MITRE CWE 25

The American not-for-profit organization MITRE has recently published its CWE Top 25 list of the most dangerous software weaknesses. Its cybersecurity experts compiled the list of the most dangerous and common software weaknesses, each identified by a CWE (Common Weakness Enumeration) ID.

This 2021 release of the MITRE CWE Top 25 most dangerous software bugs is a definitive list of the most common and impactful issues, and the successor to the CWE Top 25 (2020).

For this list, the experts compiled the top 25 weaknesses that allow attackers to take complete control of computer programs, disable them, or steal the data those programs process.

The list will help cybersecurity professionals better understand the security threats they face, and it will also help software developers, testers, and beta testers improve their software.

To compile the list, the security researchers at MITRE used information on published vulnerabilities (CVE), the corresponding entries in the NVD (National Vulnerability Database), and their CVSS severity scores.

In short, they developed their own scoring algorithm to assess the prevalence and severity of each weakness. The complete list of the most dangerous weaknesses compiled by MITRE follows.


25 Most Dangerous Software Vulnerabilities


CWE-787 – Out-of-bounds Write

With this weakness under MITRE CWE 25, the software writes data past the end, or before the beginning, of the intended buffer, which can lead to data corruption, a crash, or code execution; in short, it is a memory-corruption flaw. The write typically results from pointer or index arithmetic that produces a memory location outside the bounds of the buffer. The damage such a write does to adjacent memory is what is meant by memory corruption.

  • CWE-787 Score: 65.93

CWE-79 – Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

This weakness occurs when the software does not neutralize, or incorrectly neutralizes, user-controllable input before placing it in output that is served as a web page to other users. There are three main kinds of XSS, listed below:-

  • Type 1: Reflected XSS (or Non-Persistent)
  • Type 2: Stored XSS (or Persistent)
  • Type 0: DOM-Based XSS

In many cases the attack is launched without the victim being aware of it. Threat actors commonly disguise the malicious portion of the attack with encodings such as URL encoding or Unicode, so that the request looks unsuspicious.

  • CWE-79 Score: 46.84
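As an added example (not code from the original article or from MITRE), the Python below shows the pattern behind this weakness and its fix: user input written straight into HTML versus the same input encoded for the context it lands in (HTML body, HTML attribute, URL, and data handed to client-side script, the last being the relevant case for DOM-based XSS). The sample name string, the URL layout and the helper names are assumptions made for the example.

```python
import html
import json
from urllib.parse import quote

# Constructed sample of user-controlled input (example data, not from the article).
SAMPLE_NAME = 'Bob <b>"Builder"</b> & Co'


def render_unsafe(name: str) -> str:
    # Vulnerable pattern (CWE-79): the input is concatenated straight into the
    # page, so any markup it carries is interpreted by the browser.
    return f"<p>Hello, {name}!</p>"


def render_safe(name: str) -> str:
    # Hardened pattern: escape for the HTML body context. quote=True also
    # turns ' and " into entities, so the same helper is safe inside
    # attribute values.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_link(name: str) -> str:
    # Each output context needs its own encoder: the path segment is
    # percent-encoded for the URL first, then HTML-escaped for the attribute.
    href = "/users/" + quote(name, safe="")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(name)}</a>'


def embed_json_for_script(data) -> str:
    # Data handed to client-side code (the DOM-based XSS case): emit JSON
    # with '<' escaped so a value containing "</script>" can never close the
    # surrounding <script> element early.
    return json.dumps(data).replace("<", "\\u003c")
```

render_safe and render_link cover the reflected and stored cases, where the server builds the page; embed_json_for_script covers the hand-off to client-side script, where the browser-side code must still treat the value as data rather than markup.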

CWE-125 – Out-of-bounds Read

With this weakness under MITRE CWE 25, the software reads data past the end, or before the beginning, of the intended buffer. It lets threat actors read sensitive data held in other memory locations and can also cause a crash. The out-of-bounds read frequently occurs when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL terminator in a string.

  • CWE-125 Score: 24.9

CWE-20 – Improper Input Validation

Here the software receives input or data but does not validate, or incorrectly validates, that the input has the properties required to process it safely and correctly. Input validation is the technique most often used to check potentially dangerous inputs and ensure they are safe for processing within the code.

  • CWE-20 Score: 20.47
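As an added example (not code from the original article or from MITRE), the Python below validates a JSON request body field by field (type, range, format, allowlist, length, unexpected keys) before any of it is used, which is the check CWE-20 describes as missing. The request shape, the account-ID format and the limits are assumptions made for the example.

```python
import json
import re

# Constructed request schema; the account-ID format and limits are hypothetical.
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}
ACCOUNT_RE = re.compile(r"^[A-Z0-9]{8,20}$")
MAX_AMOUNT_CENTS = 10_000_000
KNOWN_FIELDS = {"account", "amount_cents", "currency", "memo"}


class ValidationError(ValueError):
    pass


def validate_transfer(raw: str) -> dict:
    """Parse a JSON transfer request and return only the validated fields.

    Each field is checked for type, range and format before use; anything
    unexpected is rejected rather than passed through to later code.
    """
    try:
        body = json.loads(raw)
    except ValueError as exc:
        raise ValidationError(f"malformed JSON: {exc}") from None
    if not isinstance(body, dict):
        raise ValidationError("request body must be an object")
    unexpected = set(body) - KNOWN_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")

    account = body.get("account")
    if not isinstance(account, str) or not ACCOUNT_RE.fullmatch(account):
        raise ValidationError("account must match the expected ID format")

    amount = body.get("amount_cents")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(amount, bool) or not isinstance(amount, int):
        raise ValidationError("amount_cents must be an integer")
    if not 1 <= amount <= MAX_AMOUNT_CENTS:
        raise ValidationError("amount_cents out of range")

    currency = body.get("currency")
    if not isinstance(currency, str) or currency not in ALLOWED_CURRENCIES:
        raise ValidationError("currency not allowed")

    memo = body.get("memo", "")
    if not isinstance(memo, str) or len(memo) > 140 or not memo.isprintable():
        raise ValidationError("memo must be printable text of at most 140 chars")

    return {"account": account, "amount_cents": amount,
            "currency": currency, "memo": memo}


def rejection_reason(raw: str):
    """Return None if the request validates, otherwise the rejection message."""
    try:
        validate_transfer(raw)
    except ValidationError as exc:
        return str(exc)
    return None
```

Note the order: structure first (valid JSON, an object, no unknown keys), then each field's type before its value. Checking the value of a field whose type has not been confirmed is how type-confusion bugs slip past validators.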

CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection‘)

This flaw occurs when the software constructs all or part of an OS command using externally influenced input from an upstream component, but does not neutralize, or incorrectly neutralizes, special elements that could modify the intended OS command when it is sent to a downstream component.

  • CWE-78 Score: 19.55

CWE-89 – Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

In this weakness, the software builds an SQL query from user-controllable input without sufficient escaping or quoting of SQL syntax. As a result, the generated query can cause those inputs to be interpreted as SQL rather than as ordinary user data.

  • CWE-89 Score: 19.54
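As an added example (not code from the original article or from MITRE), the Python below contrasts a query built by string formatting with one that passes the value as a bound parameter, using an in-memory SQLite database with constructed rows. A value containing a single quote is enough to show the difference: in the formatted version it becomes part of the SQL syntax, in the parameterized version it stays data. The table layout and the helper names are assumptions made for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample database (example data, not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("o'brien", "ob@example.com")])
    return conn


def find_email_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # CWE-89 pattern: the untrusted value is spliced into the SQL text, so any
    # quote or operator it contains is parsed by the database as syntax.
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_email_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the SQL text is fixed and the value travels as a bound
    # parameter, so the database never parses user input as syntax.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


SORTABLE_COLUMNS = {"name", "email"}


def list_names_sorted(conn: sqlite3.Connection, column: str) -> list:
    # Identifiers (table/column names) cannot be bound as parameters; the only
    # safe way to take them from input is to allowlist them.
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


def demo() -> dict:
    """Run both lookups for the name o'brien and report what each produced."""
    conn = make_db()
    results = {"safe": find_email_safe(conn, "o'brien")}
    try:
        results["vulnerable"] = find_email_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        # The quote in the name broke the query: proof that user data was
        # being parsed as SQL. With other inputs it would change the query's
        # meaning instead of breaking it.
        results["vulnerable"] = f"error: {exc}"
    return results
```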

CWE-416 – Use After Free

This Use After Free weakness, in which the software references memory after it has been freed, gives an attacker the ability to crash a program through unexpected values or to execute arbitrary code. The use-after-free condition usually arises from two overlapping circumstances:-

  • Error conditions and other exceptional circumstances.
  • Confusion over which part of the program is responsible for freeing the memory.

  • CWE-416 Score: 16.83

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

This flaw occurs when the software uses external input to construct a pathname that is meant to identify a file or directory under a restricted parent directory, but does not properly neutralize special elements within the pathname, such as “..” and “/” separators. By using these special elements, an attacker can escape the restricted location and access files or directories elsewhere on the affected system.

  • CWE-22 Score: 14.69
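As an added example (not code from the original article or from MITRE), the Python below implements the check this weakness calls for: the user-supplied path is joined to the restricted base directory, “.” and “..” are collapsed, and the result is rejected unless it still lies under the base. The base directory and helper names are assumptions made for the example; it works lexically (POSIX separators), so callers still need a realpath() check at open time if symlinks can exist under the base.

```python
import posixpath

BASE_DIR = "/srv/app/uploads"   # hypothetical restricted directory


def safe_join(base: str, user_path: str) -> str:
    """Resolve user_path under base, refusing anything that escapes it."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    # Treat the input as relative: strip leading separators so an absolute
    # path cannot replace the base directory outright.
    relative = user_path.lstrip("/")
    # Collapse "." and ".." lexically. This does not consult the filesystem,
    # so a symlink under base can still point elsewhere; check with
    # os.path.realpath() at open time if that is possible in the deployment.
    candidate = posixpath.normpath(posixpath.join(base, relative))
    base_norm = posixpath.normpath(base)
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        raise ValueError(f"path escapes restricted directory: {user_path!r}")
    return candidate


def is_confined(base: str, user_path: str) -> bool:
    """True if user_path resolves under base, False if it would escape."""
    try:
        safe_join(base, user_path)
    except ValueError:
        return False
    return True
```

The comparison uses base_norm + "/" rather than a bare prefix test so that a sibling directory such as /srv/app/uploads2 is not mistaken for a location under the base. Inputs arriving URL-encoded must be decoded before the check, since "%2e%2e" is not "..".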

CWE-352 – Cross-Site Request Forgery (CSRF)

This flaw means the affected web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally submitted by the user who appears to have sent it. To exploit it, attackers cause the victim’s browser to issue the request for them, via a URL, an image load, an XMLHttpRequest, etc., which leads to unintended code execution.

  • CWE-352 Score: 14.46
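As an added example (not code from the original article or from MITRE), the Python below shows the two standard server-side checks for this weakness: a per-session anti-CSRF token that the server can verify without storing it (an HMAC over the session ID and a random nonce), and an Origin/Referer check against the site's own origin. The site origin, the request and header layout, and the helper names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Per-deployment secret; generated here for the example, kept in config for real.
SERVER_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://app.example"   # hypothetical site


def _mac(session_id: str, nonce: str) -> bytes:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_csrf_token(session_id: str) -> str:
    # The token is bound to the session, so a token captured from one session
    # is useless in another, and the server stores nothing extra.
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce).decode()}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    # compare_digest on bytes: constant time, and a length mismatch is simply False.
    return hmac.compare_digest(_mac(session_id, nonce), mac.encode())


def same_origin(header_value: str, site: str = SITE_ORIGIN) -> bool:
    # Compare scheme and host exactly; a prefix test would accept
    # https://app.example.evil as a match for https://app.example.
    got, want = urlsplit(header_value), urlsplit(site)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def handle_state_changing_request(session_id: str, form: dict, headers: dict) -> str:
    """Gate a POST on a same-origin source and a valid session-bound token."""
    source = headers.get("Origin") or headers.get("Referer", "")
    if not same_origin(source):
        return "rejected: cross-site origin"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "rejected: missing or invalid CSRF token"
    return "accepted"
```

A cross-site page can make the victim's browser send the request with the victim's cookies, but it cannot read the token out of the victim's page to include it, and the browser fills in Origin itself; that is why the two checks together distinguish the forged request from a genuine one.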

CWE-434 – Unrestricted Upload of File with Dangerous Type

By exploiting this weakness an attacker can upload or transfer files of a dangerous type that are then automatically processed within the product’s environment. Among other things, an attacker can use it to cause resource consumption issues on the affected system.

  • CWE-434 Score: 8.45
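As an added example (not code from the original article or from MITRE), the Python below validates an upload before it is stored: an extension allowlist derived from the client's filename, a size limit, a check that the file's leading bytes match the type it claims, and a server-chosen random storage name so the client's name never reaches the filesystem. The allowlist, the size limit and the helper names are assumptions made for the example.

```python
import posixpath
import secrets

# Constructed allowlist: extension -> magic-byte prefix the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # hypothetical limit


class UploadRejected(ValueError):
    pass


def check_upload(filename: str, content: bytes) -> str:
    """Validate an upload and return the server-chosen name to store it under.

    The client's filename is used only to derive the extension; the type is
    confirmed from the content itself, and the stored name is random, so a
    file can never be written or served back under an attacker-chosen name.
    """
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # Drop any directory part the client sent (either separator style).
    base = posixpath.basename(filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("missing extension")
    # rsplit takes the LAST extension, so "report.pdf.html" is judged as html.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext}")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    return f"{secrets.token_hex(16)}.{ext}"


def upload_rejection(filename: str, content: bytes):
    """Return None if the upload is acceptable, otherwise the rejection reason."""
    try:
        check_upload(filename, content)
    except UploadRejected as exc:
        return str(exc)
    return None
```

Two further controls belong in the deployment rather than in this function: store uploads outside the web root (or in a bucket) so nothing uploaded is ever executed by the server, and serve them back with a fixed Content-Type and Content-Disposition: attachment.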

CWE-306 – Missing Authentication for Critical Function

Here the software does not perform any authentication for functionality that requires a proven user identity or consumes a significant amount of resources.

  • CWE-306 Score: 7.93

CWE-190 – Integer Overflow or Wraparound

This flaw occurs when the software performs a calculation that can produce an integer overflow or wraparound, while its logic assumes that the resulting value will always be larger than the original value. That brings other weaknesses into play and, as a result, lets threat actors influence operations that use the result to:-

  • Control looping
  • Make a security decision
  • Determine the offset or size in behaviors such as memory allocation, copying, or concatenation

  • CWE-190 Score: 7.12
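As an added example (not code from the original article or from MITRE), the Python below reproduces the allocation-size case with fixed-width arithmetic: Python integers do not wrap, so a helper masks the product to 32 bits the way a C unsigned multiplication would, and the checked version tests the bound by division so that the check itself cannot overflow. The element sizes and helper names are assumptions made for the example.

```python
def wrap(value: int, bits: int = 32) -> int:
    # What a fixed-width unsigned variable actually stores: the low `bits` bits.
    return value & ((1 << bits) - 1)


def naive_alloc_size(count: int, elem_size: int, bits: int = 32) -> int:
    # Vulnerable pattern (CWE-190): count * elem_size is computed in a
    # fixed-width type, so a large count silently wraps to a small size. An
    # allocation of that size is then too small for the `count` elements
    # later copied into it.
    return wrap(count * elem_size, bits)


def checked_alloc_size(count: int, elem_size: int, bits: int = 32) -> int:
    """Return count * elem_size, or raise if it would not fit in `bits` bits.

    The limit is tested with a division rather than a multiplication, which
    is the same test C code should make before calling malloc().
    """
    if count < 0 or elem_size <= 0:
        raise ValueError("count must be non-negative and elem_size positive")
    limit = (1 << bits) - 1
    if count > limit // elem_size:
        raise OverflowError(f"{count} * {elem_size} exceeds {bits}-bit range")
    return count * elem_size


def fits(count: int, elem_size: int, bits: int = 32) -> bool:
    """True if the product is representable without wrapping."""
    try:
        checked_alloc_size(count, elem_size, bits)
    except OverflowError:
        return False
    return True


def naive_bounds_check_passes(count: int, elem_size: int, buffer_len: int, bits: int = 32) -> bool:
    # A bounds check written as `if (count * size <= buffer_len)` is bypassed
    # when the product wraps: the wrapped value is small, yet the loop that
    # follows still runs `count` times.
    return naive_alloc_size(count, elem_size, bits) <= buffer_len
```

With count = 0x40000001 and 4-byte elements, the true product is 0x100000004; in 32 bits that wraps to 4, so the naive check against a 16-byte buffer passes while the checked version refuses.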

CWE-502 – Deserialization of Untrusted Data

This flaw occurs when the software deserializes untrusted data without sufficiently verifying that the resulting data will be valid. By exploiting it, an attacker can perform unauthorized actions, such as obtaining a shell.

  • CWE-502 Score: 6.71
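As an added example (not code from the original article or from MITRE), the Python below shows two defensive options for this weakness. The preferred one parses a data-only format (JSON) and checks its shape; the second, for code that cannot drop pickle, subclasses pickle.Unpickler and overrides find_class so that only an allowlist of harmless builtins can be resolved, which is the step that turns untrusted pickles into code execution. The allowlist and the settings schema are assumptions made for the example.

```python
import builtins
import collections
import io
import json
import pickle

# Constructed allowlist: plain containers and scalars only, no callables.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple", "str", "int",
                 "float", "bool", "bytes"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted builtins.

    pickle resolves arbitrary module.attribute references and may call them
    while loading (CWE-502); refusing every global outside the allowlist
    removes that capability while still loading plain data structures.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_loadable(data: bytes) -> bool:
    """True if the pickle contains only allowlisted types."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return False
    return True


def load_settings(data: bytes) -> dict:
    # Preferred form: a data-only format plus a shape check, no object graph.
    obj = json.loads(data.decode("utf-8"))
    if not isinstance(obj, dict) or not all(isinstance(k, str) for k in obj):
        raise ValueError("settings must be a JSON object with string keys")
    return obj


def demo() -> dict:
    # A pickle of plain data loads; a pickle that references any other class
    # (here the harmless collections.OrderedDict, constructed for the test)
    # is refused before anything is instantiated.
    plain = pickle.dumps({"retries": 3, "hosts": ["a", "b"]})
    with_global = pickle.dumps(collections.OrderedDict(retries=3))
    return {"plain": is_loadable(plain), "with_global": is_loadable(with_global)}
```

The allowlist approach is a fallback, not a cure: it still parses an attacker-controlled object graph, so prefer JSON (or a schema-validated format) wherever the data crosses a trust boundary.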

CWE-287 – Improper Authentication

This is an “Improper Authentication” issue: when an actor claims to have a given identity, the software does not prove, or insufficiently proves, that the claim is correct. By exploiting it, an attacker can present a genuine-looking identity and have the system accept its claims as verified.

  • CWE-287 Score: 6.58

CWE-476 – NULL Pointer Dereference

This is a NULL Pointer Dereference flaw: the application dereferences a pointer it expects to be valid but which is NULL, typically causing a crash or exit. It can result from race conditions as well as from simple programming omissions.

  • CWE-476 Score: 6.54

CWE-798 – Use of Hard-coded Credentials

This weakness means the software contains hard-coded credentials such as:-

  • Password
  • Cryptographic key

By extracting these credentials, an attacker can abuse whichever purpose the software uses them for, such as:-

  • Inbound authentication
  • Outbound communication to external components
  • Encryption of internal data

  • CWE-798 Score: 6.27
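As an added example (not code from the original article or from MITRE), the Python below is a small source scanner of the kind used to catch this weakness before release: it flags string literals assigned to credential-looking names, skipping obvious placeholders, and reports the literal's entropy as a hint. The sample source lines, the name patterns and the thresholds are constructed assumptions for the example.

```python
import math
import re

# Constructed sample source (not from any real project); values are made up.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
DB_PASSWORD = "Tr0ub4dor&3"
api_key = os.environ["API_KEY"]
aws_secret_access_key = 'k9Qx2LmZ8vT4pR7sW1yB3nH6jC0dF5gA'
SMTP_PASSWORD = "CHANGEME"
timeout = 30
"""

# Variable names that suggest a secret, and "name = 'literal'" assignments.
KEY_NAMES = re.compile(r"(password|passwd|pwd|secret|api[_-]?key|token)", re.I)
ASSIGN = re.compile(r"""^\s*([A-Za-z_]\w*)\s*[:=]\s*(["'])(.*?)\2\s*$""")
PLACEHOLDERS = {"CHANGEME", "PLACEHOLDER", "XXXXXXXX", "TODO"}
MIN_LENGTH = 8


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def find_hardcoded_credentials(source: str) -> list:
    """Return (line number, variable name, entropy) for suspicious literals.

    Two signals are combined: the variable name suggests a credential, and
    the literal is long enough and not a known placeholder, so it looks like
    a real value rather than an empty default. Lines that read the value from
    the environment or a secrets store carry no quoted literal and are skipped.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        name, _, value = m.groups()
        if not KEY_NAMES.search(name):
            continue
        if len(value) < MIN_LENGTH or value.upper() in PLACEHOLDERS:
            continue
        findings.append((lineno, name, round(shannon_entropy(value), 2)))
    return findings
```

A scanner like this runs in CI or as a pre-commit hook; the fix for each finding is the pattern on line 3 of the sample, reading the value from the environment or a secrets manager at runtime, so it can be rotated without a code change.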

CWE-119 – Improper Restriction of Operations within the Bounds of a Memory Buffer

This is a memory buffer flaw: the software performs operations on a memory buffer but can read from or write to a memory location outside the buffer’s intended boundary. As a result, threat actors may be able to:-

  • Execute arbitrary code
  • Alter the intended control flow
  • Read sensitive information
  • Cause the system to crash

  • CWE-119 Score: 5.84
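As an added example that serves this entry together with CWE-787 (Out-of-bounds Write) and CWE-125 (Out-of-bounds Read) above (not code from the original article or from MITRE), the Python below parses and builds length-prefixed records with the bounds checks that out-of-bounds bugs leave out: every length taken from the wire is checked against the bytes actually present before a read, and every write into a fixed-size output is refused if it would not fit. The record format (1-byte type, 2-byte big-endian length, value) and the helper names are assumptions made for the example; Python slicing would truncate rather than overrun, so the checks here show the logic, which C code must perform explicitly.

```python
import struct


class BoundsError(ValueError):
    pass


def parse_records(buf: bytes) -> list:
    """Parse [type:1][length:2 BE][value:length]... with explicit bounds checks.

    The length field is untrusted. It is compared with the bytes remaining
    before any slice is taken; the CWE-125 bug is trusting it and reading
    `length` bytes regardless of how many exist.
    """
    records, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            raise BoundsError(f"truncated header at offset {pos}")
        rtype, length = struct.unpack_from(">BH", buf, pos)
        pos += 3
        # Subtract, never add: in C, pos + length could itself overflow.
        if length > len(buf) - pos:
            raise BoundsError(f"record at offset {pos - 3} claims {length} bytes, "
                              f"only {len(buf) - pos} remain")
        records.append((rtype, bytes(buf[pos:pos + length])))
        pos += length
    return records


def pack_record_into(dest: bytearray, offset: int, rtype: int, value: bytes) -> int:
    """Write one record at dest[offset:] and return the new offset.

    Refuses the write if the record would not fit in the fixed-size output
    (the CWE-787 case), instead of extending it or overrunning it.
    """
    if not 0 <= rtype <= 0xFF or len(value) > 0xFFFF:
        raise ValueError("type or length does not fit the header fields")
    needed = 3 + len(value)
    if needed > len(dest) - offset:
        raise BoundsError(f"record of {needed} bytes does not fit in "
                          f"{len(dest) - offset} remaining")
    struct.pack_into(">BH", dest, offset, rtype, len(value))
    dest[offset + 3:offset + needed] = value
    return offset + needed


def is_well_formed(buf: bytes) -> bool:
    """True if every record's declared length is backed by real bytes."""
    try:
        parse_records(buf)
    except BoundsError:
        return False
    return True
```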

CWE-862 – Missing Authorization

This weakness under MITRE CWE 25 is a Missing Authorization flaw: the software does not check whether an actor is authorized when it attempts to access a resource or perform an action, so a threat actor can bypass authorization entirely and cause a wide range of impacts, such as:-

  • Information exposures
  • Denial of service
  • Execution of arbitrary code

  • CWE-862 Score: 5.47
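As an added example that serves this entry together with CWE-306 (Missing Authentication for Critical Function) and CWE-287 (Improper Authentication) above (not code from the original article or from MITRE), the Python below shows the three checks as separate steps: identity is established from a server-signed session token rather than from any value the client could simply assert (CWE-287), every handler is wrapped so that an unauthenticated request is refused (CWE-306), and the wrapper also enforces the role the handler needs (CWE-862). The user directory, the roles and the request layout are constructed assumptions for the example.

```python
import functools
import hashlib
import hmac
import secrets

SESSION_KEY = secrets.token_bytes(32)        # server-side secret, generated here
USERS = {"alice": "admin", "bob": "user"}    # constructed user -> role directory
ROLE_RANK = {"user": 1, "admin": 2}


class AuthError(PermissionError):
    pass


def _sign(user: str) -> bytes:
    return hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest().encode()


def issue_session(user: str) -> str:
    # Identity is asserted by a token only the server can produce, never by a
    # header or cookie field the client can edit (the CWE-287 failure).
    return f"{user}.{_sign(user).decode()}"


def current_user(request: dict):
    """Return the authenticated user for a request, or None."""
    user, sep, mac = request.get("session", "").partition(".")
    if not sep or user not in USERS:
        return None
    return user if hmac.compare_digest(_sign(user), mac.encode()) else None


def require_role(role: str):
    """Decorator: refuse unauthenticated callers (CWE-306) and callers whose
    role is below `role` (CWE-862), then pass the verified user to the handler."""
    def decorate(handler):
        @functools.wraps(handler)
        def wrapper(request, *args, **kwargs):
            user = current_user(request)
            if user is None:
                raise AuthError("authentication required")
            if ROLE_RANK[USERS[user]] < ROLE_RANK[role]:
                raise AuthError(f"{user} lacks role {role}")
            return handler(request, user, *args, **kwargs)
        return wrapper
    return decorate


@require_role("user")
def view_profile(request, user):
    return f"profile of {user}"


@require_role("admin")
def delete_user(request, user, target):
    if target not in USERS:
        raise KeyError(target)
    return f"{user} deleted {target}"


def outcome(handler, request, *args) -> str:
    """Call a handler and return its result or the auth failure message."""
    try:
        return handler(request, *args)
    except AuthError as exc:
        return f"denied: {exc}"
```

Putting the check in the decorator rather than inside each handler is what makes the missing-check case visible: a handler without a decorator stands out in review, whereas a forgotten if-statement in a handler body does not.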

CWE-276 – Incorrect Default Permissions

This is an Incorrect Default Permissions flaw: during installation, the permissions on installed files are left at a default that lets anyone modify them, so an attacker can easily modify installed files on the affected system.

  • CWE-276 Score: 5.09

CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

Due to this weakness, the software exposes sensitive information to an actor who is not explicitly authorized to have it. Data that could be exposed includes:-

  • Personal messages
  • Financial data
  • Health records
  • Geographic location
  • Contact details
  • OS information
  • Installed packages
  • Business secrets and intellectual property
  • Network status and configuration
  • Product’s own code or internal state
  • Logging of connections or message headers
  • A discrepancy between two internal operations that can be observed by an outsider

  • CWE-200 Score: 4.74

CWE-522 – Insufficiently Protected Credentials

This security flaw under CWE 25 occurs when the software transmits or stores authentication credentials using an insecure method that is susceptible to unauthorized interception and/or retrieval. It stems from an insecure design of the affected software, as it relates to architectural security tactics.

  • CWE-522 Score: 4.21
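As an added example (not code from the original article or from MITRE), the Python below shows the storage side of this weakness: instead of a plaintext or unsalted-hash table, each password is stored as a salted scrypt digest with its parameters, so a copied table cannot be reversed cheaply and the cost can be raised later without breaking existing records. The record format, the work-factor parameters and the helper names are assumptions made for the example; hashlib.scrypt needs Python built against OpenSSL 1.1 or later.

```python
import base64
import hashlib
import hmac
import os


def hash_password(password: str, *, n: int = 2 ** 14, r: int = 8, p: int = 1) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$digest (base64 fields)."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (
        n, r, p,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        actual = hashlib.scrypt(password.encode(), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        # Malformed record or parameters: fail closed rather than raise.
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, *, n: int = 2 ** 14) -> bool:
    """True if the record was made with a lower work factor than now required."""
    parts = stored.split("$")
    return len(parts) != 6 or parts[0] != "scrypt" or int(parts[1]) < n
```

The parameters live in the record so that a later increase of n is handled at the next successful login: verify with the old parameters, then re-store with the new ones.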

CWE-732 – Incorrect Permission Assignment for Critical Resource

This is an Incorrect Permission Assignment flaw: the software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors. When a resource is given permissions that grant access to a wider range of actors than intended, the result can be the exposure of crucial data.

  • CWE-732 Score: 4.2
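As an added example that serves this entry together with CWE-276 (Incorrect Default Permissions) above (not code from the original article or from MITRE), the Python below creates a security-critical file with owner-only permissions applied atomically at creation, and audits an existing file's mode bits for the “anyone can modify” default the CWE-276 entry describes. It assumes a POSIX filesystem; the file names are constructed and everything is created in a temporary directory that is removed afterwards.

```python
import os
import stat
import tempfile


def create_private_file(path: str, data: bytes) -> int:
    """Create a file readable and writable only by its owner; return its mode.

    Passing the mode to os.open applies it at creation (subject to umask),
    unlike creating with the default mode and chmod-ing afterwards, which
    leaves a window in which the file is world-readable. O_EXCL makes the
    call fail if something (including a symlink) already exists at the path.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_permissions(path: str) -> list:
    """Return the problems found with a security-critical file's mode bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


def demo() -> dict:
    # Constructed scratch directory; both files are removed on exit.
    with tempfile.TemporaryDirectory() as d:
        secure = os.path.join(d, "private.key")
        sloppy = os.path.join(d, "config.ini")
        secure_mode = create_private_file(secure, b"placeholder key material")
        with open(sloppy, "wb") as f:
            f.write(b"placeholder config")
        os.chmod(sloppy, 0o666)   # the "anyone can modify" default under discussion
        return {
            "secure_mode": oct(secure_mode),
            "secure_problems": audit_permissions(secure),
            "sloppy_problems": audit_permissions(sloppy),
        }
```

The audit function is the deployment-side check: run it over key material, credential files and writable configuration after installation, since an installer that sets the wrong default leaves exactly the bits it reports.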

CWE-611 – Improper Restriction of XML External Entity Reference

This is an XXE (XML External Entity) vulnerability: the software processes an XML document that can contain entities with URIs resolving to documents outside its intended sphere of control, which causes the product to embed incorrect documents into its output and expose the file contents.

  • CWE-611 Score: 4.02
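As an added example (not code from the original article or from MITRE), the Python below shows two mitigations for this weakness using only the standard library: refusing any document that carries a DOCTYPE at all, which is the simplest policy when the format never needs one, and otherwise parsing with xml.sax with external general entities disabled so that a SYSTEM entity is never fetched. The sample document is constructed and its entity points at a placeholder path that does not exist.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed document: an external entity declared in the internal DTD
# subset, referenced from element content. The path is a placeholder.
SAMPLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY ext SYSTEM "file:///placeholder/constructed-secret.txt"> ]>
<note><body>&ext;</body></note>"""


def has_doctype(data: bytes) -> bool:
    """Cheap pre-check: entity declarations can only appear inside a DOCTYPE."""
    return b"<!DOCTYPE" in data[:4096].upper() or b"<!ENTITY" in data.upper()


class TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_without_external_entities(data: bytes) -> str:
    """Parse XML with external general entities disabled and return its text.

    With feature_external_ges off, the SAX expat reader treats a reference to
    an external entity as successfully handled but empty, so the file is never
    opened. Expat also does not load external DTDs or parameter entities
    unless asked, so no other fetch path remains.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return "".join(handler.text)


def strict_parse(data: bytes) -> str:
    """Policy for formats that never need a DTD: refuse DOCTYPE outright."""
    if has_doctype(data):
        raise ValueError("DOCTYPE declarations are not accepted")
    return parse_without_external_entities(data)
```

Rejecting DOCTYPE is the stronger policy because it also stops entity-expansion denial of service; disabling external entities is the fallback for formats whose schema legitimately declares internal entities.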

CWE-918 – Server-Side Request Forgery (SSRF)

This weakness under MITRE CWE 25 is also known as a Cross-Site Port Attack: the server receives a URL or similar request from an upstream component and retrieves its contents without sufficiently ensuring that the request is going to the expected destination. By supplying such URLs, a threat actor can make the server send requests to unexpected hosts and ports, bypassing the access controls of firewalls and security tools.

  • CWE-918 Score: 3.78
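As an added example (not code from the original article or from MITRE), the Python below validates a user-supplied URL before the server fetches it: scheme and port allowlists, no embedded credentials, and a check that the destination address is public rather than private, loopback or link-local. Name resolution is injected as a callable, with a constructed lookup table here so the example runs offline; the hostnames and addresses in that table are made up.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed resolver results so the example runs offline. In production,
# resolve with real DNS and pin the connection to the address that was
# checked, so a second lookup cannot return a different answer.
FAKE_DNS = {
    "api.partner.example": "93.184.216.34",
    "link-local.example": "169.254.1.1",
    "intranet.corp.example": "10.1.2.3",
}


def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url: str, resolver=FAKE_DNS.get) -> str:
    """Validate a URL the server is asked to fetch; return the IP to connect to.

    Raises ValueError for anything outside the allowlists or resolving to a
    non-public address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:
        ip = str(ipaddress.ip_address(host))   # literal address (IPv6 brackets already stripped)
    except ValueError:
        ip = resolver(host)
        if ip is None:
            raise ValueError(f"cannot resolve {host}")
    if not is_public_address(ip):
        raise ValueError(f"{host} resolves to non-public address {ip}")
    return ip


def rejection_reason(url: str):
    """Return None if the URL may be fetched, otherwise the rejection message."""
    try:
        check_outbound_url(url)
    except ValueError as exc:
        return str(exc)
    return None
```

Validating the resolved address rather than only the hostname matters because a hostname under the attacker's control can resolve to any address; the follow-up requirement, connecting to the checked address and refusing redirects (or re-checking each one), is what closes the gap this check leaves open.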

CWE-77 – Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

This is a Command Injection vulnerability: the software constructs all or part of a command using externally influenced input from an upstream component, but does not neutralize, or incorrectly neutralizes, special elements that could modify the intended command when it is sent to a downstream component.

  • CWE-77 Score: 3.58
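As an added example that serves this entry together with CWE-78 (OS Command Injection) above (not code from the original article or from MITRE), the Python below contrasts a command line assembled from user input with the hardened form: an allowlisted program invoked through subprocess with an argument vector and no shell, plus a value check on the argument, so shell metacharacters in the input reach the program as literal text. It assumes /bin/echo exists (Linux or macOS); the tool allowlist, the argument rules and the helper names are assumptions made for the example.

```python
import re
import shlex
import subprocess

# Allowlist of programs the application may run, by absolute path
# (constructed for the example).
TOOLS = {"echo": "/bin/echo"}
MAX_ARG_LENGTH = 256


def build_vulnerable_command(tool: str, user_arg: str) -> str:
    # CWE-78 / CWE-77 pattern: a command string built from user input and
    # handed to a shell. Any metacharacter in user_arg (; | & $ ` and so on)
    # is interpreted by the shell and changes the command.
    return f"{tool} {user_arg}"


def quote_for_shell(user_arg: str) -> str:
    # For the rare case where a shell is unavoidable: shlex.quote wraps the
    # value so the shell treats it as one literal word.
    return shlex.quote(user_arg)


def run_tool(tool: str, user_arg: str) -> str:
    """Run an allowlisted program with user_arg as a single argv element.

    With shell=False there is no shell to interpret metacharacters; the
    argument is also bounded and may not look like an option, which
    guards against option injection in programs that accept flags.
    """
    if tool not in TOOLS:
        raise ValueError(f"tool not allowed: {tool!r}")
    if len(user_arg) > MAX_ARG_LENGTH or "\x00" in user_arg:
        raise ValueError("invalid argument")
    if user_arg.startswith("-"):
        raise ValueError("argument may not look like an option")
    result = subprocess.run([TOOLS[tool], user_arg], capture_output=True,
                            text=True, check=True, timeout=5)
    return result.stdout


def run_outcome(tool: str, user_arg: str) -> str:
    """Return the tool's output, or the refusal message."""
    try:
        return run_tool(tool, user_arg)
    except ValueError as exc:
        return f"refused: {exc}"
```

Note that the argument vector form does nothing for a program that itself hands its argument to a shell or interprets it as a sub-command; the allowlist of tools is what keeps that class of program out of reach.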

Apart from this, the MITRE score is not the only source of information on current security flaws, as several security portals produce their own scores and rankings according to their own analysis and methods.

The list ends here; the security flaws above are the top 25 security flaws of 2021 according to MITRE.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.