. For example, some CVE entries were mapped to the higher-level CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). However, phrases related to out-of-bounds read were automatically discoverable within CVE descriptions. In those cases, mapping to the lower level CWE-125 (Out-of-bounds Read) is considered more appropriate.
  • Extend the keyword matcher to detect potential mappings for many more CWE entries, including some that had only been created in the past year or two. A related matcher was created to look for actual names of CWE entries within CVE descriptions, which was surprisingly successful.
  • Identify the four highest-ranking classes based on a snapshot calculation of the Top 25 using the original March 18 NVD data, then investigate them more closely. These "top 4" focused classes were CWE-20, CWE-200, CWE-119, and CWE-269.
  • Choose additional subject areas for emphasis. This year's emphasis included access control, cryptography, and randomness. Note that this is the first year in which cryptography-related CVEs were analyzed as a group; although this did not affect the Top 25, it was highly useful for understanding limitations of CWE for supporting mapping with respect to cryptography. Access control was also targeted because of the prevalence of class-level access-control issues in the Top 25 and the Cusp, as well as a suspicion that mappings would be inconsistent, which turned out to be true.
  • Perform deeper analysis in some areas suspected to have mapping inaccuracies, especially injection. This typically involved looking more closely at references than in past years. For example, based on analysis in 2020, mappings to CWE-74 and CWE-77 were already known to have a good chance of being mapped to the more-precise CWE-78 when analyzing references.
  • De-prioritize categories. There were few CVEs remaining that still mapped to categories, due to the elimination of categories in View 1003 in late 2019. CVEs mapped to categories were not analyzed as a group per se, but they were often included in other groups such as cryptography or keyword matches. It should be noted that some CNA sources still used categories in 2020 data.
  • Improve the manual mapping process with automated tooling and annotations. While some of these improvements were experimental, they are likely to be used in future Top 25 lists, such as automated syntax checks for remapping reports provided by analysts; the automated scraping of reference URLs for CWE IDs and keyword matches; and the shifting of CVE records between different "analysis batches" to deprioritize or reassign CVEs that presented more complex analysis challenges.
  • While the CWE team made every possible effort to minimize subjectivity in the remapping corrections, the lack of relevant, detailed information present in some CVE descriptions meant that a small portion of the dataset still required some subjective analytical conclusions.
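The keyword and name matchers described in the remapping steps above, as an added illustration (not the CWE Team's tooling): the keyword rules fire only on records still mapped to a class-level entry such as CWE-119 or CWE-77 whose description contains phrasing that points to a more precise child, and the name matcher looks for the literal CWE entry name in the description. The CVE ids, descriptions, and regular expressions are constructed for the example.

```python
import re

# Names of a few CWE entries as they appear in the tables on this page; the name
# matcher looks for these literally in CVE descriptions (a constructed subset).
CWE_NAMES = {
    "CWE-125": "Out-of-bounds Read",
    "CWE-787": "Out-of-bounds Write",
    "CWE-502": "Deserialization of Untrusted Data",
    "CWE-918": "Server-Side Request Forgery",
}

# Keyword rules: (class-level CWEs a CVE is currently mapped to, phrase pattern,
# more precise child CWE). The regexes are illustrative, not the CWE Team's.
KEYWORD_RULES = [
    ({"CWE-119"}, r"out[- ]of[- ]bounds? read|read (?:past|beyond) the end", "CWE-125"),
    ({"CWE-119"}, r"out[- ]of[- ]bounds? write|write (?:past|beyond) the end", "CWE-787"),
    ({"CWE-74", "CWE-77"}, r"\b(?:os|shell|system) commands?\b", "CWE-78"),
]


def suggest_remaps(description, current_cwes):
    """Return [(suggested CWE, evidence text, matcher)] for one CVE record.

    A keyword rule fires only when the record is still mapped to one of the
    rule's class-level parents; the name matcher fires on any record that is
    not already mapped to that CWE. Results are deduplicated per suggested CWE.
    """
    text = description.lower()
    current = set(current_cwes)
    found = []
    for parents, pattern, precise in KEYWORD_RULES:
        m = re.search(pattern, text)
        if m and parents & current and precise not in current:
            found.append((precise, m.group(0), "keyword"))
    for cwe, name in CWE_NAMES.items():
        if name.lower() in text and cwe not in current:
            found.append((cwe, name, "name"))
    seen, out = set(), []
    for s in found:
        if s[0] not in seen:
            seen.add(s[0])
            out.append(s)
    return out


def review_batch(records):
    """Map CVE id -> remap suggestions for a batch of (id, description, [CWEs])."""
    return {cve: suggest_remaps(desc, cwes) for cve, desc, cwes in records}


# Constructed CVE records (ids and text made up for illustration).
SAMPLE_CVES = [
    ("CVE-0000-1001",
     "A heap-based out-of-bounds read in the TIFF parser lets a crafted file crash the application.",
     ["CWE-119"]),
    ("CVE-0000-1002",
     "Improper neutralization in the admin panel allows execution of arbitrary OS commands via the hostname field.",
     ["CWE-77"]),
    ("CVE-0000-1003",
     "Deserialization of untrusted data in the session handler leads to remote code execution.",
     ["CWE-20"]),
    ("CVE-0000-1004", "Out-of-bounds read in the image decoder.", ["CWE-125"]),
]

if __name__ == "__main__":
    for cve, suggestions in review_batch(SAMPLE_CVES).items():
        print(cve, suggestions or "no change suggested")
```

Records that are already mapped to the precise child, like the last sample, produce no suggestion, which keeps the analyst's queue limited to likely remaps.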

In previous years, at the same time as the Top 25 release, the CWE-1003 view was also modified to ensure that it could still provide coverage for the most common CWE mappings. This created additional technical complexity for both NIST and the CWE Top 25 Team. This year, View 1003 will be updated in the CWE 4.6 release, possibly in October.

Limitations of the Remapping Task

After using this remapping methodology for the 2019, 2020, and 2021 Top 25 lists, some limitations have become apparent:

  • The number of CVEs with high-level CWE entries remains high, forcing manual remapping of a large number of CVEs, which is labor-intensive.
  • Remapping was performed over a short time frame before the publication of the list, which increased timing and staffing pressures during this period. Also, data exchange with NIST was changed to provide mapping data over the entire review period, instead of all at once at the end. Still, the short time frame made it difficult for NVD staff to receive, analyze, and process all the mapping changes.
  • Since data is from previous years, it prevents being able to give timely feedback to NIST staff so that they can adjust their training and mapping practices.
  • The lack of relevant details for many CVEs continues to introduce time-consuming analysis and variability in mapping results, combined with an increasing preference to analyze references more closely.
  • Even within the CWE Top 25 Team itself, different analysts can be inconsistent in which CWE mappings they choose for the same CVE, especially for vulnerabilities that do not have very clear phrasing about the weakness. It is not clear whether this is a limitation of CWE itself, variations in terminology within CVE descriptions, or the varying perspectives and levels of experience of the analysts who perform the mappings.
  • Once the remapping task is complete, the version of NVD that was originally used is typically a few months old - for this year, NVD from March 18, 2021, was used. This can cause apparent inconsistencies for those who want to replicate the metric since new CVE records continue to be added for earlier years.

In the future, the remapping task might be changed to eliminate or mitigate these limitations.

Emerging Opportunities for Improvement

Despite the current limitations of the remapping task, there have been recent developments that show potential for improving the NVD/CWE mapping data used in future Top 25 lists:

  • NIST's Collaborative Vulnerability Metadata Acceptance Process (CVMAP) program has gained momentum and has had positive interactions with CVE Numbering Authorities (CNAs). These interactions are likely to enhance the quality of CWE mapping data provided by CNAs. The CWE Program aims to have closer collaboration with CNAs to obtain more accurate data. (Reference: CVMAP)

  • Version 5.0 of the CVE JSON record format now includes direct support for incorporating CWE mappings in CVE records. This update is expected to improve the quality and precision of CWE mappings. (Reference: CVE JSON record format)

  • In March 2021, the CWE Program released the "CVE->CWE Mapping Guidance," which simplifies the process for CNAs and other parties to identify appropriate CWE mappings for their vulnerabilities. This guidance aims to facilitate the technical task of mapping CVEs to CWEs. (Reference: CVE->CWE Mapping Guidance)

These advancements, including the CVMAP program, the updated CVE JSON record format, and the mapping guidance, are promising opportunities for improving the NVD/CWE mapping data and enhancing the accuracy of future Top 25 lists.
