MITRE has released a list of Top 25 Most Dangerous Software Errors (CWE Top 25) that are widely spread and leads to serious vulnerabilities. The list was generated based on the vulnerabilities published within the National Vulnerability Database.
These vulnerabilities are easily exploitable and allow an attacker to get complete control over the system. Attackers can steal sensitive data, crash the application, cause a DOS condition.
The CWE Top 25 list will be a useful resource for software developers, software testers, software customers, software project managers, security researchers, and educators to gain insights of the common security threats in Industry, MITRE said.
MITRE says that the list was generated based on the data-driven approach based on the CVE published NVD, as well as the CVSS scores associated with it.
“A scoring formula was then applied to determine the level of prevalence and danger each weakness presents. This data-driven approach can be used as a repeatable, scripted process to generate a CWE Top 25 list regularly with minimal effort,” MITRE says.
Also read: Simjacker Vulnerability – Attackers take Control Over Mobile Phones via an SMS Message
2019 list is the latest release since 2011 CWE/SANS Top 25, “the 2011 CWE/SANS Top 25 was constructed using surveys and personal interviews with developers, top security analysts, researchers, and vendors, but the 2019 list was based on real-world vulnerabilities.” MITRE said.
CWE Top 25 List
MITRE provided a list of vulnerabilities with overall CVSS score and description for each of them with examples.
| Rank | ID | Name | Score |
|---|---|---|---|
| [1] | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 75.56 |
| [2] | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.69 |
| [3] | CWE-20 | Improper Input Validation | 43.61 |
| [4] | CWE-200 | Information Exposure | 32.12 |
| [5] | CWE-125 | Out-of-bounds Read | 26.53 |
| [6] | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 24.54 |
| [7] | CWE-416 | Use After Free | 17.94 |
| [8] | CWE-190 | Integer Overflow or Wraparound | 17.35 |
| [9] | CWE-352 | Cross-Site Request Forgery (CSRF) | 15.54 |
| [10] | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.10 |
| [11] | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 11.47 |
| [12] | CWE-787 | Out-of-bounds Write | 11.08 |
| [13] | CWE-287 | Improper Authentication | 10.78 |
| [14] | CWE-476 | NULL Pointer Dereference | 9.74 |
| [15] | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.33 |
| [16] | CWE-434 | Unrestricted Upload of File with Dangerous Type | 5.50 |
| [17] | CWE-611 | Improper Restriction of XML External Entity Reference | 5.48 |
| [18] | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 5.36 |
| [19] | CWE-798 | Use of Hard-coded Credentials | 5.12 |
| [20] | CWE-400 | Uncontrolled Resource Consumption | 5.04 |
| [21] | CWE-772 | Missing Release of Resource after Effective Lifetime | 5.04 |
| [22] | CWE-426 | Untrusted Search Path | 4.40 |
| [23] | CWE-502 | Deserialization of Untrusted Data | 4.30 |
| [24] | CWE-269 | Improper Privilege Management | 4.23 |
| [25] | CWE-295 | Improper Certificate Validation | 4.06 |
The CWE’s calculated by MITRE, based on a scoring formula, the vulnerabilities that are common and cause high impact will receive a high score.
