In its latest annual release, MITRE, the US not-for-profit research organization that maintains the Common Weakness Enumeration (CWE), has published its list of the 25 most dangerous software weaknesses for 2023. As organizations become more interconnected and more dependent on software, attackers have more to aim at, so a ranked, data-driven view of which bug classes actually produce exploitable vulnerabilities is a useful input to prioritizing defensive work.
The 2023 CWE Top 25 was calculated by MITRE's CWE team from public vulnerability data in the National Vulnerability Database (NVD) for the two preceding calendar years, with each CVE record mapped to the CWE entry that best describes its root cause. Each weakness is then scored on how often it appears and on the severity of the CVEs it produced. The result is a ranked assessment of the weaknesses attackers most commonly exploit to take control of systems, steal sensitive data, or disrupt critical applications.
Unsurprisingly, the top three weaknesses are unchanged from the previous year's list. Topping the list once again is out-of-bounds write (CWE-787), in which software writes data outside the bounds of the intended buffer, leading to crashes, memory corruption, or arbitrary code execution. Seventy of the CVEs mapped to CWE-787 in the analysis period appear in CISA's Known Exploited Vulnerabilities (KEV) catalog, more than for any other entry in the list, which is a strong indicator that these flaws are being exploited in the wild and should be patched first.
In second place is cross-site scripting (XSS, CWE-79), in which untrusted data is emitted into a web page without proper neutralization and is then executed as script by the victim's browser. In reflected XSS, the server echoes data from an HTTP request directly back in the HTTP response. In stored XSS, attacker-supplied data is saved (for example in a database) and later served to other users. In DOM-based XSS, client-side script itself writes attacker-controlled data into the page's DOM, so the payload never has to pass through the server and server-side output encoding alone does not prevent it.
Rounding out the top three is SQL injection (CWE-89), a long-standing weakness in which untrusted input is spliced into the text of an SQL query, so that the input is interpreted as part of the command rather than as data. The classic source is a form field or URL parameter passed to the database without parameterization, but any attacker-controlled value, including cookies and HTTP headers, can carry a payload.
Positions four and five went to use after free (CWE-416) and improper neutralization of special elements used in an OS command, better known as OS command injection (CWE-78). A use-after-free bug dereferences memory after it has been released; because the freed block may already have been reallocated for something else, the consequences range from crashes to attacker-controlled code execution. OS command injection lets an attacker append or alter commands that the application hands to a system shell, and since those commands run with the application's privileges it is a common route to privilege escalation. Together they underscore the need for careful management of memory lifetimes and for passing untrusted input to external programs as discrete arguments rather than as shell text.
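The reflected and stored cases described above, as an added example that is not part of the original article or of MITRE's material. It renders a small page from a constructed search term and two constructed comments, first by string concatenation and then with output encoding, and uses Python's own HTML tokenizer to show which elements a browser would actually see in each version. The page layout and the sample payloads are assumptions made for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample inputs (not real traffic): a reflected search term that breaks out of
# an attribute value, and a stored comment carrying an event-handler payload.
REFLECTED_TERM = '"><script>alert(1)</script>'
STORED_COMMENTS = ["Nice post!", "<img src=x onerror=alert(document.domain)>"]


def render_unsafe(search_term, comments):
    """Vulnerable: request data (reflected) and database data (stored) are concatenated
    straight into the HTML, so the browser parses whatever markup the attacker supplied."""
    page = f'<html><body><input name="q" value="{search_term}">\n'
    page += "".join(f"<li>{comment}</li>\n" for comment in comments)
    return page + "</body></html>"


def render_safe(search_term, comments):
    """Hardened: every untrusted value is entity-encoded before it is placed in the page.
    quote=True (the default, made explicit here) also encodes " and ', which is what
    stops the attribute-value breakout in the reflected case."""
    page = f'<html><body><input name="q" value="{escape(search_term, quote=True)}">\n'
    page += "".join(f"<li>{escape(comment, quote=True)}</li>\n" for comment in comments)
    return page + "</body></html>"


class _TagCollector(HTMLParser):
    """Records the start tags the tokenizer sees, standing in for the browser's parse."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_seen(page):
    """Return the element names an HTML parser finds in a rendered page."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unsafe:", tags_seen(render_unsafe(REFLECTED_TERM, STORED_COMMENTS)))
    print("safe:  ", tags_seen(render_safe(REFLECTED_TERM, STORED_COMMENTS)))
```

In the unencoded version the parser reports `script` and `img` elements that the developer never wrote; in the encoded version it reports only `html`, `body`, `input` and the two `li` elements, while the attacker's text is still visible on the page as plain characters. Encoding must match the context the data lands in (HTML body, attribute value, URL, JavaScript string); this example only covers the first two, and it does nothing for DOM-based XSS, which has to be fixed in the client-side code that writes to the DOM.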
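The cookie-borne injection mentioned above, as an added example that is not part of the original article. It builds a constructed in-memory SQLite table of session tokens (the kind of lookup a web application does on every request from a session cookie) and runs the same two crafted cookie values through a query assembled by string formatting and through a parameterized query. The table, the tokens and the payloads are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data (not a real application): session tokens that a web app would
# normally read from a cookie and look up on every request.
SAMPLE_SESSIONS = [("tok-alice-1", "alice"), ("tok-bob-2", "bob"), ("tok-admin-3", "admin")]


def build_db():
    """In-memory SQLite database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", SAMPLE_SESSIONS)
    return conn


def user_for_cookie_unsafe(conn, cookie_token):
    """Vulnerable: the cookie value is spliced into the SQL text, so quotes, OR and UNION
    inside the cookie become part of the statement the database executes."""
    sql = f"SELECT username FROM sessions WHERE token = '{cookie_token}'"
    return [row[0] for row in conn.execute(sql)]


def user_for_cookie_safe(conn, cookie_token):
    """Hardened: the value is bound as a parameter. The statement text is fixed and the
    database only ever compares the cookie as a string value."""
    sql = "SELECT username FROM sessions WHERE token = ?"
    return [row[0] for row in conn.execute(sql, (cookie_token,))]


# Two constructed cookie payloads: the first turns the WHERE clause into a tautology, the
# second uses UNION to read a column the query was never meant to return. The trailing
# "--" comments out the closing quote the application appends.
TAUTOLOGY_COOKIE = "' OR '1'='1"
UNION_COOKIE = "' UNION SELECT token FROM sessions--"


if __name__ == "__main__":
    db = build_db()
    for cookie in ("tok-alice-1", TAUTOLOGY_COOKIE, UNION_COOKIE):
        print(repr(cookie))
        print("  unsafe:", user_for_cookie_unsafe(db, cookie))
        print("  safe:  ", user_for_cookie_safe(db, cookie))
```

With a genuine token both functions return the one matching user. With the tautology cookie the formatted query returns every user, and with the UNION cookie it returns every session token in the table, while the parameterized query returns nothing for either, because the whole cookie string is compared against the token column and matches no row.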
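The OS command injection case described above, as an added example that is not part of the original article. A hostname supplied by a user is passed to an external tool three ways: interpolated into a shell command line, delivered as a separate argv element with no shell, and delivered as an argv element after allowlist validation. `echo` stands in for a real network utility such as ping so the example runs offline; the hostname pattern and the payload are assumptions made for the demonstration.

```python
import re
import subprocess

# Hostnames the application will accept: letters, digits, dots and hyphens, with no leading
# or trailing punctuation. An allowlist chosen for this example, not a full RFC 1123 check.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

# 'echo' stands in for a real network utility (ping, nslookup, traceroute); the injection
# mechanics are the same because the shell is what interprets the metacharacters.
TOOL = "echo"


def lookup_unsafe(host):
    """Vulnerable: the hostname is interpolated into a shell command line, so ; | && and
    $( ) in it run additional commands with the application's privileges."""
    result = subprocess.run(f"{TOOL} host={host}", shell=True, capture_output=True, text=True)
    return result.stdout


def lookup_argv(host):
    """Safer: no shell is involved. The whole value is delivered as one argv element, so
    metacharacters are just characters. The input is still not validated."""
    result = subprocess.run([TOOL, f"host={host}"], capture_output=True, text=True)
    return result.stdout


def lookup_safe(host):
    """Hardened: allowlist validation on top of the argv form (defence in depth; it also
    rejects values that are merely nonsense before any process is spawned)."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return lookup_argv(host)


# Constructed payload: a valid-looking hostname followed by a second shell command.
PAYLOAD = "example.com; echo INJECTED"


if __name__ == "__main__":
    print("unsafe:", repr(lookup_unsafe(PAYLOAD)))
    print("argv:  ", repr(lookup_argv(PAYLOAD)))
    try:
        lookup_safe(PAYLOAD)
    except ValueError as exc:
        print("safe:  ", exc)
```

The shell form produces two lines of output because `; echo INJECTED` was executed as a second command. The argv form produces one line containing the literal payload, which shows that avoiding the shell, not escaping, is the primary fix; the validated form refuses the value outright. Where a shell genuinely cannot be avoided, quote each untrusted argument with `shlex.quote` and still validate it first.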
Further down the list, missing authorization (CWE-862, up five places to 11th), improper privilege management (CWE-269, up seven to 22nd) and incorrect authorization (CWE-863, up four to 24th) all climbed; the latter two were outside last year's Top 25 altogether. Their rise is a reminder that access-control logic (who may perform which action on which object) is as much a source of exploitable bugs as input handling, and is harder for automated scanners to find.
Some weaknesses moved the other way. Deserialization of untrusted data (CWE-502, down three to 15th), use of hard-coded credentials (CWE-798, down three to 18th) and incorrect default permissions (CWE-276, down five to 25th) all fell. A drop in rank means the weakness accounted for fewer, or less severe, CVEs in the two-year sample; it does not mean the class has been solved, and CWE-502 still has 14 CVEs in the KEV catalog.
Improper restriction of XML external entity reference (CWE-611), which sat at 24th in the 2022 list, has dropped out of the Top 25 entirely. As with the other movers, this reflects its share of the CVE sample rather than its disappearance as a bug class, and XML parsers that resolve external entities by default remain worth checking.
MITRE's list is a useful resource because it is grounded in what was actually reported and exploited rather than in opinion. Organizations can use it to prioritize remediation, to decide which static-analysis rules and code-review checks are worth enforcing, and to allocate security effort to the weakness classes most likely to produce a real incident.
The full 2023 list, with MITRE's score for each entry, the number of its CVEs in CISA's KEV catalog, and the change in rank from 2022, is reproduced below.
Rank | ID | Name | Score | CVEs in CISA KEV | Rank Change vs 2022 |
---|---|---|---|---|---|
1 | CWE-787 | Out-of-bounds Write | 63.72 | 70 | 0 |
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.54 | 4 | 0 |
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 34.27 | 6 | 0 |
4 | CWE-416 | Use After Free | 16.71 | 44 | +3 |
5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 15.65 | 23 | +1 |
6 | CWE-20 | Improper Input Validation | 15.50 | 35 | -2 |
7 | CWE-125 | Out-of-bounds Read | 14.60 | 2 | -2 |
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.11 | 16 | 0 |
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.73 | 0 | 0 |
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.41 | 5 | 0 |
11 | CWE-862 | Missing Authorization | 6.90 | 0 | +5 |
12 | CWE-476 | NULL Pointer Dereference | 6.59 | 0 | -1 |
13 | CWE-287 | Improper Authentication | 6.39 | 10 | +1 |
14 | CWE-190 | Integer Overflow or Wraparound | 5.89 | 4 | -1 |
15 | CWE-502 | Deserialization of Untrusted Data | 5.56 | 14 | -3 |
16 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 4.95 | 4 | +1 |
17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.75 | 7 | +2 |
18 | CWE-798 | Use of Hard-coded Credentials | 4.57 | 2 | -3 |
19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.56 | 16 | +2 |
20 | CWE-306 | Missing Authentication for Critical Function | 3.78 | 8 | -2 |
21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 3.53 | 8 | +1 |
22 | CWE-269 | Improper Privilege Management | 3.31 | 5 | +7 |
23 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 3.30 | 6 | +2 |
24 | CWE-863 | Incorrect Authorization | 3.16 | 0 | +4 |
25 | CWE-276 | Incorrect Default Permissions | 3.16 | 0 | -5 |
Using this data
According to the team: “Trend analysis on vulnerability data like this enables organizations to make better investment and policy decisions in vulnerability management”.
“Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk.”
The list is a useful reference for enterprises hardening their CI/CD pipelines, for example when choosing which static-analysis rules and code-review checks to make mandatory. Scanning tools exist for most of these classes, yet the list is a reminder that the same errors still reach even the most widely used products.