MITER this year shared a list of the top 25 most common and dangerous software weaknesses over the past two years.

Software weaknesses are flaws, bugs, vulnerabilities, and various other types of errors affecting the code, architecture, implementation, or design of a software solution, potentially exposing the systems on which it runs. to attacks.

MITER developed the Top 25 list using 2019 and 2020 Common Vulnerability and Exposure (CVE) data obtained from the National Vulnerability Database (NVD) (approximately 27,000 CVE).

“A scoring formula is used to calculate a ranked order of weaknesses that combines the frequency with which a CWE is the root cause of a vulnerability with the projected severity of its exploitation,” explained MITER.

“This approach provides an objective look at vulnerabilities currently seen in the real world, creates a basis of analytical rigor based on publicly reported vulnerabilities instead of surveys and subjective opinions, and makes the process easily replicable.”

The 25 best MITER bugs 2021 are dangerous because they are generally easy to discover, have a high impact, and are prevalent in software released over the past two years.

They can also be exploited by attackers to potentially take full control of vulnerable systems, steal sensitive data from targets, or trigger a denial of service (DoS) after successful exploitation.

The list below gives the community at large an overview of the most critical and current weaknesses in software security.

Rank username name Goal
[1] CWE-787 Write out of bounds 65.93
[2] CWE-79 Incorrect neutralization of entries when generating Web pages (“Cross-site scripting”) 46.84
[3] CWE-125 Reading out of range 24.9
[4] CWE-20 Incorrect entry validation 20.47
[5] CWE-78 Incorrect neutralization of special elements used in an OS command (‘OS command injection’) 19.55
[6] CWE-89 Incorrect neutralization of special elements used in an SQL command (‘SQL injection’) 19.54
[7] CWE-416 Use after free 16.83
[8] CWE-22 Incorrect limitation of a path name to a restricted directory (‘Path Traversal’) 14.69
[9] CWE-352 Cross-Site Request Infringement (CSRF) 14.46
[10] CWE-434 Unlimited download of dangerous file types 8.45
[11] CWE-306 Missing authentication for the critical function 7.93
[12] CWE-190 Integer overflow or wraparound 7.12
[13] CWE-502 Deserialization of unreliable data 6.71
[14] CWE-287 Incorrect authentication 6.58
[15] CWE-476 NULL pointer dereference 6.54
[16] CWE-798 Using hard-coded credentials 6.27
[17] CWE-119 Inappropriate restriction of operations within a memory buffer 5.84
[18] CWE-862 Missing authorization 5.47
[19] CWE-276 Incorrect default permissions 5.09
[20] CWE-200 Exposing sensitive information to an unauthorized actor 4.74
[21] CWE-522 Insufficiently protected credentials 4.21
[22] CWE-732 Incorrect authorization assignment for critical resource 4.2
[23] CWE-611 Inappropriate restriction of XML external entity reference 4.02
[24] CWE-918 Server-side query forgery (SSRF) 3.78
[25] CWE-77 Incorrect neutralization of special elements used in an order (“Order injection”) 3.58

Top 10 most exploited vulnerabilities

Last year, on May 12, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) also published a list of the 10 most exploited security vulnerabilities between 2016 and 2019.

“Of the top 10, the three most common vulnerabilities used by state sponsored cyber actors from China, Iran, North Korea and Russia are CVE-2017-11882, CVE-2017-0199, and CVE- 2012-0158 “, CISA mentioned. “These three vulnerabilities are related to Microsoft’s OLE technology.”

Chinese hackers have frequently exploited CVE-2012-0158 from December 2018, showing that their targets have failed to quickly apply security updates and that malicious actors will continue to try to abuse so many bugs. that they are not corrected.

Attackers have also focused on exploiting security holes caused by hasty deployments of cloud collaboration services like Office 365.

Unpatched vulnerabilities Pulse Secure VPN (CVE-2019-11510) and Citrix VPN (CVE-2019-19781) were also a favorite target last year, after the switch to remote working caused by the COVID-pandemic. 19 in progress.

CISA recommends abandoning end-of-life software as soon as possible, as it is the easiest and fastest way to mitigate old, unpatched security bugs.

The full list of the 10 most exploited security vulnerabilities since 2016 can be found below, with direct links to their NVD entries.

CVE Associated malware
CVE-2017-11882 Loki, FormBook, Pony / FAREIT
CVE-2017-0199 FINSPY, LATENTBOT, Dridex
CVE-2017-5638 JexBoss
CVE-2012-0158 Dridex
CVE-2019-0604 China Chopper
CVE-2017-0143 Multiple using EternalSynergy and EternalBlue exploitation kit
CVE-2018-4878 DOG CALL
CVE-2017-8759 FINSPY, FinFisher, WingBird
CVE-2015-1641 Toshliph, Uguerrier
CVE-2018-7600 Kitty



Capitol police change training and security procedures 6 months after insurgency


What is the role of machine learning in software testing?

Leave a Reply

Your email address will not be published.

Check Also