MITRE Compiled a List of the 25 Most Dangerous Bugs


MITRE specialists have published a list of the 25 most dangerous software weaknesses of the past two years. The list covers a range of shortcomings, from vulnerabilities and coding errors to flaws in software architecture, implementation and design.


Such flaws can jeopardize the security of any system on which the affected software is installed and running. They can become an entry point for attackers trying to take control of vulnerable devices, help attackers gain access to sensitive data, or cause a denial of service.

To compile the list, MITRE analysts examined in detail 43,996 CVE IDs from the NIST National Vulnerability Database (NVD) that were discovered and described in 2021 and 2022. They paid special attention to CVEs that had been added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA).

Each entry in the list has its own CWE (Common Weakness Enumeration) identifier, not to be confused with a CVE. The two differ in that a CWE describes a type of weakness, the root cause, while a CVE identifies a specific vulnerability in a specific product. In that sense CWEs are the predecessors of CVEs: a weakness of a given CWE type is what leads directly to the appearance of a vulnerability.

The CWE catalog contains more than 600 categories, some of which combine very broad classes of diverse problems, such as CWE-20 (improper input validation), CWE-200 (information disclosure), and CWE-287 (improper authentication).

According to MITRE, the most dangerous weaknesses continue to be those that are easy to find, have a high impact, and are widespread in software released in the last two years.

CISA encourages all developers and security response teams to review the CWE Top 25 list and evaluate the recommended mitigations to determine which are most appropriate to adopt.

The top 25 CWE list compiled by MITRE is as follows:

| Rank | ID | Name | Score | CVEs in KEV | Rank Change vs. 2022 |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | 63.72 | 70 | 0 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.54 | 4 | 0 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 34.27 | 6 | 0 |
| 4 | CWE-416 | Use After Free | 16.71 | 44 | +3 |
| 5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 15.65 | 23 | +1 |
| 6 | CWE-20 | Improper Input Validation | 15.50 | 35 | -2 |
| 7 | CWE-125 | Out-of-bounds Read | 14.60 | 2 | -2 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.11 | 16 | 0 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.73 | 0 | 0 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.41 | 5 | 0 |
| 11 | CWE-862 | Missing Authorization | 6.90 | 0 | +5 |
| 12 | CWE-476 | NULL Pointer Dereference | 6.59 | 0 | -1 |
| 13 | CWE-287 | Improper Authentication | 6.39 | 10 | +1 |
| 14 | CWE-190 | Integer Overflow or Wraparound | 5.89 | 4 | -1 |
| 15 | CWE-502 | Deserialization of Untrusted Data | 5.56 | 14 | -3 |
| 16 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 4.95 | 4 | +1 |
| 17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.75 | 7 | +2 |
| 18 | CWE-798 | Use of Hard-coded Credentials | 4.57 | 2 | -3 |
| 19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.56 | 16 | +2 |
| 20 | CWE-306 | Missing Authentication for Critical Function | 3.78 | 8 | -2 |
| 21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 3.53 | 8 | +1 |
| 22 | CWE-269 | Improper Privilege Management | 3.31 | 5 | +7 |
| 23 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 3.30 | 6 | +2 |
| 24 | CWE-863 | Incorrect Authorization | 3.16 | 0 | +4 |
| 25 | CWE-276 | Incorrect Default Permissions | 3.16 | 0 | -5 |

By Vladimir Krasnogolovy
