MITRE specialists published a list of the 25 most dangerous software weaknesses that lead to vulnerabilities
Representatives of the MITRE organization have prepared an updated list of the 25 most dangerous problems and shortcomings in software: weakness types that can lead to vulnerabilities and that attackers exploit to compromise systems.
This time the Top 25 was compiled from MITRE's own data, from the NVD (National Vulnerability Database) and from the CVSS scores attached to NVD entries. Previously the list was built from surveys and personal interviews with developers, leading security analysts, researchers and vendors.
"These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working," MITRE specialists write.
Entries on this list carry CWE (Common Weakness Enumeration) identifiers, not to be confused with CVE identifiers. A CWE describes a type of weakness (a class of coding or design error), whereas a CVE is a specific vulnerability in a specific product; in that sense CWEs are the forerunners of CVEs, since every concrete vulnerability is an instance of some weakness type.
The CWE catalog contains more than 600 weakness types, and this year the list also includes several very broad, class-level CWEs that cover wide families of problems, for example CWE-20 (Improper Input Validation), CWE-200 (Information Exposure) and CWE-287 (Improper Authentication).
The full Top 25 as ranked by MITRE specialists is given in the table below. Each CWE was scored on two factors: how often it is the root cause of a real vulnerability recorded in the NVD, and how severe those vulnerabilities are according to their CVSS scores.
| Rank | ID | Name | Score |
|---|---|---|---|
| 1 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 75.56 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.69 |
| 3 | CWE-20 | Improper Input Validation | 43.61 |
| 4 | CWE-200 | Information Exposure | 32.12 |
| 5 | CWE-125 | Out-of-bounds Read | 26.53 |
| 6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 24.54 |
| 7 | CWE-416 | Use After Free | 17.94 |
| 8 | CWE-190 | Integer Overflow or Wraparound | 17.35 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 15.54 |
| 10 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.10 |
| 11 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 11.47 |
| 12 | CWE-787 | Out-of-bounds Write | 11.08 |
| 13 | CWE-287 | Improper Authentication | 10.78 |
| 14 | CWE-476 | NULL Pointer Dereference | 9.74 |
| 15 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.33 |
| 16 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 5.50 |
| 17 | CWE-611 | Improper Restriction of XML External Entity Reference | 5.48 |
| 18 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 5.36 |
| 19 | CWE-798 | Use of Hard-coded Credentials | 5.12 |
| 20 | CWE-400 | Uncontrolled Resource Consumption | 5.04 |
| 21 | CWE-772 | Missing Release of Resource after Effective Lifetime | 5.04 |
| 22 | CWE-426 | Untrusted Search Path | 4.40 |
| 23 | CWE-502 | Deserialization of Untrusted Data | 4.30 |
| 24 | CWE-269 | Improper Privilege Management | 4.23 |
| 25 | CWE-295 | Improper Certificate Validation | 4.06 |
Compared with the previous list from 2011, new entries make up about a third of this year's Top 25. Most of the weaknesses that were relevant then, however, remain dangerous now.
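To make the scoring described above concrete, here is an added example (not MITRE's own code) that reimplements the published 2019 formula: each CWE's frequency (number of NVD entries mapped to it) and average CVSS score are min-max normalized across all CWEs, and the score is the product of the two normalized values times 100. The input records are constructed for illustration, not real NVD data; in practice you would build them from the NVD JSON feeds, emitting one record per (entry, CWE) pair and skipping the NVD placeholder categories "NVD-CWE-Other" and "NVD-CWE-noinfo", as MITRE did.

```python
"""Recompute CWE Top 25 style scores with MITRE's 2019 method (added example)."""
from collections import defaultdict
from statistics import mean

# Placeholder values NVD uses when no real CWE was assigned; MITRE excluded them.
NVD_PLACEHOLDERS = {"NVD-CWE-Other", "NVD-CWE-noinfo"}

# Constructed sample records: (CWE id, CVSS base score) for each NVD entry.
# An entry mapped to several CWEs would contribute one record per CWE.
SAMPLE_RECORDS = [
    ("CWE-119", 9.8), ("CWE-119", 7.5), ("CWE-119", 8.8), ("CWE-119", 9.8),
    ("CWE-79", 6.1), ("CWE-79", 5.4), ("CWE-79", 6.1),
    ("CWE-89", 9.8), ("CWE-89", 8.8),
    ("CWE-200", 5.3),
    ("NVD-CWE-Other", 7.5),   # ignored: not a real weakness type
]


def _normalize(value, low, high):
    """Min-max normalize into [0, 1]; a degenerate range maps to 0."""
    return 0.0 if high == low else (value - low) / (high - low)


def cwe_top25_scores(records):
    """Return {cwe_id: score} using the 2019 formula.

    Fr(X)  = (count(X) - min(counts)) / (max(counts) - min(counts))
    Sv(X)  = (avg_cvss(X) - min(avgs)) / (max(avgs) - min(avgs))
    Score  = Fr(X) * Sv(X) * 100
    """
    counts = defaultdict(int)
    cvss_by_cwe = defaultdict(list)
    for cwe, cvss in records:
        if cwe in NVD_PLACEHOLDERS:
            continue
        counts[cwe] += 1
        cvss_by_cwe[cwe].append(float(cvss))
    if not counts:
        return {}

    avg_cvss = {cwe: mean(scores) for cwe, scores in cvss_by_cwe.items()}
    min_count, max_count = min(counts.values()), max(counts.values())
    min_avg, max_avg = min(avg_cvss.values()), max(avg_cvss.values())

    return {
        cwe: _normalize(counts[cwe], min_count, max_count)
        * _normalize(avg_cvss[cwe], min_avg, max_avg)
        * 100
        for cwe in counts
    }


def rank_cwes(scores, top_n=25):
    """Sort CWEs by descending score (ties broken by id) and keep the top N."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank_cwes(cwe_top25_scores(SAMPLE_RECORDS)), 1):
        print(f"{position:2d}  {cwe:<8}  {score:6.2f}")
```

One property of this min-max normalization is worth keeping in mind when reading the table: the least frequent CWE in the data set always gets a frequency factor of 0 and therefore a score of 0, and the same happens to the CWE with the lowest average CVSS, regardless of how many vulnerabilities it caused. In the sample above CWE-200 appears only once and lands at 0.00 for exactly that reason.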