Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

MITRE Publishes New List of Most Dangerous Software Weaknesses

The MITRE Corporation this week published an updated list of the most dangerous software weaknesses and vulnerabilities.

Known as the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors (CWE Top 25), the new list has been created based on real-world vulnerabilities found in the NVD (National Vulnerability Database).

The MITRE Corporation this week published an updated list of the most dangerous software weaknesses and vulnerabilities.

Known as the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors (CWE Top 25), the new list has been created based on real-world vulnerabilities found in the NVD (National Vulnerability Database).

This approach represents a major shift from the 2011 CWE Top 25, which was constructed using surveys and personal interviews with developers, top security analysts, researchers, and vendors.

CWE has over 600 categories and the aforementioned change in approach has resulted in new sets of weaknesses making it to the 2019 CWE Top 25.

One of the most notable changes is the inclusion of some class level CWEs that represent broad types of errors, namely CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation), CWE-200 (Information Exposure) and CWE-287 (Improper Authentication).

The entries, the CWE team explains, were prevalent in the data-driven analysis of NVD, mainly because vendors and researchers often use them to describe the root cause of a vulnerability being reported.

“Looking closer, however, these high-level weaknesses are often the parent of more detailed weaknesses that appeared in previous Top 25 lists,” the team explains.

Thus, CWE-119 is at the top of the new list, although CWE-120, its child, did not make it to Top 25 (but was #3 in the 2011 list). On the other hand, CWE-287, which is #13 in 2019 but did not appear in 2011, is parent of CWE-306, CWE-862, and CWE-863, which were #5, #6, and #15 in 2011 but are not on the 2019 list.

Advertisement. Scroll to continue reading.

“Another interesting change is that some weaknesses in the 2019 list are reported at a different place within a potential chain of weaknesses. For example, CWE-787 (Out-of-bounds Write) did not appear in the 2011 list but is #12 in 2019. CWE-787 is often part of a chain that starts with CWE-120, which was #3 in 2011,” the CWE team explains.

Other notable changes to the new list represent the inclusion of CWE-125 (Out-of-bounds Read) as #5; CWE-417 (Use After-Free), CWE-611 (Improper Restriction of XML External Entity Reference), and CWE-502 (Deserialization of Untrusted Data) appear at #7, #17, and #23 respectively; and CWE-476 (NULL Pointer Dereference) appears at #14 and not at all in the 2011 Top 25.

CWE-20 and CWE-200 (#3 and #4, respectively), which are class level weaknesses and well-known secure coding problem areas, likely made it high on the list because there are “potentially instances when these entries are used for mapping vulnerabilities to CWE when more specific, lower-level weakness types might be more appropriate,” the CWE team also notes.

The CWE Top 25 also includes weaknesses and vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery (CSRF), Path Traversal, OS Command Injection, Improper Authentication, Code Injection, Use of Hard-coded Credentials, and Incorrect Permission Assignment for Critical Resource, among others.

Related: Stop Using CVSS to Score Risk

Related: Risk-Based Vulnerability Management is a Must for Security & Compliance

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.