MITRE experts have published a list of the 25 most dangerous problems of 2022


MITRE experts have published a list of the 25 most common and dangerous problems of 2022. Such bugs can potentially expose systems to attack, allow attackers to take control of vulnerable devices, access sensitive information, or cause a denial of service.

By the way, we also love all sorts of lists and tops, for example: Top Threats That Gridinsoft Anti-Malware Catches, or here’s another: TOP Facts About Adware Attacks To Be Reminded Today.

This time, the list was compiled with the support of the National Security Systems Design and Engineering Institute and the Cybersecurity and Infrastructure Security Agency (CISA). Interestingly, a few years ago the list was built on the basis of surveys and personal interviews with developers, leading security analysts, researchers, and vendors.

Each problem in the list has its own CWE (Common Weakness Enumeration) identifier, not to be confused with a CVE. A CWE differs from a CVE in that the former is, in effect, the predecessor of the latter: a CWE describes a class of weakness that leads directly to the appearance of concrete vulnerabilities.

CWE comprises more than 600 categories, some of them very broad classes covering diverse problems, such as CWE-20 (improper input validation), CWE-200 (information exposure), and CWE-287 (improper authentication).

MITRE reports that the dataset used to compile the new Top 25 contained a total of 37,899 CVE IDs from the past two calendar years. The calculation methodology has also changed slightly this time: the list is based on information from the NVD (National Vulnerability Database) and the Known Exploited Vulnerabilities (KEV) catalog, which CISA began compiling in 2021. Currently, KEV contains information about 800 known vulnerabilities used in attacks.
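The article says only that the ranking draws on NVD records and the KEV catalog; it does not give the formula. As an added illustration that is not part of the original post and not MITRE's own code, the script below reproduces the two data-driven columns of the table (Score and number of KEV entries) from a constructed handful of NVD-style records. The scoring used here is my assumption: each CWE's CVE count and average CVSS score are min-max normalised across all CWEs and multiplied, then scaled to 100. Records that NVD has not mapped to a real CWE (constructed here as "NVD-CWE-noinfo") are skipped, and CWEs whose score ties are ordered by ID so the output is deterministic.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    """One NVD-style record: CVE ID, the CWE it is mapped to, and its CVSS base score."""
    cve_id: str
    cwe_id: str
    cvss: float


# Constructed sample of NVD-style records (not real CVE data; IDs are placeholders).
SAMPLE_NVD = [
    CveRecord("CVE-0000-0001", "CWE-787", 9.8),
    CveRecord("CVE-0000-0002", "CWE-787", 7.8),
    CveRecord("CVE-0000-0003", "CWE-787", 8.8),
    CveRecord("CVE-0000-0004", "CWE-79", 6.1),
    CveRecord("CVE-0000-0005", "CWE-79", 5.4),
    CveRecord("CVE-0000-0006", "CWE-79", 6.1),
    CveRecord("CVE-0000-0007", "CWE-79", 4.8),
    CveRecord("CVE-0000-0008", "CWE-89", 9.8),
    CveRecord("CVE-0000-0009", "CWE-89", 8.8),
    CveRecord("CVE-0000-0010", "CWE-476", 5.5),
    CveRecord("CVE-0000-0011", "NVD-CWE-noinfo", 7.5),  # unmapped record, must be ignored
]

# Constructed KEV-style catalogue: only the CVE IDs that are known to be exploited.
SAMPLE_KEV = {"CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0008"}


def _normalise(value, lo, hi):
    """Min-max scale value into [0, 1]; a degenerate range (all CWEs equal) counts as full weight."""
    return 1.0 if hi == lo else (value - lo) / (hi - lo)


def rank_cwes(nvd, kev):
    """Return [(cwe_id, score, kev_count), ...] sorted by descending score.

    Assumed scoring (not stated by the article): frequency and severity are each
    min-max normalised across CWEs, multiplied, and scaled to 100.
    """
    by_cwe = defaultdict(list)
    for rec in nvd:
        # Skip records NVD has not mapped to a concrete weakness class.
        if rec.cwe_id.startswith("CWE-"):
            by_cwe[rec.cwe_id].append(rec)

    counts = {cwe: len(recs) for cwe, recs in by_cwe.items()}
    avg_cvss = {cwe: sum(r.cvss for r in recs) / len(recs) for cwe, recs in by_cwe.items()}

    min_count, max_count = min(counts.values()), max(counts.values())
    min_sev, max_sev = min(avg_cvss.values()), max(avg_cvss.values())

    rows = []
    for cwe, recs in by_cwe.items():
        frequency = _normalise(counts[cwe], min_count, max_count)
        severity = _normalise(avg_cvss[cwe], min_sev, max_sev)
        score = round(frequency * severity * 100, 2)
        # The "Number of KEVs" column: how many of this CWE's CVEs are in the KEV catalogue.
        kev_count = sum(1 for r in recs if r.cve_id in kev)
        rows.append((cwe, score, kev_count))

    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


if __name__ == "__main__":
    for place, (cwe, score, kevs) in enumerate(rank_cwes(SAMPLE_NVD, SAMPLE_KEV), start=1):
        print(f"{place:>2}  {cwe:<8} score={score:>6}  KEVs={kevs}")
```

Note how the two signals pull in different directions on the constructed data: CWE-79 is the most frequent class but has the lowest average severity, so it scores near zero, while the rarer CWE-89 scores highly because of its severe CVEs. The KEV count is reported alongside the score rather than folded into it, which mirrors how the table below presents the two.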

MITRE continues to treat as most dangerous the bugs that are easy to find, have a high impact, and are widespread in software released in the last two years.

The top 25 issues identified by MITRE experts can be seen in the table below.

| Rank | CWE ID | Weakness | Score | KEV entries (CVEs) | Change from 2021 |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | 64.2 | 62 | 0 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | 45.97 | 2 | 0 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | 22.11 | 7 | +3 |
| 4 | CWE-20 | Improper Input Validation | 20.63 | 20 | 0 |
| 5 | CWE-125 | Out-of-bounds Read | 17.67 | 1 | -2 |
| 6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | 17.53 | 32 | -1 |
| 7 | CWE-416 | Use After Free | 15.5 | 28 | 0 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | 14.08 | 19 | 0 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | 0 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56 | 6 | 0 |
| 11 | CWE-476 | NULL Pointer Dereference | 7.15 | 0 | +4 |
| 12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | +1 |
| 13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | -1 |
| 14 | CWE-287 | Improper Authentication | 6.35 | 4 | 0 |
| 15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | +1 |
| 16 | CWE-862 | Missing Authorization | 5.53 | 1 | +2 |
| 17 | CWE-77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | 5.42 | 5 | +8 |
| 18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | -7 |
| 19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85 | 6 | -2 |
| 20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | -1 |
| 21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | +3 |
| 22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) | 3.57 | 6 | +11 |
| 23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | +4 |
| 24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | -1 |
| 25 | CWE-94 | Improper Control of Generation of Code (Code Injection) | 3.32 | 4 | +3 |

Compared to the 2021 list, three types of weakness have dropped out of the Top 25: exposure of sensitive information to an unauthorized actor (down to 33rd place), insufficiently protected credentials (now at 38th place), and incorrect permission assignment for critical resources (30th place).

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.
