MITRE recently published its annual list of the 2024 CWE Top 25 Most Dangerous Software Weaknesses.
This list differs from lists of the most common vulnerabilities: it is not a list of vulnerabilities but of weaknesses in software design and implementation that can be exploited, and that give rise to those vulnerabilities.
“By definition, code injection is an attack, and when we think about the Top 25, we identify the underlying weaknesses,” said Alec Summers, project lead for the CVE and CWE programs at MITRE.
These weaknesses can pave the way for vulnerabilities and attacks, so it is important to be aware of them and mitigate them as much as possible.
According to Summers, one trend in this year’s list is that while some weaknesses moved up or down, many of the entries are classic weaknesses that have been around for years, such as those that allow SQL injection and cross-site scripting.
“The more you understand these weaknesses and make connections between them, the more you can begin to eliminate entire classes of problems that we see so many times,” he said.
Addressing these weaknesses not only improves product security but also has the potential to save companies money, because “the more weaknesses we avoid in product development, the fewer vulnerabilities there will be to manage after deployment,” he explained.
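The “eliminate entire classes of problems” point above is easiest to see in code. The block below is an added illustration written for this edit, not code from MITRE or from the article. It puts the weak and the hardened form of two of the list’s classic entries side by side: SQL injection and cross-site scripting have the same shape (untrusted text crossing into an interpreter without neutralization) and are closed off by the same pattern (keeping data separate from the code it is embedded in). The table rows and probe inputs are constructed for the demonstration; the CWE identifiers in the comments (CWE-89, CWE-79) are the standard ones for those two entries.

```python
import html
import sqlite3


def make_db():
    """Build an in-memory table with constructed sample rows (not data from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Weak form (the CWE-89 shape): user input is spliced into the SQL text.

    A quote character inside `name` ends the string literal, so the input can
    change the structure of the statement instead of being compared as a value.
    """
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_param(conn, name):
    """Hardened form: the value travels separately from the SQL text.

    The driver binds `name` as data, so no character in it can alter the query.
    This removes the whole class rather than filtering individual bad inputs.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def concat_fails_on(conn, name):
    """True if the concatenated query cannot even be parsed for this input."""
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def render_comment_concat(text):
    """Weak form (the CWE-79 shape): user text is pasted straight into HTML markup."""
    return f'<p class="comment">{text}</p>'


def render_comment_escaped(text):
    """Hardened form: the text is neutralized for the HTML context before insertion."""
    return f'<p class="comment">{html.escape(text, quote=True)}</p>'


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 'a'='a"  # constructed input carrying SQL syntax, not a real name
    print("concat :", lookup_concat(db, probe))  # structure changed: every row comes back
    print("param  :", lookup_param(db, probe))   # bound as a literal name: no match
    print("apostrophe breaks concat query:", concat_fails_on(db, "O'Brien"))
    print(render_comment_concat("<b>hi</b>"))
    print(render_comment_escaped("<b>hi</b>"))
```

Run it and compare the two lookups: the concatenated query returns all three rows for the probe input and cannot even parse an ordinary name containing an apostrophe, while the parameterized query treats both as plain strings. The same holds for the HTML pair: escaping at the point where data enters markup removes the weakness for every input, which is what closing off a class, rather than patching individual vulnerabilities, looks like in practice.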
This year’s list consists of the following weaknesses:
- Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”)
- Out-of-bounds Write
- Improper Neutralization of Special Elements used in an SQL Command (“SQL Injection”)
- Cross-Site Request Forgery (CSRF)
- Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
- Out-of-bounds Read
- Improper Neutralization of Special Elements used in an OS Command (“OS Command Injection”)
- Use After Free
- Missing Authorization
- Unrestricted Upload of File with Dangerous Type
- Improper Control of Generation of Code (“Code Injection”)
- Improper Input Validation
- Improper Neutralization of Special Elements used in a Command (“Command Injection”)
- Improper Authentication
- Improper Privilege Management
- Deserialization of Untrusted Data
- Exposure of Sensitive Information to an Unauthorized Actor
- Incorrect Authorization
- Server-Side Request Forgery (SSRF)
- Improper Restriction of Operations within the Bounds of a Memory Buffer
- NULL Pointer Dereference
- Use of Hard-coded Credentials
- Integer Overflow or Wraparound
- Uncontrolled Resource Consumption
- Missing Authentication for Critical Function
The dataset on which the list is based consists of records for 31,779 Common Vulnerabilities and Exposures (CVEs) published between June 1, 2023 and June 1, 2024.
According to Summers, the methodology used to build this year’s list differed from previous years because MITRE and CISA involved the broader security community in analyzing the data set, whereas in previous years MITRE’s Common Weakness Enumeration (CWE) team did that work alone.
This may account for many of the changes from previous years: only three weaknesses kept the same ranking as last year, namely #3 Improper Neutralization of Special Elements used in an SQL Command (“SQL Injection”), #10 Unrestricted Upload of File with Dangerous Type and #19 Server-Side Request Forgery (SSRF).
The weaknesses with the biggest upward movement from last year’s list are #4 Cross-Site Request Forgery, which rose five spots; #11 Improper Control of Generation of Code (“Code Injection”), up 12 spots; #15 Improper Privilege Management, up seven spots; and #18 Incorrect Authorization, up six spots.
Weaknesses that dropped significantly in rank include #12 Improper Input Validation, down six spots; #21 NULL Pointer Dereference, down nine spots; #23 Integer Overflow or Wraparound, down nine spots; and #25 Missing Authentication for Critical Function, down five spots.
This year there were also two new entries on the list and two entries that left the Top 25. The new entries are #17 Exposure of Sensitive Information to an Unauthorized Actor and #24 Uncontrolled Resource Consumption. The previous entries that are no longer in the Top 25 are Concurrent Execution Using Shared Resource with Improper Synchronization (“Race Condition”) and Incorrect Default Permissions.
According to MITRE, a possible cause of the changes is that it did not receive CWE assignments from the US National Vulnerability Database analysts for CVE records from the first half of 2024.
“It’s unclear whether these gaps affect the relative rankings, as it seems likely that the distribution of unmapped CVEs roughly aligns with the CWE distribution of the full data set,” MITRE wrote.