The highest 25 weaknesses in software program in 2024

MITRE just lately launched its yearly record of the 2024 CWE High 25 Most Harmful Software program Weaknesses. 

This record differs from lists that comprise the commonest vulnerabilities, as it isn’t a listing of vulnerabilities, however quite weaknesses in system design that may be exploited to leverage vulnerabilities. 

“By definition, code injection is an assault, and after we take into consideration the High 25 it’s figuring out the weaknesses beneath,” stated Alec Summers, challenge chief for the CVE and CWE applications at MITRE. 

These weaknesses can probably pave the way in which for vulnerabilities and assaults, so it’s necessary to concentrate on them and mitigate them as a lot as attainable.

In keeping with Summers, one pattern on this 12 months’s record is that whereas some weaknesses moved up or down the record, a whole lot of the weaknesses on the record are traditional weaknesses which were round for years, reminiscent of those who allow SQL injection and cross-site scripting.

“The extra you perceive these weaknesses, and also you draw connections between this stuff, you’ll be able to truly begin to get rid of entire courses of issues that we see so many occasions,” he stated.

Addressing these weaknesses not solely improves product safety, but additionally has the potential to avoid wasting corporations cash as a result of “the extra weaknesses we keep away from in product growth, the much less vulnerabilities to handle after deployment,” he defined.

This 12 months’s record contains the next weaknesses:

1. Improper Neutralization of Enter Throughout Net Web page Technology (‘Cross-site Scripting’)
2. Out-of-bounds Write
3. Improper Neutralization of Particular Components utilized in an SQL Command (‘SQL Injection’)
4. Cross-Website Request Forgery (CSRF)
5. Improper Limitation of a Pathname to a Restricted Listing (‘Path Traversal’)
6. Out-of-bounds Learn
7. Improper Neutralization of Particular Components utilized in an OS Command (‘OS Command Injection’)
8. Use After Free
9. Lacking Authorization
10. Unrestricted Add of File with Harmful Sort
11. Improper Management of Technology of Code (‘Code Injection’)
12. Improper Enter Validation
13. Improper Neutralization of Particular Components utilized in a Command (‘Command Injection’)
14. Improper Authentication
15. Improper Privilege Administration
16. Deserialization of Untrusted Knowledge
17. Publicity of Delicate Info to an Unauthorized Actor
18. Incorrect Authorization
19. Server-Aspect Request Forgery (SSRF)
20. Improper Restriction of Operations throughout the Bounds of a Reminiscence Buffer
21. NULL Pointer Dereference
22. Use of Laborious-coded Credentials
23. Integer Overflow or Wraparound
24. Uncontrolled Useful resource Consumption
25. Lacking Authentication for Important Operate

The dataset the record relies on contains data for 31,779 Widespread Vulnerabilities and Exposures (CVEs) revealed between June 1, 2023 and June 1, 2024. 

In keeping with Summers, this 12 months, the methodology through which the record was created was totally different than in previous years as a result of MITRE and CISA concerned the broader safety neighborhood to investigate the dataset, whereas in earlier years MITRE’s Widespread Weak spot Enumeration (CWE) crew labored alone. 

This may increasingly have resulted in lots of modifications from earlier years, and this 12 months’s record solely featured three weaknesses that retained the identical rating as final 12 months: #3 Improper Neutralization of Particular Components utilized in an SQL Command (‘SQL Injection’), #10 Unrestricted Add of File with Harmful Sort, and #19 Server-Aspect Request Forgery (SSRF).

The weaknesses that had the most important upward transfer from final 12 months’s record are #4 Cross-Website Request Forgery, which moved up 5 ranks; #11 Improper Management of Technology of Code (‘Code Injection’), which moved up 12 ranks; #15 Improper Privilege Administration, which moved up seven ranks; and #18 Incorrect Authorization, which moved up six ranks. 

Weaknesses that moved down in rank considerably embody #12 Improper Enter Validation, which moved down six ranks; #21 NULL Pointer Dereference, which moved down 9 ranks; #23 Integer Overflow or Wraparound, which moved down 9 ranks; and #25 Lacking Authentication for Important Operate, which moved down 5 ranks. 

This 12 months additionally noticed two new entries to the record and two entries that left the High 25. New entries embody #17 Publicity of Delicate Info to an Unauthorized Actor and #24 Uncontrolled Useful resource Consumption. Earlier entries not within the High 25 are Concurrent Execution utilizing Shared Useful resource with Improper Synchronization (‘Race Situation’) and Incorrect Default Permissions.

In keeping with MITRE, one attainable explanation for the modifications is that they didn’t obtain CWE mappings from the U.S. Nationwide Vulnerability Database analysts for the CVE data from the primary half of 2024. 

“It’s not clear whether or not these gaps have an effect on the relative rankings, for the reason that distribution of unmapped CVEs appears more likely to align roughly with the CWE distribution of the whole knowledge set,” MITRE wrote.