CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (3.4.1)  
ID

CWE VIEW: Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors

View ID: 1200
Type: Graph
Status: Stable
Downloads: Booklet | CSV | XML
+ Objective
CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
+ Audience
StakeholderDescription
Software DevelopersBy following the Top 25, developers will be able to significantly reduce the number of weaknesses that occur in their software.
Software CustomersIf a software developer claims to be following the Top 25, then customers can use the weaknesses in this view in order to formulate independent evidence of that claim.
EducatorsEducators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could focus on the Top 25.
+ Relationships
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and classes exist to group weaknesses. A category is a CWE entry that contains a set of other entries that share a common characteristic. Classes are weaknesses that are described in a very abstract fashion, typically independent of any specific language or technology and are more general than a base weakness. Within classes, base level weaknesses are used to present a more specific type of weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. A composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
Show Details:
1200 - Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.Improper Restriction of Operations within the Bounds of a Memory Buffer - (119)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Memory Corruption
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.XSSHTML InjectionCSS
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.Improper Input Validation - (20)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 20 (Improper Input Validation)
The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.Information Exposure - (200)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 200 (Information Exposure)
An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.Information LeakInformation Disclosure
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Out-of-bounds Read - (125)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 125 (Out-of-bounds Read)
The software reads data past the end, or before the beginning, of the intended buffer.
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
*VariantVariant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.Use After Free - (416)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 416 (Use After Free)
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.Dangling pointerUse-After-Free
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Integer Overflow or Wraparound - (190)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 190 (Integer Overflow or Wraparound)
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
*CompositeComposite - a Compound Element that consists of two or more distinct weaknesses, in which all weaknesses must be present at the same time in order for a potential vulnerability to arise. Removing any of the weaknesses eliminates or sharply reduces the risk. One weakness, X, can be "broken down" into component weaknesses Y and Z. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability.Cross-Site Request Forgery (CSRF) - (352)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 352 (Cross-Site Request Forgery (CSRF))
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Session RidingCross Site Reference ForgeryXSRF
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Directory traversalPath traversal
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Shell injectionShell metacharacters
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Out-of-bounds Write - (787)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 787 (Out-of-bounds Write)
The software writes data past the end, or before the beginning, of the intended buffer.
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.Improper Authentication - (287)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 287 (Improper Authentication)
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.authentificationAuthC
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.NULL Pointer Dereference - (476)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 476 (NULL Pointer Dereference)
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.Incorrect Permission Assignment for Critical Resource - (732)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 732 (Incorrect Permission Assignment for Critical Resource)
The software specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Unrestricted Upload of File with Dangerous Type - (434)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 434 (Unrestricted Upload of File with Dangerous Type)
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.Unrestricted File Upload
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Improper Restriction of XML External Entity Reference - (611)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 611 (Improper Restriction of XML External Entity Reference)
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.XXE
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Improper Control of Generation of Code ('Code Injection') - (94)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 94 (Improper Control of Generation of Code ('Code Injection'))
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Use of Hard-coded Credentials - (798)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 798 (Use of Hard-coded Credentials)
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.Uncontrolled Resource Consumption - (400)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 400 (Uncontrolled Resource Consumption)
The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Resource Exhaustion
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Missing Release of Resource after Effective Lifetime - (772)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 772 (Missing Release of Resource after Effective Lifetime)
The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Untrusted Search Path - (426)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 426 (Untrusted Search Path)
The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.Untrusted Path
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Deserialization of Untrusted Data - (502)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 502 (Deserialization of Untrusted Data)
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Marshaling, UnmarshalingPickling, Unpickling
*ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.Improper Privilege Management - (269)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 269 (Improper Privilege Management)
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
*BaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.Improper Certificate Validation - (295)
1200 (Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors) > 295 (Improper Certificate Validation)
The software does not validate, or incorrectly validates, a certificate.
+ References
[REF-1028] "2019 CWE Top 25 Most Dangerous Software Errors". 2019-09-16. <http://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html>.
+ View Metrics
CWEs in this viewTotal CWEs
Weaknesses25out of 808
Categories0out of 295
Views0out of 38
Total25out of1141
+ Content History
Submissions
Submission DateSubmitterOrganization
2019-09-18CWE Content TeamMITRE
More information is available — Please select a different filter.
Page Last Updated: September 19, 2019