Common Weakness Enumeration

CWE Glossary Definition

News & Events - 2024

Right-click and copy a URL to share an article. Send feedback about this page to cwe@mitre.org.

2024 “CWE Top 25” Now Available!

November 19, 2024 | Share this article

The “2024 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses” (2024 CWE Top 25) is now available on the CWE website! The Top 25 highlights the most severe and prevalent weaknesses behind the 31,770 CVE® Records in this year’s dataset. Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place. These weaknesses lead to serious vulnerabilities in software, and an attacker can often exploit them to take control of an affected system, steal data, or prevent applications from working.

What’s Changed

There are several notable shifts in ranked positions of weakness types from last year’s list, including weaknesses dropping away or making their first appearance in a CWE Top 25.

The 2024 Top 25’s #1 ranked weakness is CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross Site Scripting’), which regains the top position from CWE-787: Out-of-bounds Write after three years. Weaknesses moving up the rankings this year include CWE-352: Cross-Site Request Forgery (CSRF), CWE-94: Improper Control of Generation of Code ('Code Injection'), CWE-269: Improper Privilege Management, and CWE-863: Incorrect Authorization, while CWE-20: Improper Input Validation, CWE-476: NULL Pointer Dereference, CWE-190: Integer Overflow or Wraparound, and CWE-306: Missing Authentication moved down. Two weaknesses fell off the Top 25 list this year, CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') and CWE-276: Incorrect Default Permissions, which were replaced with CWE-400: Uncontrolled Resource Consumption and CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.

Visit the Key Insights page for additional information.

Leveraging Real-World Data

The 2024 CWE Top 25 is the first published where the CNA community directly contributed CWE mapping reviews within the dataset, leveraging their expert knowledge of the products and access to information that might not be present in the CVE Record. In general, CNAs are best positioned to provide accurate CWE mapping determinations compared to third-party analysts, as CNAs are the authority for vulnerability information within their CNA scope and those closest to the products themselves.

To create the 2024 list, the CWE Program leveraged public vulnerability data containing CWE mappings and Common Vulnerability Scoring System (CVSS) scores. A formula was then applied to the data to score each weakness based on prevalence and severity.

The 2024 CWE Top 25 leverages CVE Records for vulnerabilities published between June 1, 2023, and June 1, 2024. A scoring formula is used to calculate a ranked order of weaknesses by combining the frequency that a CWE is the root cause of a vulnerability with the average severity of each of those vulnerabilities as measured by CVSS.

For more information about how the list was created and the ranking methodology, visit the Methodology page. Also, be sure to also check out the CWE Top 25 page going forward for additional articles and insight.

Over the coming weeks and months, the CWE Program will continue publishing further analyses to help illustrate how root cause mapping and vulnerability management plays an important role in shifting the balance of cybersecurity risk. These will include but may not be limited to the following:

• Weaknesses on the Cusp — those weaknesses that did not make the 2024 CWE Top 25 of which readers should be aware.
• Actively Exploited — Ranking Weaknesses by the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog.

Feedback Welcome

Please send any feedback or questions to the CWE Research email discussion list, CWE on X, CWE page on LinkedIn, or contact us directly.

CWE Version 4.16 Now Available

November 19, 2024 | Share this article

CWE Version 4.16 has been posted on the CWE List page to add support for the recently released “2024 CWE Top 25 Most Dangerous Software Weaknesses” list, to add 1 new artificial intelligence (AI)-related weakness, and usability improvements to 14 additional weakness entry pages, among other updates.

A detailed report is available that lists specific changes between Version 4.15 and Version 4.16.

Main Changes

CWE 4.16 includes the addition of 1 new view to support the release of the 2024 CWE Top 25. The software weakness types included in the 2024 CWE Top 25 also include observed examples drawn from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog to show relevance to real-world exploits. This release also includes 1 new AI-related weakness for “Improper Neutralization of Input Used for LLM Prompting.” The CWE Program thanks the members of the Artificial Intelligence Working Group (AI WG) for their collaboration preparing for this new version.

One new view added:

• CWE-1430: Weaknesses in the 2024 CWE Top 25 Most Dangerous Software Weaknesses

One new AI-related weakness added:

• CWE-1427: Improper Neutralization of Input Used for LLM Prompting – “The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM to fail to distinguish between user-supplied inputs and developer provided system directives.”

