Here are the 25 most dangerous software bugs of 2022


A list detailing the 25 “most dangerous” software flaws, some of which could allow attackers to take control of a system, has just been published.

This list was developed in the United States by the Homeland Security Systems Engineering and Development Institute, sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and managed by MITRE. It uses Common Vulnerabilities and Exposures (CVE) data to compile the most frequent and critical errors that can lead to serious vulnerabilities.

“This list features the most common and severe software weaknesses today. Often easy to find and exploit, these weaknesses can lead to exploitable vulnerabilities that allow adversaries to take complete control of a system, steal data or prevent applications from working,” explains CWE.

“Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help them mitigate risk. These may be architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards bodies,” it noted.

Same as last year

The dataset used to calculate the 2022 Top 25 contains a total of 37,899 CVE records from the previous two calendar years, according to MITRE.

The 2022 Top 25 list is also based on data from CVE records in the dataset that are part of CISA’s Catalog of Known Exploited Vulnerabilities (KEVs).

The top two weaknesses remain the same as last year: CWE-787, the out-of-bounds write flaw, and CWE-79, cross-site scripting.

But SQL injection (CWE-89) as a category jumped three places to third, displacing the out-of-bounds read memory flaw (CWE-125), which fell two places to fifth.

In fourth place, with no change in ranking, is CWE-20, improper input validation, while OS command injection (CWE-78) drops one place to sixth.

In seventh position is CWE-416, “use after free”. Path traversal (CWE-22), cross-site request forgery (CWE-352), and unrestricted upload of a file with a dangerous type (CWE-434) round out the top 10.

Command injection (CWE-77) jumped eight places in the list to 17th, while race condition (CWE-362) moved up 11 places to 22nd.

Each entry in the CWE list includes a detailed explanation of the weakness and examples of past publicly disclosed vulnerabilities of that type.


Source: “ZDNet.com”
