2023 CWE Top 25 Methodology

The “2023 CWE Top 25 Most Dangerous Software Weaknesses” list was calculated by analyzing public vulnerability data in the U.S. National Vulnerability Database (NVD) for its root causes, using the CWE mappings that the NVD attaches to each record. This year’s list is based on 43,996 CVE Records for vulnerabilities published in 2021 and 2022. The mapping data was pulled from the NVD on March 27, 2023.


Dataset Collection/Scoping

The initial Top 25 data set comprised all CVE Records published in 2021 and 2022. Before analysis began, the data set was trimmed to provide a more accurate determination of “true” vulnerabilities. For its root cause mapping efforts, the NVD maps CVE Records to View-1003: Weaknesses for Simplified Mapping of Published Vulnerabilities, a simplified collection of 130 weakness types. If a CVE Record cannot be mapped to an entry in View-1003, the NVD marks it as “CWE-Other”.

A record was removed from the 2023 CWE Top 25 data set if any of the following criteria applied:

  1. The CVE Record description was labeled with “**REJECT**”, which indicates that the vulnerability record is no longer valid.
  2. There was insufficient information, in either of two ways:
    1. The Top 25 team determined that there was insufficient information in the CVE Record to perform accurate root cause mapping.
    2. The NVD labeled the CVE Record as having insufficient information to map, and the CVE Record was not part of the Top 25 team’s remapping review.
  3. The NVD marked the CVE Record as CWE-Other, and either:
    1. The Top 25 team’s remapping review did not determine an appropriate mapping within View-1003, or
    2. The CVE Record was not selected for the Top 25 team’s remapping review.

CWE Root Cause (Re)Mapping Review

This year’s Top 25 effort focused heavily on documenting the analysis of the CWE root cause mapping, to increase the quality and consistency of the Top 25 List. A CWE root cause mapping is an association of a vulnerability description with the CWE identifier(s) that most closely reflect the “root cause” or “source condition / reason” for that vulnerability. CWE root cause mappings are provided either at the time of disclosure (e.g., by a CVE Numbering Authority) or at a later time by a third party (e.g., an NVD analyst).

To ensure a more accurate and useful CWE Top 25 list, the team independently analyzed the root cause mappings of a subset of 7,466 CVE Records from the total dataset. Records were selected either (1) by automated keyword analysis of CVE descriptions that suggested inaccurate root cause mappings, or (2) because they mapped to more abstract, high-level CWEs rather than to more precise root causes. Where an inconsistent criterion appeared to have been applied, or a mistake had been made in the initial analysis, the team remapped the record. The team used the entire CWE corpus for these remappings, and the results were then shared with NIST for confirmation and for updating the NVD data.

In some instances, a sequential series of weaknesses results in a vulnerability; together these weaknesses form a root cause mapping “chain”. In this year's analysis, the team attempted to capture chains as completely as possible, without changing the scoring formula to account for them: for any chain "X→Y", both X and Y were included in the analysis as if each had been listed independently.


Scoring

After the collection, scoping, and remapping process, a scoring formula was used to rank the weaknesses. The formula combines frequency (the number of times a CWE is the root cause of a vulnerability) with the average severity of those vulnerabilities when exploited (as measured by the Common Vulnerability Scoring System (CVSS) score recorded in the NVD). Both frequency and severity are normalized relative to the minimum and maximum values observed in the dataset. These metrics appear as "count" and "average_CVSS", respectively, in the formulas below.

Frequency

The scoring formula first computes, for each CWE, the number of times it was mapped to a CVE Record within the NVD, then normalizes that count against the smallest and largest counts observed in the data set.

Freq = {count(CWE_X' ∈ NVD) for each CWE_X' in NVD}

Fr(CWE_X) = (count(CWE_X ∈ NVD) - min(Freq)) / (max(Freq) - min(Freq))

Severity

The scoring formula then computes the average CVSS score of all CVE Records that map to the CWE and normalizes it in the same way. The equation below is used to calculate this value.

Sv(CWE_X) = (average_CVSS(CWE_X) - min(CVSS)) / (max(CVSS) - min(CVSS))

Danger Score

The level of danger presented by a particular CWE was then determined by multiplying the severity score by the frequency score.

Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100

With this scoring approach:

  • Weaknesses that were rarely discovered will not receive a high Frequency score, regardless of the typical consequence associated with any exploitation. If developers are not making a particular mistake, then the weakness should not be highlighted in the CWE Top 25.
  • Weaknesses whose exploitation was of low impact will not receive a high Severity score, regardless of how common it was in the dataset. If the weakness typically results in low-impact exploited vulnerabilities, then the weakness should not be highlighted in the CWE Top 25.
  • Weaknesses that were both common and caused significant harm will receive the highest scores.
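The following is an added example (not MITRE's tooling or the NVD's code) that models the whole pipeline described above in one place: the three scoping criteria from Dataset Collection/Scoping, the use of the team's remapping result in place of the NVD mapping, the "X→Y" chain rule, and the Fr/Sv/Score formulas from this section. Everything in it is an assumption for illustration: the `Record.reviewed` field standing in for the remapping review outcome, the `NVD-CWE-Other`/`NVD-CWE-noinfo` marker strings, the REJECT check, and the reading of min(CVSS)/max(CVSS) as the minimum and maximum of the per-CWE averages (mirroring how Freq is defined). The CWE identifiers are real entries; the CVE identifiers, descriptions and scores are constructed.

```python
"""Worked model of the 2023 CWE Top 25 pipeline: scoping, chain handling, scoring.

Added example, not MITRE's tooling. All records below are constructed; the
CWE IDs are real entries, the CVE IDs, descriptions and CVSS scores are not.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: NVD-style markers for "not mappable" and "insufficient information".
CWE_OTHER = "NVD-CWE-Other"
CWE_NOINFO = "NVD-CWE-noinfo"


@dataclass
class Record:
    cve: str
    description: str
    cvss: float                      # NVD CVSS base score
    cwes: List[str]                  # NVD root-cause mapping; a chain is written "X->Y"
    # Hypothetical field for the Top 25 team's remapping review outcome:
    # None = record not selected for review; [] = review found no usable
    # mapping (criteria 2.1 / 3.1); otherwise the reviewed mapping list.
    reviewed: Optional[List[str]] = None


def is_rejected(rec: Record) -> bool:
    """Criterion 1: the description carries CVE's REJECT marker (assumed format)."""
    return rec.description.replace(" ", "").startswith("**REJECT**")


def effective_mappings(rec: Record) -> List[str]:
    """Mapping used for scoring: the team's review result if one exists, else NVD's."""
    return rec.cwes if rec.reviewed is None else rec.reviewed


def in_scope(rec: Record) -> bool:
    """Apply the three removal criteria from Dataset Collection/Scoping."""
    if is_rejected(rec):
        return False
    cwes = effective_mappings(rec)
    if not cwes:                     # criteria 2.1 / 3.1: review found nothing usable
        return False
    # criteria 2.2 / 3.2: NVD marked noinfo/Other and no review replaced that marker
    return not any(c in (CWE_OTHER, CWE_NOINFO) for c in cwes)


def expand_chains(cwes: List[str]) -> set:
    """A chain "X->Y" (or "X→Y") counts for both X and Y, as if each were listed alone."""
    out = set()
    for c in cwes:
        out.update(part.strip() for part in c.replace("→", "->").split("->"))
    return out


def rank(records: List[Record]) -> List[Tuple[str, float]]:
    """Return (CWE, danger score) pairs sorted by score, per the Scoring section."""
    cvss_by_cwe: Dict[str, List[float]] = defaultdict(list)
    for rec in records:
        if not in_scope(rec):
            continue
        # A set per record: one hit per CWE per vulnerability, chains expanded.
        for cwe in expand_chains(effective_mappings(rec)):
            cvss_by_cwe[cwe].append(rec.cvss)

    count = {c: len(v) for c, v in cvss_by_cwe.items()}              # "count"
    average_cvss = {c: sum(v) / len(v) for c, v in cvss_by_cwe.items()}  # "average_CVSS"

    def norm(x: float, values) -> float:
        lo, hi = min(values), max(values)
        return 0.0 if hi == lo else (x - lo) / (hi - lo)              # guard a flat dataset

    # Fr and Sv are min-max normalized over the per-CWE values (assumption for Sv),
    # then Score = Fr * Sv * 100.
    scores = {
        c: norm(count[c], count.values()) * norm(average_cvss[c], average_cvss.values()) * 100
        for c in count
    }
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed dataset; not real CVE data.
SAMPLE_RECORDS = [
    Record("CVE-2021-0001", "Stack-based overflow in the image parser", 9.8, ["CWE-787"]),
    Record("CVE-2021-0002", "Heap write past end of buffer", 7.5, ["CWE-787"]),
    Record("CVE-2021-0003", "Unchecked length leads to out-of-bounds write", 8.8, ["CWE-20->CWE-787"]),
    Record("CVE-2022-0004", "Reflected XSS in search page", 6.1, ["CWE-79"]),
    Record("CVE-2022-0005", "Stored XSS in profile name", 5.4, ["CWE-79"]),
    Record("CVE-2022-0006", "XSS via crafted URL", 6.1, ["CWE-79"]),
    Record("CVE-2022-0007", "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER", 0.0, ["CWE-79"]),
    Record("CVE-2022-0008", "Unspecified vulnerability", 9.8, [CWE_OTHER]),                  # 3.2
    Record("CVE-2022-0009", "SQL injection in login form", 9.8, [CWE_OTHER], reviewed=["CWE-89"]),
    Record("CVE-2022-0010", "Issue in component", 9.8, [CWE_NOINFO], reviewed=[]),            # 2.1
    Record("CVE-2022-0011", "XSS via unvalidated parameter", 4.3, ["CWE-20"], reviewed=["CWE-79"]),
    Record("CVE-2022-0012", "SQL injection in report export", 9.1, ["CWE-89"]),
]

if __name__ == "__main__":
    for cwe, s in rank(SAMPLE_RECORDS):
        print(f"{cwe:<8} {s:6.2f}")
```

Running it on the constructed records drops the REJECTed record, the CWE-Other record that was never reviewed, and the record the review could not map, leaving nine in scope. CWE-787 ranks first and CWE-89 second; CWE-79 is the most frequent CWE yet scores exactly 0 because its average CVSS is the lowest in the set, and CWE-20 (present only through the chain) scores 0 because it is the least frequent. Those two zeros are the first two bullets above made concrete, and they also show a property worth remembering when reading the real list: min-max normalization pins whichever CWE sits at the minimum of either axis to a score of zero, however it does on the other axis.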

Acknowledgments:

The 2023 CWE Top 25 Team includes (in alphabetical order): Adrian Garcia Gonzalez, Alec Summers, Alicia Gillum, Charles Schmidt, Chris Coffin, Connor Mullaly, David Rothenberg, Gage Hackford, Gananand Kini, John DeCarlo, Jordan Burton, Kent Sanders, Luke Malinowski, O'Ryan Lattin, Rich Piazza, Robert L. Heinemann, Jr., Rushi Purohit, and Steve Christey Coley. Members of the NIST NVD Analysis Team that coordinated on the Top 25 include Christopher Turner, David Jung, Robert Byers, Tanya Brewer, and Srividya Ananthakrishna. Finally, thanks also to the broader CWE community for suggesting improvements to the process.

Page Last Updated: July 13, 2023