MITRE has shared this year’s top 25 list of most common and dangerous weaknesses plaguing software throughout the previous two years.
Software weaknesses are flaws, bugs, vulnerabilities, and various other types of errors impacting a software solution’s code, architecture, implementation, or design, potentially exposing systems it’s running on to attacks.
MITRE developed the top 25 list using Common Vulnerabilities and Exposures (CVE) data from 2019 and 2020 obtained from the National Vulnerability Database (NVD) (roughly 27,000 CVEs).
“A scoring formula is used to calculate a ranked order of weaknesses that combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation,” MITRE explained.
“This approach provides an objective look at what vulnerabilities are currently seen in the real world, creates a foundation of analytical rigor built on publicly reported vulnerabilities instead of subjective surveys and opinions, and makes the process easily repeatable.”
MITRE’s 2021 top 25 bugs are dangerous because they are usually easy to discover, have a high impact, and are prevalent in software released during the last two years
They can also be abused by attackers to potentially take complete control of vulnerable systems, steal targets’ sensitive data, or trigger a denial-of-service (DoS) following successful exploitation.
The list below provides insight to the community at large into the most critical and current software security weaknesses.
|||CWE-79||Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)||46.84|
|||CWE-20||Improper Input Validation||20.47|
|||CWE-78||Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)||19.55|
|||CWE-89||Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)||19.54|
|||CWE-416||Use After Free||16.83|
|||CWE-22||Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)||14.69|
|||CWE-352||Cross-Site Request Forgery (CSRF)||14.46|
|||CWE-434||Unrestricted Upload of File with Dangerous Type||8.45|
|||CWE-306||Missing Authentication for Critical Function||7.93|
|||CWE-190||Integer Overflow or Wraparound||7.12|
|||CWE-502||Deserialization of Untrusted Data||6.71|
|||CWE-476||NULL Pointer Dereference||6.54|
|||CWE-798||Use of Hard-coded Credentials||6.27|
|||CWE-119||Improper Restriction of Operations within the Bounds of a Memory Buffer||5.84|
|||CWE-276||Incorrect Default Permissions||5.09|
|||CWE-200||Exposure of Sensitive Information to an Unauthorized Actor||4.74|
|||CWE-522||Insufficiently Protected Credentials||4.21|
|||CWE-732||Incorrect Permission Assignment for Critical Resource||4.2|
|||CWE-611||Improper Restriction of XML External Entity Reference||4.02|
|||CWE-918||Server-Side Request Forgery (SSRF)||3.78|
|||CWE-77||Improper Neutralization of Special Elements used in a Command (‘Command Injection’)|