Wednesday, December 25, 2024
HomeCVE/vulnerabilityCWE Top 25 - Mitre Released Top 25 Most Dangerous Software Bugs

CWE Top 25 – Mitre Released Top 25 Most Dangerous Software Bugs

Published on

SIEM as a Service

Recently, Mitre released the top 25 most dangerous software bugs 2020; this list is a definitive list of the most popular and impactful issues that are encountered in CWE Top 25 (2019).

The security experts asserted that these software bugs are dangerous, as they are usually easy to find and exploit. Moreover, it enables attackers to hijack a system completely, steals data, or stop an application from working.

The CWE top 25 is a worthwhile association resource that will help the developers, researchers, as well as the users to secure their businesses. Moreover, CWE provides penetration into the most severe and modern security vulnerabilities.

- Advertisement - SIEM as a Service

25 Most Dangerous Software Bugs

RankIDNameScore
[1]CWE-79Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)46.82
[2]CWE-787Out-of-bounds Write46.17
[3]CWE-20Improper Input Validation33.47
[4]CWE-125Out-of-bounds Read26.50
[5]CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer23.73
[6]CWE-89Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)20.69
[7]CWE-200Exposure of Sensitive Information to an Unauthorized Actor19.16
[8]CWE-416Use After Free18.87
[9]CWE-352Cross-Site Request Forgery (CSRF)17.29
[10]CWE-78Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)16.44
[11]CWE-190Integer Overflow or Wraparound15.81
[12]CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)13.67
[13]CWE-476NULL Pointer Dereference8.35
[14]CWE-287Improper Authentication8.17
[15]CWE-434Unrestricted Upload of File with Dangerous Type7.38
[16]CWE-732Incorrect Permission Assignment for Critical Resource6.95
[17]CWE-94Improper Control of Generation of Code (‘Code Injection’)6.53
[18]CWE-522Insufficiently Protected Credentials5.49
[19]CWE-611Improper Restriction of XML External Entity Reference5.33
[20]CWE-798Use of Hard-coded Credentials5.19
[21]CWE-502Deserialization of Untrusted Data4.93
[22]CWE-269Improper Privilege Management4.87
[23]CWE-400Uncontrolled Resource Consumption4.14
[24]CWE-306Missing Authentication for Critical Function3.85
[25]CWE-862Missing Authorization3.77

Analysis Report

This year’s Top 25 CWE list has increased the transition to more distinct weaknesses as they are fought to complex class-level vulnerabilities. These class-level weaknesses yet endure in the list, but these weaknesses have moved down in the ranking. 

The security researchers affirmed that this movement would be continuing, as every year, more advanced and dangerous weaknesses will be introduced. 

If we look correctly to list, then we can recognize that the class-level weaknesses like the CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), the CWE-20 (Improper Input Validation), and the CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) all have moved down a few of places. 

On the other side, there are more specific weaknesses like the CWE-79 (Improper Neutralization of Input During Web Page Generation), and the CWE-787 (Out-of-bounds Write), and CWE-125 (Out-of-bounds Read) were moved towards up to take their spots.

Rather than this weakness, there is another specific movement that is again the result of the mapping, the CWE-772 (Missing Release of Resource after Effective Lifetime) was at the number 21 in the list. And as we said that this movement would be continuing, as every year, new specific weaknesses will be introduced.

Flaws related to Authentication and Authorization

The most significant progress of the list comprises four major weaknesses that are associated with the Authentication and Authorization, and here they are mentioned below:-

  • The CWE-522 (Insufficiently Protected Credentials): from 27 to 18
  • The CWE-306 (Missing Authentication for Critical Function): from 36 to 24
  • The CWE-862 (Missing Authorization): from 34 to 25
  • CWE-863 (Incorrect Authorization): from 33 to 29

Methodology

This new list is quite specific, as it was developed by getting all issued vulnerability data from the NVD. The NVD gets these vulnerability data from CVE and then extends these vulnerabilities along with the additional analysis and information.

This information includes a mapping to one or more weaknesses, and at the same time, the CVSS score, which is a numerical score outlining the possible severity of all these vulnerabilities that are generally based upon a regulated set of features regarding the vulnerability.

Moreover, this year’s list is more leverage as compared to the list of 2018 and 2019. However, to ascertain a CWE’s frequency, the scoring formula determines the number of occasions a CWE is mapped to a CVE with the NVD.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Latest articles

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from...

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating...

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability...

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating...

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability...

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...