Common Weakness Enumeration (CWE)
Common Weakness Enumeration (CWE) is a classification and categorization of common software vulnerability types. There are currently over 600 categories ranging from buffer overflows, cross-site scripting to insecure random numbers. Weaknesses are generally vulnerabilities that may consist of flaws, bugs, or other errors in hardware or software, code, design, or architecture. These vulnerabilities create potential exposure to a cyberattack. The list of CWEs is organized with a taxonomy that makes it easier to find, identify and describe these weaknesses in a way that is easily understood by the entire community.
The objective of the CWE is to eliminate vulnerabilities by identifying the most common errors made by developers and engineers so that they avoid these problems in the products and systems they build. The CWE describes weaknesses with an easily navigable taxonomy and common language, helps developers check for weaknesses in existing software and products, and more.
Sponsorship and Management of the CWE Community
The CWE is community-developed and includes participants from both industry and government. CWE is sponsored by the U.S. Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and is managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI), which is, in turn, operated by The Mitre Corporation (MITRE).
The Department of Homeland Security has a mission to secure the nation from a variety of threats. DHS has over 240,000 employees in positions that range from aviation and border security to emergency response, from cybersecurity analyst to chemical facility inspector.
CISA works with partners to defend against threats and collaborates to build a more secure and resilient infrastructure. For example, CISA leads efforts to protect the federal “.gov” domain of civilian government networks and collaborate with the private sector – the “.com” domain – to increase the security of critical networks.
The Homeland Security Act of 2002 authorized the Secretary of Homeland Security, through the Under Secretary for Science and Technology (USST), to establish one or more Federally Funded Research and Development Centers (FFRDCs). The goal of the FFRDCs is to provide an independent analysis of homeland security issues or to carry out other responsibilities under the Act. In 2009, DHS selected the MITRE Corporation to operate the Homeland Security Systems Engineering and Development Institute (HSSEDI) FFRDC. DHS established HSSEDI to serve as its primary systems engineering resource and to meet DHS-wide demand for rapid access to critical technical expertise.
MITRE is a non-profit that works in the public interest across federal, state, and local governments and industry and academia. MITRE develops innovative ideas in areas as varied as artificial intelligence, intuitive data science, quantum information science, health informatics, space security, policy, and economic expertise, trustworthy autonomy, cyber threat sharing, and cyber resilience. In addition, MITRE provides strong leadership in cybersecurity with well-known recent important innovations to include the MITRE ATT&CK matrix and much more.
The CWE List
The CWE list may be viewed or downloaded and is also searchable via https://cwe.mitre.org/index.html. It can be searched by software development, hardware design, research concepts, or other criteria.
The software development view organizes weaknesses around critical concepts used in software development, such as the software development lifecycle from design, architecture, and implementation. This view is generally helpful for architects, developers, and other related parties. In addition, it provides categories that simplify navigation, browsing, and mapping.
The hardware design view organizes weaknesses around essential concepts used in hardware design. As a result, this view maps nicely to the needs of designers and manufacturers. The hardware design view also provides a variety of categories that simplify navigation, browsing, and mapping.
The research concept view is intended to facilitate research into weaknesses and their inter-dependencies. It is organized according to abstractions of behaviors, where they appear in code or are introduced in the development life cycle.
Scoring and Examples of Weaknesses
The relative severity of weaknesses is scored using the Common Weakness Scoring System combined with a Common Weakness Risk Analysis Framework.
Hardware
- Power, clock, and reset concerns related to voltage, electrical current, temperature, clock control, and state saving/restoring
- Core and compute issues typically associated with CPUs, graphics, vision, AI, FPGA, and uControllers
Software
- Structure and validity problems
- Handler errors
- Authentication errors
- Code evaluation and injection
- Common special element manipulations
The CWE Top 25
The CWE Top 25 Most Dangerous Software Weaknesses is a community resource that identifies the most widespread and dangerous errors that lead to high-risk software vulnerabilities. The Top 25 includes those weaknesses that are easy to find and exploit. These weaknesses might enable an adversary to exfiltrate data, shut down critical applications, or completely take over a system.
For example, below is the Top 25 as of November 2021 as published on the CWE.MITRE.ORG website. For an updated list, please visit the CWE MITRE website.
| Rank | ID | Name | Score | 2020 Rank Change |
| [1] | CWE-787 | Out-of-bounds Write | 65.93 | +1 |
| [2] | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 46.84 | -1 |
| [3] | CWE-125 | Out-of-bounds Read | 24.9 | +1 |
| [4] | CWE-20 | Improper Input Validation | 20.47 | -1 |
| [5] | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 19.55 | +5 |
| [6] | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 19.54 | 0 |
| [7] | CWE-416 | Use After Free | 16.83 | +1 |
| [8] | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.69 | +4 |
| [9] | CWE-352 | Cross-Site Request Forgery (CSRF) | 14.46 | 0 |
| [10] | CWE-434 | Unrestricted Upload of File with Dangerous Type | 8.45 | +5 |
| [11] | CWE-306 | Missing Authentication for Critical Function | 7.93 | +13 |
| [12] | CWE-190 | Integer Overflow or Wraparound | 7.12 | -1 |
| [13] | CWE-502 | Deserialization of Untrusted Data | 6.71 | +8 |
| [14] | CWE-287 | Improper Authentication | 6.58 | 0 |
| [15] | CWE-476 | NULL Pointer Dereference | 6.54 | -2 |
| [16] | CWE-798 | Use of Hard-coded Credentials | 6.27 | +4 |
| [17] | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 5.84 | -12 |
| [18] | CWE-862 | Missing Authorization | 5.47 | +7 |
| [19] | CWE-276 | Incorrect Default Permissions | 5.09 | +22 |
| [20] | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 4.74 | -13 |
| [21] | CWE-522 | Insufficiently Protected Credentials | 4.21 | -3 |
| [22] | CWE-732 | Incorrect Permission Assignment for Critical Resource | 4.2 | -6 |
| [23] | CWE-611 | Improper Restriction of XML External Entity Reference | 4.02 | -4 |
| [24] | CWE-918 | Server-Side Request Forgery (SSRF) | 3.78 | +3 |
| [25] | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 3.58 | +6 |
Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.
Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.
Get started with Bugcrowd
Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.