Usability Improvements

• This release includes the second installment of major usability improvements that are underway for the CWE website. For this installment, the 14 CWE Entry pages (listed below the example image) have been upgraded and will now include a concise summary of the weakness along with a visual aid at the top of each entry page. An example image of this new introductory section is below. View an overview of the first installment of major usability improvements that occurred with the release of CWE 4.15 here.
  
  To further improve the usability of the entry pages, the “Alternate Terms,” “Comon Consequences,” and “Mitigations” sections will continue be reordered so that they appear directly below this new introductory section. The remaining sections of the page (such as “Relationships,” “Applicable Platforms,” “Demonstrative Examples,” etc.) will not be changed.
  
  In this second installment of the usability improvements, the following 14 CWE Entry pages (all of which were included in the CWE 2024 Top 25 list) have been upgraded to the new look and feel. We especially thank Abhi Balakrishnan for contributing to the visual aid images included in these CWEs.
  
  
  • CWE-288: Authentication Bypass Using an Alternate Path or Channel
  • CWE-863: Incorrect Authorization
  • CWE-307: Improper Restriction of Excessive Authentication Attempts
  • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
  • CWE-184: Incomplete List of Disallowed Inputs
  • CWE-862: Missing Authorization
  • CWE-502: Deserialization of Untrusted Data
  • CWE-918: Server-Side Request Forgery (SSRF)
  • CWE-201: Insertion of Sensitive Information Into Sent Data
  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  • CWE-532: Insertion of Sensitive Information into Log File
  • CWE-347: Improper Verification of Cryptographic Signature
  
  Additional CWE Entry pages will be upgraded with these enhancements as part of future releases.

Schema Changes

There were no schema updates.

Summary

There are 940 weaknesses and a total of 1,429 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.15_v4.16.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, on CWE on X, and on CWE on Mastodon. Please contact us with any comments or concerns.

“Leveraging Hardened Cybersecurity Frameworks for AI Security through the Common Weakness Enumeration (CWE)”

October 3, 2024 | Share this article

“Leveraging Hardened Cybersecurity Frameworks for AI Security through the Common Weakness Enumeration (CWE)” is the title and main topic of a September 10, 2024 blog article by CWE AI Working Group Co-Chair Kate Farris and WG member Alie Fordyce on the Robust Intelligence Blog.

The authors state: “With CWE’s recent expansion into AI to address the growing need for standardized identification and categorization of weaknesses specific to artificial intelligence systems, the CWE AI Working Group assembled experts from various technical fields across industry and government ... Through these efforts, new AI-related CWEs were published in the CWE 4.15 July release. CWE-1426 highlights the danger of not properly validating AI-generated outputs and CWE-1039, an automated recognition mechanism with inadequate detection or handling of adversarial input perturbations, was updated as an AI-related weakness. Additionally, a new demonstrative example was published in CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') , which shows how AI outputs can be manipulated for command injection attacks. In addition, an observed example is a publicly reported vulnerability in real-world products that exhibit the weakness. New AI-related observed examples were published to several entries including SQL injection (CWE-89), path traversal (CWE-22), and code injection (CWE-94).”

The authors conclude the article as follows: “Understanding the AI-security weakness that can result in an AI-related vulnerability enables engineers to mitigate them before AI model deployment, strengthening the AI pipeline and saving costs by preventing downstream effects ... As CWE continues to review AI-related submissions, future content releases are upcoming in late 2024 and early 2025.”

Videos Page Added to CWE Website

September 5, 2024 | Share this article

A CWE Videos page has been added to the CWE website to ensure stakeholders have immediate access to the CWE Program’s most important videos and can view them directly on the CWE website.

These select videos, as well as the entire collection of CWE Program videos and podcasts, will continue to be hosted on the CWE Program Channel on YouTube.

New Video: “CWE: An Outsider’s Perspective (or: a Retrospective on the New Microarchitectural Weaknesses)”

August 29, 2024 | Share this article

In the “CWE: An Outsider’s Perspective (or: a Retrospective on the New Microarchitectural Weaknesses)” video, Scott Constable of Intel Labs discuses microarchitectural weaknesses in the CWE List that relate to transient execution, especially the four new microarchitectural weakness entries added with the release of CWE Version 4.14:

• CWE-1420: Exposure of Sensitive Information during Transient Execution
• CWE-1421: Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
• CWE-1422: Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution
• CWE-1423: Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution

The video is now available on the CWE YouTube Channel. Or, watch below:

This talk was presented to the Hardware CWE Special Interest Group (HW CWE SIG) on March 8, 2024.

