Mitre reveals the most dangerous software vulnerabilities

The list was published to create analytical rigor “instead of subjective surveys and opinions”

The not-for-profit Mitre Corporation has published an updated list of the world's 25 most dangerous software weaknesses that have inundated applications over the last couple years.

Among the top bugs were out-of-bounds writes and improper neutralization of inputs in web page generation. Mitre said the weaknesses included in the list are “often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working.”

To compile the list, Mitre looked at Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. It applied a formula to the data to score each weakness based on prevalence and severity.

“A scoring formula is used to calculate a ranked order of weaknesses that combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen,” said Mitre in a statement.

It said this approach was taken as it would provide an objective look at what vulnerabilities are currently seen in the real world, “creates a foundation of analytical rigor built on publicly reported vulnerabilities instead of subjective surveys and opinions and makes the process easily repeatable.”

Related Resource

X-Force Threat Intelligence Index

Top security threats and recommendations for resilience

Transparent cube against a black background - whitepaper from IBMFree download

Number one on Mitre’s list was an out-of-bounds write flaw. Also known as CWE-787, this flaw happens when software writes data past the end or before the beginning of the intended buffer. This can result in corruption of data, a crash, or code execution. This scored 65.93, the highest on the list.

The next largest flaw was an improper input neutralization during web page generation or cross-site scripting bug. This is where software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page and served to other users. This scored 46.84 on the list.

Mitre said the major difference between the 2020 and 2021 CWE Top 25 lists is the continued transition to more specific weaknesses as opposed to abstract, class-level weaknesses. 

“A preliminary estimate suggests that the percentage of Base-level CWEs has increased from ~60% to ~71% of all Top 25 entries, and the percentage of Class-level CWEs has decreased from ~30% to ~20% of entries. Other weakness levels (e.g., category, compound, and variant) remain relatively unchanged,” it said.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

How the right software can improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

UK's first government cyber strategy aims to bolster public sector defences
cyber security

UK's first government cyber strategy aims to bolster public sector defences

25 Jan 2022
Russia's "politically motivated" REvil raid could be used as leverage, experts warn
ransomware

Russia's "politically motivated" REvil raid could be used as leverage, experts warn

17 Jan 2022
Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp
phishing

Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp

21 Dec 2021
Five things to consider before choosing an MFA solution
Security

Five things to consider before choosing an MFA solution

17 Dec 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
How to speed up Windows 11
Microsoft Windows

How to speed up Windows 11

7 Jan 2022
Synology DiskStation DS2422+ review: A cube of great capacity
network attached storage (NAS)

Synology DiskStation DS2422+ review: A cube of great capacity

10 Jan 2022