CWE (Common Weakness Enumeration)

CWE is the catalogue of vulnerability categories — CWE-79 for XSS, CWE-89 for SQL injection, CWE-787 for out-of-bounds write — that classifies what kind of bug a CVE actually is.

Definition

The Common Weakness Enumeration (CWE) is a community-developed classification, maintained by MITRE, of the underlying weakness categories that produce vulnerabilities. While a CVE answers "which specific bug?", a CWE answers "what kind of bug?". CWE-79 is cross-site scripting in general; the thousands of CVE ids that classify under CWE-79 are specific instances of it.

CWE ids feed into the Top 25 Most Dangerous Software Weaknesses list MITRE publishes annually, into the OWASP Top 10 mapping, and into vendor scoring systems. A CVE typically carries one to three CWEs assigned by its CNA.
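An added example, not part of this entry, of how the CVE-to-CWE classification is consumed in practice: it tallies CWE ids over a few constructed CVE records shaped like the NVD API 2.0 `weaknesses` array (that layout, the source strings and the CVE ids are assumptions and placeholders), treating NVD's `NVD-CWE-noinfo` marker as "no classification" rather than as a weakness category.

```python
"""Tally CWE categories across NVD-style CVE records (added example)."""
from collections import Counter
import json

# Constructed sample, shaped like the NVD API 2.0 `weaknesses` array
# (assumption). CVE ids are placeholders, not real records; the third
# record carries only NVD's "noinfo" marker, i.e. no real CWE.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "weaknesses": [
        {"source": "cna@example.test", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-79"}]}]}},
    {"cve": {"id": "CVE-0000-0002", "weaknesses": [
        {"source": "cna@example.test", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-787"}]},
        {"source": "nvd@nist.gov", "type": "Secondary",
         "description": [{"lang": "en", "value": "CWE-787"}]}]}},
    {"cve": {"id": "CVE-0000-0003", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}},
    {"cve": {"id": "CVE-0000-0004", "weaknesses": [
        {"source": "cna@example.test", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-79"}]}]}},
]})


def cwes_for_record(cve):
    """Set of real CWE ids on one CVE record; NVD's 'NVD-CWE-noinfo' and
    'NVD-CWE-Other' markers are skipped because they classify nothing."""
    ids = set()
    for weakness in cve.get("weaknesses", []):
        for desc in weakness.get("description", []):
            value = desc.get("value", "")
            if value.startswith("CWE-"):
                ids.add(value)
    return ids


def tally_cwes(nvd_json):
    """Count CVEs per CWE (a CWE listed twice on one record, e.g. by both
    the CNA and NVD, counts once) and list CVEs with no CWE at all."""
    counts, unclassified = Counter(), []
    for entry in json.loads(nvd_json)["vulnerabilities"]:
        cve = entry["cve"]
        ids = cwes_for_record(cve)
        if not ids:
            unclassified.append(cve["id"])
        counts.update(ids)
    return counts, unclassified
```

On the sample, `tally_cwes` reports CWE-79 on two CVEs and CWE-787 on one (the duplicate CNA/NVD listing is not double-counted), with CVE-0000-0003 flagged as unclassified.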

Mitigation

Not applicable.

Examples

  • CWE-79 — Cross-Site Scripting (covers thousands of CVEs).
  • CWE-787 — Out-of-bounds Write (CWE-787 has topped the Top 25 list multiple years).
