MITRE releases new list of top 25 most dangerous software bugs

MITRE shared today this year’s list of the top 25 most dangerous weaknesses plaguing software during the previous two years.

Software weaknesses encompass a wide range of issues, including flaws, bugs, vulnerabilities, and errors in software solutions’ code, architecture, implementation, or design.

Weaknesses can endanger the security of the systems on which the software is installed and running. They can provide an entry point for malicious actors attempting to gain control over affected devices, access sensitive data, or trigger denial-of-service states.

“These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working,” CISA warned today.

To create this list, MITRE scored each weakness based on its severity and prevalence after analyzing 43,996 CVE entries from NIST’s National Vulnerability Database (NVD) for vulnerabilities discovered and reported across 2021 and 2022, and a focus on CVE records added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

“After the collection, scoping, and remapping process, a scoring formula was used to calculate a rank order of weaknesses that combines the frequency (the number of times that a CWE is the root cause of a vulnerability), with the average severity of each of those vulnerabilities when they are exploited (as measured by the CVSS score),” MITRE said.

“In both cases, the frequency and severity are normalized relative to the minimum and maximum values observed in the dataset.”

MITRE’s 2023 top 25 weaknesses are dangerous due to their significant impact and widespread occurrence in software released over the past two years.

Successful exploitation can allow attackers to take complete control of targeted systems, harvest and exfiltrate sensitive data, or trigger a denial-of-service (DoS).

By sharing this list, MITRE provides the broader community with valuable information regarding the most critical software security weaknesses that require immediate attention.

RankIDNameScoreCVEs in KEVRank Change
1CWE-787Out-of-bounds Write63.72700
2CWE-79Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)45.5440
3CWE-89Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)34.2760
4CWE-416Use After Free16.7144+3
5CWE-78Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)15.6523+1
6CWE-20Improper Input Validation15.5035-2
7CWE-125Out-of-bounds Read14.602-2
8CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)14.11160
9CWE-352Cross-Site Request Forgery (CSRF)11.7300
10CWE-434Unrestricted Upload of File with Dangerous Type10.4150
11CWE-862Missing Authorization6.900+5
12CWE-476NULL Pointer Dereference6.590-1
13CWE-287Improper Authentication6.3910+1
14CWE-190Integer Overflow or Wraparound5.894-1
15CWE-502Deserialization of Untrusted Data5.5614-3
16CWE-77Improper Neutralization of Special Elements used in a Command (‘Command Injection’)4.954+1
17CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer4.757+2
18CWE-798Use of Hard-coded Credentials4.572-3
19CWE-918Server-Side Request Forgery (SSRF)4.5616+2
20CWE-306Missing Authentication for Critical Function3.788-2
21CWE-362Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)3.538+1
22CWE-269Improper Privilege Management3.315+7
23CWE-94Improper Control of Generation of Code (‘Code Injection’)3.306+2
24CWE-863Incorrect Authorization3.160+4
25CWE-276Incorrect Default Permissions3.160-5

Warnings regarding software and hardware bugs

In a collaborative effort involving cybersecurity authorities worldwide, a comprehensive compilation of the top 15 vulnerabilities commonly exploited in attacks throughout 2021 was released in April 2022. This joint endeavor involved notable organizations such as the NSA and the FBI.

Furthermore, an inventory of routinely exploited bugs in 2020 was disclosed by CISA and the FBI in conjunction with the Australian Cyber Security Centre (ACSC) and the UK’s National Cyber Security Centre (NCSC).

CISA and the FBI have also shared a catalog featuring the top 10 most frequently exploited security flaws between 2016 to 2019.

Finally, MITRE also offers a list outlining the most dangerous programming, design, and architecture security flaws plaguing hardware systems.

“CISA encourages developers and product security response teams to review the CWE Top 25 and evaluate recommended mitigations to determine those most suitable to adopt,” CISA added today.

“Over the coming weeks, the CWE program will be publishing a series of further articles on the CWE Top 25 methodology, vulnerability mapping trends, and other useful information that help illustrate how vulnerability management plays an important role in Shifting the Balance of Cybersecurity Risk.”

By Sergiu Gatlan for bleepingcomputer.com