Discover the 2023 CWE Top 25 Most Dangerous Software Weaknesses list, which ranks the weakness types behind the most frequent and severe recent vulnerabilities, and see how the ranking is derived.
Rank | ID | Name | Danger Score | CVEs in CISA KEV | Rank Change vs. 2022 |
---|---|---|---|---|---|
1 | CWE-787 | Out-of-bounds Write | 63.72 | 70 | 0 |
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.54 | 4 | 0 |
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 34.27 | 6 | 0 |
4 | CWE-416 | Use After Free | 16.71 | 44 | +3 |
5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 15.65 | 23 | +1 |
6 | CWE-20 | Improper Input Validation | 15.50 | 35 | -2 |
7 | CWE-125 | Out-of-bounds Read | 14.60 | 2 | -2 |
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.11 | 16 | 0 |
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.73 | 0 | 0 |
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.41 | 5 | 0 |
11 | CWE-862 | Missing Authorization | 6.90 | 0 | +5 |
12 | CWE-476 | NULL Pointer Dereference | 6.59 | 0 | -1 |
13 | CWE-287 | Improper Authentication | 6.39 | 10 | +1 |
14 | CWE-190 | Integer Overflow or Wraparound | 5.89 | 4 | -1 |
15 | CWE-502 | Deserialization of Untrusted Data | 5.56 | 14 | -3 |
16 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 4.95 | 4 | +1 |
17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.75 | 7 | +2 |
18 | CWE-798 | Use of Hard-coded Credentials | 4.57 | 2 | -3 |
19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.56 | 16 | +2 |
20 | CWE-306 | Missing Authentication for Critical Function | 3.78 | 8 | -2 |
21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 3.53 | 8 | +1 |
22 | CWE-269 | Improper Privilege Management | 3.31 | 5 | +7 |
23 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 3.30 | 6 | +2 |
24 | CWE-863 | Incorrect Authorization | 3.16 | 0 | +4 |
25 | CWE-276 | Incorrect Default Permissions | 3.16 | 0 | -5 |
There have been significant changes in the ranked positions of weakness types compared to the 2022 list. Some weaknesses have dropped off the list, while others have made their first appearance in the Top 25. The Rank Change column is measured against each weakness's position in the full 2022 ranking, so an entry can be new to the Top 25 while still showing a numeric change.
The weaknesses that have moved up the list, as the Rank Change column shows, are: CWE-416 Use After Free (#7 to #4), CWE-78 OS Command Injection (#6 to #5), CWE-862 Missing Authorization (#16 to #11), CWE-287 Improper Authentication (#14 to #13), CWE-77 Command Injection (#17 to #16), CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer (#19 to #17), CWE-918 Server-Side Request Forgery (#21 to #19), CWE-362 Race Condition (#22 to #21), CWE-269 Improper Privilege Management (#29 to #22), CWE-94 Code Injection (#25 to #23) and CWE-863 Incorrect Authorization (#28 to #24).
On the other hand, the weaknesses that have moved down the list are: CWE-20 Improper Input Validation (#4 to #6), CWE-125 Out-of-bounds Read (#5 to #7), CWE-476 NULL Pointer Dereference (#11 to #12), CWE-190 Integer Overflow or Wraparound (#13 to #14), CWE-502 Deserialization of Untrusted Data (#12 to #15), CWE-798 Use of Hard-coded Credentials (#15 to #18), CWE-306 Missing Authentication for Critical Function (#18 to #20) and CWE-276 Incorrect Default Permissions (#20 to #25).
There are two new entries in the Top 25: CWE-269 Improper Privilege Management (#29 in 2022, now #22) and CWE-863 Incorrect Authorization (#28 in 2022, now #24).
Two weaknesses have fallen off the Top 25:
The initial Top 25 dataset for the year 2023 was prepared by including all the CVE Records that were published in 2021 and 2022. However, before conducting the analysis, the dataset was trimmed to ensure a more accurate identification of true vulnerabilities. In order to map the root causes of these vulnerabilities, the National Vulnerability Database (NVD) utilizes a simplified collection of 130 weakness types known as "View-1003: Weaknesses for Simplified Mapping of Published Vulnerabilities". If a CVE Record cannot be mapped to any entry in View-1003, it is labeled as "CWE-Other" by the NVD.
In the process of compiling the 2023 CWE Top 25 dataset, certain records were excluded based on the following criteria:
a) If the description of the CVE Record was labeled as "REJECT", indicating that the vulnerability record was no longer valid.
b) If there was insufficient information available to accurately perform root cause mapping, as determined either by the Top 25 team or by the NVD. In such cases, the CVE Record was not included in the Top 25 team's remapping review.
c) If the NVD marked the CVE Record as "CWE-Other" and the Top 25 team's remapping review could not find an appropriate mapping within View-1003, or if the CVE Record was not selected for the team's remapping review.
These criteria were applied to ensure that the final 2023 CWE Top 25 dataset consisted of the most relevant and accurately mapped vulnerabilities.
This year's Top 25 effort focused on enhancing the quality and consistency of the list by documenting the analysis of the CWE root cause mapping. A root cause mapping associates a vulnerability description with the CWE identifier(s) that represent the root cause or source condition of that vulnerability. These mappings are provided either at the time of disclosure or later by a third party (for most CVE Records, by the NVD).
To ensure a more accurate and useful CWE Top 25 list, the team independently analyzed a subset of 7,466 CVE Records within the dataset. Records were selected based on automated keyword analysis of CVE descriptions that indicated inaccurate root cause mappings or mappings to more abstract high-level CWEs instead of precise root cause mappings. In cases where inconsistent criteria or errors were identified in the initial analysis, the team made necessary remappings. The entire CWE corpus was utilized for these remappings, which were then shared with NIST for confirmation and updating of the NVD data.
In some cases, a vulnerability is the result of a sequential series of weaknesses, forming a root cause mapping "chain" (for example, an integer overflow that leads to an out-of-bounds write). In this year's analysis, the team aimed to capture these chains without altering the scoring formula. Consequently, both the initial weakness (X) and the resulting weakness (Y) in the chain were counted in the analysis as separate mappings, as if each had been listed independently for that CVE Record.
After the collection, scoping, and remapping process, a scoring formula was used to rank weaknesses by their frequency and severity. The frequency is the number of times a Common Weakness Enumeration (CWE) entry is identified as the root cause of a vulnerability in the dataset, while the severity is the average Common Vulnerability Scoring System (CVSS) base score of the CVE Records mapped to that CWE. To allow a fair comparison, both frequency and severity are normalized against the minimum and maximum values found in the dataset. The resulting metrics, referred to as "count" and "average_CVSS", are incorporated into the following formulas.
Frequency
The scoring formula calculates the number of times a CWE is mapped to a CVE Record in the National Vulnerability Database (NVD).
Freq = {count(CWE_X' ∈ NVD) for each CWE_X' in NVD}
Fr(CWE_X) = (count(CWE_X ∈ NVD) - min(Freq)) / (max(Freq) - min(Freq))
Severity
The scoring formula calculates the average CVSS score of all CVE Records associated with a specific CWE. The following equation is used for this calculation.
Sv(CWE_X) = (average_CVSS(CWE_X) - min(CVSS)) / (max(CVSS) - min(CVSS))
Danger Score
The danger score of a particular CWE is the product of its normalized frequency and normalized severity, scaled to a 0-100 range. Because the two factors are multiplied, a CWE that sits at the dataset minimum on either axis (the rarest weakness, or the one with the lowest average CVSS) scores 0 regardless of the other factor; the top of the list is therefore dominated by weaknesses that are both common and severe.
Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100
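The exclusion criteria (a-c), the chain handling and the three formulas above, carried through end to end on a small constructed dataset. This is an added illustration, not MITRE's own Top 25 tooling: the CVE identifiers are placeholders (CVE-0000-000N), the CVSS values are made up, View-1003 is stood in for by a handful of entries, and criterion (b) is modelled as "no CWE mapped at all", which are all assumptions of the example.

```python
"""Worked example of CWE Top 25 dataset filtering and danger scoring.

Illustrative code, not MITRE's own tooling. Records below are constructed
sample data with placeholder IDs; the exclusion rules, chain handling and
formulas follow the description in the text.
"""
from collections import defaultdict

# Stand-in for View-1003 (the real view has ~130 entries); assumption.
VIEW_1003 = {"CWE-787", "CWE-79", "CWE-89", "CWE-190", "CWE-22", "CWE-416"}

# Constructed sample records (placeholder IDs, not real CVEs).
# "cwes" is the root-cause mapping; two entries model a chain X -> Y.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "description": "Heap buffer overflow in image parser", "cwes": ["CWE-787"], "cvss": 9.8},
    {"id": "CVE-0000-0002", "description": "Stored XSS in comment field", "cwes": ["CWE-79"], "cvss": 6.1},
    {"id": "CVE-0000-0003", "description": "** REJECT ** duplicate of CVE-0000-0002", "cwes": ["CWE-79"], "cvss": 6.1},
    {"id": "CVE-0000-0004", "description": "Unspecified vulnerability in admin console", "cwes": ["CWE-Other"], "cvss": 5.0},
    {"id": "CVE-0000-0005", "description": "Integer overflow in length field leads to heap write", "cwes": ["CWE-190", "CWE-787"], "cvss": 8.8},
    {"id": "CVE-0000-0006", "description": "SQL injection in login form", "cwes": ["CWE-89"], "cvss": 9.8},
    {"id": "CVE-0000-0007", "description": "Reflected XSS in search", "cwes": ["CWE-79"], "cvss": 6.1},
    {"id": "CVE-0000-0008", "description": "Memory corruption, details withheld", "cwes": [], "cvss": 7.5},
    {"id": "CVE-0000-0009", "description": "Out-of-bounds write in font renderer", "cwes": ["CWE-787"], "cvss": 7.8},
    {"id": "CVE-0000-0010", "description": "DOM XSS in widget", "cwes": ["CWE-79"], "cvss": 5.4},
    {"id": "CVE-0000-0011", "description": "SQL injection in reporting API", "cwes": ["CWE-89"], "cvss": 9.8},
    {"id": "CVE-0000-0012", "description": "Path traversal in file download", "cwes": ["CWE-22"], "cvss": 7.5},
]


def exclusion_reason(record):
    """Return why a record is dropped (criteria a-c) or None if it is kept.

    (a) REJECTed record; (b) insufficient information, modelled here as no
    CWE mapped at all (assumption); (c) mapping stays CWE-Other or outside
    View-1003 after the remapping review."""
    if "** REJECT **" in record["description"]:
        return "rejected"
    if not record["cwes"]:
        return "insufficient information"
    if any(c == "CWE-Other" or c not in VIEW_1003 for c in record["cwes"]):
        return "unmappable to View-1003"
    return None


def filter_records(records):
    return [r for r in records if exclusion_reason(r) is None]


def expand_chains(records):
    """Yield (cwe, cvss) pairs; every link of a chain counts as its own mapping."""
    for r in records:
        for cwe in r["cwes"]:
            yield cwe, r["cvss"]


def _normalize(value, lo, hi):
    # Min-max scaling as in Fr and Sv. If every CWE has the same count or
    # average the text's formula divides by zero; we return 0 (assumption).
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def danger_scores(records):
    """Compute count, average_CVSS, Fr, Sv and Score per CWE."""
    counts = defaultdict(int)
    cvss_sum = defaultdict(float)
    for cwe, cvss in expand_chains(filter_records(records)):
        counts[cwe] += 1
        cvss_sum[cwe] += cvss
    avg = {c: cvss_sum[c] / counts[c] for c in counts}
    fr_lo, fr_hi = min(counts.values()), max(counts.values())
    sv_lo, sv_hi = min(avg.values()), max(avg.values())
    result = {}
    for c in counts:
        fr = _normalize(counts[c], fr_lo, fr_hi)   # Fr(CWE_X)
        sv = _normalize(avg[c], sv_lo, sv_hi)      # Sv(CWE_X)
        result[c] = {"count": counts[c], "average_CVSS": avg[c],
                     "Fr": fr, "Sv": sv, "Score": fr * sv * 100}
    return result


def ranked(records):
    """CWEs ordered by danger score, highest first (ties broken by ID)."""
    return sorted(danger_scores(records).items(),
                  key=lambda kv: (-kv[1]["Score"], kv[0]))


if __name__ == "__main__":
    for cwe, m in ranked(SAMPLE_RECORDS):
        print(f"{cwe:8s} count={m['count']} avg={m['average_CVSS']:.2f} "
              f"Fr={m['Fr']:.2f} Sv={m['Sv']:.2f} Score={m['Score']:.2f}")
```

On this sample, three of the twelve records are dropped (the REJECTed duplicate, the CWE-Other record and the one with no mapping), the chain in CVE-0000-0005 adds one count to both CWE-190 and CWE-787, and the multiplicative formula shows its edge: CWE-79 is as frequent as CWE-787 but has the lowest average CVSS, so it scores 0, as do the two CWEs with the minimum count.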
Using this scoring approach, the following observations can be made: