Original source: 2023 CWE Top 25
Chinese version
Rank | ID | Name | Score | CVEs in KEV | Rank Change vs. 2022 |
---|---|---|---|---|---|
1 | CWE-787 | Out-of-bounds Write | 63.72 | 70 | 0 |
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.54 | 4 | 0 |
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 34.27 | 6 | 0 |
4 | CWE-416 | Use After Free | 16.71 | 44 | +3 |
5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 15.65 | 23 | +1 |
6 | CWE-20 | Improper Input Validation | 15.50 | 35 | -2 |
7 | CWE-125 | Out-of-bounds Read | 14.60 | 2 | -2 |
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.11 | 16 | 0 |
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.73 | 0 | 0 |
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.41 | 5 | 0 |
11 | CWE-862 | Missing Authorization | 6.90 | 0 | +5 |
12 | CWE-476 | NULL Pointer Dereference | 6.59 | 0 | -1 |
13 | CWE-287 | Improper Authentication | 6.39 | 10 | +1 |
14 | CWE-190 | Integer Overflow or Wraparound | 5.89 | 4 | -1 |
15 | CWE-502 | Deserialization of Untrusted Data | 5.56 | 14 | -3 |
16 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 4.95 | 4 | +1 |
17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.75 | 7 | +2 |
18 | CWE-798 | Use of Hard-coded Credentials | 4.57 | 2 | -3 |
19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.56 | 16 | +2 |
20 | CWE-306 | Missing Authentication for Critical Function | 3.78 | 8 | -2 |
21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 3.53 | 8 | +1 |
22 | CWE-269 | Improper Privilege Management | 3.31 | 5 | +7 |
23 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 3.30 | 6 | +2 |
24 | CWE-863 | Incorrect Authorization | 3.16 | 0 | +4 |
25 | CWE-276 | Incorrect Default Permissions | 3.16 | 0 | -5 |
English version
Rank | ID | Name | Score | CVEs in KEV | Rank Change vs. 2022 |
---|---|---|---|---|---|
1 | CWE-787 | Out-of-bounds Write | 63.72 | 70 | 0 |
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.54 | 4 | 0 |
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 34.27 | 6 | 0 |
4 | CWE-416 | Use After Free | 16.71 | 44 | +3 |
5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 15.65 | 23 | +1 |
6 | CWE-20 | Improper Input Validation | 15.50 | 35 | -2 |
7 | CWE-125 | Out-of-bounds Read | 14.60 | 2 | -2 |
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.11 | 16 | 0 |
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.73 | 0 | 0 |
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.41 | 5 | 0 |
11 | CWE-862 | Missing Authorization | 6.90 | 0 | +5 |
12 | CWE-476 | NULL Pointer Dereference | 6.59 | 0 | -1 |
13 | CWE-287 | Improper Authentication | 6.39 | 10 | +1 |
14 | CWE-190 | Integer Overflow or Wraparound | 5.89 | 4 | -1 |
15 | CWE-502 | Deserialization of Untrusted Data | 5.56 | 14 | -3 |
16 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 4.95 | 4 | +1 |
17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.75 | 7 | +2 |
18 | CWE-798 | Use of Hard-coded Credentials | 4.57 | 2 | -3 |
19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.56 | 16 | +2 |
20 | CWE-306 | Missing Authentication for Critical Function | 3.78 | 8 | -2 |
21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 3.53 | 8 | +1 |
22 | CWE-269 | Improper Privilege Management | 3.31 | 5 | +7 |
23 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 3.30 | 6 | +2 |
24 | CWE-863 | Incorrect Authorization | 3.16 | 0 | +4 |
25 | CWE-276 | Incorrect Default Permissions | 3.16 | 0 | -5 |