Skip to main content

MITRE Releases 2019 List of Top Security Weaknesses

by Chris Brook on Wednesday September 18, 2019

Contact Us
Free Demo

MITRE has published a list of the most dangerous software errors - weaknesses that could lead to a critical vulnerability and in turn, code execution and the theft of data, if left unresolved.

Developers and those who work with software should be especially weary of errors in the way software performs on a memory buffer, and how it neutralizes and validates input.

While there many software weaknesses can be indicative of a problem and lead to vulnerabilities further down the road, these in particular are cause for concern, according to a new list released by MITRE this week.

MITRE, the not-for-profit organization that manages the Common Vulnerabilities and Exposures (CVE) list, a dictionary of disclosed cybersecurity vulnerabilities and exposures, published the list, the Top 25 Most Dangerous Software Errors, on Tuesday. The list aggregates the most pressing weaknesses as classified by its Common Weakness Enumeration (CWE™).

Ordinarily, there are a number of different ways to view MITRE’s CWE - users can look at weaknesses commonly introduced during design, during implementation, and in software written in different languages, C++, Java, and PHP for example. This list, updated for the first time since 2011, are labeled dangerous because if left unaddressed, they could let an attacker execute code on the software, steal data, or just prevent the software from working.

The different between this list and the one published nearly a decade ago is that this iteration is actually data-driven, based on CVE advisory data from National Institute of Standards and Technology (NIST)'s National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS). 2011's list was based on surveys and interviews carried out by MITRE.

Three misconfigurations - Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Neutralization of Input During Web Page Generation, or Cross-site Scripting (XSS) and Improper Input Validation - take the first three spots.

For the most dangerous weakness, in some languages the direct addressing of memory locations don't automatically ensure locations are valid for the memory buffer being referenced. This can result in read or write operations to be performed on memory locations linked to data structures or internal program data. An attacker could also execute malicious code, change the control flow, read sensitive data, or crash the system.

The rest of the top five is rounded out by common weaknesses including information disclosure and out-of-bounds read.

The full list of MITRE’s most dangerous weaknesses for 2019 are as follows:

Rank ID NVD Count Avg CVSS Overall Score
1 CWE-119 3545 8.045 75.56
2 CWE-79 3430 5.778 45.69
3 CWE-20 2360 7.242 43.61
4 CWE-200 2300 5.778 32.12
5 CWE-125 1428 7.242 26.53
6 CWE-89 977 5.961 24.54
7 CWE-416 799 7.270 17.94
8 CWE-190 867 9.129 17.35
9 CWE-352 693 8.374 15.54
10 CWE-22 759 7.679 14.10
11 CWE-78 486 8.365 11.47
12 CWE-787 510 7.275 11.08
13 CWE-287 495 8.707 10.78
14 CWE-476 572 8.169 9.74
15 CWE-732 334 8.188 6.33
16 CWE-434 239 6.834 5.50
17 CWE-611 262 7.949 5.48
18 CWE-94 230 8.637 5.36
19 CWE-798 215 8.782 5.12
20 CWE-400 288 6.980 5.04
21 CWE-772 304 6.714 5.04
22 CWE-426 215 7.823 4.40
23 CWE-502 177 8.921 4.30
24 CWE-269 226 7.332 4.23
25 CWE-295 248 6.658 4.06


The list assesses each weakness by what MITRE refers to as its frequency, essentially the number of times a weakness is mapped to a CVE within the National Vulnerability Database. A chart on MITRE’s website includes an average CVSS score - something which translates to the severity of the vulnerability - for each weakness.

Developers may find it interesting to review the weaknesses that fell just outside of its top 25, including weaknesses like server-side request forgery (SSRF), missing authentication for critical function, and open redirects.

Tags:  Vulnerabilities

Recommended Resources

The Definitive Guide to DLP

  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives

The Definitive Guide to Data Classification

  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business