Common Weakness Enumeration is a freely accessible list of typical vulnerabilities in software and hardware. It categorizes vulnerabilities and serves as a basis and common language for identifying security-related weaknesses. The list is maintained by the community and published by the MITRE Corporation. A top 25 list of the 25 most significant vulnerabilities are published periodically.
What is CWE (Common Weakness Enumeration)?
CWE is the abbreviation for Common Weakness Enumeration. It is a community-maintained listing of various types of vulnerabilities in software and hardware published by the MITRE Corporation. The vulnerabilities are categorized and given uniquely identifiable IDs. As a result, the list forms a basis and universal language for identifying, describing, preventing and remediating typical software and hardware vulnerabilities.
MITRE Corporation has maintained the list, which is freely accessible via the Internet, since 2006. The current version of the list is version 4.3 and contains over 900 vulnerabilities. Among them are vulnerabilities such as buffer overflows, cross-site scripting, hard-coded passwords or insecure random numbers.
Common Weakness Enumeration can be used, for example, for vulnerability analyses in newly developed software, for security tests or to prevent risks in the use of hardware and software. Large companies such as Apple and Microsoft belong to the Common Weakness Enumeration community.
The goals of the Common Weakness Enumeration.
The most important goal of the Common Weakness Enumeration is to prevent the typical errors and weaknesses in hardware and software by listing the vulnerabilities even before the affected products come into circulation. Security analysts, programmers, or developers can take the list and use it for their work.
Vulnerabilities can be described and discussed in a generally accepted language. In addition, the list provides not only descriptions of the typical weaknesses but also sample solutions and conceptual approaches on how to fix them.
Some example weaknesses of Common Weakness Enumeration
To better understand Common Weakness Enumeration, below are some example vulnerabilities from the 900+ entry long list. Each vulnerability is assigned a unique ID in the form of “CWE-IDXY”.
- CWE-19: Data handling
- CWE-121: Stack-based buffer overflow
- CWE-229: Improper Handling of Values
- CWE-303: Incorrect Implementation of Authentication Algorithm
- CWE-494: Download of Code without Integrity Check
- CWE-532: Information Exposure through Log Files
- CWE-640: Weak Password Recovery Mechanism
- CWE-760: Use of a One-Way Hash with a Predictable Salt
- CWE-835: Loop with Unreachable Exit Condition (Infinite Loop)
- CWE-912: Hidden Functionality (Backdoor)
The list is freely available on the MITRE website. It can be filtered, sorted, and searched online according to various criteria or downloaded in full as HTML, CSV, PDF, or XML files. The PDF file of the current version 4.3 comprises 2325 pages.
Common Weakness Enumeration Top 25.
Periodically, MITRE updates and publishes the Common Weakness Enumeration Top 25, which includes the 25 vulnerabilities deemed most dangerous. The 2020 Top 25 list includes, for example, lack of authentication for critical functions, use of hard-coded passwords, cross-site request forgery (CSRF), insufficient input validation, or disclosure of sensitive information to unauthorized users. The top 25 can be used to realistically assess risks for vulnerabilities, as the list somewhat reflects the evolution of cybercrime.