These are the 25 most dangerous software bugs of 2022


A list detailing the top 25 “most dangerous” software weaknesses, some of which could allow attackers to take over a system, has been published.

The list was developed by the Homeland Security Systems Engineering and Development Institute, sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and operated by MITRE. It uses Common Vulnerabilities and Exposures (CVE) data to compile the most frequent and critical errors that can lead to serious vulnerabilities. 

“This list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working,” said CWE.

“Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations,” it noted.


The dataset used to calculate the 2022 Top 25 contained a total of 37,899 CVE records from the previous two calendar years, according to MITRE.

The 2022 Top 25 list is also based on data from CVE records in the dataset that are part of CISA’s Known Exploited Vulnerabilities (KEV) Catalog. CISA launched that catalog in late 2021, requiring federal agencies to patch known exploited vulnerabilities in a given timeframe. 

The top two weaknesses remain the same as last year: CWE-787, out-of-bounds write (a memory-safety flaw), and CWE-79, cross-site scripting.

SQL injection (CWE-89) rose three places to third, displacing the other memory-safety flaw in the top five, out-of-bounds read (CWE-125), which fell two places to fifth.

In fourth place, with no change in ranking, was CWE-20 for improper input validation, while OS command injection (CWE-78) dropped one place to sixth. 

In seventh spot was CWE-416 or ‘use after free’. Rounding out the top 10 were path traversal vulnerabilities (CWE-22), cross-site request forgery (CWE-352), and unrestricted upload of file with dangerous type (CWE-434).    

Command injection flaws (CWE-77) jumped eight places in the list to 17th spot, while race condition (CWE-362) rose 11 spots to 22nd. 

Each of the CWE entries has a detailed explanation of the flaw and past examples of publicly disclosed flaws. 
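As an added illustration of the two memory-safety entries in the top five (this is example code written for this page, not taken from the CWE entries or the article): a length-prefixed field parser in C, first in the unchecked form that exhibits CWE-787 (out-of-bounds write), then hardened so that the declared length is validated against both the source packet (which also closes the CWE-125 out-of-bounds read) and the destination buffer. The packet layout, the function names and the buffer size are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed for the example: the fixed size of the destination buffer. */
#define NAME_MAX 16

/*
 * Vulnerable pattern (CWE-787). The first byte of the packet declares how
 * many name bytes follow. That byte is attacker-controlled and can be up to
 * 255, but dst is only NAME_MAX bytes, so memcpy writes past the end of dst.
 * If the packet is shorter than it claims, memcpy also reads past the end of
 * pkt (CWE-125). Nothing here checks pkt_len at all.
 */
int copy_name_unchecked(char *dst, const uint8_t *pkt, size_t pkt_len)
{
    (void)pkt_len;                 /* received but never consulted */
    uint8_t len = pkt[0];
    memcpy(dst, pkt + 1, len);     /* may write up to 255 bytes into NAME_MAX */
    dst[len] = '\0';               /* and the terminator lands out of bounds too */
    return (int)len;
}

/*
 * Hardened version. Every length that comes from the wire is checked against
 * the bytes actually received and against the capacity of the destination,
 * and the terminator is accounted for in the capacity check (len < dst_size).
 * Returns the copied length, or -1 on a malformed or oversized packet.
 */
int copy_name_checked(char *dst, size_t dst_size,
                      const uint8_t *pkt, size_t pkt_len)
{
    if (pkt == NULL || dst == NULL || dst_size == 0 || pkt_len < 1)
        return -1;

    size_t len = pkt[0];           /* at most 255, so len + 1 cannot overflow */

    if (len + 1 > pkt_len)         /* would read past the received packet (CWE-125) */
        return -1;
    if (len >= dst_size)           /* would write past dst, terminator included (CWE-787) */
        return -1;

    memcpy(dst, pkt + 1, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample packets: a well-formed one and two hostile ones. */
    const uint8_t good[] = { 4, 'a', 'b', 'c', 'd' };
    const uint8_t short_pkt[] = { 10, 'a', 'b' };          /* claims 10, carries 2 */
    uint8_t oversized[1 + 200];                            /* claims 200 > NAME_MAX */
    oversized[0] = 200;
    memset(oversized + 1, 'A', 200);

    char name[NAME_MAX];

    printf("good     -> %d\n", copy_name_checked(name, sizeof name, good, sizeof good));
    printf("short    -> %d\n", copy_name_checked(name, sizeof name, short_pkt, sizeof short_pkt));
    printf("oversize -> %d\n", copy_name_checked(name, sizeof name, oversized, sizeof oversized));
    /* copy_name_unchecked(name, oversized, sizeof oversized) would corrupt the stack. */
    return 0;
}
```

The hostile packets are only ever passed to the checked function; feeding them to the unchecked one is undefined behaviour, which is exactly why the weakness ranks where it does. The check `len >= dst_size` rather than `len > dst_size` is the detail that is most often missed: the NUL terminator needs its own byte.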