CWE REST API Now Available

August 8, 2024 | Share this article

The CWE™ Program is pleased to announce that the “CWE REST API” is now available. We thank the REST API Working Group for their collaboration in developing the API.

The CWE REST API enables program partners in vulnerability management as well as software (SW) and hardware (HW) developers and architects, electronic design automation (EDA) tool developers, verification engineers, and others who are concerned about mitigating security risks in their products an easy and efficient way to stay up to date with CWE content.

We expect this API to be a major improvement for leveraging CWE content changes as it is always up to date when requested by downstream applications and provided using a JSON representation.

Accessing the CWE REST API

The root URL to access the CWE REST API, which is available without any need to register or use any credentials, is available here.

We suggest using the API to populate a cache of the CWE content locally, which can be refreshed whenever a new release becomes available.

Documentation, Available Endpoints, and More

To view the API documentation, a list of endpoints, as well as several example endpoint URLs, please visit the “Quick Start Instructions for CWE REST API Users” on GitHub.

Please email us at cwe@mitre.org with any comments or concerns.

CWE Version 4.15 Now Available

July 16, 2024 | Share this article

CWE Version 4.15 has been posted on the CWE List page and includes a number of exciting updates. There is 1 new weakness entry related to artificial intelligence (AI), CWE-1426: Improper Validation of Generative AI Output; 1 new AI-related demonstrative example added to CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); and observed examples added to multiple CWEs related to AI/ML and generative AI prompts, including one example of “prompt injection.” The schema was updated to add AI/ML as an applicable platform to various CWEs.

This release also includes the first installment of major usability improvements that are underway to enhance the understandability, navigability, and usability of CWE content (see “CWE Program Embarks on Improving Usability” for details). While this release includes upgrades to a selection of CWE Entry pages (see below), future releases will include other improvements.

The CWE Program thanks the Artificial Intelligence Working Group (AI WG) and CWE User Experience Working Group (UEWG) for their collaboration preparing for this new version.

Main Changes

New Weakness Entry:

• CWE-1426: Improper Validation of Generative AI Output – “The product invokes a generative AI/ML component whose behaviors and outputs cannot be directly controlled, but the product does not validate or insufficiently validates the outputs to ensure that they align with the intended security, content, or privacy policy.”

New Demonstrative Example:

• A new demonstrative example for “prompt injection” was added to CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection').

New Observed Examples:

• New observed examples were added to multiple CWEs related to AI/ML and generative AI prompts, including one example of “prompt injection.”

Usability Improvements

• This release includes the first installment of major usability improvements that are underway for the CWE website. For this installment, the main improvement is that a select number of CWE Entry pages (listed below the example image) will now include a concise summary of the weakness along with a visual aid at the top of each entry page. An example image of this new introductory section is below.
  
  To further improve the usability of the entry pages, the “Alternate Terms,” “Comon Consequences,” and “Mitigations” sections will be reordered so that they appear directly below this new introductory section. The remaining sections of the page (such as “Relationships,” “Applicable Platforms,” “Demonstrative Examples,” etc.) will remain in the same order as on the current page.
  
  In this first installment of the usability improvements, the following 15 CWE Entry pages (all of which were included in the CWE 2023 Top 25 list) have been upgraded to the new look and feel. We especially thank Abhi Balakrishnan for contributing all 15 of the new visual aid images included in these CWEs.
  
  
  • CWE-787:Out-of-bounds Write
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-416: Use After Free
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-125: Out-of-bounds Read
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-434: Unrestricted Upload of File with Dangerous Type
  • CWE-476: NULL Pointer Dereference
  • CWE-287: Improper Authentication
  • CWE-190: Integer Overflow or Wraparound
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-798: Use of Hard-coded Credentials
  • CWE-306: Missing Authentication for Critical Function
  • CWE-269: Improper Privilege Management
  
  Additional CWE Entry pages will be upgraded with these enhancements as part of future releases.

A detailed report is available that lists specific changes between Version 4.14 and Version 4.15.

The schema was updated to version 7.2 to add AI/ML to the TechnologyNameEnumeration simpleType and to add the Diagram attribute to the Weakness element to support images in the Description element.

