Mitre reveals the most dangerous software vulnerabilities

The list was published to create analytical rigor “instead of subjective surveys and opinions”

The not-for-profit Mitre Corporation has published an updated list of the world's 25 most dangerous software weaknesses, the ones that have inundated applications over the last couple of years.

Among the top bugs were out-of-bounds writes and improper neutralization of inputs in web page generation. Mitre said the weaknesses included in the list are “often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working.”

To compile the list, Mitre looked at Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. It applied a formula to the data to score each weakness based on prevalence and severity.

“A scoring formula is used to calculate a ranked order of weaknesses that combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen,” said Mitre in a statement.

It said this approach was taken because it provides an objective look at which vulnerabilities are currently seen in the real world, and because it “creates a foundation of analytical rigor built on publicly reported vulnerabilities instead of subjective surveys and opinions and makes the process easily repeatable.”
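The scoring described above, worked through as an added Python example that is not Mitre's own code: it min-max normalizes each CWE's frequency (how often it is the root cause of a CVE) and its average CVSS score over a constructed set of NVD-style records, then multiplies the two normalized values and scales to 100, which follows Mitre's published Top 25 methodology. The CVE identifiers and scores are constructed, not real data.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of NVD-style records: (cve_id, root-cause CWE, CVSS base score).
# Illustrative values only; they are not real CVE entries.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-787", 9.8),
    ("CVE-0000-0002", "CWE-787", 7.5),
    ("CVE-0000-0003", "CWE-787", 8.8),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 5.4),
    ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 4.3),
    ("CVE-0000-0008", "CWE-89", 9.8),
    ("CVE-0000-0009", "CWE-20", 5.3),
]


def normalize(value, lo, hi):
    """Min-max normalization relative to the minimum and maximum seen."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def cwe_scores(cves):
    """Return {cwe: score}, score = norm(frequency) * norm(avg CVSS) * 100."""
    counts = defaultdict(int)
    cvss = defaultdict(list)
    for _cve_id, cwe, score in cves:
        counts[cwe] += 1
        cvss[cwe].append(score)
    avg_sev = {cwe: mean(scores) for cwe, scores in cvss.items()}
    min_f, max_f = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg_sev.values()), max(avg_sev.values())
    result = {}
    for cwe in counts:
        fr = normalize(counts[cwe], min_f, max_f)   # prevalence component
        sv = normalize(avg_sev[cwe], min_s, max_s)  # projected-severity component
        result[cwe] = round(fr * sv * 100.0, 2)
    return result


def ranked(cves):
    """Ranked list of (cwe, score), highest first."""
    return sorted(cwe_scores(cves).items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for cwe, score in ranked(SAMPLE_CVES):
        print(f"{cwe:8} {score:6.2f}")
```

Note the effect of min-max normalization: the least frequent weakness in the sample (here the single CWE-89 record) scores 0.0 regardless of its severity, and the least severe scores 0.0 regardless of frequency, so the ranking rewards weaknesses that are both common and severe rather than either alone.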


Number one on Mitre’s list was an out-of-bounds write flaw. Also known as CWE-787, this flaw happens when software writes data past the end or before the beginning of the intended buffer. This can result in corruption of data, a crash, or code execution. This scored 65.93, the highest on the list.

The next highest-scoring flaw was improper neutralization of input during web page generation, better known as cross-site scripting. This is where software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page and served to other users. This scored 46.84 on the list.

Mitre said the major difference between the 2020 and 2021 CWE Top 25 lists is the continued transition towards more specific weaknesses, as opposed to abstract, class-level weaknesses.

“A preliminary estimate suggests that the percentage of Base-level CWEs has increased from ~60% to ~71% of all Top 25 entries, and the percentage of Class-level CWEs has decreased from ~30% to ~20% of entries. Other weakness levels (e.g., category, compound, and variant) remain relatively unchanged,” it said.
