News & Events - 2022 ArchiveRight-click and copy a URL to share an article. Send feedback about this page to cwe@mitre.org. CWE Version 4.9 Now Available October 13, 2022 | Share this article CWE Version 4.9* has been posted on the CWE List page. There is one new software entry, CWE-1389: Incorrect Parsing of Numbers with Different Radices, which includes a demonstrative example that recognizes CWE Team member Kelly Todd. There are five additional entries, applicable to software and hardware, related to weak authentication and default credentials. One obsolete view has been deprecated. 693 entries were modified, primarily with small changes to new schema values or CVE-related URLs, and other changes to simplify content production for the CWE REST API, which is still under development. Significant content changes for CWE 4.9 include:
A detailed report is available that lists specific changes between Version 4.8 and Version 4.9. * This CWE release is dedicated to the memory of our friend and colleague, Kelly Todd. He was a valuable, entertaining member of the team and his contributions will not be forgotten. Viewing Customized CWE Information The CWE Team, in collaboration with the CWE/CAPEC User Experience Working Group (UEWG), has updated how users can view Weaknesses to display only those weakness details that are most relevant to them, as noted below. This update replaces the often-overlooked dropdown menu with four new filter options that better reflect the needs of our audience. The four new presentation filters include:
See an example below: 
We plan to continue updating the visible fields in collaboration with the UEWG. Join today to provide your feedback, or contact us at cwe@mitre.org. Main Changes: 5 new software/hardware weaknesses added:
1 new software weakness added: 1 view deprecated: The schema was updated from v6.8 to v6.9 to use more consistent and understandable values in some enumerations, to allow Mapping notes, and for other small changes, some of which facilitate CWE REST API development. View the schema difference report for details. Summary: There are 933 weaknesses and a total of 1,395 entries on the CWE List. Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.8_v4.9.html. Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns. New CWE/CAPEC Board Member from University of Nebraska Omaha September 9, 2022 | Share this article Robin Gandhi of University of Nebraska Omaha has joined the CWE/CAPEC Board. Through open and collaborative discussions, CWE/CAPEC Board members provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction. Members include technical implementers that provide input and guidance regarding the creation, design, review, maintenance, and applications of CWE/CAPEC entries; subject matter experts who are domain experts in weakness and/or attack pattern fields and represent a significant constituency related to, or affected by, CWE/CAPEC; and advocates who actively support and promote CWE/CAPEC throughout the community in a highly visible and responsible manner. CWE/CAPEC Podcast: “Using CWE/CAPEC in Education” July 11, 2022 | Share this article The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. In our latest episode, “Using CWE/CAPEC in Education,” we chat with Pietro Braione of Università degli Studi di Milano - Bicocca about how he uses CWE and CAPEC to help in college-level classes to teach cybersecurity. How the taxonomy can help teach the breath of issues for software development is also discussed. 
The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms. Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at capec@.mitre.org or cwe@.mitre.org. We look forward to hearing from you! 
2022 “CWE Top 25” Now Available! June 28, 2022 | Share this article The official version of the “2022 CWE Top 25 Most Dangerous Software Weaknesses,” a demonstrative list of the most common and impactful software weaknesses that can lead to exploitable vulnerabilities in software, is now available on the CWE website. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations. What’s Changed The major difference between the 2021 and 2022 CWE Top 25 lists are the addition of three new weakness types and several notable shifts in ranked positions for weakness types, including three weakness types that fell entirely off the list. The three new additions are CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'); CWE-94: Improper Control of Generation of Code ('Code Injection'); and CWE-400: Uncontrolled Resource Consumption. Weakness types moving higher on the list include CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') and CWE-476: NULL Pointer Dereference, while CWE-306: Missing Authentication for Critical Function moved lower. The three weakness types that fell off the list are CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-522: Insufficiently Protected Credentials; and CWE-732: Incorrect Permission Assignment for Critical Resource. Leveraging Real-World Data To create the 2022 list, the CWE Program leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores associated with each CVE Record, including a focus on CVE Records from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. A formula was then applied to the data to score each weakness based on prevalence and severity. The 2022 CWE Top 25 leverages NVD data from the years 2020 and 2021, which consists of 37,899 CVEs that are associated with a weakness. A scoring formula is used to calculate a ranked order of weaknesses which combines the frequency that a CWE is the root cause of a vulnerability with the average severity of each of those vulnerabilities’ exploitation as measured by CVSS. