Bugs

MITRE has shared this year’s top 25 list of the most common and dangerous software weaknesses behind more than 31,000 vulnerabilities disclosed between June 2023 and June 2024.

Software weaknesses refer to flaws, bugs, vulnerabilities, and errors found in software’s code, architecture, implementation, or design.

Attackers can exploit them to breach systems where the vulnerable software is running, enabling them to gain control over affected devices and access sensitive data or trigger denial-of-service attacks.

“Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working,” MITRE said today.

“Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place — benefiting both industry and government stakeholders.”

To create this year’s ranking, MITRE scored each weakness based on its severity and frequency after analyzing 31,770 CVE records for vulnerabilities that “would benefit from re-mapping analysis” and reported across 2023 and 2024, with a focus on security flaws added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

“This annual list identifies the most critical software weaknesses that adversaries frequently exploit to compromise systems, steal sensitive data, or disrupt essential services,” CISA added today.

“Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle.”

Rank ID Name Score KEV CVEs Change
1 CWE-79 Cross-site Scripting 56.92 3 +1
2 CWE-787 Out-of-bounds Write 45.20 18 -1
3 CWE-89 SQL Injection 35.88 4 0
4 CWE-352 Cross-Site Request Forgery (CSRF) 19.57 0 +5
5 CWE-22 Path Traversal 12.74 4 +3
6 CWE-125 Out-of-bounds Read 11.42 3 +1
7 CWE-78 OS Command Injection 11.30 5 -2
8 CWE-416 Use After Free 10.19 5 -4
9 CWE-862 Missing Authorization 10.11 0 +2
10 CWE-434 Unrestricted Upload of File with Dangerous Type 10.03 0 0
11 CWE-94 Code Injection 7.13 7 +12
12 CWE-20 Improper Input Validation 6.78 1 -6
13 CWE-77 Command Injection 6.74 4 +3
14 CWE-287 Improper Authentication 5.94 4 -1
15 CWE-269 Improper Privilege Management 5.22 0 +7
16 CWE-502 Deserialization of Untrusted Data 5.07 5 -1
17 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 5.07 0 +13
18 CWE-863 Incorrect Authorization 4.05 2 +6
19 CWE-918 Server-Side Request Forgery (SSRF) 4.05 2 0
20 CWE-119 Improper Operations Restriction in Memory Buffer Bounds 3.69 2 -3
21 CWE-476 NULL Pointer Dereference 3.58 0 -9
22 CWE-798 Use of Hard-coded Credentials 3.46 2 -4
23 CWE-190 Integer Overflow or Wraparound 3.37 3 -9
24 CWE-400 Uncontrolled Resource Consumption 3.23 0 +13
25 CWE-306 Missing Authentication for Critical Function 2.73 5 -5

CISA also regularly releases “Secure by Design” alerts highlighting the prevalence of widely known and documented vulnerabilities that have yet to be eliminated from software despite available and effective mitigations.

Some have been issued in response to ongoing malicious activity, like a July alert asking vendors to eliminate path OS command injection vulnerabilities exploited by Chinese Velvet Ant state hackers in recent attacks targeting Cisco, Palo Alto, and Ivanti network edge devices.

In May and March, the cybersecurity agency published two more “Secure by Design” alerts urging tech executives and software developers to prevent path traversal and SQL injection (SQLi) vulnerabilities in their products and code.

CISA also urged tech vendors to stop shipping software and devices with default passwords and small office/home office (SOHO) router manufacturers to secure them against Volt Typhoon attacks.

Last week, the FBI, the NSA, and Five Eyes cybersecurity authorities released a list of the top 15 routinely exploited security vulnerabilities last year, warning that attackers focused on targeting zero-days (security flaws that have been disclosed but are yet to be patched).

“In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day,” they cautioned.

Source: www.bleepingcomputer.com