Common Weakness Enumeration

2023 “On the Cusp” Weaknesses Insights

The 2023 CWE Top 25 Most Dangerous Software Weaknesses list is a practical and convenient resource to help mitigate software security risk. But the complete dataset analyzed had 144 total weaknesses that were recorded, analyzed, and ranked. Beyond the Top 25, those performing mitigation and risk decision-making should consider these additional “On the Cusp” weaknesses in their efforts as they too can become severe, exploitable vulnerabilities under the right conditions.

Following are some observations on the weaknesses that did not make the 2023 CWE Top 25 list.

Analysis

The On the Cusp list comprises CWEs ranked in positions 26-40, per the 2023 CWE Top 25 Methodology. These CWEs continue to be prevalent and serious enough to cause concern.

Three CWEs have increased in rank to move them into this year’s On the Cusp list:

• CWE-639: Authorization Bypass Through User Controlled Key (up from #54 to #38)
• CWE-770: Allocation of Resources Without Limits or Throttling (up from #42 to #29)
• CWE-617: Reachable Assertion (up from #44 to #26)

Two CWEs that were on the 2022 CWE Top 25 list dropped to the 2023 On the Cusp list:

• CWE-611: Improper Restriction of XML External Entity Reference (down from #24 to #28)
• CWE-400: Uncontrolled Resource Consumption (down from #23 to #37)

Three CWEs that were on the 2022 On the Cusp list dropped out of this year’s On the Cusp list altogether (dropping to a position below the rank 40):

• CWE-312: Cleartext Storage of Sensitive Information (down from #40 to #43)
• CWE-843: Access of Resource Using Incompatible Type (Type Confusion) (down #31 to 46#)
• CWE-319: Cleartext Transmission of Sensitive Information (down #39 to #48)