MITRE today shared this year’s list of the top 25 most dangerous weaknesses that plagued software during the previous two years.
Software weaknesses encompass a wide range of issues, including flaws, bugs, vulnerabilities, and errors in software solutions’ code, architecture, implementation, or design.
Weaknesses can endanger the security of the systems on which the software is installed and running. They can provide an entry point for malicious actors attempting to gain control over affected devices, access sensitive data, or trigger denial-of-service states.
“These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working,” CISA warned today.
To create this list, MITRE scored each weakness based on its severity and prevalence after analyzing 43,996 CVE entries from NIST’s National Vulnerability Database (NVD) for vulnerabilities discovered and reported across 2021 and 2022, with a focus on CVE records added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
“After the collection, scoping, and remapping process, a scoring formula was used to calculate a rank order of weaknesses that combines the frequency (the number of times that a CWE is the root cause of a vulnerability), with the average severity of each of those vulnerabilities when they are exploited (as measured by the CVSS score),” MITRE said.
“In both cases, the frequency and severity are normalized relative to the minimum and maximum values observed in the dataset.”
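The scoring described in the two quotes above, implemented over a small constructed set of CVE records. This is an added example, not MITRE's code: the combination step (product of the two normalized terms, scaled by 100) follows MITRE's published methodology but is not quoted in the article, so it is treated here as an assumption, as is the guard for a degenerate min/max range. The sample shows a caveat of the method: a CWE at the minimum observed frequency or the minimum average severity scores zero regardless of its other term.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (CVE id, root-cause CWE after remapping or None if unmapped, CVSS base score)
CveRecord = Tuple[str, Optional[str], float]

def _minmax(value: float, lo: float, hi: float) -> float:
    """Normalize relative to the dataset's observed min and max, as quoted.
    A degenerate range (all CWEs identical) maps to 0.0; that guard is this
    example's choice, not something the article states."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)

def score_cwes(records: List[CveRecord]) -> Dict[str, float]:
    """Frequency = number of CVEs rooted in the CWE; severity = mean CVSS."""
    freq: Dict[str, int] = defaultdict(int)
    sev_total: Dict[str, float] = defaultdict(float)
    for _cve_id, cwe, cvss in records:
        if cwe is None:  # scoping step: entries with no usable CWE are dropped
            continue
        freq[cwe] += 1
        sev_total[cwe] += cvss
    if not freq:
        return {}
    avg_sev = {cwe: sev_total[cwe] / freq[cwe] for cwe in freq}
    fmin, fmax = min(freq.values()), max(freq.values())
    smin, smax = min(avg_sev.values()), max(avg_sev.values())
    # Assumed combination, following MITRE's published formula: Fr * Sv * 100.
    return {cwe: _minmax(freq[cwe], fmin, fmax)
            * _minmax(avg_sev[cwe], smin, smax) * 100 for cwe in freq}

def rank_cwes(records: List[CveRecord]) -> List[Tuple[str, float]]:
    """Highest score first; ties broken by CWE id for a stable ordering."""
    return sorted(score_cwes(records).items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample: hypothetical CVE ids and CVSS values, not real NVD data.
SAMPLE: List[CveRecord] = [
    ("CVE-0000-0001", "CWE-787", 9.8), ("CVE-0000-0002", "CWE-787", 8.8),
    ("CVE-0000-0003", "CWE-787", 7.5), ("CVE-0000-0004", "CWE-787", 9.8),
    ("CVE-0000-0005", "CWE-79", 6.1), ("CVE-0000-0006", "CWE-79", 5.4),
    ("CVE-0000-0007", "CWE-79", 6.1),
    ("CVE-0000-0008", "CWE-476", 5.5), ("CVE-0000-0009", "CWE-476", 7.5),
    ("CVE-0000-0010", "CWE-798", 9.8),  # one CVE, but critical severity
    ("CVE-0000-0011", None, 9.1),       # NVD-CWE-noinfo style entry: skipped
]

if __name__ == "__main__":
    for cwe, score in rank_cwes(SAMPLE):
        print(f"{cwe:8s} {score:6.2f}")
```

In the sample, CWE-798 is the single most severe entry yet scores 0 because its frequency is the dataset minimum, while CWE-79 scores 0 because its average CVSS is the minimum.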
MITRE’s 2023 top 25 weaknesses are dangerous due to their significant impact and widespread occurrence in software released over the past two years.
Successful exploitation can allow attackers to take complete control of targeted systems, harvest and exfiltrate sensitive data, or trigger a denial-of-service (DoS).
By sharing this list, MITRE provides the broader community with valuable information regarding the most critical software security weaknesses that require immediate attention.
Rank | ID | Name | Score | CVEs in KEV | Rank Change |
---|---|---|---|---|---|
1 | CWE-787 | Out-of-bounds Write | 63.72 | 70 | 0 |
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.54 | 4 | 0 |
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 34.27 | 6 | 0 |
4 | CWE-416 | Use After Free | 16.71 | 44 | +3 |
5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 15.65 | 23 | +1 |
6 | CWE-20 | Improper Input Validation | 15.50 | 35 | -2 |
7 | CWE-125 | Out-of-bounds Read | 14.60 | 2 | -2 |
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.11 | 16 | 0 |
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.73 | 0 | 0 |
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.41 | 5 | 0 |
11 | CWE-862 | Missing Authorization | 6.90 | 0 | +5 |
12 | CWE-476 | NULL Pointer Dereference | 6.59 | 0 | -1 |
13 | CWE-287 | Improper Authentication | 6.39 | 10 | +1 |
14 | CWE-190 | Integer Overflow or Wraparound | 5.89 | 4 | -1 |
15 | CWE-502 | Deserialization of Untrusted Data | 5.56 | 14 | -3 |
16 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 4.95 | 4 | +1 |
17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.75 | 7 | +2 |
18 | CWE-798 | Use of Hard-coded Credentials | 4.57 | 2 | -3 |
19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.56 | 16 | +2 |
20 | CWE-306 | Missing Authentication for Critical Function | 3.78 | 8 | -2 |
21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 3.53 | 8 | +1 |
22 | CWE-269 | Improper Privilege Management | 3.31 | 5 | +7 |
23 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 3.30 | 6 | +2 |
24 | CWE-863 | Incorrect Authorization | 3.16 | 0 | +4 |
25 | CWE-276 | Incorrect Default Permissions | 3.16 | 0 | -5 |
Warnings regarding software and hardware bugs
In a collaborative effort involving cybersecurity authorities worldwide, a comprehensive compilation of the top 15 vulnerabilities commonly exploited in attacks throughout 2021 was released in April 2022. This joint endeavor involved notable organizations such as the NSA and the FBI.
Furthermore, an inventory of routinely exploited bugs in 2020 was disclosed by CISA and the FBI in conjunction with the Australian Cyber Security Centre (ACSC) and the UK’s National Cyber Security Centre (NCSC).
CISA and the FBI have also shared a catalog featuring the top 10 most frequently exploited security flaws between 2016 and 2019.
Finally, MITRE also offers a list outlining the most dangerous programming, design, and architecture security flaws plaguing hardware systems.
“CISA encourages developers and product security response teams to review the CWE Top 25 and evaluate recommended mitigations to determine those most suitable to adopt,” CISA added today.
“Over the coming weeks, the CWE program will be publishing a series of further articles on the CWE Top 25 methodology, vulnerability mapping trends, and other useful information that helps illustrate how vulnerability management plays an important role in Shifting the Balance of Cybersecurity Risk.”