Summary

There are 939 weaknesses and a total of 1,427 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.14_v4.15.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, on @cwecapec on X (formerly Twitter), and on @CWE_Program on Mastodon. Please contact us with any comments or concerns.

CWE Program Embarks on Improving Usability

July 16, 2024 | Share this article

In a significant step towards enhancing usability, the CWE Program, in collaboration with the CWE User Experience Working Group (UEWG) and the Root Cause Mapping Working Group (RCM WG), will be introducing a series of comprehensive improvements in upcoming CWE releases. The improvements aim to enhance the understandability, navigability, and usability of all CWE content.

There are two main thrusts to the usability improvements, referred to as “macro-level” and “micro-level” improvements:

• Macro-level improvements — Focused on better organization of CWEs at a structural, site-wide level, simplifying access to various views and groupings, enhancing site-wide navigation, and ensuring all entries are populated with the necessary elements.
• Micro-level improvements — Focused on revising CWEs for clarity, removing redundancy, simplifying descriptions, reorder schema elements to foreground key information, and adding visualizations to entries for better topic explanation.

Some micro-level improvements were implemented with the release of CWE 4.15, while macro-level improvements will be implemented in the future. A complete list of the micro-level improvements is noted in the “CWE Version 4.15 Now Available” news article, a visual example of which, is included below.

A before (on the left) and after (on the right) example of the micro-level CWE entry page usability improvements is available below. Note that these images show only the tops of the CWE Entry page, using CWE-798 as the example. Sections of the entry that are not shown above will continue to be included on the entry page but are omitted here for brevity.

Feedback about these improvements is welcome at cwe@mitre.org.

Join the Artificial Intelligence Working Group!

June 10, 2024 | Share this article

Several CWE™ Program and CVE® Program community stakeholders have established the Artificial Intelligence Working Group (AI WG) to identify and address gaps in the CWE corpus where AI-related weaknesses are not adequately covered, and work collaboratively to fix them.

The AI WG is accepting new members. If you are interested in participating, please email us at cwe@mitre.org.

CWE Blog: “Major Usability Improvements to Viewing CWE Content Underway”

June 10, 2024 | Share this article

The CWE Program is currently in the process of making changes to the presentation of CWE entries on the CWE website and have prepared a set of usability mockups as a preview for the community. These mockups are available now in our “Major Usability Improvements to Viewing CWE Content Underway” blog article on the CWE Blog on Medium.

We are inviting you to provide your feedback early in our working process so that we can incorporate your valuable insights and suggestions. The changes we are proposing are focused on presenting important and concise text first for easy digestion by the reader.

The article, and before and after mockup images, are here.

Videos of the Two CWE-Focused Sessions at VulnCon 2024 Now Available

May 13, 2024 | Share this article

Videos of the two CWE-focused sessions — “The CWE Program: Current State and Road Ahead” (presentation) and “Enabling Accurate, Decentralized Root Cause Mapping at Scale” (discussion panel) — from CVE/FIRST VulnCon 2024 are now available on the CWE YouTube Channel. Or, watch below:

New CWE Board Member from NVIDIA

April 18, 2024 | Share this article

Deana O’Meara of NVIDIA has joined the CWE Board.

Through open and collaborative discussions, CWE Board members provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction. Members include technical implementers that provide input and guidance regarding the creation, design, review, maintenance, and applications of CWE entries; subject matter experts who are domain experts in weakness and/or attack pattern fields and represent a significant constituency related to, or affected by, CWE; and advocates who actively support and promote CWE throughout the community in a highly visible and responsible manner.

Join the “Root Cause Mapping” Working Group!

April 10, 2024 | Share this article

Several CWE™ Program and CVE® Program stakeholder organizations — Intel, Microsoft, Red Hat, Rapid 7, CISA, HSSEDI — have established the Root Cause Mapping Working Group (RCM WG) focused on identifying the capabilities, processes, and information needed to improve and scale accurate root cause mapping of vulnerabilities.

“Root cause mapping” is the identification of the underlying cause(s) of a vulnerability. Accurate and precise root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated. This applies to both industry and government decision makers.

RCM WG efforts will include:

• Identifying and describing the current challenges in performing and reporting accurate root cause mapping
• Defining how the CWE hierarchy and content must improve to facilitate better root cause mapping which will have the effect of better achieving CWE program adoption and coverage goals
• Developing new capabilities to simplify the root cause mapping process

The RCM WG is accepting new members. If you are interested in participating, please email us at cwe@mitre.org.

