Dear CWE Community,
We are elated to announce that the official version of the " <https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html> 2022 CWE Top 25 Most Dangerous Software Weaknesses," a demonstrative list of the most common and impactful software weaknesses that can lead to exploitable vulnerabilities in software, is now available on the CWE website - https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html. These weaknesses are dangerous because they are often easy to find and exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk, including software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations.

What's Changed

The major difference between the 2021 and 2022 CWE Top 25 lists is the addition of three new weakness types and several notable shifts in ranked positions for weakness types, including three weakness types that fell entirely off the list. The three new additions are <https://cwe.mitre.org/data/definitions/362.html> CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'); <https://cwe.mitre.org/data/definitions/94.html> CWE-94: Improper Control of Generation of Code ('Code Injection'); and <https://cwe.mitre.org/data/definitions/400.html> CWE-400: Uncontrolled Resource Consumption.
Weakness types moving higher on the list include <https://cwe.mitre.org/data/definitions/77.html> CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') and <https://cwe.mitre.org/data/definitions/476.html> CWE-476: NULL Pointer Dereference, while <https://cwe.mitre.org/data/definitions/306.html> CWE-306: Missing Authentication for Critical Function moved lower. The three weakness types that fell off the list are <https://cwe.mitre.org/data/definitions/200.html> CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; <https://cwe.mitre.org/data/definitions/522.html> CWE-522: Insufficiently Protected Credentials; and <https://cwe.mitre.org/data/definitions/732.html> CWE-732: Incorrect Permission Assignment for Critical Resource.

Leveraging Real-World Data

To create the 2022 list, the CWE Program leveraged <https://www.cve.org/> Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) <https://nvd.nist.gov/> National Vulnerability Database (NVD) and the <https://nvd.nist.gov/vuln-metrics/cvss> Common Vulnerability Scoring System (CVSS) scores associated with each CVE Record, including a focus on CVE Records from the Cybersecurity and Infrastructure Security Agency (CISA) <https://www.cisa.gov/known-exploited-vulnerabilities-catalog> Known Exploited Vulnerabilities (KEV) Catalog. A formula was then applied to the data to score each weakness based on prevalence and severity. The 2022 CWE Top 25 leverages NVD data from the years 2020 and 2021, which consists of 37,899 CVEs that are associated with a weakness. A scoring formula that combines the frequency with which a CWE is the root cause of a vulnerability with the average severity of those vulnerabilities' exploitation, as measured by CVSS, is used to calculate a ranked order of weaknesses. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen.
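As an added illustration (not part of this announcement or the CWE Program's own tooling), the routine below applies the described scoring approach to a constructed set of CVE-to-CWE records. It assumes the combination is the product of the two min-max normalised terms scaled to 100, as the published CWE Top 25 methodology page describes, and handles the case where there is no spread to normalise against.

```python
"""Added example: rank CWEs by (normalised frequency) x (normalised average CVSS).
The records are constructed for illustration; the CVE ids are placeholders, not
real entries. The product-times-100 combination is an assumption taken from the
published CWE Top 25 methodology, not stated in the announcement itself."""
from collections import defaultdict

# Constructed sample: (placeholder CVE id, root-cause CWE, CVSS base score)
SAMPLE_RECORDS = [
    ("CVE-XXXX-0001", "CWE-787", 9.8),
    ("CVE-XXXX-0002", "CWE-787", 8.8),
    ("CVE-XXXX-0003", "CWE-787", 7.5),
    ("CVE-XXXX-0004", "CWE-79", 6.1),
    ("CVE-XXXX-0005", "CWE-79", 5.4),
    ("CVE-XXXX-0006", "CWE-79", 6.1),
    ("CVE-XXXX-0007", "CWE-79", 4.8),
    ("CVE-XXXX-0008", "CWE-362", 7.0),
    ("CVE-XXXX-0009", "CWE-400", 7.5),
    ("CVE-XXXX-0010", "CWE-400", 5.3),
]


def normalise(value, lo, hi):
    """Min-max normalise relative to the values seen across all CWEs.
    If every CWE shares the same value there is no spread to rank on, so the
    term is treated as neutral (1.0) instead of dividing by zero."""
    return 1.0 if hi == lo else (value - lo) / (hi - lo)


def score_weaknesses(records):
    """Return {cwe: (frequency, avg_cvss, score)} ordered by descending score."""
    count = defaultdict(int)
    total = defaultdict(float)
    for _cve, cwe, cvss in records:          # frequency: how often the CWE is root cause
        count[cwe] += 1
        total[cwe] += cvss                   # severity: summed CVSS, averaged below
    avg = {c: total[c] / count[c] for c in count}
    min_f, max_f = min(count.values()), max(count.values())
    min_s, max_s = min(avg.values()), max(avg.values())
    scored = {}
    for c in count:
        fr = normalise(count[c], min_f, max_f)   # prevalence term
        sv = normalise(avg[c], min_s, max_s)     # severity term
        scored[c] = (count[c], round(avg[c], 2), round(fr * sv * 100, 2))
    return dict(sorted(scored.items(), key=lambda kv: kv[1][2], reverse=True))


def top_n(records, n=25):
    """The ranked CWE ids, truncated to the list length (25 for the Top 25)."""
    return list(score_weaknesses(records))[:n]
```

Note that a CWE which is the least frequent or the least severe in the data set scores 0 under this scheme, which is why a single high-severity weakness type does not reach the list on frequency alone.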
For more detailed information including methodology, rankings, scoring, and refined mappings, visit the <https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html> CWE Top 25 page.

Feedback Welcome

Please send any feedback or questions to the <https://cwe.mitre.org/community/registration.html> CWE Research email discussion list, <https://twitter.com/cwecapec> @cwecapec on Twitter, <https://www.linkedin.com/showcase/cve-cwe-capec> CWE page on LinkedIn, or <mailto:c...@mitre.org> contact us directly.

Thank you,
Rushi Purohit