
Top 5 most dangerous software weaknesses in 2024

The more things change, the more they stay the same.

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, has released the 2024 CWE Top 25 Most Dangerous Software Weaknesses.

This top 25 highlights the most severe and prevalent weaknesses behind the 31,770 CVEs in this year’s dataset.

Without further ado, here’s this year’s top 5.

#1 CWE-79. The number one is an old acquaintance. Cross-site scripting, also known as XSS, is a very common web application vulnerability. By exploiting XSS vulnerabilities, an attacker can inject client-side scripts into a website, which later execute when victims browse the website. A prominent example from this year was a Joomla! vulnerability: a website user could input data in the email address field that triggered XSS because it was not properly escaped.

#2 CWE-787. Last year’s number one, out-of-bounds write. This happens when a program writes to memory locations past the end, or before the beginning, of the intended buffer. In some cases, an adversary can modify control data such as return addresses in order to execute unexpected code. VMware fixed an out-of-bounds write vulnerability it considered so serious that even end-of-life software received a patch. An attacker could exploit it under certain circumstances to escape out of the sandbox.

#3 CWE-89. SQL injection, more formally known as “Improper Neutralization of Special Elements used in an SQL Command.” If a service fails to properly neutralize special elements, an attacker could use this to destroy or alter the SQL database. Centreon is a widely used network, system and application monitoring tool. In 2024 Centreon fixed a vulnerability that allowed authenticated remote attackers to execute arbitrary code on affected installations.

#4 CWE-352. Cross-Site Request Forgery (CSRF) occurs when a web server is unable to verify that a request was intentionally sent by a legitimate visitor. Apache Roller, a popular Java-based blogging platform, issued an update to address a critical CSRF vulnerability. On multi-blog/user Roller websites, weblog owners are by default trusted to publish arbitrary weblog content, and this, combined with a deficiency in Roller’s CSRF protections, allowed an escalation of privileges attack.

#5 CWE-22. Path traversal, also known as directory traversal, is a type of security flaw that allows attackers to traverse the file system and access files and directories they should not be able to reach. These flaws typically occur in web applications but can affect any software that handles file paths. The Spring Framework patched a vulnerability which allowed an attacker to craft malicious HTTP requests and obtain any file on the file system that was also accessible to the process in which the Spring application is running.
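A containment check of the kind that stops the traversal described above, added here as an example (it is not code from the page or from the Spring project); the web root, the symlink and the request strings are constructed for the demo, and the check assumes the framework has already percent-decoded the request.

```python
"""Containment check for user-supplied file paths (CWE-22, path traversal)."""
import tempfile
from pathlib import Path


def resolve_under_root(root, requested):
    """Return the canonical Path of `requested` inside `root`, or None when
    the request would land outside it. Assumes the web framework has already
    percent-decoded `requested` (decode before calling, never after)."""
    root_real = Path(root).resolve()
    if "\x00" in requested:            # a NUL would truncate the name in C APIs
        return None
    # Drop leading separators so an absolute request is treated as relative
    # to root rather than replacing it.
    candidate = (root_real / requested.lstrip("/\\")).resolve()
    # resolve() collapses '..' and follows symlinks, so a link that points out
    # of root is caught here just like a plain '../' walk.
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return None
    return candidate


def demo():
    """Constructed fixture: a web root holding one stylesheet plus a symlink
    that points at a file outside the root. Returns, per request, the path
    that would be served relative to the root, or None if refused."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        (root / "css").mkdir(parents=True)
        (root / "css" / "site.css").write_text("body {}")
        outside = Path(tmp) / "secret.txt"
        outside.write_text("not for the web")
        (root / "leak").symlink_to(outside)
        requests = [
            "css/site.css",            # ordinary request
            "css/../css/site.css",     # harmless '..' that stays inside
            "../secret.txt",           # classic traversal
            "/etc/passwd",             # absolute path: mapped under root
            "leak",                    # symlink escaping the root
            "css/site.css\x00.png",    # NUL-byte truncation attempt
        ]
        root_real = root.resolve()
        result = {}
        for req in requests:
            hit = resolve_under_root(root, req)
            result[req] = None if hit is None else str(hit.relative_to(root_real))
        return result
```

Whether the contained path actually exists is a separate check; the function only answers whether serving it could ever leave the root.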

One thing these five weaknesses have in common is that they are easily associated with web servers, web applications, and websites.

A web server is the digital front door to an organization. And vulnerabilities in this door can allow an attacker to access valuable information, and use it as a gateway to even more sensitive data within an organization’s network.

Web servers also often run a significant amount of open-source software, which is sometimes overlooked when it comes to patching because notifications of available updates may not be sent out to users. Administrators often have to keep an eye on updates themselves.

One of the most effective measures to keep your sensitive data separated from web servers is network segmentation. Dividing a computer network into smaller subnetworks or segments helps increase network security. It can help prevent unauthorized access to sensitive information by keeping that information in a separate segment isolated from general network traffic. If the web server is on its own segment, an attacker can’t use it as a stepping stone to access other critical parts of the network.

Another important security measure—which organizations often have no control over—is input validation. Attackers use fuzzing techniques, feeding a wide range of invalid and unexpected data as input to find flaws in the software under test. One thing you might be able to do to counter this is limit the number of tries that one user or one IP address is allowed.