Friday, November 1, 2024
HomeCVE/vulnerabilityCWE Top 25 (2019) - List of Top 25 Most Dangerous...

CWE Top 25 (2019) – List of Top 25 Most Dangerous Software Weakness that Developers Need to Focus

Published on

Malware protection

MITRE has released a list of Top 25 Most Dangerous Software Errors (CWE Top 25) that are widely spread and leads to serious vulnerabilities. The list was generated based on the vulnerabilities published within the National Vulnerability Database.

These vulnerabilities are easily exploitable and allow an attacker to get complete control over the system. Attackers can steal sensitive data, crash the application, cause a DOS condition.

The CWE Top 25 list will be a useful resource for software developers, software testers, software customers, software project managers, security researchers, and educators to gain insights of the common security threats in Industry, MITRE said.

- Advertisement - SIEM as a Service

MITRE says that the list was generated based on the data-driven approach based on the CVE published NVD, as well as the CVSS scores associated with it.

“A scoring formula was then applied to determine the level of prevalence and danger each weakness presents. This data-driven approach can be used as a repeatable, scripted process to generate a CWE Top 25 list regularly with minimal effort,” MITRE says.

2019 list is the latest release since 2011 CWE/SANS Top 25, “the 2011 CWE/SANS Top 25 was constructed using surveys and personal interviews with developers, top security analysts, researchers, and vendors, but the 2019 list was based on real-world vulnerabilities.” MITRE said.

CWE Top 25 List

MITRE provided a list of vulnerabilities with overall CVSS score and description for each of them with examples.

RankIDNameScore
[1]CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer75.56
[2]CWE-79Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)45.69
[3]CWE-20Improper Input Validation43.61
[4]CWE-200Information Exposure32.12
[5]CWE-125Out-of-bounds Read26.53
[6]CWE-89Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)24.54
[7]CWE-416Use After Free17.94
[8]CWE-190Integer Overflow or Wraparound17.35
[9]CWE-352Cross-Site Request Forgery (CSRF)15.54
[10]CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)14.10
[11]CWE-78Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)11.47
[12]CWE-787Out-of-bounds Write11.08
[13]CWE-287Improper Authentication10.78
[14]CWE-476NULL Pointer Dereference9.74
[15]CWE-732Incorrect Permission Assignment for Critical Resource6.33
[16]CWE-434Unrestricted Upload of File with Dangerous Type5.50
[17]CWE-611Improper Restriction of XML External Entity Reference5.48
[18]CWE-94Improper Control of Generation of Code (‘Code Injection’)5.36
[19]CWE-798Use of Hard-coded Credentials5.12
[20]CWE-400Uncontrolled Resource Consumption5.04
[21]CWE-772Missing Release of Resource after Effective Lifetime5.04
[22]CWE-426Untrusted Search Path4.40
[23]CWE-502Deserialization of Untrusted Data4.30
[24]CWE-269Improper Privilege Management4.23
[25]CWE-295Improper Certificate Validation4.06

The CWE’s calculated by MITRE, based on a scoring formula, the vulnerabilities that are common and cause high impact will receive a high score.

Related Read

Sources to Trace New Vulnerabilities

10 Best Vulnerability Scanning Tools For Penetration Testing – 2019

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...