MITRE has published its list of the 25 most common and most dangerous software weaknesses of 2022. Weaknesses of these kinds can expose systems to attack, allow attackers to take control of vulnerable devices, access sensitive information, or cause a denial of service.
By the way, we also love all sorts of lists and tops, for example: Top Threats That Gridinsoft Anti-Malware Catches, or here’s another: TOP Facts About Adware Attacks To Be Reminded Today.
This time, the list was compiled with the support of the National Security Systems Design and Engineering Institute and the Cybersecurity and Infrastructure Security Agency (CISA). Notably, a few years ago the list was built on the basis of surveys and personal interviews with developers, leading security analysts, researchers, and vendors rather than on vulnerability data.
Each entry in the list is identified by a CWE (Common Weakness Enumeration) identifier, not to be confused with a CVE. The two differ in what they describe: a CWE names a type of weakness (a root cause such as a missing bounds check), while a CVE identifies one specific vulnerability in one specific product. A CWE is therefore the predecessor of a CVE: when a weakness of a given type is present in a product, it manifests as a concrete vulnerability with its own CVE.
CWE currently has more than 600 entries, some of which are very broad classes covering many different problems, such as CWE-20 (improper input validation), CWE-200 (exposure of sensitive information), and CWE-287 (improper authentication).
MITRE reports that the dataset used to compile the new top contained a total of 37,899 CVE IDs from the past two calendar years. The calculation methodology has also changed slightly this time: the list is based on information from the NVD (National Vulnerability Database) and on the Known Exploited Vulnerabilities (KEV) catalog, which CISA began compiling in 2021. KEV currently contains information about 800 vulnerabilities known to have been used in attacks.
As before, the weaknesses MITRE ranks as most dangerous are those that are easy to find and exploit, have a high impact, and are widespread in software released in the last two years.
The top 25 issues identified by MITRE experts can be seen in the table below.
| Rank | ID | Weakness | Score | KEV CVEs | Change from 2021 |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds write | 64.20 | 62 | 0 |
| 2 | CWE-79 | Improper neutralization of input during web page generation (cross-site scripting) | 45.97 | 2 | 0 |
| 3 | CWE-89 | Improper neutralization of special elements used in an SQL command (SQL injection) | 22.11 | 7 | 3 |
| 4 | CWE-20 | Improper input validation | 20.63 | 20 | 0 |
| 5 | CWE-125 | Out-of-bounds read | 17.67 | 1 | -2 |
| 6 | CWE-78 | Improper neutralization of special elements used in an OS command (OS command injection) | 17.53 | 32 | -1 |
| 7 | CWE-416 | Use after free | 15.50 | 28 | 0 |
| 8 | CWE-22 | Improper limitation of a pathname to a restricted directory (path traversal) | 14.08 | 19 | 0 |
| 9 | CWE-352 | Cross-site request forgery (CSRF) | 11.53 | 1 | 0 |
| 10 | CWE-434 | Unrestricted upload of file with dangerous type | 9.56 | 6 | 0 |
| 11 | CWE-476 | NULL pointer dereference | 7.15 | 0 | 4 |
| 12 | CWE-502 | Deserialization of untrusted data | 6.68 | 7 | 1 |
| 13 | CWE-190 | Integer overflow or wraparound | 6.53 | 2 | -1 |
| 14 | CWE-287 | Improper authentication | 6.35 | 4 | 0 |
| 15 | CWE-798 | Use of hard-coded credentials | 5.66 | 0 | 1 |
| 16 | CWE-862 | Missing authorization | 5.53 | 1 | 2 |
| 17 | CWE-77 | Improper neutralization of special elements used in a command (command injection) | 5.42 | 5 | 8 |
| 18 | CWE-306 | Missing authentication for a critical function | 5.15 | 6 | -7 |
| 19 | CWE-119 | Improper restriction of operations within the bounds of a memory buffer | 4.85 | 6 | -2 |
| 20 | CWE-276 | Incorrect default permissions | 4.84 | 0 | -1 |
| 21 | CWE-918 | Server-side request forgery (SSRF) | 4.27 | 8 | 3 |
| 22 | CWE-362 | Race condition | 3.57 | 6 | 11 |
| 23 | CWE-400 | Uncontrolled resource consumption | 3.56 | 2 | 4 |
| 24 | CWE-611 | Improper restriction of XML external entity reference (XXE) | 3.38 | 0 | -1 |
| 25 | CWE-94 | Improper control of generation of code (code injection) | 3.32 | 4 | 3 |
Compared to the 2021 top, three weakness types have dropped off the list: exposure of sensitive information to an unauthorized actor (CWE-200, now 33rd), insufficiently protected credentials (CWE-522, now 38th), and incorrect permission assignment for a critical resource (CWE-732, now 30th).
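To make the top-ranked entry concrete, here is an added example (not code from MITRE or from the article) of the pattern behind CWE-787 (out-of-bounds write) and its sibling CWE-125 (out-of-bounds read), written in C because both weaknesses live in native code. The wire format is constructed for this example: a record is one length byte followed by that many name bytes. The unchecked parser trusts the length byte, so a record whose declared length exceeds the output buffer writes past it (CWE-787) and one whose declared length exceeds the message reads past it (CWE-125). The checked parser validates the declared length against both bounds before touching memory; the helper names `parse_record_unchecked`, `parse_record_checked`, `checked_status` and `checked_name` are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* output buffer size, including the terminating NUL */

/* Weak pattern (CWE-787 / CWE-125): the declared length is used without
 * validation.  Kept here only for comparison; never feed it untrusted input. */
int parse_record_unchecked(const uint8_t *msg, size_t msg_len, char name_out[NAME_MAX])
{
    (void)msg_len;                 /* the caller's bound is ignored */
    size_t n = msg[0];             /* attacker-controlled length byte */
    memcpy(name_out, msg + 1, n);  /* n > NAME_MAX-1 writes past name_out; n > msg_len-1 reads past msg */
    name_out[n] = '\0';
    return 0;
}

/* Hardened version: every index derived from the input is checked against
 * the size of the buffer it will be used with.  Returns 0 on success,
 * -1 for an empty/NULL message, -2 for a length that overruns the message
 * (would be an out-of-bounds read), -3 for a length that overruns name_out
 * (would be an out-of-bounds write). */
int parse_record_checked(const uint8_t *msg, size_t msg_len, char name_out[NAME_MAX])
{
    if (msg == NULL || msg_len < 1)
        return -1;
    size_t n = msg[0];
    if (n > msg_len - 1)           /* declared length exceeds the bytes actually present */
        return -2;
    if (n > NAME_MAX - 1)          /* declared length would not fit, NUL included */
        return -3;
    memcpy(name_out, msg + 1, n);
    name_out[n] = '\0';
    return 0;
}

/* Convenience wrappers that parse into a static buffer so a caller can
 * inspect the status and the resulting name without managing storage. */
static char g_name[NAME_MAX];

int checked_status(const uint8_t *msg, size_t msg_len)
{
    memset(g_name, 0, sizeof g_name);
    return parse_record_checked(msg, msg_len, g_name);
}

const char *checked_name(void)
{
    return g_name;
}

int main(void)
{
    /* Constructed sample records for this example. */
    static const uint8_t good[]      = "\x05hello";                      /* length 5, 5 bytes follow */
    static const uint8_t too_long[]  = "\x14" "0123456789abcdefghij";     /* length 20: fits the message, not the buffer */
    static const uint8_t truncated[] = "\x40hi";                         /* length 64: only 2 bytes follow */
    char name[NAME_MAX];

    /* On well-formed input both parsers agree. */
    parse_record_unchecked(good, 6, name);
    printf("unchecked, good record: %s\n", name);
    printf("checked,   good record: status %d, name %s\n", checked_status(good, 6), checked_name());

    /* On hostile input only the checked parser is safe to call. */
    printf("checked, oversized length: status %d\n", checked_status(too_long, sizeof too_long - 1));
    printf("checked, truncated record: status %d\n", checked_status(truncated, sizeof truncated - 1));
    printf("checked, empty message:    status %d\n", checked_status(good, 0));
    return 0;
}
```

The two checks are deliberately separate: the read bound depends on how many bytes the caller actually received, the write bound on the destination buffer, and a real parser needs both even though a single faulty length byte can trip either. Note the `n > msg_len - 1` form rather than `n + 1 > msg_len`, which avoids the integer wraparound (CWE-190) that the same list ranks 13th.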