MITRE Compiled a List of the 25 Most Dangerous Bugs


MITRE has published its list of the 25 most dangerous software weaknesses of the past two years. The list covers flaws of several kinds: weaknesses in code, and weaknesses in the architecture, implementation and design of software.


Such weaknesses put at risk every system on which the affected software is installed and running. They can give attackers an entry point for taking control of vulnerable devices, a way to reach sensitive data, or a means of causing a denial of service.

To compile the list, MITRE analysts examined 43,996 CVE records from the NIST National Vulnerability Database (NVD) that were published in 2021 and 2022. They paid special attention to CVEs that had been added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA), which is why the table below reports, for each weakness, how many of its CVEs appear in KEV.

Each entry in the list is identified by a CWE (Common Weakness Enumeration) identifier, not to be confused with a CVE. The difference is one of generality: a CVE names one specific vulnerability in one specific product, while a CWE names the type of mistake that produces such vulnerabilities. A CWE is the root cause and the CVEs are its instances; NVD tags CVE records with the CWE or CWEs describing their root cause, which is what makes counting CVEs per weakness possible.
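How a ranking like this is derived from CVE records, as an added example that is not part of the article and not MITRE's own tooling: constructed CVE-style records (the SAMPLE-* ids are not real CVE identifiers) are each tagged with a CWE, a CVSS base score and a KEV flag, then aggregated per CWE and ranked. The normalization used (min-max of per-CWE frequency and of per-CWE mean severity, multiplied and scaled to 100) is the scoring rule MITRE publishes for the Top 25; the function names and the tie-breaking by raw frequency are my own choices.

```python
"""Rank CWEs from a set of CVE-style records the way the Top 25 is built.

Scoring follows the normalization MITRE publishes for the Top 25: each
CWE's frequency and mean CVSS severity are min-max normalized across all
CWEs, multiplied, and scaled to 100. All input data below is constructed
for illustration; SAMPLE-* ids are not real CVE identifiers.
"""
from collections import defaultdict

# Constructed records: CWE mapping, CVSS base score, membership in CISA KEV.
SAMPLE_CVES = [
    {"id": "SAMPLE-0001", "cwe": "CWE-787", "cvss": 9.8, "kev": True},
    {"id": "SAMPLE-0002", "cwe": "CWE-787", "cvss": 9.8, "kev": True},
    {"id": "SAMPLE-0003", "cwe": "CWE-787", "cvss": 8.8, "kev": False},
    {"id": "SAMPLE-0004", "cwe": "CWE-787", "cvss": 7.6, "kev": False},
    {"id": "SAMPLE-0005", "cwe": "CWE-79", "cvss": 6.1, "kev": False},
    {"id": "SAMPLE-0006", "cwe": "CWE-79", "cvss": 5.4, "kev": False},
    {"id": "SAMPLE-0007", "cwe": "CWE-79", "cvss": 6.5, "kev": False},
    {"id": "SAMPLE-0008", "cwe": "CWE-89", "cvss": 9.8, "kev": True},
    {"id": "SAMPLE-0009", "cwe": "CWE-89", "cvss": 9.2, "kev": False},
    {"id": "SAMPLE-0010", "cwe": "CWE-20", "cvss": 7.0, "kev": False},
]

# Official CWE names for the four categories used in the sample.
CWE_NAMES = {
    "CWE-787": "Out-of-bounds Write",
    "CWE-79": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
    "CWE-89": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
    "CWE-20": "Improper Input Validation",
}


def aggregate(records):
    """Per-CWE frequency, mean CVSS score and number of CVEs in KEV."""
    stats = defaultdict(lambda: {"count": 0, "cvss_sum": 0.0, "kev": 0})
    for rec in records:
        s = stats[rec["cwe"]]
        s["count"] += 1
        s["cvss_sum"] += rec["cvss"]
        s["kev"] += int(rec["kev"])
    return {
        cwe: {"count": s["count"], "avg_cvss": s["cvss_sum"] / s["count"], "kev": s["kev"]}
        for cwe, s in stats.items()
    }


def _normalize(value, lo, hi):
    # Min-max normalization. With a single CWE (or all values equal) the range
    # is zero; treat that degenerate case as full weight instead of dividing by 0.
    return 1.0 if hi == lo else (value - lo) / (hi - lo)


def rank_cwes(records):
    """Return rows shaped like the Top 25 table: (rank, cwe, name, score, kev)."""
    stats = aggregate(records)
    counts = [s["count"] for s in stats.values()]
    avgs = [s["avg_cvss"] for s in stats.values()]
    rows = []
    for cwe, s in stats.items():
        fr = _normalize(s["count"], min(counts), max(counts))      # how common
        sv = _normalize(s["avg_cvss"], min(avgs), max(avgs))       # how severe
        rows.append((cwe, round(fr * sv * 100, 2), s["kev"], s["count"]))
    # Ties are broken by raw frequency so the ordering is deterministic (my choice).
    rows.sort(key=lambda r: (-r[1], -r[3]))
    return [
        (rank, cwe, CWE_NAMES.get(cwe, cwe), score, kev)
        for rank, (cwe, score, kev, _) in enumerate(rows, start=1)
    ]


if __name__ == "__main__":
    print("Rank  ID       Score   CVEs in KEV  Name")
    for rank, cwe, name, score, kev in rank_cwes(SAMPLE_CVES):
        print(f"{rank:<5} {cwe:<8} {score:>6.2f}  {kev:^11}  {name}")
```

Note what the normalization does to the sample: CWE-79 has the lowest mean severity, so its severity factor is zero and it scores 0 despite being the second most frequent weakness; CWE-20 is the least frequent and scores 0 for the opposite reason. The real list has the same property, which is why a category can drop several ranks in a year without becoming rarer.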

CWE contains more than 600 categories, many of which group together very broad classes of quite different problems, such as CWE-20 (Improper Input Validation), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-287 (Improper Authentication).

MITRE regards a weakness as most dangerous when it is typically easy to find and exploit, has a severe impact, and is widespread in software released over the last two years.

"CISA encourages all developers and security response teams to review the top 25 CWE list and evaluate recommended mitigation measures to determine the most appropriate ones to adopt," CISA recommends.

The top 25 CWE list compiled by MITRE is as follows. "Score" is MITRE's combined frequency-and-severity score, "CVEs in KEV" is the number of CVEs in that category that appear in CISA's Known Exploited Vulnerabilities catalog, and the last column is the change in position against the 2022 list:

Rank | ID | Name | Score | CVEs in KEV | Rank change vs. 2022
1 | CWE-787 | Out-of-bounds Write | 63.72 | 70 | 0
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.54 | 4 | 0
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 34.27 | 6 | 0
4 | CWE-416 | Use After Free | 16.71 | 44 | +3
5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 15.65 | 23 | +1
6 | CWE-20 | Improper Input Validation | 15.50 | 35 | -2
7 | CWE-125 | Out-of-bounds Read | 14.60 | 2 | -2
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.11 | 16 | 0
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.73 | 0 | 0
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.41 | 5 | 0
11 | CWE-862 | Missing Authorization | 6.90 | 0 | +5
12 | CWE-476 | NULL Pointer Dereference | 6.59 | 0 | -1
13 | CWE-287 | Improper Authentication | 6.39 | 10 | +1
14 | CWE-190 | Integer Overflow or Wraparound | 5.89 | 4 | -1
15 | CWE-502 | Deserialization of Untrusted Data | 5.56 | 14 | -3
16 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 4.95 | 4 | +1
17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.75 | 7 | +2
18 | CWE-798 | Use of Hard-coded Credentials | 4.57 | 2 | -3
19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.56 | 16 | +2
20 | CWE-306 | Missing Authentication for Critical Function | 3.78 | 8 | -2
21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 3.53 | 8 | +1
22 | CWE-269 | Improper Privilege Management | 3.31 | 5 | +7
23 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 3.30 | 6 | +2
24 | CWE-863 | Incorrect Authorization | 3.16 | 0 | +4
25 | CWE-276 | Incorrect Default Permissions | 3.16 | 0 | -5
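What one of these categories looks like in code, as an added example that is not from the article: CWE-89 (rank 3) shown as a vulnerable lookup beside its parameterized replacement, both run against an in-memory SQLite table constructed here for the demonstration. The function names, the sample users and the two attacker payloads are illustrative, not taken from any real product or incident.

```python
"""CWE-89 (SQL Injection): vulnerable string-built query beside the fix.

Everything here is constructed for the demonstration: an in-memory SQLite
database with three made-up users, and two attacker inputs.
"""
import sqlite3


def make_db():
    """Constructed sample data: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """CWE-89: untrusted text is spliced into the SQL statement itself."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    """Parameterized query: the value is passed separately from the statement,
    so quote characters in the input cannot change the SQL structure."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "x' OR '1'='1"                                      # defeats the WHERE filter
UNION_DUMP = "x' UNION SELECT name, sql FROM sqlite_master --"  # reads schema metadata


def demo():
    """Run both lookups against an honest input and both payloads."""
    conn = make_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "bob"),
        "honest_hardened": lookup_hardened(conn, "bob"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_hardened": lookup_hardened(conn, TAUTOLOGY),
        "union_vulnerable": lookup_vulnerable(conn, UNION_DUMP),
        "union_hardened": lookup_hardened(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22s} -> {rows}")
```

For the honest input both functions return the single row for bob. For the tautology payload the vulnerable query returns every user, because the statement it runs is `... WHERE username = 'x' OR '1'='1'`; the UNION payload makes the vulnerable query return the table's CREATE statement out of `sqlite_master`, with the trailing quote neutralized by the `--` comment. The hardened function returns no rows for either payload, since the whole string is compared as a literal username. The same principle, keep data out of the statement structure, is the fix for the neighbouring command injection entries (CWE-78 and CWE-77: pass argument lists rather than shell strings) and for CWE-79 (context-aware output encoding rather than string concatenation into HTML).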

By Vladimir Krasnogolovy

