MITRE experts have published a list of the 25 most dangerous software weaknesses of 2022


MITRE experts have published a list of the 25 most common and dangerous software weaknesses of 2022. Such weaknesses can expose systems to attack, allowing attackers to take control of vulnerable devices, access sensitive information, or cause a denial of service.

By the way, we also love all sorts of lists and tops, for example: Top Threats That Gridinsoft Anti-Malware Catches, or here’s another: TOP Facts About Adware Attacks To Be Reminded Today.

This time, the list was compiled with the support of the National Security Systems Design and Engineering Institute and the Cybersecurity and Infrastructure Security Agency (CISA). Interestingly, a few years ago the list was built on the basis of surveys and personal interviews with developers, leading security analysts, researchers, and vendors.

Entries in the list are identified by CWE identifiers (Common Weakness Enumeration), not to be confused with CVE identifiers. The difference is that a CWE describes a class of weakness rather than a specific vulnerability: CWEs are the root causes from which concrete CVEs arise.

CWE comprises more than 600 categories, each covering a broad class of related weaknesses, such as CWE-20 (Improper Input Validation), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), and CWE-287 (Improper Authentication).

MITRE reports that the dataset used to compile the new Top 25 contained a total of 37,899 CVE IDs from the past two calendar years. The calculation methodology has also changed slightly this time: the list is based on data from the NVD (National Vulnerability Database) and on the Known Exploited Vulnerabilities (KEV) catalog, which CISA began compiling in 2021. KEV currently contains information about 800 known vulnerabilities used in attacks.

According to MITRE, the most dangerous weaknesses continue to be those that are easy to find and exploit, have a high impact, and are widespread in software released in the last two years.

The top 25 weaknesses identified by MITRE experts are listed in the table below.

| Rank | ID | Weakness | Score | Number of KEV CVEs | Change from 2021 |
|------|----|----------|-------|--------------------|------------------|
| 1 | CWE-787 | Out-of-bounds Write | 64.20 | 62 | 0 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (cross-site scripting) | 45.97 | 2 | 0 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (SQL injection) | 22.11 | 7 | +3 |
| 4 | CWE-20 | Improper Input Validation | 20.63 | 20 | 0 |
| 5 | CWE-125 | Out-of-bounds Read | 17.67 | 1 | -2 |
| 6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (OS command injection) | 17.53 | 32 | -1 |
| 7 | CWE-416 | Use After Free | 15.50 | 28 | 0 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (path traversal) | 14.08 | 19 | 0 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | 0 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56 | 6 | 0 |
| 11 | CWE-476 | NULL Pointer Dereference | 7.15 | 0 | +4 |
| 12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | +1 |
| 13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | -1 |
| 14 | CWE-287 | Improper Authentication | 6.35 | 4 | 0 |
| 15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | +1 |
| 16 | CWE-862 | Missing Authorization | 5.53 | 1 | +2 |
| 17 | CWE-77 | Improper Neutralization of Special Elements used in a Command (command injection) | 5.42 | 5 | +8 |
| 18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | -7 |
| 19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85 | 6 | -2 |
| 20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | -1 |
| 21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | +3 |
| 22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (race condition) | 3.57 | 6 | +11 |
| 23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | +4 |
| 24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | -1 |
| 25 | CWE-94 | Improper Control of Generation of Code (code injection) | 3.32 | 4 | +3 |

Compared to the 2021 list, three weakness types have dropped out of the Top 25: exposure of sensitive information to an unauthorized actor (down to 33rd place), insufficiently protected credentials (now 38th), and incorrect permission assignment for critical resources (30th).

By Vladimir Krasnogolovy
