
MITRE Publishes New List of Most Dangerous Software Weaknesses

The MITRE Corporation this week published an updated list of the most dangerous software weaknesses and vulnerabilities.

Known as the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors (CWE Top 25), the new list has been created based on real-world vulnerabilities found in the NVD (National Vulnerability Database).


This approach represents a major shift from the 2011 CWE Top 25, which was constructed using surveys and personal interviews with developers, top security analysts, researchers, and vendors.

CWE has over 600 categories and the aforementioned change in approach has resulted in new sets of weaknesses making it to the 2019 CWE Top 25.

One of the most notable changes is the inclusion of some class level CWEs that represent broad types of errors, namely CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation), CWE-200 (Information Exposure) and CWE-287 (Improper Authentication).

The entries, the CWE team explains, were prevalent in the data-driven analysis of NVD, mainly because vendors and researchers often use them to describe the root cause of a vulnerability being reported.

“Looking closer, however, these high-level weaknesses are often the parent of more detailed weaknesses that appeared in previous Top 25 lists,” the team explains.

Thus, CWE-119 is at the top of the new list, although CWE-120, its child, did not make it into the Top 25 (it was #3 in the 2011 list). On the other hand, CWE-287, which is #13 in 2019 but did not appear in 2011, is the parent of CWE-306, CWE-862, and CWE-863, which were #5, #6, and #15 in 2011 but are not on the 2019 list.

“Another interesting change is that some weaknesses in the 2019 list are reported at a different place within a potential chain of weaknesses. For example, CWE-787 (Out-of-bounds Write) did not appear in the 2011 list but is #12 in 2019. CWE-787 is often part of a chain that starts with CWE-120, which was #3 in 2011,” the CWE team explains.

Other notable changes to the new list include the inclusion of CWE-125 (Out-of-bounds Read) at #5; CWE-417 (Use After Free), CWE-611 (Improper Restriction of XML External Entity Reference), and CWE-502 (Deserialization of Untrusted Data) at #7, #17, and #23 respectively; and CWE-476 (NULL Pointer Dereference) at #14, having not appeared at all in the 2011 Top 25.

CWE-20 and CWE-200 (#3 and #4, respectively), which are class level weaknesses and well-known secure coding problem areas, likely made it high on the list because there are “potentially instances when these entries are used for mapping vulnerabilities to CWE when more specific, lower-level weakness types might be more appropriate,” the CWE team also notes.
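To make the parent/child effect described above concrete, here is an added example (not code from the article or from MITRE) that ranks CWEs from a small constructed set of NVD-style records, once as reported and once with each record also counted toward the parent class the article names. The frequency-times-normalized-severity score is a simplified model assumed here, not the article's description of MITRE's method.

```python
"""Rank CWE entries from constructed NVD-style records.

Score = Fr * Sv * 100, where Fr is the min-max normalised record count and
Sv the min-max normalised average CVSS base score (assumed model).
"""
from collections import defaultdict

# Constructed sample, not real NVD data: (CVE id, mapped CWE, CVSS base score)
RECORDS = [
    ("CVE-0000-0001", "CWE-120", 9.8),
    ("CVE-0000-0002", "CWE-787", 8.8),
    ("CVE-0000-0003", "CWE-119", 7.5),
    ("CVE-0000-0004", "CWE-119", 9.8),
    ("CVE-0000-0005", "CWE-306", 9.8),
    ("CVE-0000-0006", "CWE-862", 6.5),
    ("CVE-0000-0007", "CWE-863", 7.2),
    ("CVE-0000-0008", "CWE-287", 8.1),
    ("CVE-0000-0009", "CWE-79", 6.1),
    ("CVE-0000-0010", "CWE-79", 5.4),
]

# Child -> parent relations named in the article.
PARENT = {"CWE-120": "CWE-119", "CWE-306": "CWE-287",
          "CWE-862": "CWE-287", "CWE-863": "CWE-287"}


def score(records, roll_up=False):
    """Return {cwe: score}. With roll_up, each record also counts toward the
    parent class of its CWE, mimicking reports mapped to the broad class."""
    counts = defaultdict(int)
    cvss_sum = defaultdict(float)
    for _, cwe, cvss in records:
        targets = {cwe}
        if roll_up and cwe in PARENT:
            targets.add(PARENT[cwe])
        for t in targets:
            counts[t] += 1
            cvss_sum[t] += cvss
    avg = {c: cvss_sum[c] / counts[c] for c in counts}
    fmin, fmax = min(counts.values()), max(counts.values())
    smin, smax = min(avg.values()), max(avg.values())
    out = {}
    for c in counts:
        fr = (counts[c] - fmin) / (fmax - fmin) if fmax != fmin else 1.0
        sv = (avg[c] - smin) / (smax - smin) if smax != smin else 1.0
        out[c] = round(fr * sv * 100, 2)
    return out


def ranking(records, roll_up=False):
    """CWEs ordered from highest to lowest score."""
    return sorted(score(records, roll_up).items(), key=lambda kv: -kv[1])
```

As reported, CWE-287 scores zero because it appears only once; once its children are rolled up into it, it jumps to second place, which is the effect the CWE team describes for class-level entries.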

The CWE Top 25 also includes weaknesses and vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery (CSRF), Path Traversal, OS Command Injection, Improper Authentication, Code Injection, Use of Hard-coded Credentials, and Incorrect Permission Assignment for Critical Resource, among others.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
