MITRE just lately launched its yearly record of the 2024 CWE High 25 Most Harmful Software program Weaknesses.
This record differs from lists that include the commonest vulnerabilities, as it isn’t a listing of vulnerabilities, however reasonably weaknesses in system design that may be exploited to leverage vulnerabilities.
“By definition, code injection is an assault, and after we take into consideration the High 25 it’s figuring out the weaknesses beneath,” mentioned Alec Summers, mission chief for the CVE and CWE applications at MITRE.
These weaknesses can doubtlessly pave the way in which for vulnerabilities and assaults, so it’s vital to pay attention to them and mitigate them as a lot as doable.
In accordance with Summers, one pattern on this yr’s record is that whereas some weaknesses moved up or down the record, lots of the weaknesses on the record are traditional weaknesses which have been round for years, corresponding to people who allow SQL injection and cross-site scripting.
“The extra you perceive these weaknesses, and also you draw connections between these items, you’ll be able to truly begin to eradicate complete courses of issues that we see so many instances,” he mentioned.
Addressing these weaknesses not solely improves product safety, but additionally has the potential to save lots of corporations cash as a result of “the extra weaknesses we keep away from in product improvement, the much less vulnerabilities to handle after deployment,” he defined.
This yr’s record contains the next weaknesses:
- Improper Neutralization of Enter Throughout Net Web page Era (‘Cross-site Scripting’)
- Out-of-bounds Write
- Improper Neutralization of Particular Parts utilized in an SQL Command (‘SQL Injection’)
- Cross-Web site Request Forgery (CSRF)
- Improper Limitation of a Pathname to a Restricted Listing (‘Path Traversal’)
- Out-of-bounds Learn
- Improper Neutralization of Particular Parts utilized in an OS Command (‘OS Command Injection’)
- Use After Free
- Lacking Authorization
- Unrestricted Add of File with Harmful Sort
- Improper Management of Era of Code (‘Code Injection’)
- Improper Enter Validation
- Improper Neutralization of Particular Parts utilized in a Command (‘Command Injection’)
- Improper Authentication
- Improper Privilege Administration
- Deserialization of Untrusted Knowledge
- Publicity of Delicate Data to an Unauthorized Actor
- Incorrect Authorization
- Server-Aspect Request Forgery (SSRF)
- Improper Restriction of Operations throughout the Bounds of a Reminiscence Buffer
- NULL Pointer Dereference
- Use of Exhausting-coded Credentials
- Integer Overflow or Wraparound
- Uncontrolled Useful resource Consumption
- Lacking Authentication for Vital Perform
The dataset the record relies on contains information for 31,779 Widespread Vulnerabilities and Exposures (CVEs) revealed between June 1, 2023 and June 1, 2024.
In accordance with Summers, this yr, the methodology during which the record was created was totally different than in previous years as a result of MITRE and CISA concerned the broader safety group to research the dataset, whereas in earlier years MITRE’s Widespread Weak point Enumeration (CWE) group labored alone.
This may occasionally have resulted in lots of adjustments from earlier years, and this yr’s record solely featured three weaknesses that retained the identical rating as final yr: #3 Improper Neutralization of Particular Parts utilized in an SQL Command (‘SQL Injection’), #10 Unrestricted Add of File with Harmful Sort, and #19 Server-Aspect Request Forgery (SSRF).
The weaknesses that had the largest upward transfer from final yr’s record are #4 Cross-Web site Request Forgery, which moved up 5 ranks; #11 Improper Management of Era of Code (‘Code Injection’), which moved up 12 ranks; #15 Improper Privilege Administration, which moved up seven ranks; and #18 Incorrect Authorization, which moved up six ranks.
Weaknesses that moved down in rank considerably embrace #12 Improper Enter Validation, which moved down six ranks; #21 NULL Pointer Dereference, which moved down 9 ranks; #23 Integer Overflow or Wraparound, which moved down 9 ranks; and #25 Lacking Authentication for Vital Perform, which moved down 5 ranks.
This yr additionally noticed two new entries to the record and two entries that left the High 25. New entries embrace #17 Publicity of Delicate Data to an Unauthorized Actor and #24 Uncontrolled Useful resource Consumption. Earlier entries now not within the High 25 are Concurrent Execution utilizing Shared Useful resource with Improper Synchronization (‘Race Situation’) and Incorrect Default Permissions.
In accordance with MITRE, one doable explanation for the adjustments is that they didn’t obtain CWE mappings from the U.S. Nationwide Vulnerability Database analysts for the CVE information from the primary half of 2024.
“It’s not clear whether or not these gaps have an effect on the relative rankings, for the reason that distribution of unmapped CVEs appears prone to align roughly with the CWE distribution of the complete knowledge set,” MITRE wrote.
