Common Weakness Enumeration

News & Events

CWE/CAPEC Podcast: “The CWE 15th Anniversary Special”

October 14, 2021

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware.

Our fourth episode, “The CWE 15th Anniversary Special,” is a special Cybersecurity Awareness Month podcast in which we discuss the 15-year history and future of the CWE/CAPEC Program with those who made significant contributions to CWE: Bob Martin, Senior Principal Software and Supply Chain Assurance Engineer at MITRE; Joe Jarzombek, Director of Government and Critical Infrastructure Programs at Synopsys; Chris Eng, Chief Research Officer at Veracode; Chris Levendis, CWE/CAPEC Program Leader at MITRE; and Drew Buttner, Software Assurance Capability Area Lead at MITRE.

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@mitre.org. We look forward to hearing from you!

CWE/CAPEC Blog: “The Most Important CWEs and CAPECs to Pay Attention to When Building Software”

October 6, 2021

The CWE Team’s “The Most Important CWEs and CAPECs to Pay Attention to When Building Software” blog article includes 5 checks for your development process.

Read the complete article on the CWE/CAPEC Blog on Medium.

CWE/CAPEC Podcast: “All About the 2021 Top 25 Most Dangerous Software Weaknesses”

September 15, 2021

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware.

In our third episode, “All About the 2021 Top 25 Most Dangerous Software Weaknesses,” Steve Battista of the CWE/CAPEC Program interviews Rushi Purohit, who has helped lead the efforts behind the last few years' Top 25 most dangerous software weaknesses publications. We talk about the new 2021 release of this list.

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube and on other podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@mitre.org. We look forward to hearing from you!

Minutes from CWE/CAPEC Board Teleconference Meeting on August 17 Now Available

September 1, 2021

The CWE/CAPEC Board held a teleconference meeting on August 17, 2021. Read the meeting minutes.

CWE/CAPEC Podcast: “What is CAPEC, Why is It important, and How Can it Help Me?”

September 1, 2021

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware.

In our second episode, “What is CAPEC, Why is It important, and How Can it Help Me?,” Steve Battista of the CWE/CAPEC Program interviews Rich Piazza, the CAPEC Task Lead, about what Common Attack Pattern Enumeration and Classification (CAPEC™) is and the problem it aims to solve, who can benefit from CAPEC and how to leverage it, the role of the community, how CAPEC has evolved over time, and possibilities for the future.

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube and on other podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at capec@mitre.org or cwe@mitre.org. We look forward to hearing from you!

CWE Blog Article Focuses on the “Shadow Copy” Weakness

August 18, 2021

The CWE Team has posted a “Who Knows What Passwords Lurk in the Heart of Windows? The Shadow Knows!” blog article that focuses on the shadow copy weakness nicknamed “SeriousSAM” or “HiveNightmare.”

Read the complete article on the CWE/CAPEC Blog on Medium.

2021 “CWE Top 25” Now Available!

July 20, 2021

The official version of the “2021 CWE Top 25 Most Dangerous Software Weaknesses,” a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software, is now available on the CWE website.

These weaknesses are dangerous because they are often easy to find and exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that gives developers, testers, and users, as well as project managers, security researchers, and educators, insight into the most severe and current security weaknesses.

What’s Changed

The major difference between the 2020 and 2021 CWE Top 25 lists is the continued transition to more specific weaknesses as opposed to abstract class-level weaknesses.

Significant downward movement from high-level classes included CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer; CWE-94: Improper Control of Generation of Code (‘Code Injection’); CWE-269: Improper Privilege Management; and CWE-732: Incorrect Permission Assignment for Critical Resource.

With the relative decline of class-level weaknesses, more specific CWEs have moved higher up in the rankings, such as CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’); CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’); CWE-434: Unrestricted Upload of File with Dangerous Type; CWE-306: Missing Authentication for Critical Function; CWE-502: Deserialization of Untrusted Data; CWE-862: Missing Authorization; and CWE-276: Incorrect Default Permissions.

Leveraging Real-World Data

To create the 2021 list, the CWE Team used a data-driven approach that leverages published Common Vulnerabilities and Exposures (CVE®) data and related CWE mappings found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each of the CVEs. A scoring formula was then applied to determine the level of prevalence and danger each weakness presents.

The 2021 CWE Top 25 leverages NVD data from the years 2019 and 2020, which consists of approximately 32,500 CVEs that are associated with a weakness. A scoring formula is used to calculate a ranked order of weaknesses which combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen.
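As an added worked example, not code from the CWE Program or data from NVD, the ranking described above run over a handful of constructed CVE records. It assumes the two normalized factors are multiplied and scaled to 100 (score = Fr × Sv × 100), which is the form documented on the CWE Top 25 methodology page; this announcement only says they are combined. The CVE IDs, mappings and CVSS values are invented for illustration, and records whose only NVD mapping is the placeholder NVD-CWE-noinfo or NVD-CWE-Other are dropped, matching the note that only CVEs associated with a weakness are counted.

```python
"""Added example (not CWE Program code): the CWE Top 25 ranking formula
applied to constructed sample records."""
from collections import defaultdict
from statistics import mean

# Constructed sample "NVD" records: (CVE ID, mapped CWE ID, CVSS base score).
# IDs and scores are invented for illustration; they are not real CVE Records.
SAMPLE_RECORDS = [
    ("CVE-0000-0001", "CWE-79", 6.1),
    ("CVE-0000-0002", "CWE-79", 5.4),
    ("CVE-0000-0003", "CWE-79", 6.1),
    ("CVE-0000-0004", "CWE-79", 4.3),
    ("CVE-0000-0005", "CWE-787", 9.8),
    ("CVE-0000-0006", "CWE-787", 8.8),
    ("CVE-0000-0007", "CWE-787", 7.8),
    ("CVE-0000-0008", "CWE-78", 9.8),
    ("CVE-0000-0009", "CWE-78", 9.8),
    ("CVE-0000-0010", "CWE-200", 5.3),
    ("CVE-0000-0011", "NVD-CWE-noinfo", 7.5),   # no usable weakness mapping
    ("CVE-0000-0012", "NVD-CWE-Other", 7.5),    # no usable weakness mapping
]

# NVD placeholder labels that name no weakness; such CVEs are not counted.
NO_WEAKNESS = {"NVD-CWE-noinfo", "NVD-CWE-Other"}


def normalize(value, lo, hi):
    """Min-max scale value into [0, 1]; 0.0 when every value is identical."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_weaknesses(records):
    """Return {CWE ID: score}. Assumption: score = Fr * Sv * 100, the
    multiplicative form on the Top 25 methodology page (not stated here)."""
    counts = defaultdict(int)          # how often each CWE is the root cause
    cvss_by_cwe = defaultdict(list)    # CVSS scores of the CVEs mapped to it
    for _cve, cwe, cvss in records:
        if cwe in NO_WEAKNESS:
            continue
        counts[cwe] += 1
        cvss_by_cwe[cwe].append(cvss)
    avg_cvss = {cwe: mean(v) for cwe, v in cvss_by_cwe.items()}
    lo_f, hi_f = min(counts.values()), max(counts.values())
    lo_s, hi_s = min(avg_cvss.values()), max(avg_cvss.values())
    scores = {}
    for cwe in counts:
        fr = normalize(counts[cwe], lo_f, hi_f)     # frequency, normalized
        sv = normalize(avg_cvss[cwe], lo_s, hi_s)   # projected severity, normalized
        scores[cwe] = round(fr * sv * 100, 2)
    return scores


def rank(records):
    """Ranked list of (CWE ID, score), highest first; ties broken by ID."""
    return sorted(score_weaknesses(records).items(),
                  key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank(SAMPLE_RECORDS), 1):
        print(f"{position:2d}. {cwe:<8} {score:6.2f}")
```

Two properties of the formula show up even in this toy set: a weakness that is both the least frequent and the least severe scores exactly 0 (CWE-200 here), and a very common but low-severity weakness (CWE-79 here) is pushed far down by the severity factor. What the toy does not model is the remapping work described under “What’s Changed”: moving NVD mappings from class-level entries such as CWE-119 to more specific children shifts the frequency counts, which is what drives the class-level entries down the list.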

For more detailed information including methodology, rankings, scoring, and refined mappings, visit the CWE Top 25 page.

Feedback Welcome

Please send any feedback or questions to the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or contact us directly.

CWE Version 4.5 Now Available

July 20, 2021

CWE Version 4.5 has been posted on the CWE List page to add support for the recently released “2021 CWE Top 25 Most Dangerous Software Weaknesses” list, among other updates.

A detailed report is available that lists specific changes between Version 4.4 and Version 4.5.

Main Changes:

CWE 4.5 includes the addition of 1 new view to support the release of the 2021 CWE Top 25, 3 new software weaknesses, and 1 new hardware weakness. In addition, there were many updates related to randomness.

The schema was updated from v6.4 to v6.5 to make the Content_History element required on all top-level elements (Views, Categories, and Weaknesses) and add “Rust” to the LanguageNameEnumeration, which is used in the Applicable_Platform and Demonstrative_Example elements in Weaknesses. In addition, several CWE entries now use <img> tags to include images, such as CWE-1339 and CWE-1256. These tags are valid for earlier schema versions, but they might require a change in functionality for programs that render the XML. View the schema difference report for details.

One new view added:

Three new software weaknesses added:

One new hardware weakness added:

Summary:

There are 922 weaknesses and a total of 1,343 entries on the CWE List.

Changes for the new version include the following:

New Views Added: 1
Views Deprecated: 0
New Entries Added: 4
Entries Deprecated: 0
Entries with Major Changes: 139
Entries with only Minor Changes: 2
Entries Unchanged: 1,197

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.4_v4.5.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

CWE/CAPEC Program Launches New Podcast!

July 16, 2021

The CWE/CAPEC Program’s new “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware.

In our first-ever episode, Steve Battista of the CWE/CAPEC Program interviews Steve Christey Coley, the CWE/CAPEC Program Technical Lead, about what Common Weakness Enumeration (CWE™) is and the problem it aims to solve, who can benefit from CWE and how to leverage it, the role of the community, how CWE has evolved over time, and possibilities for the future.

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube and on the CWE website as an MP3. Other podcast platforms coming soon.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@mitre.org. We look forward to hearing from you!

CWE Blog Article Discusses the “Integer Overflow or Wraparound” Weakness

July 15, 2021

The CWE Team has posted a “Buffett Overflow: Integer Overflow in Berkshire Hathaway Stock” blog article about CWE-190: Integer Overflow or Wraparound, in which “software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.”

Read the complete article on the CWE/CAPEC Blog on Medium.

CWE Blog Article Focuses on the Two Weaknesses that Led to an Apple iOS 0 day

July 1, 2021

The CWE Team has posted an “Inconsistent reading of XML leading to an Apple iOS 0 day” blog article about how a weakness is sometimes not in a specific piece of code or executable but in how multiple executables interpret the same inputs, which can cause them to behave differently.

Read the complete article on the CWE/CAPEC Blog on Medium.

CWE Blog Article Discusses Spectre Mitigation for Developers, Technical Staff, and Leadership

June 17, 2021

The CWE Team has posted a “Once theoretical, the practical implementation of Spectre haunts web applications” blog article about the still looming and practical threat of Spectre and its side-channel attack, along with Spectre mitigation advice for developers, technical staff, and leadership.

Read the complete article on the CWE/CAPEC Blog on Medium.

CWE Mappings Included in “2021 Top 20 Secure PLC Coding Practices List”

June 17, 2021

The CWE Program is pleased to have participated in a first-of-its-kind, community-driven effort to capture best practices for coding on Programmable Logic Controllers (PLCs). Each entry on the “2021 Top 20 Secure PLC Coding Practices List” maps its practices to their underlying root-cause weaknesses (CWEs).

According to the PLC Security website, “The aim of this project is to provide guidelines to engineers that are creating software (ladder logic, function charts etc.) to help improve the security posture of Industrial Control Systems. These practices leverage natively available functionality in the PLC/DCS. Little to no additional software tools or hardware is needed to implement these practices. They can all be fit into the normal PLC programming and operating workflow. More than security expertise, good knowledge of the PLCs to be protected, their logic, and the underlying process is needed for implementing these practices.”

The CWE Program shares a common goal with the Top 20 Secure PLC Coding Practices project to help stop vulnerabilities at the source and prevent them from ever showing up in production code. We encourage you to leverage the Top 20 Secure PLC Coding Practices, and avoid their underlying CWEs, when programming PLCs.

Join the CWE/CAPEC User Experience Working Group!

June 10, 2021

Interested in working to improve the way we present weaknesses and attack patterns? Join the new CWE/CAPEC User Experience Working Group that will meet every two weeks to strategize and develop solutions for optimizing content and educating users.

To join or learn more, direct message us on Twitter at @cwecapec or email us at cwe@mitre.org.

Minutes from CWE/CAPEC Board Teleconference Meeting on May 18 Now Available

May 26, 2021

The CWE/CAPEC Board held a teleconference meeting on May 18, 2021. Read the meeting minutes.

CWE Blog Article Offers Possible Solutions for Avoiding the “Double Free” Weakness

May 19, 2021

The CWE Team has posted a “If You Love Something, Set It Free — But Only Once” blog article that offers possible solutions for avoiding the Double Free weakness.

Read the complete article on the CWE/CAPEC Blog on Medium.

CWE/CAPEC Program Launches YouTube Channel

May 12, 2021

The CWE/CAPEC Program is now on YouTube!

Our new CWE/CAPEC Channel on YouTube currently includes several videos about the CWE Compatibility program from the “CWE Compatibility Program Vendor Summit 2021.”

Please check out the videos and let us know what you think by commenting on YouTube. We look forward to hearing from you!

CWE Blog Article Focuses on Avoiding Uncontrolled Search Path Weaknesses

May 6, 2021

The CWE Team has posted a “Why Your Build Chain Might Be Installing Random Packages” blog article that discusses how to avoid the Uncontrolled Search Path Element weakness.

Read the complete article on the CWE/CAPEC Blog on Medium.

CWE Is Main Topic of Riscure Webinar

April 29, 2021

CWE/CAPEC team lead Alec Summers presented a Riscure Webinar entitled “Common Weakness Enumeration (CWE): A Common Language for Software and Hardware Design Weaknesses.”

CWE Blog Article Focuses on Preventing Hardware Weaknesses

April 21, 2021

The CWE Team has posted an “Addressing Thunderspy, One Weakness at A Time” blog article that discusses how incorporating security into hardware design and implementation can prevent weaknesses that could lead to future vulnerabilities.

Read the complete article on the CWE/CAPEC Blog on Medium.

CWE Blog Article Focuses on How the Mitigation for One Weakness Can Introduce Another Weakness

April 6, 2021

The CWE Team has posted a “When Mitigations Have Their Own Weaknesses” blog article that also discusses how future issues can be reduced by testing across multiple weakness types.

Read the complete article on the CWE/CAPEC Blog on Medium.

Guidance for Mapping CVEs to CWEs Now Available

March 25, 2021

Guidance for mapping vulnerabilities to weaknesses is now available on the “CVE → CWE Mapping Guidance” page on the CWE website. Vendors and researchers who produce or analyze CVE Records can use this guidance to better align newly discovered vulnerabilities (i.e., CVE Records) to their respective, underlying weaknesses (i.e., CWE Entries).

This guidance is informed by two years of experience in analyzing and mapping thousands of CVE Records in NIST’s National Vulnerability Database (NVD) to CWEs for calculating the annual CWE Top 25 list. By aligning CVE Records to the most applicable CWE Entries, the community will be better positioned to mitigate or eliminate the associated operational risk.

Guidance

The new guidance provides an overview of CWE, a section of helpful resources with a refresher on CWE Entry structure, and offers five different mapping methodologies that can be used on the CWE website to help identify appropriate weakness mappings for CVE Records:

  • Keyword Search – via CWE ID (if known) or keywords.
  • “CWE View-1003: Weaknesses for Simplified Mapping of Published Vulnerabilities” – a hierarchical subset covering the CWEs most commonly mapped from CVE Records.
  • Other Useful Hierarchical Views – via “CWE View-1000: Research Concepts,” “CWE View-699: Software Development,” and “CWE View-1194: Hardware Design,” each of which is targeted at a specific hierarchical subset of CWEs.
  • Relationship Graph Visualizations in PDF Format – each of which includes only CWE names but can be useful in quickly seeing closely related issues.
  • Keyword Scraper – a CWE Program-developed script that parses NVD’s CVE descriptions for keywords; it is expected to be made available to the public in the near future. Meanwhile, vendors and researchers can create their own customized scripts/tools to fit their specific needs using the suggestions in the Keyword Scraper section.

A mapping cheat sheet and mapping examples are also included.
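One shape such a customized script can take, shown here as an added example that is not the CWE Program’s Keyword Scraper: a table of regular expressions over CVE description text, each suggesting a CWE ID, applied to a batch of records. The rule table, the CVE IDs and the descriptions below are constructed for illustration; the CWE IDs they point at are real entries, but which keywords should imply which entry is a judgment the script’s owner has to make and revisit.

```python
"""Added example (not the CWE Program's Keyword Scraper): suggest candidate
CWE IDs for CVE descriptions from a table of keyword regexes."""
import re

# Hypothetical rule table: (regex over the description, CWE ID it suggests).
# Ordered roughly from more to less specific; extend or reorder to taste.
KEYWORD_RULES = [
    (r"\b(?:os |shell )?command injection\b|\barbitrary (?:os |shell )?commands?\b", "CWE-78"),
    (r"\b(?:path|directory) traversal\b|\.\./", "CWE-22"),
    (r"\bcross[- ]site scripting\b|\bxss\b", "CWE-79"),
    (r"\bsql injection\b", "CWE-89"),
    (r"\bdeserializ", "CWE-502"),
    (r"\binteger overflow\b|\bwraparound\b", "CWE-190"),
    (r"\bdouble[- ]free\b", "CWE-415"),
    (r"\bmissing authentication\b|\bwithout (?:any )?authentication\b", "CWE-306"),
    (r"\bmissing authorization\b|\bauthorization checks?\b", "CWE-862"),
    (r"\bupload\b.{0,40}\b(?:arbitrary|dangerous|executable) files?\b", "CWE-434"),
    (r"\bdefault permissions?\b|\bworld[- ]writable\b", "CWE-276"),
    (r"\b(?:dll|search[- ]path) hijack", "CWE-427"),
]
COMPILED_RULES = [(re.compile(p, re.IGNORECASE), cwe) for p, cwe in KEYWORD_RULES]


def suggest_cwes(description):
    """Return candidate CWE IDs in rule order, without duplicates."""
    hits = []
    for rx, cwe in COMPILED_RULES:
        if rx.search(description) and cwe not in hits:
            hits.append(cwe)
    return hits


def scrape(cve_descriptions):
    """Map each CVE ID to its candidate list; an empty list means no keyword
    fired and the record needs manual analysis."""
    return {cve: suggest_cwes(text) for cve, text in cve_descriptions.items()}


# Constructed sample descriptions; these are not real CVE Records.
SAMPLE_CVES = {
    "CVE-0000-1001": "A path traversal in the download handler allows an "
                     "unauthenticated attacker to read ../../etc/passwd.",
    "CVE-0000-1002": "The admin API deserializes untrusted Java objects, leading "
                     "to remote code execution via OS command injection.",
    "CVE-0000-1003": "Memory corruption due to a double free in the image parser.",
    "CVE-0000-1004": "An issue was discovered in the product. Crafted input "
                     "causes a crash.",
}

if __name__ == "__main__":
    for cve, cwes in scrape(SAMPLE_CVES).items():
        print(cve, ", ".join(cwes) if cwes else "no keyword hit: manual review")
```

The output is a list of candidates, not a mapping: a record like the second sample fires two rules, and the guidance above is what decides whether the root cause is the deserialization or the command injection it leads to. Descriptions like the fourth sample, which name a consequence (“a crash”) but no weakness, produce no hit at all; in practice that is the common case, and it is why the guidance pairs the scraper with the View-1003 subset and the other views rather than treating keyword output as final.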

Feedback Welcome

Please contact us with any comments or concerns about this guidance. We look forward to hearing from you!

CWE Blog Article Focuses on How Mapping Vulnerabilities to Weaknesses Can Help Prevent Future Vulnerabilities

March 25, 2021

The CWE Team has posted a “Slowing down with sudo or (The importance of accurately mapping vulnerabilities to weaknesses)” blog article about the benefits of mapping vulnerabilities to weaknesses.

Read the complete article on the CWE/CAPEC Blog on Medium.

Minutes from CWE/CAPEC Board Teleconference Meeting on February 10 Now Available

March 19, 2021

The CWE/CAPEC Board held a teleconference meeting on February 10, 2021. Read the meeting minutes.

CWE Version 4.4 Now Available

March 15, 2021

CWE Version 4.4 has been posted on the CWE List page to add 1 new View, CWE Entries with Maintenance Notes, which assessment vendors may use to anticipate future changes to CWE and help their customers prepare for those changes; 2 new Software Development Weakness entries: Generation of Weak Initialization Vector (IV) and Inefficient Regular Expression Complexity; as well as updates to 244 other entries. A detailed report is available that lists specific changes between Version 4.3 and Version 4.4.

The CWE Content Team conducted in-depth research and analysis in the following areas:

  • Hardware: identified overlapping/duplicate issues, which will need community consultation to resolve. Also investigating a different way to organize entries besides the hardware view (CWE-1194), and adding Functional_Area elements related to Power and Clock.
  • Cryptography/randomness subtree analysis (CWE-330): the team began investigating how to describe randomness, entropy, and unpredictability in a consistent way and created a new Base (CWE-1204) prompted by community feedback about CWE-329. More changes for randomness are planned, and the CWE research community will be consulted for important decisions.
  • Root cause analysis for access of uninitialized memory: this led to updates to several entries, with more demonstrative and observed examples, and identified the need to clarify differences between CWE-456 and CWE-457, and possibly deprecate CWE-456 in the future.
  • Maintenance view: created new maintenance view (CWE-1081) to make it easier for CWE users to anticipate future changes. Reviewed and updated maintenance notes for over 130 entries.
  • Content checks: improved checks for invalid or inconsistent content, such as relationship gaps (e.g., a Class being a parent of a Variant), incorrect relationships (e.g., a Weakness that is a “ChildOf” a category), or entries where more than one relationship is labeled “Primary”. This work will be ongoing.
  • Consistency: phrasing of mitigations was made more consistent. This work will be ongoing, in collaboration with the Common Attack Pattern Enumeration and Classification (CAPEC™) Team.
  • SEI CERT Perl secure coding view (CWE-1178): added member weaknesses to categories.

Summary:

There are 918 weaknesses and a total of 1,338 entries on the CWE List.

Changes for the new version include the following:

New Views Added: 1
New Entries Added: 3
Entries Deprecated: 0
Entries with Major Changes: 241
Entries with only Minor Changes: 3
Entries Unchanged: 1,091

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.3_v4.4.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

Thank you to all who participated in the CWE Compatibility Program Vendor Summit 2021!

March 15, 2021

The CWE Program would like to thank everyone who participated in the CWE Compatibility Program Vendor Summit on March 11, 2021. The event included great discussions from multiple viewpoints on topics important to CWE and the CWE Compatibility Program.

Special thanks to our panelists:

  • Customer Perceptions – Chris Eng, Veracode and Joe Jarzombek, Synopsys
  • Understanding CWE – Alexander Hoole, MicroFocus and Djenana Campara, KDM Analytics
  • CWE Mappings – Amy Gale, GrammaTech and Nick Tait, Red Hat
  • CWE Top 25 – Jeremy Bellay, Battelle and Chris Turner, NIST
  • Expanding Offerings – James Croall, Synopsys and Arthur Hicken, Parasoft

There was a tremendous amount of insight and thoughtful comments from the day that the CWE Team is distilling and developing into materials to share for follow-up engagement with the community. In the meantime, please help us continue the discussion by following us on @cwecapec on Twitter, the CWE page on LinkedIn, the CWE Blog, the CWE discussion lists, or by email. We look forward to hearing from you!

Event Agenda Now Available for the CWE Compatibility Program Vendor Summit 2021 on March 11

March 2, 2021

The event agenda for the CWE Compatibility Program Vendor Summit on March 11, 2021 from 10:30 a.m. - 4:30 p.m. (EST) is now available.

The focus areas for this event will be program improvements, education and awareness, and CWE modernization. Attendees will have the opportunity to participate in subsequent discussions around the following topics and more:

  • Assessing CWE offerings
  • MITRE’s vision for the program
  • Customer perceptions
  • Clarity around CWE’s purpose
  • CWE Mappings
  • CWE Top 25

If you haven’t registered, there’s still space so register today!


CWE Compatibility Program Vendor Summit 2021 — Registration Now Open!

February 24, 2021

Registration for this year’s CWE Compatibility Program Vendor Summit is now open! Participants in this free virtual event will have the opportunity to provide feedback on how CWE and the CWE Compatibility Program are working for them and their customers.

An agenda for the summit, which will be held on March 11, 2021 from 10:30 a.m. - 4:30 p.m. (EST), will be available soon. Register today!


“Make Hardware Strong With CWE” Article on Semiconductor Engineering

January 15, 2021

Use of CWE for hardware is encouraged in a December 9, 2020 article entitled “Make Hardware Strong With CWE” on Semiconductor Engineering.

In the article, the author defines what a hardware weakness is, explains why addressing them is imperative to hardware security, and describes how CWE for hardware helps. The author states: “Weaknesses could be introduced during any stage of the ASIC and FPGA hardware development process, including pre-silicon phases such as RTL coding, integrations of third-party intellectual properties (3PIPs), synthesis, place-and-route, and bitstream generation ... Unfortunately, when it comes to security weaknesses, the issues and consequences get even worse. Professional hackers, security researchers, and other very smart and creative people continuously try to find ways to breach security protections … Ultimately, one or more weaknesses may cause a vulnerability that is exploited by attackers to violate system security policies.”

The author describes the need for CWE for hardware, as follows: “Security requirements and assurance processes must be an integral part of all these applications’ hardware development life cycle ... CWE provides a common language and list of targets for IP and integrated circuit (IC) developers, and electronic design automation (EDA) tool vendors.”

Page Last Updated: October 14, 2021