MITRE lately launched its yearly listing of the 2024 CWE Prime 25 Most Harmful Software program Weaknesses.
This listing differs from lists that include the most typical vulnerabilities, as it’s not a listing of vulnerabilities, however relatively weaknesses in system design that may be exploited to leverage vulnerabilities.
“By definition, code injection is an assault, and once we take into consideration the Prime 25 it’s figuring out the weaknesses beneath,” stated Alec Summers, venture chief for the CVE and CWE applications at MITRE.
These weaknesses can doubtlessly pave the best way for vulnerabilities and assaults, so it’s necessary to pay attention to them and mitigate them as a lot as potential.
Based on Summers, one development on this 12 months’s listing is that whereas some weaknesses moved up or down the listing, lots of the weaknesses on the listing are basic weaknesses which have been round for years, reminiscent of people who allow SQL injection and cross-site scripting.
“The extra you perceive these weaknesses, and also you draw connections between these items, you possibly can really begin to eradicate complete lessons of issues that we see so many occasions,” he stated.
Addressing these weaknesses not solely improves product safety, but in addition has the potential to avoid wasting firms cash as a result of “the extra weaknesses we keep away from in product improvement, the much less vulnerabilities to handle after deployment,” he defined.
This 12 months’s listing consists of the next weaknesses:
- Improper Neutralization of Enter Throughout Internet Web page Technology (‘Cross-site Scripting’)
- Out-of-bounds Write
- Improper Neutralization of Particular Parts utilized in an SQL Command (‘SQL Injection’)
- Cross-Website Request Forgery (CSRF)
- Improper Limitation of a Pathname to a Restricted Listing (‘Path Traversal’)
- Out-of-bounds Learn
- Improper Neutralization of Particular Parts utilized in an OS Command (‘OS Command Injection’)
- Use After Free
- Lacking Authorization
- Unrestricted Add of File with Harmful Kind
- Improper Management of Technology of Code (‘Code Injection’)
- Improper Enter Validation
- Improper Neutralization of Particular Parts utilized in a Command (‘Command Injection’)
- Improper Authentication
- Improper Privilege Administration
- Deserialization of Untrusted Information
- Publicity of Delicate Info to an Unauthorized Actor
- Incorrect Authorization
- Server-Aspect Request Forgery (SSRF)
- Improper Restriction of Operations throughout the Bounds of a Reminiscence Buffer
- NULL Pointer Dereference
- Use of Exhausting-coded Credentials
- Integer Overflow or Wraparound
- Uncontrolled Useful resource Consumption
- Lacking Authentication for Important Perform
The dataset the listing is predicated on consists of information for 31,779 Frequent Vulnerabilities and Exposures (CVEs) printed between June 1, 2023 and June 1, 2024.
Based on Summers, this 12 months, the technique wherein the listing was created was completely different than in previous years as a result of MITRE and CISA concerned the broader safety neighborhood to research the dataset, whereas in earlier years MITRE’s Frequent Weak spot Enumeration (CWE) group labored alone.
This may increasingly have resulted in lots of adjustments from earlier years, and this 12 months’s listing solely featured three weaknesses that retained the identical rating as final 12 months: #3 Improper Neutralization of Particular Parts utilized in an SQL Command (‘SQL Injection’), #10 Unrestricted Add of File with Harmful Kind, and #19 Server-Aspect Request Forgery (SSRF).
The weaknesses that had the largest upward transfer from final 12 months’s listing are #4 Cross-Website Request Forgery, which moved up 5 ranks; #11 Improper Management of Technology of Code (‘Code Injection’), which moved up 12 ranks; #15 Improper Privilege Administration, which moved up seven ranks; and #18 Incorrect Authorization, which moved up six ranks.
Weaknesses that moved down in rank considerably embody #12 Improper Enter Validation, which moved down six ranks; #21 NULL Pointer Dereference, which moved down 9 ranks; #23 Integer Overflow or Wraparound, which moved down 9 ranks; and #25 Lacking Authentication for Important Perform, which moved down 5 ranks.
This 12 months additionally noticed two new entries to the listing and two entries that left the Prime 25. New entries embody #17 Publicity of Delicate Info to an Unauthorized Actor and #24 Uncontrolled Useful resource Consumption. Earlier entries not within the Prime 25 are Concurrent Execution utilizing Shared Useful resource with Improper Synchronization (‘Race Situation’) and Incorrect Default Permissions.
Based on MITRE, one potential explanation for the adjustments is that they didn’t obtain CWE mappings from the U.S. Nationwide Vulnerability Database analysts for the CVE information from the primary half of 2024.
“It’s not clear whether or not these gaps have an effect on the relative rankings, because the distribution of unmapped CVEs appears more likely to align roughly with the CWE distribution of all the information set,” MITRE wrote.
