Common Weakness Enumeration

2024 “On the Cusp” Weaknesses Insights

The 2024 CWE Top 25 Most Dangerous Software Weaknesses list is a practical and convenient resource to help mitigate software security risk. But the complete dataset analyzed had 128 total weaknesses that were recorded, analyzed, and ranked. Beyond the Top 25, those performing mitigation and risk decision-making should consider these additional “On-the-Cusp” weaknesses in their efforts as they too can become severe, exploitable vulnerabilities under the right conditions.

Analysis

The On-the-Cusp list comprises CWEs ranked in positions 26-40, per the 2024 CWE Top 25 Methodology. These CWEs continue to be prevalent and the root cause of vulnerabilities severe enough to raise concern.

Five CWEs have increased in rank to move them into this year’s On the Cusp list:

• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (up from #47 to #28)
• CWE-532: Insertion of Sensitive Information into Log File (up from #45 to #31)
• CWE-203: Observable Discrepancy (up from #51 to #37)
• CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') (up from #46 to #39)
• CWE-312: Cleartext Storage of Sensitive Information (up from #43 to #40)

Two CWEs that were on the 2023 CWE Top 25 list dropped to the 2024 On-the-Cusp list:

• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (down from #21 to #34)
• CWE-276: Incorrect Default Permissions (down from #25 to #36)

Five CWEs that were on the 2023 On-the-Cusp list dropped out of this year’s On-the-Cusp list altogether (dropping to a position below the rank 40):

• CWE-617: Reachable Assertion (down from #26 to #59)
• CWE-611: Improper Restriction of XML External Entity Reference (down from #28 to #43)
• CWE-295: Improper Certificate Validation (down from #34 to #41)
• CWE-401: Missing Release of Memory after Effective Lifetime (down from #36 to #48)
• CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (down from #33 to #67)

Mapping Usage

There were 2,042 individual vulnerability mappings to the 2024 “On-the-Cusp” CWEs in this year’s list.

Every CWE is annotated with a “mapping usage recommendation” that suggests whether the CWE should be used for vulnerability root cause mapping given its level of abstraction and actionability.

The CWEs in the 2024 On-the-Cusp list had the following mapping usage recommendations:

• 10 Allowed -> 1,325 maps (64.89% of all Cusp mappings)
• 3 Allowed-with-Review -> 394 maps (19.29%)
• 2 Discouraged -> 323 maps (15.82%)

In contrast, last year’s 2023 On-the-Cusp list had the following mapping usage recommendations from 3,416 individual mappings:

• 10 Allowed -> 2,261 maps (66.19% of all 2023 On-the-Cusp mappings)
• 2 Allowed-with-Review -> 440 maps (12.88%)
• 3 Discouraged -> 715 maps (20.93%)

Abstraction

CWE contains over 900 weaknesses that range from abstract and conceptual to precise and technology- or language-specific. A precise weakness will have a “parent” weakness that is more abstract, which may also have “parent” weaknesses, and so on. There are four types of weakness abstractions, from most abstract to most specific: Pillar, Class, Base, and Variant.

For root cause mapping, CWE’s root cause mapping guidance recommends that Base and Variant level CWEs should be used whenever possible to ensure providing adequate specificity, actionability, and root cause information for a vulnerability. Class level CWEs may be used for root cause mapping if there is no accurate Base or Variant level CWE.

Number of CWEs per level of abstraction (2024 On-the-Cusp):

• 10 Bases with 1,325 maps (64.89%)
• 5 Classes with 717 maps (35.11%)

Number of CWEs per level of abstraction (2023 On-the-Cusp):

• 2 Variants with 374 maps (10.95%)
• 8 Bases with 1,887 maps (55.24%)
• 5 Classes with 1,155 maps (33.81%)

Possible Factors in Ranking Shifts

As described in the Top 25 Insights, the introduction of a new methodology likely changed many rankings compared to last year’s list. In previous years, CWE Team members attempted to re-analyze all CVEs with mappings to high-level classes (such as CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')) or clear keyword matches (suggesting mappings to more specific weaknesses such as CWE-617: Reachable Assertion or CWE-401: Missing Release of Memory after Effective Lifetime). CWE Team members often changed such mappings to more accurate, precise CWE IDs. The lack of chain analysis also may have contributed to the decline in some CWEs such as CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition').

There may be other factors unrelated to the methodology changes, such as improvements in tooling or other methods for detecting certain weaknesses, researchers prioritizing the investigation of some weaknesses over others, changes in CWE mapping practices, and the increase in certain weaknesses being introduced.