-10.3 C
New York
Monday, December 23, 2024

The highest 25 weaknesses in software program in 2024


MITRE not too long ago launched its yearly listing of the 2024 CWE High 25 Most Harmful Software program Weaknesses

This listing differs from lists that include the commonest vulnerabilities, as it’s not an inventory of vulnerabilities, however moderately weaknesses in system design that may be exploited to leverage vulnerabilities. 

“By definition, code injection is an assault, and once we take into consideration the High 25 it’s figuring out the weaknesses beneath,” mentioned Alec Summers, undertaking chief for the CVE and CWE packages at MITRE. 

These weaknesses can doubtlessly pave the way in which for vulnerabilities and assaults, so it’s essential to concentrate on them and mitigate them as a lot as doable.

In response to Summers, one pattern on this yr’s listing is that whereas some weaknesses moved up or down the listing, a number of the weaknesses on the listing are traditional weaknesses which were round for years, corresponding to people who allow SQL injection and cross-site scripting.

“The extra you perceive these weaknesses, and also you draw connections between these items, you possibly can really begin to get rid of complete lessons of issues that we see so many instances,” he mentioned.

Addressing these weaknesses not solely improves product safety, but in addition has the potential to save lots of corporations cash as a result of “the extra weaknesses we keep away from in product growth, the much less vulnerabilities to handle after deployment,” he defined.

This yr’s listing contains the next weaknesses:

  1. Improper Neutralization of Enter Throughout Internet Web page Era (‘Cross-site Scripting’)
  2. Out-of-bounds Write
  3. Improper Neutralization of Particular Parts utilized in an SQL Command (‘SQL Injection’)
  4. Cross-Web site Request Forgery (CSRF)
  5. Improper Limitation of a Pathname to a Restricted Listing (‘Path Traversal’)
  6. Out-of-bounds Learn
  7. Improper Neutralization of Particular Parts utilized in an OS Command (‘OS Command Injection’)
  8. Use After Free
  9. Lacking Authorization
  10. Unrestricted Add of File with Harmful Sort
  11. Improper Management of Era of Code (‘Code Injection’)
  12. Improper Enter Validation
  13. Improper Neutralization of Particular Parts utilized in a Command (‘Command Injection’)
  14. Improper Authentication
  15. Improper Privilege Administration
  16. Deserialization of Untrusted Knowledge
  17. Publicity of Delicate Data to an Unauthorized Actor
  18. Incorrect Authorization
  19. Server-Aspect Request Forgery (SSRF)
  20. Improper Restriction of Operations inside the Bounds of a Reminiscence Buffer
  21. NULL Pointer Dereference
  22. Use of Arduous-coded Credentials
  23. Integer Overflow or Wraparound
  24. Uncontrolled Useful resource Consumption
  25. Lacking Authentication for Important Operate

The dataset the listing is predicated on contains data for 31,779 Widespread Vulnerabilities and Exposures (CVEs) printed between June 1, 2023 and June 1, 2024. 

In response to Summers, this yr, the methodology through which the listing was created was completely different than in previous years as a result of MITRE and CISA concerned the broader safety neighborhood to investigate the dataset, whereas in earlier years MITRE’s Widespread Weak spot Enumeration (CWE) workforce labored alone. 

This will have resulted in lots of adjustments from earlier years, and this yr’s listing solely featured three weaknesses that retained the identical rating as final yr: #3 Improper Neutralization of Particular Parts utilized in an SQL Command (‘SQL Injection’), #10 Unrestricted Add of File with Harmful Sort, and #19 Server-Aspect Request Forgery (SSRF).

The weaknesses that had the largest upward transfer from final yr’s listing are #4 Cross-Web site Request Forgery, which moved up 5 ranks; #11 Improper Management of Era of Code (‘Code Injection’), which moved up 12 ranks; #15 Improper Privilege Administration, which moved up seven ranks; and #18 Incorrect Authorization, which moved up six ranks. 

Weaknesses that moved down in rank considerably embody #12 Improper Enter Validation, which moved down six ranks; #21 NULL Pointer Dereference, which moved down 9 ranks; #23 Integer Overflow or Wraparound, which moved down 9 ranks; and #25 Lacking Authentication for Important Operate, which moved down 5 ranks. 

This yr additionally noticed two new entries to the listing and two entries that left the High 25. New entries embody #17 Publicity of Delicate Data to an Unauthorized Actor and #24 Uncontrolled Useful resource Consumption. Earlier entries not within the High 25 are Concurrent Execution utilizing Shared Useful resource with Improper Synchronization (‘Race Situation’) and Incorrect Default Permissions.

In response to MITRE, one doable reason for the adjustments is that they didn’t obtain CWE mappings from the U.S. Nationwide Vulnerability Database analysts for the CVE data from the primary half of 2024. 

“It’s not clear whether or not these gaps have an effect on the relative rankings, for the reason that distribution of unmapped CVEs appears more likely to align roughly with the CWE distribution of all the knowledge set,” MITRE wrote

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles