A list detailing the top 25 “most dangerous” software flaws, some of which could allow attackers to take control of a system, has been released.
The list was compiled by the Homeland Security Systems Engineering and Development Institute, sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and operated by MITRE. It uses Common Vulnerabilities and Exposures (CVE) data to compile the most frequent and critical errors that can lead to serious vulnerabilities.
“This list features the most common and impactful software weaknesses today. Often easy to find and exploit, they can lead to exploitable vulnerabilities that allow adversaries to take complete control of a system, steal data or prevent applications from working”, says CWE.
“Many professionals who deal with software will find the CWE Top 25 a handy and practical resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards development organizations,” it noted.
The dataset used to calculate the 2022 Top 25 contained a total of 37,899 CVE records from the previous two calendar years, according to MITRE.
The 2022 Top 25 list also draws on the CVE records in the dataset that appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog. CISA launched this catalog in late 2021, requiring federal agencies to patch known exploited vulnerabilities within a specified time frame.
The top two entries are unchanged from last year: CWE-787, the out-of-bounds write memory flaw, and CWE-79, cross-site scripting.
SQL injection (CWE-89) climbed three places to third, displacing the out-of-bounds read memory flaw (CWE-125), which dropped two places to fifth.
Fourth place, with no change in ranking, went to improper input validation (CWE-20), while OS command injection (CWE-78) slipped one place to sixth.
Seventh was use after free (CWE-416). Rounding out the top 10 were path traversal (CWE-22), cross-site request forgery (CWE-352), and unrestricted upload of a file with a dangerous type (CWE-434).
Command injection (CWE-77) jumped eight places to 17th, while race condition (CWE-362) rose 11 places to 22nd.
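To make the third-ranked weakness concrete, here is an added illustration (not code from MITRE, CWE or the article) of CWE-89 in its simplest form: a query assembled from untrusted input next to the parameterized version that removes the flaw. It uses an in-memory SQLite database with constructed sample rows, so it runs offline.

```python
"""CWE-89 (SQL injection): vulnerable query beside its parameterized fix.

Added example, not part of the CWE Top 25 material. The table, rows and
function names are constructed for illustration.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a constructed sample database with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """CWE-89: untrusted input is pasted into the SQL text, so quote
    characters in `name` change the query's structure."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Fix: bind the value as a parameter; the driver treats it as data,
    never as SQL, regardless of what characters it contains."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(name: str) -> tuple[list[str], list[str]]:
    """Run both lookups on the same input and return their results."""
    conn = build_db()
    return lookup_vulnerable(conn, name), lookup_safe(conn, name)


if __name__ == "__main__":
    # A normal username behaves identically in both versions.
    print(compare("alice"))
    # A value containing a quote shows where the two diverge: the
    # vulnerable query's WHERE clause is rewritten, the safe one matches nothing.
    print(compare("' OR '1'='1"))
```

The parameterized form is the mitigation CWE-89 guidance points to; the same pattern applies to every SQL driver that supports bound parameters, and it is also the easiest property to check for in code review.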
Each CWE entry includes a detailed explanation of the weakness, along with examples of previously disclosed vulnerabilities that exhibit it.