Microsoft Announces It Will Use CWE for Root Cause Mapping of Its CVEs

April 10, 2024 | Share this article

On April 8, 2024, Microsoft announced in a Microsoft Security Response Center blog article entitled “Toward greater transparency: Adopting the CWE standard for Microsoft CVEs” that it will now “publish root cause data for Microsoft CVEs using the Common Weakness Enumeration (CWE™) industry standard.”

In addition to explaining how Microsoft will use CWE, along with providing an example of Microsoft CVE Record with CWE information (i.e., in CVE Record CVE-2024-29990, when viewing the JSON for this record), blog author Lisa Olson, Senior Program Manager Security Release at Microsoft, states: “We believe adopting CWE will better serve our customers, developers, and security practitioners across the industry. This standard will facilitate more effective community discussions about finding and mitigating these weaknesses in existing software and hardware, while also minimizing them in future updates and releases. Ultimately, our commitment to CWE represents a meaningful step toward a more cyber-secure world.”

Read the complete “Toward greater transparency: Adopting the CWE standard for Microsoft CVEs” article on the Microsoft website.

CWE Program Updates Guidance for the “Root Cause Mapping” of Vulnerabilities

March 22, 2024 | Share this article

The CWE Program has updated its guidance for mapping the root cause(s) of vulnerabilities on the “Root Cause Mapping Guidance” page on the CWE website.

Importance of Root Cause Mapping

“Root cause mapping” is the identification of the underlying cause(s) of a vulnerability. Accurate and precise root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated. This applies to both industry and government decision makers.

Additionally, it enables:

1. Driving the removal of classes of vulnerabilities: Root cause mapping encourages a valuable feedback loop into a vendor’s software development lifecycle or architecture design planning.
2. Saving money: the more weaknesses avoided in product development, the less vulnerabilities to manage after deployment.
3. Trend analysis (e.g., how big of a problem is memory safety compared to other problems like injection?).
4. Further insight to potential “exploitability” based on root cause (e.g., command injection vulnerabilities tend to see increased adversary attention, be targeted by certain actors).
5. Organizations demonstrating transparency to customers about how they are targeting and addressing problems in their products.

Today, however, root cause mapping is not done accurately at scale by the vulnerability management ecosystem. The CWE Program’s new and improved guidance addresses this problem.

New and Improved Guidance for Root Cause Mapping

Root cause mapping is best accomplished by correlating CVE Records and/or bug or vulnerability tickets with CWE entries. The new and improved guidance provides an overview and step-by-step methodologies for mapping CVEs to CWEs.

This guidance is intended to help CVE Numbering Authorities (CNAs) and those who produce or analyze CVE Records. It is also likely to be helpful to those who are analyzing vulnerabilities that are not tracked by the CVE Program.

View the new and improved root cause mapping guidance here.

Working Group

Several CVE and CWE stakeholder organizations have established a working group focused on identifying the capabilities, processes, and information needed to improve and scale accurate root cause mapping. Efforts include:

• Identifying and describing the current challenges in performing and reporting accurate root cause mapping
• Defining how the CWE hierarchy and content must improve to facilitate better root cause mapping which will have the effect of better achieving CWE program adoption and coverage goals
• Developing new capabilities to simplify the root cause mapping process

If you are interested in participating, please email us at cwe@mitre.org.

CWE at CVE/FIRST VulnCon 2024

March 22, 2024 | Share this article

CWE was the main focus of two sessions at CVE/FIRST VulnCon 2024 at the McKimmon Center in Raleigh, North Carolina, USA, held March 25-27, 2024:

• “The CWE Program: Current State and Road Ahead” presentation — “An overview of the CWE Program’s current efforts to implement its federation strategy to increase program coverage and adoption. This includes efforts to modernize CWE Program infrastructure (e.g., deploying a REST API), federate CWE content development (e.g., launch the CWE Content Development Repository (CDR) to provide a platform for program partners to collaborate transparently on CWE content development), and an overview of the CWE community working groups/special interest groups and what they are trying to accomplish.”
• “Enabling Accurate, Decentralized Root Cause Mapping at Scale” discussion panel — “Root cause mapping is the identification of the underlying cause of a vulnerability. The Root Cause Mapping Working Group (RCM WG) was established by CVE and CWE community stakeholders with the purpose of determining how to improve and scale accurate root cause mapping. Specifically, the working group is exploring the feasibility of an effective decentralized root cause mapping ecosystem to enable trend analysis and risk management. This moderated discussion panel with members of the RCM WG covered the value, challenge, and potential for accurate and decentralized root cause mapping at scale.”