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen. For more detailed information including methodology, rankings, scoring, and refined mappings, visit the CWE Top 25 page. Feedback Welcome Please send any feedback or questions to the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or contact us directly. CWE Version 4.8 Now Available June 28, 2022 | Share this article CWE Version 4.8 has been posted on the CWE List page to add support for the recently released “2022 CWE Top 25 Most Dangerous Software Weaknesses” list, among other updates. A detailed report is available that lists specific changes between Version 4.7 and Version 4.8. Main Changes: CWE 4.8 includes the addition of 1 new view to support the release of the 2022 CWE Top 25, 1 new software weaknesses, and 1 new hardware category. The software weakness types included in the 2022 CWE Top 25 also include observed examples drawn from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog to show relevance to real-world exploits. One new view added: One new software weaknesses added: One new hardware category added: The schema was updated from v6.7 to v6.8 to update TechnologyNameEnumeration to emphasize hardware in some values. View the schema difference report for details. Summary: There are 927 weaknesses and a total of 1,389 entries on the CWE List. Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.7_v4.8.html. Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns. CWE/CAPEC Blog: “How to Effectively Utilize Hardware CWEs Across your Organization” Contributed by Jason Oberg of Tortuga Logic May 15, 2022 | Share this article The CWE/CAPEC Program is pleased to welcome the contribution of this CWE/CAPEC Blog article by Tortuga Logic, one of our key partners. The article, “How to Effectively Utilize Hardware CWEs Across your Organization,” which discusses two ways that hardware CWE can be applied to enable higher levels of security assurance throughout semiconductor organizations, was written by Jason Oberg of Tortuga Logic, co-founder of Tortuga Logic. It should be noted that the views and opinions expressed in this article do not necessarily state or reflect those of the CWE/CAPEC Program, and any reference to a specific product, process, or service does not constitute or imply an endorsement by the CWE/CAPEC Program of the product, process, or service, or its producer or provider. Read the complete article on the CWE/CAPEC Blog on Medium. CWE/CAPEC Blog: “The Missing Piece in Vulnerability Management” Contributed by Fil Filiposki of AttackForge May 5, 2022 | Share this article The CWE/CAPEC Program is pleased to welcome the contribution of this CWE/CAPEC Blog article by AttackForge, one of our key partners. The article, “The Missing Piece in Vulnerability Management,” which discusses the need for normalizing pen testing results so they can be merged with vulnerability management systems — and how Common Attack Pattern Enumeration and Classification (CAPEC™) is part of the solution, was written by Fil Filiposki, co-founder of AttackForge, and is our first-ever blog contributed by a CWE/CAPEC Program partner. It should be noted that the views and opinions expressed in this article do not necessarily state or reflect those of the CWE/CAPEC Program, and any reference to a specific product, process, or service does not constitute or imply an endorsement by the CWE/CAPEC Program of the product, process, or service, or its producer or provider. Read the complete article on the CWE/CAPEC Blog on Medium. New CWE/CAPEC Board Member from Red Hat May 5, 2022 | Share this article Jeremy West of Red Hat, Inc. has joined the CWE/CAPEC Board. Through open and collaborative discussions, CWE/CAPEC Board members provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction. Members include technical implementers that provide input and guidance regarding the creation, design, review, maintenance, and applications of CWE/CAPEC entries; subject matter experts who are domain experts in weakness and/or attack pattern fields and represent a significant constituency related to, or affected by, CWE/CAPEC; and advocates who actively support and promote CWE/CAPEC throughout the community in a highly visible and responsible manner. CWE Version 4.7 Now Available April 28, 2022 | Share this article CWE Version 4.7 has been posted on the CWE List page to add support for the recently released categories of security vulnerabilities in industrial control systems (ICS) as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Continued expansion into ICS and operational technology (OT) CWE content will be discussed in the CWE-CAPEC ICS/OT Special Interest Group (SIG) launching on May 18, 2022. A detailed report is available that lists specific changes between Version 4.6 and Version 4.7. Main Changes: CWE 4.7 includes the addition of 1 new view, “Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS”; 1 new software weakness, CWE-1385: Missing Origin Validation in WebSockets; 1 new hardware weakness, CWE-1384: Improper Handling of Extreme Physical Environment Conditions; 1 new software/hardware weakness, CWE-1357: Reliance on Uncontrolled Component; 1 software weakness updated to also include hardware, CWE-1059: Insufficient Technical Documentation; 1 deprecated weakness, CWE-365: Race Condition in Switch; and updates to 144 other entries. Also, the Status attribute in the top right corner of each CWE entry page will no longer be displayed. It is commonly misinterpreted and causes confusion with respect to quality and completeness of CWE content. The Status attribute will continue to be included in the XML of each entry. The schema was updated from v6.6 to v6.7 to add new entries to the TechnologyNameEnumeration to mirror existing entries, but with “IP” removed, in accordance with Hardware CWE SIG discussions. Also, annotations were added to previous entries noting their deprecation. View the schema difference report for details. Summary: There are 926 weaknesses and a total of 1,386 entries on the CWE List. Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.6_v4.7.html. Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns. Join the CWE-CAPEC ICS/OT Special Interest Group! April 21, 2022 | Share this article In partnership with the U.S. Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER), the CWE/CAPEC Program — operated by the CISA-funded Homeland Security Systems Engineering and Development Institute (HSSEDI) — is pleased to announce the “CWE-CAPEC ICS/OT SIG,” a new special interest group focusing on security weaknesses in industrial control systems (ICS) and operational technology (OT). While IT has an extant body of work related to identify and classifying security weaknesses, IT and ICS/OT are different, and existing IT classifications are not always useful in describing and managing security weaknesses in ICS/OT systems. Addressing this gap will help all stakeholders communicate more efficiently and effectively and promote a unity of effort in identifying and mitigating ICS/OT security weaknesses, especially in critical infrastructure. The newly formed CWE-CAPEC ICS/OT SIG will offer a forum for researchers and technical representatives from organizations operating in ICS/OT design, manufacturing, and security to interact, share opinions and expertise, and leverage each other’s experiences in supporting continued growth and adoption of CWE as a common language for defining ICS/OT security weaknesses and their associated patterns of attack. The kickoff will be held on Wednesday, May 18, 2022, from 3:00 to 4:30 pm ET. For additional information, including how to join, view the CWE-CAPEC ICS/OT SIG announcement. Minutes from CWE/CAPEC Board Teleconference Meeting on August 17 Now Available April 18, 2022 | Share this article The CWE/CAPEC Board held a teleconference meeting on February 15, 2022. Read the meeting minutes. CWE/CAPEC Podcast: “Why Cisco Uses CWE While Looking at Fixing Vulnerabilities” March 23, 2022 | Share this article The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. In our seventh episode, “Why Cisco Uses CWE While Looking at Fixing Vulnerabilities,” we talk with Cisco’s Tim Wadhwa-Brown, Security Research and Offensive Security for Professional Services in Europe and Jared Pendleton, Advanced Security Initiatives Group about Cisco using CWE for finding and fixing vulnerabilities. They find it useful to help categorize the types of vulnerabilities to help determine the root cause of possible future vulnerabilities.
The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms. Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at capec@.mitre.org or cwe@.mitre.org. We look forward to hearing from you! Join the CWE/CAPEC REST API Working Group! March 23, 2022 | Share this article The objective of the “CWE/CAPEC REST API Working Group” is to ease the interface between security software and hardware architects, EDA tool developers, verification engineers concerned about mitigating security risks in their products; and the databases themselves. A new RESTful API will be designed. View the invitation to join the working group from Adam Cron of Synopsys, Chair of the CWE/CAPEC REST API Working Group. CWE/CAPEC Podcast: “Beyond the Buffer Overflow: Finding Weaknesses in Software, an Interview with Larry Cashdollar” February 22, 2022 | Share this article The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. In our sixth episode, “Beyond the Buffer Overflow: Finding Weaknesses in Software, an Interview with Larry Cashdollar,” Larry Cashdollar of Akamai talks about the types of weaknesses in the many CVEs he has found as a CVE Numbering Authority and how the frequency of these weaknesses have changed. CAPEC is also mentioned.
The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms. Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at capec@.mitre.org or cwe@.mitre.org. We look forward to hearing from you! CWE/CAPEC Blog: “Mind Your REGEX or It Can Put Your Program Into an Infinite Loop” February 1, 2022 | Share this article The CWE Team’s “Mind Your REGEX or It Can Put Your Program Into an Infinite Loop” blog article discusses how if your project uses or implements regular expressions, you need to check them for a weakness that might allow an attacker to stop your program from working. Read the complete article on the CWE/CAPEC Blog on Medium. CWE/CAPEC Blog: “HTTP Desync: The Redux and Evolution of HTTP Smuggling and Splitting Attack Techniques” January 13, 2022 | Share this article The CWE Team’s “HTTP Desync: The Redux and Evolution of HTTP Smuggling and Splitting Attack Techniques” blog article provides a primer on the often conflated HTTP (response/request) (splitting/smuggling) attack techniques as well as information about which Common Attack Pattern Enumeration and Classification (CAPEC™) entries may help further distinguish between the two. Read the complete article on the CWE/CAPEC Blog on Medium. CWE/CAPEC Board Approves Version 1.0 of Board Charter January 10, 2022 | Share this article The CWE/CAPEC Board approved version 1.0 of the “CWE/CAPEC Board Charter” on January 7, 2022. The charter includes two main sections, “Board Overview and Member Responsibilities” and “Board Membership and Operations,” as well as a “Board Charter Review” section that describes the process for updating the charter. Along with version 1.0 of the charter document, the Board also approved the “CWE/CAPEC Program Professional Code of Conduct.” CWE/CAPEC Communications Survey January 6, 2022 | Share this article The CWE/CAPEC Program requests your feedback on our communications efforts. We would like to learn what you think about the topics being covered on our CWE/CAPEC Blog and Out-of-Bounds Read podcast, as well as anything else that you want to see or learn more about? Please respond to our “CWE/CAPEC Communications Survey” and share your thoughts today! CWE/CAPEC Board Member Jason Fung Discusses the Most Important Hardware CWEs on Podcast January 6, 2022 | Share this article Listen to CWE/CAPEC Board Member Jason Fung of Intel talk about the 2021 Most Important Hardware Weaknesses list and its potential impact on the hardware security industry on Intel’s Chips & Salsa podcast. |
