
MITRE has published the 2022 CWE Top 25 Most Dangerous Software Weaknesses. Organizations can use the list to assess their internal infrastructure, prioritize code review and testing, and get a clearer picture of their attack surface.
MITRE built the 2022 CWE Top 25 from the Common Vulnerabilities and Exposures (CVE) data in NIST's National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) score attached to each vulnerability. It also cross-referenced the CVE Records against the CISA Known Exploited Vulnerabilities (KEV) Catalog (the "KEV Count" column in the table below) and applied a formula that scores each weakness on two factors: how often it is the root cause of a CVE (prevalence) and the average CVSS severity of those CVEs.
The dataset MITRE analyzed to calculate the 2022 Top 25 contained 37,899 CVE Records from the previous two calendar years (2020 and 2021).
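The scoring formula is worth seeing in action, because the ranking is not a simple frequency count. MITRE's published CWE Top 25 methodology normalizes each weakness's CVE count (Fr) and its average CVSS score (Sv) to the 0..1 range across all weaknesses, then multiplies them: Score = Fr * Sv * 100. The following Python is an added example (not MITRE's code) that applies that formula to a constructed, entirely fictitious set of CVE records and KEV entries; the CVE identifiers, CVSS scores and KEV membership below are made up for illustration.

```python
"""Worked example of the CWE Top 25 scoring formula (added example, not MITRE's code)."""
from collections import defaultdict
from statistics import mean

# Constructed sample data: (CVE id, root-cause CWE, CVSS base score).
# These identifiers and scores are fictitious and exist only for this example.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-787", 9.8),
    ("CVE-0000-0002", "CWE-787", 9.8),
    ("CVE-0000-0003", "CWE-787", 8.8),
    ("CVE-0000-0004", "CWE-787", 9.8),
    ("CVE-0000-0005", "CWE-79", 6.1),
    ("CVE-0000-0006", "CWE-79", 5.4),
    ("CVE-0000-0007", "CWE-79", 6.1),
    ("CVE-0000-0008", "CWE-79", 5.4),
    ("CVE-0000-0009", "CWE-79", 7.5),
    ("CVE-0000-0010", "CWE-89", 9.8),
    ("CVE-0000-0011", "CWE-89", 9.8),
    ("CVE-0000-0012", "CWE-200", 4.3),
]

# Constructed stand-in for the CISA KEV catalog: the CVE ids known to be exploited.
SAMPLE_KEV = {"CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0010"}


def _normalize(value, low, high):
    """Min-max scale `value` into 0..1; degenerate ranges score 0."""
    return 0.0 if high == low else (value - low) / (high - low)


def score_weaknesses(records):
    """Return {cwe_id: score} using the CWE Top 25 formula.

    Fr(X) = (count(X) - min_count) / (max_count - min_count)
    Sv(X) = (avg_cvss(X) - min_avg) / (max_avg - min_avg)
    Score = Fr(X) * Sv(X) * 100, rounded to two decimals as in the published list.
    """
    counts = defaultdict(int)
    cvss_by_cwe = defaultdict(list)
    for _cve, cwe, base_score in records:
        counts[cwe] += 1
        cvss_by_cwe[cwe].append(base_score)

    avg_cvss = {cwe: mean(scores) for cwe, scores in cvss_by_cwe.items()}
    min_count, max_count = min(counts.values()), max(counts.values())
    min_avg, max_avg = min(avg_cvss.values()), max(avg_cvss.values())

    return {
        cwe: round(
            _normalize(counts[cwe], min_count, max_count)
            * _normalize(avg_cvss[cwe], min_avg, max_avg)
            * 100,
            2,
        )
        for cwe in counts
    }


def rank_weaknesses(scores):
    """Order weaknesses by descending score; ties broken by CWE id for stability."""
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


def kev_counts(records, kev_ids):
    """Informational column: how many CVEs per CWE appear in the (constructed) KEV set."""
    counts = defaultdict(int)
    for cve, cwe, _base_score in records:
        counts[cwe] += 1 if cve in kev_ids else 0
    return dict(counts)


if __name__ == "__main__":
    scores = score_weaknesses(SAMPLE_CVES)
    kev = kev_counts(SAMPLE_CVES, SAMPLE_KEV)
    print("Rank | ID | Score | KEV Count")
    for position, (cwe, score) in enumerate(rank_weaknesses(scores), start=1):
        print(f"{position} | {cwe} | {score:.2f} | {kev[cwe]}")
```

Run as a script, the sample ranks CWE-787 first even though CWE-79 has more records: CWE-79's low average CVSS drags its severity factor down, while CWE-787 combines a high count with a high average. The least frequent weakness (CWE-200 here) always scores 0 because its normalized frequency is 0, which is exactly why low-volume but severe classes can sit far down the real list. The KEV count is computed separately and only annotates the table; it does not feed the score.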
Upward Movers List:
- CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)): from #33 to #22
- CWE-94 (Improper Control of Generation of Code (‘Code Injection’)): from #28 to #25
- CWE-400 (Uncontrolled Resource Consumption): from #27 to #23
- CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #25 to #17
- CWE-476 (NULL Pointer Dereference): from #15 to #11
Downward Movers List:
- CWE-306 (Missing Authentication for Critical Function): from #11 to #18
- CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): from #20 to #33
- CWE-522 (Insufficiently Protected Credentials): from #21 to #38
- CWE-732 (Incorrect Permission Assignment for Critical Resource): from #22 to #30
New Entries to the Top 25:
- CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)): from #33 to #22
- CWE-94 (Improper Control of Generation of Code (‘Code Injection’)): from #28 to #25
- CWE-400 (Uncontrolled Resource Consumption): from #27 to #23
Dropped Out of the Top 25:
- CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): from #20 to #33
- CWE-522 (Insufficiently Protected Credentials): from #21 to #38
- CWE-732 (Incorrect Permission Assignment for Critical Resource): from #22 to #30
| Rank | ID | Name | Score | KEV Count (CVEs) | Rank Change vs. 2021 |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | 64.20 | 62 | 0 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.97 | 2 | 0 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 22.11 | 7 | +3 |
| 4 | CWE-20 | Improper Input Validation | 20.63 | 20 | 0 |
| 5 | CWE-125 | Out-of-bounds Read | 17.67 | 1 | -2 |
| 6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 17.53 | 32 | -1 |
| 7 | CWE-416 | Use After Free | 15.50 | 28 | 0 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.08 | 19 | 0 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | 0 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56 | 6 | 0 |
| 11 | CWE-476 | NULL Pointer Dereference | 7.15 | 0 | +4 |
| 12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | +1 |
| 13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | -1 |
| 14 | CWE-287 | Improper Authentication | 6.35 | 4 | 0 |
| 15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | +1 |
| 16 | CWE-862 | Missing Authorization | 5.53 | 1 | +2 |
| 17 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 5.42 | 5 | +8 |
| 18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | -7 |
| 19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85 | 6 | -2 |
| 20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | -1 |
| 21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | +3 |
| 22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 3.57 | 6 | +11 |
| 23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | +4 |
| 24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | -1 |
| 25 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 3.32 | 4 | +3 |