A list of the top 25 “most dangerous” software flaws, some of which can allow attackers to take over a system, has been published.
The list was developed by the Homeland Security Systems Engineering and Development Institute, sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), and administered by MITRE. It uses Common Vulnerabilities and Exposures (CVE) data to identify the most common and critical software weaknesses that can lead to serious vulnerabilities.
“This list shows the most common and most impactful software vulnerabilities. These are often easy to find and exploit, but can lead to vulnerabilities that can exploit the system, allowing attackers to completely take over a system, steal data, or prevent applications from working,” CWE said.
“Many software professionals will find the CWE Top 25 a practical and useful resource to help mitigate risk. These can include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to the development of standards organisations,” according to the report.
The data set used to calculate the 2022 Top 25 contained a total of 37,899 CVE records from the previous two calendar years, according to MITRE.
The 2022 Top 25 list is also based on data from CVE records in the dataset that are part of CISA’s Known Exploited Vulnerabilities (KEV) Catalog. CISA launched that catalog in late 2021, requiring federal agencies to patch known exploited vulnerabilities within a specified time frame.
The top two weaknesses are unchanged from last year: CWE-787, the out-of-bounds write memory error, and CWE-79, cross-site scripting.
But SQL Injection or CWE-89 as a category jumped three places to third, replacing the out-of-bounds read memory error CWE-125, which dropped two places to fifth.
Improper input validation (CWE-20) held fourth place with no change in ranking, while OS command injection (CWE-78) dropped one place to sixth.
In seventh place was CWE-416, ‘use after free’. Rounding out the top 10 were path traversal (CWE-22), cross-site request forgery (CWE-352), and unrestricted upload of files with a dangerous type (CWE-434).
Command Injection Errors (CWE-77) rose eight places on the list to 17th, while race condition (CWE-362) rose 11 places to 22nd.
Each CWE entry on the list includes a detailed description of the weakness and examples of previously disclosed vulnerabilities of that type.