
MITRE shares 2024's top 25 most dangerous software weaknesses

MITRE has shared this year's top 25 list of the most common and dangerous software weaknesses behind more than 31,000 vulnerabilities disclosed between June 2023 and June 2024.

Software weaknesses refer to flaws, bugs, vulnerabilities, and errors found in a software product's code, architecture, implementation, or design.

Attackers can exploit them to breach systems where the vulnerable software is running, enabling them to gain control over affected devices and access sensitive data or trigger denial-of-service attacks.

"Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working," MITRE said today.

"Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place — benefiting both industry and government stakeholders."

To create this year's ranking, MITRE scored each weakness based on its severity and frequency after analyzing 31,770 CVE records for vulnerabilities that "would benefit from re-mapping analysis" and were reported during 2023 and 2024, with a focus on security flaws added to CISA's Known Exploited Vulnerabilities (KEV) catalog.


"This annual list identifies the most critical software weaknesses that adversaries frequently exploit to compromise systems, steal sensitive data, or disrupt essential services," CISA added today.

"Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle."

| Rank | ID | Name | Score | KEV CVEs | Change vs. 2023 |
|---|---|---|---|---|---|
| 1 | CWE-79 | Cross-site Scripting | 56.92 | 3 | +1 |
| 2 | CWE-787 | Out-of-bounds Write | 45.20 | 18 | -1 |
| 3 | CWE-89 | SQL Injection | 35.88 | 4 | 0 |
| 4 | CWE-352 | Cross-Site Request Forgery (CSRF) | 19.57 | 0 | +5 |
| 5 | CWE-22 | Path Traversal | 12.74 | 4 | +3 |
| 6 | CWE-125 | Out-of-bounds Read | 11.42 | 3 | +1 |
| 7 | CWE-78 | OS Command Injection | 11.30 | 5 | -2 |
| 8 | CWE-416 | Use After Free | 10.19 | 5 | -4 |
| 9 | CWE-862 | Missing Authorization | 10.11 | 0 | +2 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.03 | 0 | 0 |
| 11 | CWE-94 | Code Injection | 7.13 | 7 | +12 |
| 12 | CWE-20 | Improper Input Validation | 6.78 | 1 | -6 |
| 13 | CWE-77 | Command Injection | 6.74 | 4 | +3 |
| 14 | CWE-287 | Improper Authentication | 5.94 | 4 | -1 |
| 15 | CWE-269 | Improper Privilege Management | 5.22 | 0 | +7 |
| 16 | CWE-502 | Deserialization of Untrusted Data | 5.07 | 5 | -1 |
| 17 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 5.07 | 0 | +13 |
| 18 | CWE-863 | Incorrect Authorization | 4.05 | 2 | +6 |
| 19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.05 | 2 | 0 |
| 20 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 3.69 | 2 | -3 |
| 21 | CWE-476 | NULL Pointer Dereference | 3.58 | 0 | -9 |
| 22 | CWE-798 | Use of Hard-coded Credentials | 3.46 | 2 | -4 |
| 23 | CWE-190 | Integer Overflow or Wraparound | 3.37 | 3 | -9 |
| 24 | CWE-400 | Uncontrolled Resource Consumption | 3.23 | 0 | +13 |
| 25 | CWE-306 | Missing Authentication for Critical Function | 2.73 | 5 | -5 |
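The article says MITRE scored each weakness on frequency and severity and tracked how many of its CVEs sit in CISA's KEV catalog. The example below, added here and not part of the article or MITRE's tooling, applies that idea to a handful of constructed CVE records; the min-max normalisation and the score = frequency × severity × 100 formula are my assumptions about the method, not something the article states.

```python
# Added example (not from the article): ranks CWEs from a small set of
# constructed CVE records by the frequency-times-severity approach the
# article describes. The min-max normalisation and the score = Fr*Sv*100
# formula are assumptions about MITRE's method, not stated on the page.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cwe: str        # root-cause weakness after (re-)mapping
    cvss: float     # CVSS base score, 0.0-10.0
    in_kev: bool    # listed in CISA's Known Exploited Vulnerabilities catalog


# Constructed sample records; IDs and scores are illustrative only.
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-0001", "CWE-79", 6.1, False),
    CveRecord("CVE-0000-0002", "CWE-79", 5.4, False),
    CveRecord("CVE-0000-0003", "CWE-79", 6.1, True),
    CveRecord("CVE-0000-0004", "CWE-787", 9.8, True),
    CveRecord("CVE-0000-0005", "CWE-787", 8.8, True),
    CveRecord("CVE-0000-0006", "CWE-89", 9.8, False),
    CveRecord("CVE-0000-0007", "CWE-476", 5.5, False),
]


def _normalise(value, lo, hi):
    """Min-max scale to [0, 1]; a flat range scores 0 for everyone."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def rank_weaknesses(records):
    """Return [(cwe, score, kev_count)] sorted by descending score."""
    by_cwe = defaultdict(list)
    for r in records:
        by_cwe[r.cwe].append(r)
    freq = {c: len(rs) for c, rs in by_cwe.items()}                      # how often
    sev = {c: sum(r.cvss for r in rs) / len(rs) for c, rs in by_cwe.items()}  # how bad
    f_lo, f_hi = min(freq.values()), max(freq.values())
    s_lo, s_hi = min(sev.values()), max(sev.values())
    ranked = []
    for c in by_cwe:
        score = _normalise(freq[c], f_lo, f_hi) * _normalise(sev[c], s_lo, s_hi) * 100
        kev = sum(1 for r in by_cwe[c] if r.in_kev)
        ranked.append((c, round(score, 2), kev))
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


if __name__ == "__main__":
    for rank, (cwe, score, kev) in enumerate(rank_weaknesses(SAMPLE_RECORDS), 1):
        print(f"{rank:>2} {cwe:<8} score={score:>6.2f} kev_cves={kev}")
```

Note that the multiplicative score drives a weakness that is rare in the sample to zero even when its CVSS is the highest (CWE-89 here), which is why a KEV count is a useful companion signal for prioritisation.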

CISA also regularly releases "Secure by Design" alerts highlighting the prevalence of widely known and documented vulnerabilities that have yet to be eliminated from software despite available and effective mitigations.

Some were issued in response to ongoing malicious activity, like a July alert asking vendors to eliminate OS command injection vulnerabilities exploited by the Chinese Velvet Ant state hackers in recent attacks targeting Cisco, Palo Alto, and Ivanti network edge devices.

In May and March, the cybersecurity agency published two more "Secure by Design" alerts urging tech executives and software developers to prevent path traversal and SQL injection (SQLi) vulnerabilities in their products and code.

CISA also urged tech vendors to stop shipping software and devices with default passwords, and small office/home office (SOHO) router manufacturers to secure them against Volt Typhoon attacks.

Last week, the FBI, the NSA, and Five Eyes cybersecurity authorities released a list of the top 15 routinely exploited security vulnerabilities of last year, warning that attackers focused on targeting zero-days (security flaws that have been disclosed but are yet to be patched).


"In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day," they warned.
