MITRE shared this year's top 25 most common and dangerous weaknesses impacting software throughout the previous two calendar years.
Software weaknesses are flaws, bugs, vulnerabilities, or various other errors found in software solutions' code, architecture, implementation, or design.
They can potentially expose the systems they're running on to attacks that could enable threat actors to take control of affected devices, gain access to sensitive information, or trigger a denial-of-service condition.
To create this list, MITRE scored each weakness based on its prevalence and severity after analyzing data for 37,899 CVEs from NIST's National Vulnerability Database (NVD) and CISA's Known Exploited Vulnerabilities (KEV) Catalog.
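A small model of that scoring step, added here as an example and not MITRE's own code: it assumes the published CWE Top 25 formula (normalized CVE frequency times normalized average CVSS, scaled to 100) and runs it over a handful of constructed CVE records rather than real NVD data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cwe_id: str
    cvss: float  # CVSS base score as it would be recorded in NVD


# Constructed sample records (not real CVEs); the CWE IDs match the table on the page.
SAMPLE_CVES = [
    Cve("CVE-0000-0001", "CWE-787", 9.8),
    Cve("CVE-0000-0002", "CWE-787", 8.8),
    Cve("CVE-0000-0003", "CWE-787", 7.5),
    Cve("CVE-0000-0004", "CWE-79", 6.1),
    Cve("CVE-0000-0005", "CWE-79", 5.4),
    Cve("CVE-0000-0006", "CWE-89", 9.8),
    Cve("CVE-0000-0007", "CWE-476", 5.5),
]


def score_cwes(cves):
    """Return {cwe_id: score}: min-max normalized frequency x normalized avg CVSS x 100."""
    counts = defaultdict(int)
    cvss_sum = defaultdict(float)
    for c in cves:
        counts[c.cwe_id] += 1
        cvss_sum[c.cwe_id] += c.cvss
    avg = {k: cvss_sum[k] / counts[k] for k in counts}
    f_min, f_max = min(counts.values()), max(counts.values())
    s_min, s_max = min(avg.values()), max(avg.values())

    def norm(x, lo, hi):
        # Guard the degenerate case where every CWE has the same value.
        return 1.0 if hi == lo else (x - lo) / (hi - lo)

    # Caveat of min-max scaling: the least frequent CWE scores 0 even if its CVSS is high
    # (CWE-89 in the sample), so rare-but-critical weaknesses sink to the bottom of the list.
    return {k: round(norm(counts[k], f_min, f_max) * norm(avg[k], s_min, s_max) * 100, 2)
            for k in counts}


def rank_cwes(cves):
    """Return (cwe_id, score) pairs ordered by descending score, ties broken by ID."""
    return sorted(score_cwes(cves).items(), key=lambda kv: (-kv[1], kv[0]))
```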
"Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk," MITRE said.
"This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations (SDOs)."
MITRE's top 25 bugs are considered dangerous because they're usually easy to discover, come with a high impact, and are prevalent in software released during the last two years.
The table below provides insight into the most critical and current security weaknesses affecting software worldwide.
Rank | ID | Name | Score | KEV Count (CVEs) | Rank Change vs. 2021 |
---|---|---|---|---|---|
1 | CWE-787 | Out-of-bounds Write | 64.20 | 62 | 0 |
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.97 | 2 | 0 |
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 22.11 | 7 | +3 |
4 | CWE-20 | Improper Input Validation | 20.63 | 20 | 0 |
5 | CWE-125 | Out-of-bounds Read | 17.67 | 1 | -2 |
6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 17.53 | 32 | -1 |
7 | CWE-416 | Use After Free | 15.50 | 28 | 0 |
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.08 | 19 | 0 |
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | 0 |
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56 | 6 | 0 |
11 | CWE-476 | NULL Pointer Dereference | 7.15 | 0 | +4 |
12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | +1 |
13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | -1 |
14 | CWE-287 | Improper Authentication | 6.35 | 4 | 0 |
15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | +1 |
16 | CWE-862 | Missing Authorization | 5.53 | 1 | +2 |
17 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 5.42 | 5 | +8 |
18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | -7 |
19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85 | 6 | -2 |
20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | -1 |
21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | +3 |
22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 3.57 | 6 | +11 |
23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | +4 |
24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | -1 |
25 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 3.32 | 4 | +3 |
Top exploited vulnerabilities of 2021
In April, in partnership with the FBI and the NSA, cybersecurity authorities worldwide also published a list of the top 15 vulnerabilities frequently exploited by threat actors during 2021.
As revealed in the joint advisory, malicious actors focused their attacks last year on newly disclosed vulnerabilities affecting internet-facing systems, including email and virtual private network (VPN) servers.
This was likely because malicious actors and security researchers published proof of concept (POC) exploits within two weeks after most of the top exploited bugs were disclosed in 2021.
However, they also focused some attacks on older flaws patched years before, showing that some organizations fail to update their systems even after a patch is available.
CISA and the FBI have also published a list of the top 10 most exploited security flaws between 2016 and 2019. A list of routinely exploited bugs in 2020 was also released in collaboration with the Australian Cyber Security Centre (ACSC) and the UK's National Cyber Security Centre (NCSC).
In November, MITRE also shared a list of the top most dangerous programming, design, and architecture security flaws plaguing hardware throughout the last year.
Comments
Bitbeisser - 2 years ago
CWE-787: Well, "That wouldn't have happened with Pascal!"