DATASHEET

CWE Weakness Enforcement (2023)

ENFORCEMENT FOR KW 2024.2

CWE enforcement is measured against defined lists of weaknesses. Not every weakness on a list applies to every language, so a "No" in the table below can mean either that the weakness is not relevant to that language (for example, the memory-safety weaknesses listed for Java) or that it is relevant but not enforced for that language in this release.

2023 CWE Top 25 Most Dangerous Software Weaknesses

https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html

| Rank | CWE ID | Description | Enforced C/C++ | Enforced C# | Enforced Java |
|------|--------|-------------|----------------|-------------|---------------|
| 1 | CWE-787 | Out-of-bounds Write | Yes | Yes | No |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Yes | Yes | Yes |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Yes | Yes | Yes |
| 4 | CWE-416 | Use After Free | Yes | Yes | No |
| 5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Yes | Yes | Yes |
| 6 | CWE-20 | Improper Input Validation | Yes | Yes | Yes |
| 7 | CWE-125 | Out-of-bounds Read | Yes | Yes | No |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes | Yes | Yes |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | No | Yes | Yes |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | No | No | Yes |
| 11 | CWE-862 | Missing Authorization | No | Yes | Yes |
| 12 | CWE-476 | NULL Pointer Dereference | Yes | Yes | Yes |
| 13 | CWE-287 | Improper Authentication | Yes | No | Yes |
| 14 | CWE-190 | Integer Overflow or Wraparound | Yes | Yes | Yes |
| 15 | CWE-502 | Deserialization of Untrusted Data | No | Yes | Yes |
| 16 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | Yes | No | No |
| 17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Yes | Yes | No |
| 18 | CWE-798 | Use of Hard-coded Credentials | Yes | No | No |
| 19 | CWE-918 | Server-Side Request Forgery (SSRF) | No | No | Yes |
| 20 | CWE-306 | Missing Authentication for Critical Function | No | No | Yes |
| 21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | Yes | No | No |
| 22 | CWE-269 | Improper Privilege Management | Yes | Yes | Yes |
| 23 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | Yes | Yes | Yes |
| 24 | CWE-863 | Incorrect Authorization | No | No | No |
| 25 | CWE-276 | Incorrect Default Permissions | Yes | No | No |