
Mitre reveals the most dangerous software vulnerabilities

The list was published to create analytical rigor “instead of subjective surveys and opinions”

The not-for-profit Mitre Corporation has published an updated list of the world's 25 most dangerous software weaknesses, those that have affected applications most over the last couple of years.

Among the top bugs were out-of-bounds writes and improper neutralization of inputs in web page generation. Mitre said the weaknesses included in the list are “often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working.”

To compile the list, Mitre looked at Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. It applied a formula to the data to score each weakness based on prevalence and severity.

“A scoring formula is used to calculate a ranked order of weaknesses that combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen,” said Mitre in a statement.

It said this approach was taken because it provides an objective look at which vulnerabilities are currently seen in the real world, and because it “creates a foundation of analytical rigor built on publicly reported vulnerabilities instead of subjective surveys and opinions and makes the process easily repeatable.”
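The scoring method described above can be followed end to end on a small data set. The block below is an added example, not Mitre's code: it takes a constructed set of CVE records (CWE id and CVSS base score), counts how often each CWE is the root cause, averages the CVSS score per CWE, min-max normalizes both terms as the statement describes, and combines them. The combination step (multiply the two normalized terms and scale by 100) follows Mitre's published CWE Top 25 methodology, but that detail is not on this page, so treat it as an assumption of the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of (root-cause CWE, CVSS base score) per CVE record.
# These are illustrative values, not real NVD data.
SAMPLE_RECORDS = [
    ("CWE-787", 9.8), ("CWE-787", 8.8), ("CWE-787", 7.8), ("CWE-787", 9.8),
    ("CWE-79", 6.1), ("CWE-79", 5.4), ("CWE-79", 6.1), ("CWE-79", 4.8), ("CWE-79", 6.1),
    ("CWE-89", 9.8), ("CWE-89", 8.8),
    ("CWE-20", 7.5),
    ("CWE-200", 4.3),
]


def normalize(value, lo, hi):
    """Min-max normalize value into [0, 1] relative to the observed range."""
    if hi == lo:
        return 0.0  # all CWEs identical on this axis; avoid division by zero
    return (value - lo) / (hi - lo)


def score_weaknesses(records):
    """Return {cwe: score} using frequency x severity, each min-max normalized.

    Assumed combination (per Mitre's published methodology, not this article):
    score = Fr(cwe) * Sv(cwe) * 100.
    """
    counts = defaultdict(int)
    cvss = defaultdict(list)
    for cwe, base_score in records:
        counts[cwe] += 1
        cvss[cwe].append(base_score)

    freq = dict(counts)                      # how often each CWE is the root cause
    sev = {c: mean(v) for c, v in cvss.items()}  # projected severity: mean CVSS

    fmin, fmax = min(freq.values()), max(freq.values())
    smin, smax = min(sev.values()), max(sev.values())

    scores = {}
    for cwe in freq:
        fr = normalize(freq[cwe], fmin, fmax)
        sv = normalize(sev[cwe], smin, smax)
        scores[cwe] = round(fr * sv * 100, 2)
    return scores


def rank(records):
    """Ranked list of (cwe, score), highest first."""
    scores = score_weaknesses(records)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for cwe, score in rank(SAMPLE_RECORDS):
        print(f"{cwe:<8} {score:6.2f}")
```

Two properties of the formula are worth noticing when running this. First, normalizing each axis against its own minimum means the least frequent CWE and the lowest-severity CWE both score exactly 0, whatever their other term is; in the sample, CWE-20 and CWE-200 drop to the bottom for that reason alone. Second, a weakness needs both prevalence and severity to rank highly, which is why the frequent-but-moderate CWE-79 lands below the rarer-but-critical CWE-787 here, mirroring the ordering the article reports.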


Number one on Mitre’s list was an out-of-bounds write flaw. Also known as CWE-787, this flaw happens when software writes data past the end or before the beginning of the intended buffer. This can result in corruption of data, a crash, or code execution. This scored 65.93, the highest on the list.

Second on the list was improper neutralization of input during web page generation, better known as cross-site scripting. This occurs when software does not neutralize, or incorrectly neutralizes, user-controllable input before placing it in output that is used as a web page and served to other users. It scored 46.84.

Mitre said the major difference between the 2020 and 2021 CWE Top 25 lists is the continued transition to more specific weaknesses as opposed to abstract, class-level weaknesses. 

“A preliminary estimate suggests that the percentage of Base-level CWEs has increased from ~60% to ~71% of all Top 25 entries, and the percentage of Class-level CWEs has decreased from ~30% to ~20% of entries. Other weakness levels (e.g., category, compound, and variant) remain relatively unchanged,” it said.