Thank you so much to everyone who attended our RCM discussion panel and CWE talk at the first-ever VulnCon conference. We are already looking forward to next year’s event!

CWE Version 4.14 Now Available

February 29, 2024 | Share this article

CWE Version 4.14 has been posted on the CWE List page and includes a number of exciting updates. There are 4 new weakness entries related to related to hardware micro architectures; 1 new View for “Weaknesses Addressed by ISA/IEC 62443 Requirements” for industrial automation and control systems; updates to observed and demonstrative examples; 10 new demonstrative examples from the HACK@DAC security challenge contest; among other changes.

Also, a major enhancement has been made to CWE entry pages beginning with this release. All CWE entry web pages will now have vulnerability mapping labels underneath their titles. These include labels for when a CWE is approved, discouraged, or prohibited from vulnerability root cause mapping. In addition, the labels provide a direct link to the entry’s Mapping Notes for quick reference to more detailed information.

The CWE Program thanks Intel, AMD, ARM, Cycuity, Riscure, HACK@DAC contributors from Texas A&M University and Technical University of Darmstadt, and members of the CWE ICS/OT Special Interest Group (ICS/OT SIG) and Hardware CWE Special Interest Group (HW CWE SIG) for their collaboration preparing for this new version.

Main Changes

4 New Weakness Entries Related to Hardware Micro Architectures:

• CWE-1420: Exposure of Sensitive Information during Transient Execution
• CWE-1421: Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
• CWE-1422: Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution
• CWE-1423: Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution

1 New View:

• CWE-1424: Weaknesses Addressed by ISA/IEC 62443 Requirements – This view covers weaknesses that are addressed by following requirements in the ISA/IEC 62443 series of standards for industrial automation and control systems (IACS). For this view, members of the CWE ICS/OT SIG analyzed a set of CWEs and mapped them to specific requirements covered by ISA/IEC 62443.

New and Updated Observed Examples:

• 38 CWEs were updated to include observed examples of weaknesses in the wild, which are a direct result of analyzing CVE Records as part of the 2023 CWE Top 25 effort, community collaboration, or highlighting canonical examples in parent CWEs.

New and Updated Demonstrative Examples:

• 91 CWEs were updated with demonstrative examples, including 10 resulting from collaboration with the participants (Texas A&M University and Technical University of Darmstadt) from the HACK@DAC security challenge contest.

A detailed report is available that lists specific changes between Version 4.13 and Version 4.14.

There were no schema updates.

Summary

There are 938 weaknesses and a total of 1,426 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.13_v4.14.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, on @cwecapec on X (formerly Twitter), and on @CWE_Program on Mastodon. Please contact us with any comments or concerns.

CWE Podcast: “Red Hat’s CWE Journey”

January 18, 2024 | Share this article

“Out-Of-Bounds Read” is the CWE Program’s free podcast about common weaknesses in software and hardware, the vulnerabilities they cause, how to reduce them, and how using CWE can help make products more secure by design.

In our latest episode, CWE Program Lead Alec Summers talks with Red Hat’s Przemyslaw Roguski, CWE Technical Lead Steve Christey, and CWE Top 25 Lead Connor Mullaly, about Common Weakness Enumeration (CWE™) and the problem it solves; how Red Hat’s experience and relationship with CWE began and developed over time; how Red Hat uses CWE today, especially “CWE-699: Software Development”; how CWE’s different “views” can be used to educate and enable new and/or existing CWE users; CWE mappings and why mapping to CWEs/root cause weaknesses is important in vulnerability disclosure; the CWE Top 25 list; CWE in the software development lifecycle; how ongoing development of CWE benefits users; and more.

Additional details about Red Hat’s ongoing use of CWE are included in these two articles on the Red Hat blog, “Red Hat’s CWE journey” and “Weakness risk-patterns: A Red Hat way to identify poor software practices in the secure development lifecycle.”

The podcast is available for free on the CWE Program Channel on YouTube. Please give our latest episode a listen and let us know what you think by commenting on YouTube, X-Twitter, LinkedIn, Mastodon, or by email. We look forward to hearing from you!